2025-12-08
2025-12-08 21:21Z
CRIT

CVE-2025-55182-research — CVE-2025-55182 POC

GitHub · recent CVE PoCs·github.comGITHUB POCCVE-2025-55182in the wild

CVE-2025-55182 is a critical RCE vulnerability in React's Flight Protocol affecting versions 19.0.0–19.2.0 and Next.js 15.x–16.x. The exploit chains path traversal via `$1:constructor:constructor`, fake chunk injection with self-referential thenable objects, and `$B` handler abuse to reach the Function constructor and execute arbitrary code. Patches are available in React 19.0.1+, 19.1.2+, 19.2.1+ and corresponding Next.js releases.

SRFApplicationTACTA0002SRFWebTACTA0003VNDReactVNDNext JsTYPWriteupTYPExploit
92
Edit Score
2025-12-08
2025-12-08 13:51Z
CRIT

CVE-2025-55182 — Explanation and full RCE PoC for CVE-2025-55182

GitHub · recent CVE PoCs·github.comGITHUB POCCVE-2025-55182

CVE-2025-55182 is a critical prototype pollution vulnerability in React Server Functions (Next.js) that allows unauthenticated remote code execution via the React Flight Protocol deserialization. The vulnerability stems from insufficient validation during chunk reference resolution, enabling attackers to access the Function constructor and chain gadgets through blob deserialization to achieve arbitrary code execution before action validation occurs.

SRFApplicationTACTA0002SRFWebTACTA0003VNDNextjsVNDReactTYPWriteupTYPExploit
92
Edit Score
2025-12-08
2025-12-08 00:00Z
HIGH

AI-Automated Threat Hunting Brings GhostPenguin Out of the Shadows

Trend Micro Research·trendmicro.com

Trend Micro Research disclosed GhostPenguin, a previously undocumented Linux backdoor written in C++ that evaded detection for over four months on VirusTotal. The malware was discovered through AI-automated threat hunting and provides remote shell access, file operations, and C&C communication via RC5-encrypted UDP channels. Analysis reveals the backdoor is still in active development with debug artifacts and unused persistence functions.

SRFOsTACTA0011TACTA0010VNDTrend MicroTYPResearchTYPThreat IntelSTGExecutionSTGPersistence
72
Edit Score
2025-12-07
2025-12-07 04:16Z
CRIT

react2shell-scanner — High Fidelity Detection Mechanism for RSC/Next.js RCE (CVE-2025-55182 & CVE-2025-66478)

GitHub · recent CVE PoCs·github.comGITHUB POCCVE-2025-55182CVE-2025-66478in the wild

Assetnote released react2shell-scanner, a Python tool for detecting critical RCE vulnerabilities (CVE-2025-55182 and CVE-2025-66478) in Next.js applications using React Server Components. The scanner executes a deterministic PoC payload and detects vulnerability via response header reflection, with optional safe-check mode, WAF bypass techniques, and multi-threaded scanning capabilities.

SRFApplicationTACTA0002SRFWebVNDReactVNDNext JsTYPToolTYPExploitSTGExecution
92
Edit Score
2025-12-06
2025-12-06 12:04Z
CRIT

Nuclei Templates v10.3.5 - Release Notes

Nuclei Templates v10.3.5 adds 57 new detection templates covering 33 CVEs, with critical focus on React Server Components RCE (CVE-2025-55182), WordPress plugin vulnerabilities (auth bypass, arbitrary file upload, privilege escalation), and PrestaShop/CMS exploits. The release includes bug fixes reducing false positives/negatives and enhanced detection accuracy across WordPress ecosystem, PHP applications, and infrastructure services.

SRFApplicationTACTA0004TACTA0001TACTA0002SRFWebVNDProjectdiscoveryTYPToolTYPVulnerability
9.8
CVSS v3.1
72
Edit Score
2025-12-06
2025-12-06 10:16Z
HIGH

CVE-2025-14126 — Such manipulation leads to hard-coded credentials.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-14126

A vulnerability has been found in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. Affected is an unknown function of the component Web Interface. Such manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 8.8 (HIGH) · EPSS 12th percentile

CWECWE 798CWECWE 259TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-12-06
2025-12-06 06:15Z
CRIT

CVE-2025-12673 — Flex: The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-12673

The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_qr_code() function in all versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. CVSSv3.1 9.8 (CRITICAL)

CWECWE 434VNDFlexTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
728 × 90 / responsive · programmatic ad slot
2025-12-06
2025-12-06 01:27Z
CRIT

CVE-2025-55182 — RSC/Next.js RCE Vulnerability Detector & PoC Chrome Extension – CVE-2025-55182 & CVE-2025-66478

GitHub · recent CVE PoCs·github.comGITHUB POCCVE-2025-55182CVE-2025-66478in the wild

A public GitHub repository released a Chrome extension and Shodan scanner toolkit for detecting and exploiting CVE-2025-55182 and CVE-2025-66478, critical RCE vulnerabilities in React Server Components (RSC) and Next.js applications. The toolkit includes automated vulnerability detection, proof-of-concept exploitation capabilities, and a CORS-bypass proxy for remote testing.

