Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-60534 — Blueaccesstech Cobalt_x1: Blue Access Cobalt v02.000.195 suffers from an authentication bypass vulnerability, which allows an attacker
Blue Access Cobalt v02.000.195 suffers from an authentication bypass vulnerability, which allows an attacker to selectively proxy requests in order to operate functionality on the web application without the need to authenticate with legitimate credentials. CVSSv3.1 9.8 (CRITICAL) · EPSS 48th percentile
CVE-2025-47553 — Deserialization: of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery dzs-videogallery allows
Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery dzs-videogallery allows Object Injection.This issue affects DZS Video Gallery: from n/a through <= 12.39. CVSSv3.1 8.8 (HIGH)
CVE-2025-39477 — Authorization: Missing Authorization vulnerability in Sfwebservice InWave Jobs iwjob allows Exploiting Incorrectly Configured Access Control
Missing Authorization vulnerability in Sfwebservice InWave Jobs iwjob allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InWave Jobs: from n/a through <= 3.5.8. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-14997 — BuddyPress: The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file
The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). CVSSv3.1 8.8 (HIGH)
CVE-2025-39484 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Waituk Entrada entrada allows SQL Injection.This issue affects Entrada: from n/a through <= 5.7.7. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-69087 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes FreeAgent freeagent allows PHP Local File Inclusion.This issue affects FreeAgent: from n/a through <= 2.1.2. CVSSv3.1 8.1 (HIGH)
CVE-2025-68865 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infility Infility Global infility-global allows SQL Injection.This issue affects Infility Global: from n/a through <= 2.15.11. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-68044 — Authorization: Bypass Through User-Controlled Key vulnerability in Rustaurius Five Star Restaurant Reservations restaurant-reservations allows
Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Five Star Restaurant Reservations restaurant-reservations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Five Star Restaurant Reservations: from n/a through <= 2.7.4. CVSSv3.1 8.6 (HIGH)
CVE-2025-31048 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Themify Shopo shopo allows Upload
Unrestricted Upload of File with Dangerous Type vulnerability in Themify Shopo shopo allows Upload a Web Shell to a Web Server.This issue affects Shopo: from n/a through <= 1.1.4. CVSSv3.1 9.9 (CRITICAL)
CVE-2025-31047 — Deserialization: of Untrusted Data vulnerability in Themify Themify Edmin edmin allows Object Injection.This issue
Deserialization of Untrusted Data vulnerability in Themify Themify Edmin edmin allows Object Injection.This issue affects Themify Edmin: from n/a through <= 2.0.0. CVSSv3.1 8.8 (HIGH)
CVE-2025-31044 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Premium SEO Pack premium-seo-pack allows SQL Injection.This issue affects Premium SEO Pack: from n/a through <= 3.3.2. CVSSv3.1 8.5 (HIGH)
CVE-2025-30633 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Native Shopping Recommendations woozone-contextual allows SQL Injection.This issue affects Amazon Native Shopping Recommendations: from n/a through <= 1.3. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-67268 — Gpsd_project Gpsd: before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file.
gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS CVSSv3.1 9.8 (CRITICAL)
CVE-2025-30628 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) azon-addon-js-composer allows SQL Injection.This issue affects Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through <= 1.2. CVSSv3.1 8.5 (HIGH)
CVE-2025-28949 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Codedraft Mediabay - WordPress Media Library Folders mediabay allows Blind SQL Injection.This issue affects Mediabay - WordPress Media Library Folders: from n/a through <= 1.4. CVSSv3.1 8.5 (HIGH)
v3.6.2
Nuclei v3.6.2 released with TLS session caching, custom Jira OAuth URL support, and multiple bug fixes including JavaScript template execution restoration, pagination improvements for issue detection, and segmentation fault resolution in flow execution.
Detect Go’s silent arithmetic bugs with go-panikint
Trail of Bits released go-panikint, a modified Go compiler that converts silent integer overflows into runtime panics, enabling fuzzing to detect a previously invisible class of vulnerabilities. The tool was validated by discovering a live integer overflow in Cosmos SDK's RPC pagination logic where offset+limit wrapping caused empty result sets instead of panicking.
CVE-2025-66848 — Jdcloud Ax1800_firmware: JD Cloud NAS routers AX1800 (4.3.1.r4308 and earlier), AX3000 (4.3.1.r4318 and earlier), AX6600 (4.5.1.r4533
JD Cloud NAS routers AX1800 (4.3.1.r4308 and earlier), AX3000 (4.3.1.r4318 and earlier), AX6600 (4.5.1.r4533 and earlier), BE6500 (4.4.1.r4308 and earlier), ER1 (4.5.1.r4518 and earlier), and ER2 (4.5.1.r4518 and earlier) contain an unauthorized remote command execution vulnerability. CVSSv3.1 9.8 (CRITICAL) · EPSS 59th percentile
CVE-2025-52835 — Site: Cross-Site Request Forgery (CSRF) vulnerability in ConoHa by GMO WING WordPress Migrator wing-migrator allows
Cross-Site Request Forgery (CSRF) vulnerability in ConoHa by GMO WING WordPress Migrator wing-migrator allows Upload a Web Shell to a Web Server.This issue affects WING WordPress Migrator: from n/a through <= 1.2.0. CVSSv3.1 9.6 (CRITICAL)
GenAI DevOps: More Code, More Problems
Bishop Fox research examines security risks from GenAI-assisted code generation in DevOps workflows, where non-developers can ship production code without triggering traditional code review safeguards. The article proposes 15 architectural guardrails—templates, centralized auth, secrets management, CI gates, network policies, and least-privilege isolation—to enforce secure defaults at the infrastructure and pipeline level rather than relying on prompt quality.
CVE-2025-69034 — Qodeinteractive Lekker: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Lekker lekker allows PHP Local File Inclusion.This issue affects Lekker: from n/a through <= 1.8. CVSSv3.1 8.1 (HIGH)
CVE-2025-68990 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in xenioushk BWL Pro Voting Manager bwl-pro-voting-manager allows Blind SQL Injection.This issue affects BWL Pro Voting Manager: from n/a through <= 1.4.9. CVSSv3.1 8.5 (HIGH)
CVE-2025-68860 — Authentication: Bypass Using an Alternate Path or Channel vulnerability in Mobile Builder Mobile builder
Authentication Bypass Using an Alternate Path or Channel vulnerability in Mobile Builder Mobile builder mobile-builder allows Authentication Abuse.This issue affects Mobile builder: from n/a through <= 1.4.2. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-68562 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Upload
Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through <= 8.7.3. CVSSv3.1 9.9 (CRITICAL)
Bugs that survive the heat of continuous fuzzing
GitHub Security Lab researcher Antonio Morales documents how critical vulnerabilities persist in heavily-fuzzed open-source projects (GStreamer, Poppler, Exiv2) despite years of continuous fuzzing via OSS-Fuzz. The analysis reveals systematic gaps: inadequate fuzzer coverage (GStreamer 19% vs OpenSSL 139 fuzzers), unfuzzed dependencies shipped in production (DjVuLibre in Evince), and asymmetric fuzzing focus (decode vs encode paths). Morales proposes a five-step fuzzing workflow emphasizing >90% code coverage, context-sensitive coverage, value coverage, and fault injection to close detection gaps.