2026-01-06
2026-01-06 17:15Z
CRIT

CVE-2025-60534 — Blueaccesstech Cobalt_x1: Blue Access Cobalt v02.000.195 suffers from an authentication bypass vulnerability, which allows an attacker

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-60534

Blue Access Cobalt v02.000.195 suffers from an authentication bypass vulnerability, which allows an attacker to selectively proxy requests in order to operate functionality on the web application without the need to authenticate with legitimate credentials. CVSSv3.1 9.8 (CRITICAL) · EPSS 48th percentile

CWECWE 287VNDBlueaccesstechVNDBlueTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-01-06
2026-01-06 17:15Z
HIGH

CVE-2025-47553 — Deserialization: of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery dzs-videogallery allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-47553

Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery dzs-videogallery allows Object Injection.This issue affects DZS Video Gallery: from n/a through <= 12.39. CVSSv3.1 8.8 (HIGH)

CWECWE 502TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-01-06
2026-01-06 17:15Z
CRIT

CVE-2025-39477 — Authorization: Missing Authorization vulnerability in Sfwebservice InWave Jobs iwjob allows Exploiting Incorrectly Configured Access Control

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-39477

Missing Authorization vulnerability in Sfwebservice InWave Jobs iwjob allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InWave Jobs: from n/a through <= 3.5.8. CVSSv3.1 9.8 (CRITICAL)

CWECWE 862TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-01-06
2026-01-06 05:16Z
HIGH

CVE-2025-14997 — BuddyPress: The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-14997

The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). CVSSv3.1 8.8 (HIGH)

CWECWE 22VNDBuddypressTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-01-05
2026-01-05 17:15Z
CRIT

CVE-2025-39484 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-39484

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Waituk Entrada entrada allows SQL Injection.This issue affects Entrada: from n/a through <= 5.7.7. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2026-01-05
2026-01-05 11:17Z
HIGH

CVE-2025-69087 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-69087

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes FreeAgent freeagent allows PHP Local File Inclusion.This issue affects FreeAgent: from n/a through <= 2.1.2. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2026-01-05
2026-01-05 11:17Z
CRIT

CVE-2025-68865 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-68865

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infility Infility Global infility-global allows SQL Injection.This issue affects Infility Global: from n/a through <= 2.15.11. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
728 × 90 / responsive · programmatic ad slot
2026-01-05
2026-01-05 11:17Z
HIGH

CVE-2025-68044 — Authorization: Bypass Through User-Controlled Key vulnerability in Rustaurius Five Star Restaurant Reservations restaurant-reservations allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-68044

Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Five Star Restaurant Reservations restaurant-reservations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Five Star Restaurant Reservations: from n/a through <= 2.7.4. CVSSv3.1 8.6 (HIGH)

CWECWE 639TYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2026-01-05
2026-01-05 11:17Z
CRIT

CVE-2025-31048 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Themify Shopo shopo allows Upload

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31048

Unrestricted Upload of File with Dangerous Type vulnerability in Themify Shopo shopo allows Upload a Web Shell to a Web Server.This issue affects Shopo: from n/a through <= 1.1.4. CVSSv3.1 9.9 (CRITICAL)

CWECWE 434TYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2026-01-05
2026-01-05 11:17Z
HIGH

CVE-2025-31047 — Deserialization: of Untrusted Data vulnerability in Themify Themify Edmin edmin allows Object Injection.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31047

Deserialization of Untrusted Data vulnerability in Themify Themify Edmin edmin allows Object Injection.This issue affects Themify Edmin: from n/a through <= 2.0.0. CVSSv3.1 8.8 (HIGH)

CWECWE 502TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-01-05
2026-01-05 11:17Z
HIGH

CVE-2025-31044 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31044

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Premium SEO Pack premium-seo-pack allows SQL Injection.This issue affects Premium SEO Pack: from n/a through <= 3.3.2. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2026-01-05
2026-01-05 11:17Z
CRIT

CVE-2025-30633 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30633

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Native Shopping Recommendations woozone-contextual allows SQL Injection.This issue affects Amazon Native Shopping Recommendations: from n/a through <= 1.3. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2026-01-02
2026-01-02 16:17Z
CRIT

CVE-2025-67268 — Gpsd_project Gpsd: before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-67268

gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS CVSSv3.1 9.8 (CRITICAL)

CWECWE 122CWECWE 1285VNDGpsd ProjectTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-12-31
2025-12-31 20:15Z
HIGH

CVE-2025-30628 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30628

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) azon-addon-js-composer allows SQL Injection.This issue affects Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through <= 1.2. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-12-31
2025-12-31 20:15Z
HIGH

CVE-2025-28949 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-28949

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Codedraft Mediabay - WordPress Media Library Folders mediabay allows Blind SQL Injection.This issue affects Mediabay - WordPress Media Library Folders: from n/a through <= 1.4. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-12-31
2025-12-31 17:16Z
INFO

v3.6.2

Nuclei releases·github.com

Nuclei v3.6.2 released with TLS session caching, custom Jira OAuth URL support, and multiple bug fixes including JavaScript template execution restoration, pagination improvements for issue detection, and segmentation fault resolution in flow execution.