SRFApplicationTACTA0002SRFWebTACTA0003VNDReactVNDNext JsTYPToolTYPWriteup
88
Edit Score
2025-12-05
2025-12-05 23:15Z
HIGH

CVE-2025-34291 — Langflow Langflow: versions up to and including 1.6.9 contain a chained vulnerability that enables account

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-34291

Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_t CVSSv3.1 8.8 (HIGH) · EPSS 93th percentile

CWECWE 346VNDLangflowTYPVulnerability
8.8
CVSS v3.1
97
Edit Score
2025-12-05
2025-12-05 17:48Z
INFO

Ghostwriter v6.1 — Playing Fetch with BloodHound

SpecterOps·specterops.io

SpecterOps released Ghostwriter v6.1, introducing native BloodHound integration that allows direct import of BloodHound data and findings into assessment projects. The release also adds collaborative project notes, improved caption editor objects, dark mode, expanded SSO/MFA options including WebAuthn groundwork, and programmatic evidence downloads via GraphQL.

SRFApplicationVNDBloodhoundVNDGhostwriterTYPToolSTGLat MovementSTGCollection
62
Edit Score
2025-12-05
2025-12-05 16:15Z
CRIT

CVE-2025-64054 — Fanvil X210_firmware: A reflected Cross Site Scripting (XSS) vulnerability on Fanvil x210 2.12.20 devices allows attackers

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-64054

A reflected Cross Site Scripting (XSS) vulnerability on Fanvil x210 2.12.20 devices allows attackers to cause a denial of service or potentially execute arbitrary commands via crafted POST request to the /cgi-bin/webconfig?page=upload&action=submit endpoint. CVSSv3.1 9.6 (CRITICAL) · EPSS 32th percentile

CWECWE 79VNDFanvilTYPVulnerability
9.6
CVSS v3.1
98
Edit Score
2025-12-05
2025-12-05 15:15Z
HIGH

CVE-2025-64057 — Fanvil X210_firmware: Directory traversal vulnerability in Fanvil x210 V2 2.12.20 allows unauthenticated attackers on the local

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-64057

Directory traversal vulnerability in Fanvil x210 V2 2.12.20 allows unauthenticated attackers on the local network to store files in arbitrary locations and potentially modify the system configuration or other unspecified impacts. CVSSv3.1 8.3 (HIGH) · EPSS 52th percentile

CWECWE 22VNDFanvilTYPVulnerability
8.3
CVSS v3.1
92
Edit Score
2025-12-05
2025-12-05 08:56Z
CRIT

React2Shell-CVE-2025-55182-original-poc — Original Proof-of-Concepts for React2Shell CVE-2025-55182

GitHub · recent CVE PoCs·github.comGITHUB POCCVE-2025-55182in the wild

Original proof-of-concept code for CVE-2025-55182 affecting React2Shell has been publicly released on GitHub by the original discoverer. The vulnerability allows remote code execution through a promise-chain gadget attack that manipulates Chunk objects and leverages the `_formData` gadget chain in Next.js/React environments. Public variants are already in circulation and integrated into Google's Tsunami security scanner.

SRFApplicationTACTA0002SRFWebVNDMetaVNDReactTYPExploitTYPVulnerabilitySTGExecution
92
Edit Score
2025-12-05
2025-12-05 08:11Z
HIGH

RSC_Detector — Supports RSC fingerprinting and exploitation of the React component vulnerability CVE-2025-55182.

GitHub · recent CVE PoCs·github.comGITHUB POCCVE-2025-55182

RSC_Detector is a Chrome extension that performs passive and active fingerprinting of React Server Components (RSC) and Next.js App Router implementations, with exploitation capabilities for CVE-2025-55182. The tool uses multiple detection methods including Content-Type analysis, header inspection, and React Flight Protocol pattern matching to identify vulnerable RSC deployments.

SRFWebTACTA0043SRFBrowserVNDNextjsVNDReactTYPToolTYPExploitSTGInitial Access
78
Edit Score
2025-12-05
2025-12-05 07:16Z
CRIT

CVE-2025-12374 — Email: The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-12374

The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.44. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a v CVSSv3.1 9.8 (CRITICAL)

CWECWE 287TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-12-05
2025-12-05 06:16Z
HIGH

CVE-2025-12181 — ContentStudio: The ContentStudio plugin for WordPress is vulnerable to arbitrary file uploads due to missing

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-12181

The ContentStudio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the cstu_update_post() function in all versions up to, and including, 1.3.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. CVE-2025-67910 is likely a duplicate of this. CVSSv3.1 8.8 (HIGH)

CWECWE 434VNDContentstudioTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-12-05
2025-12-05 05:16Z
CRIT

CVE-2025-13313 — CRM: The CRM Memberships plugin for WordPress is vulnerable to privilege escalation via password reset

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-13313

The CRM Memberships plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 2.6. This is due to missing authorization and authentication checks on the `ntzcrm_changepassword` AJAX action. This makes it possible for unauthenticated attackers to reset arbitrary user passwords and gain unauthorized access to user accounts via the `ntzcrm_changepassword` endpoint, granted they can obtain or enumerate a target user's emai CVSSv3.1 9.8 (CRITICAL)

CWECWE 862VNDCrmTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-12-05
2025-12-05 00:00Z
CRIT

Critical React Server Components Vulnerability CVE-2025-55182: What Security Teams Need to Know

Trend Micro Research·trendmicro.comCVE-2025-55182in the wild

CVE-2025-55182 is a critical pre-authentication RCE (CVSS 10.0) in React Server Components affecting React 19.x, Next.js 15.x/16.x, and related frameworks. The vulnerability stems from unsafe deserialization of HTTP payloads in Server Function endpoints, allowing unauthenticated attackers to execute arbitrary code with a single malicious POST request. Active exploitation in the wild has been observed targeting financial services, technology, and e-commerce sectors.

SRFApplicationTACTA0001SRFWebVNDReactVNDNext JsVNDFacebookTYPVulnerabilityTYPAdvisory
92
Edit Score
2025-12-04
2025-12-04 21:20Z
INFO

v3.6.0

Nuclei releases·github.com

Nuclei v3.6.0 released with new features including resume file writing, JavaScript multi-port support, direct fuzzing for OpenAPI/Swagger specs, .NET deserialization DSL helpers, and persistent metadata caching. The release includes bug fixes for DNS lookups, parallel processing restoration, and various dependency updates.

SRFApplicationVNDProjectdiscoveryTYPTool
52
Edit Score
2025-12-04
2025-12-04 20:16Z
CRIT

CVE-2025-29269 — Allnet All-rut22gw_firmware: ALL-RUT22GW v3.3.8 was discovered to contain an OS command injection vulnerability via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-29269

ALLNET ALL-RUT22GW v3.3.8 was discovered to contain an OS command injection vulnerability via the command parameter in the popen.cgi endpoint. CVSSv3.1 9.8 (CRITICAL) · EPSS 82th percentile

CWECWE 78VNDAllnetTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2025-12-04
2025-12-04 20:16Z
CRIT

CVE-2025-29268 — Allnet All-rut22gw_firmware: ALL-RUT22GW v3.3.8 was discovered to store hardcoded credentials in the libicos.so library.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-29268

ALLNET ALL-RUT22GW v3.3.8 was discovered to store hardcoded credentials in the libicos.so library. CVSSv3.1 9.8 (CRITICAL) · EPSS 94th percentile

CWECWE 798VNDAllnetTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2025-12-04
2025-12-04 17:15Z
HIGH

CVE-2025-66287 — WebKitGTK: A flaw was found in WebKitGTK.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-66287

A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling. CVSSv3.1 8.8 (HIGH) · EPSS 30th percentile

CWECWE 120VNDWebkitgtkTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-12-04
2025-12-04 14:00Z
CRIT

Arista NextGen Firewall XSS to RCE Chain

Bishop Fox Labs·bishopfox.comCVE-2025-6980CVE-2025-6979CVE-2025-6978in the wild

Bishop Fox disclosed a critical vulnerability chain in Arista Next Generation Firewalls affecting three CVEs: CVE-2025-6980 (information disclosure exposing VPN credentials), CVE-2025-6979 (reflected XSS for credential theft), and CVE-2025-6978 (command injection for RCE). Researchers confirmed the XSS-to-RCE chain is exploitable in real-world conditions and that Arista's patch for CVE-2025-6978 does not fully remediate the underlying issues, leaving administrator-level exploitation possible.

TACTA0004TACTA0001SRFNetwork ApplianceTACTA0006VNDAristaTYPResearchTYPVulnerabilitySTGPrivesc
92
Edit Score
2025-12-04
2025-12-04 12:00Z
HIGH

Dangerous Invitations: Russian Threat Actor Spoofs European Security Events in Targeted Phishing Attacks

Volexity·volexity.com

Volexity documents ongoing campaigns by Russian APT UTA0355 abusing Microsoft 365 OAuth and Device Code authentication workflows to phish credentials from targeted users. The threat actor creates fake websites impersonating legitimate European security conferences (Belgrade Security Conference, Brussels Indo-Pacific Dialogue), uses rapport-building phishing, compromised accounts, and out-of-band communication via WhatsApp/Signal to socially engineer victims into granting unauthorized account access.

TACTA0001TACTA0006SRFIdentitySRFWebSRFCloudVNDMicrosoftVNDGoogleTYPResearch
78
Edit Score
2025-12-03
2025-12-03 21:15Z
CRIT

CVE-2025-64055 — Fanvil X210_firmware: file upload, firmware update, reboot...) via a crafted authentication bypass.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-64055

An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to access administrative functions of the device (e.g. file upload, firmware update, reboot...) via a crafted authentication bypass. CVSSv3.1 9.8 (CRITICAL) · EPSS 40th percentile

CWECWE 287VNDFanvilTYPVulnerability
9.8
CVSS v3.1
99
Edit Score