SRFApplicationVNDProjectdiscoveryTYPTool
35
Edit Score
2025-12-31
2025-12-31 12:00Z
HIGH

Detect Go’s silent arithmetic bugs with go-panikint

Trail of Bits·blog.trailofbits.com

Trail of Bits released go-panikint, a modified Go compiler that converts silent integer overflows into runtime panics, enabling fuzzing to detect a previously invisible class of vulnerabilities. The tool was validated by discovering a live integer overflow in Cosmos SDK's RPC pagination logic where offset+limit wrapping caused empty result sets instead of panicking.

SRFApplicationTACTA0007VNDCosmosTYPResearchTYPToolSTGDiscoveryTECT1592EXPInteger Overflow
78
Edit Score
2025-12-30
2025-12-30 17:15Z
CRIT

CVE-2025-66848 — Jdcloud Ax1800_firmware: JD Cloud NAS routers AX1800 (4.3.1.r4308 and earlier), AX3000 (4.3.1.r4318 and earlier), AX6600 (4.5.1.r4533

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-66848

JD Cloud NAS routers AX1800 (4.3.1.r4308 and earlier), AX3000 (4.3.1.r4318 and earlier), AX6600 (4.5.1.r4533 and earlier), BE6500 (4.4.1.r4308 and earlier), ER1 (4.5.1.r4518 and earlier), and ER2 (4.5.1.r4518 and earlier) contain an unauthorized remote command execution vulnerability. CVSSv3.1 9.8 (CRITICAL) · EPSS 59th percentile

CWECWE 94VNDCloudVNDJdcloudTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-12-30
2025-12-30 17:15Z
CRIT

CVE-2025-52835 — Site: Cross-Site Request Forgery (CSRF) vulnerability in ConoHa by GMO WING WordPress Migrator wing-migrator allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-52835

Cross-Site Request Forgery (CSRF) vulnerability in ConoHa by GMO WING WordPress Migrator wing-migrator allows Upload a Web Shell to a Web Server.This issue affects WING WordPress Migrator: from n/a through <= 1.2.0. CVSSv3.1 9.6 (CRITICAL)

CWECWE 352TYPVulnerability
9.6
CVSS v3.1
98
Edit Score
2025-12-30
2025-12-30 14:00Z
HIGH

GenAI DevOps: More Code, More Problems

Bishop Fox Labs·bishopfox.com

Bishop Fox research examines security risks from GenAI-assisted code generation in DevOps workflows, where non-developers can ship production code without triggering traditional code review safeguards. The article proposes 15 architectural guardrails—templates, centralized auth, secrets management, CI gates, network policies, and least-privilege isolation—to enforce secure defaults at the infrastructure and pipeline level rather than relying on prompt quality.

SRFApplicationTACTA0005TACTA0001TACTA0002SRFCloudTYPResearchTYPTechniqueSTGDefense Evasion
68
Edit Score
2025-12-30
2025-12-30 11:16Z
HIGH

CVE-2025-69034 — Qodeinteractive Lekker: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-69034

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Lekker lekker allows PHP Local File Inclusion.This issue affects Lekker: from n/a through <= 1.8. CVSSv3.1 8.1 (HIGH)

CWECWE 98VNDQodeinteractiveTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-12-30
2025-12-30 11:15Z
HIGH

CVE-2025-68990 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-68990

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in xenioushk BWL Pro Voting Manager bwl-pro-voting-manager allows Blind SQL Injection.This issue affects BWL Pro Voting Manager: from n/a through <= 1.4.9. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-12-29
2025-12-29 22:15Z
CRIT

CVE-2025-68860 — Authentication: Bypass Using an Alternate Path or Channel vulnerability in Mobile Builder Mobile builder

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-68860

Authentication Bypass Using an Alternate Path or Channel vulnerability in Mobile Builder Mobile builder mobile-builder allows Authentication Abuse.This issue affects Mobile builder: from n/a through <= 1.4.2. CVSSv3.1 9.8 (CRITICAL)

CWECWE 288TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-12-29
2025-12-29 22:15Z
CRIT

CVE-2025-68562 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Upload

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-68562

Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through <= 8.7.3. CVSSv3.1 9.9 (CRITICAL)

CWECWE 434TYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2025-12-29
2025-12-29 22:01Z
HIGH

Bugs that survive the heat of continuous fuzzing

GitHub Security Lab researcher Antonio Morales documents how critical vulnerabilities persist in heavily-fuzzed open-source projects (GStreamer, Poppler, Exiv2) despite years of continuous fuzzing via OSS-Fuzz. The analysis reveals systematic gaps: inadequate fuzzer coverage (GStreamer 19% vs OpenSSL 139 fuzzers), unfuzzed dependencies shipped in production (DjVuLibre in Evince), and asymmetric fuzzing focus (decode vs encode paths). Morales proposes a five-step fuzzing workflow emphasizing >90% code coverage, context-sensitive coverage, value coverage, and fault injection to close detection gaps.

SRFApplicationTACTA0043SRFSupply ChainTYPResearchTYPTechniqueSTGDiscovery
82
Edit Score