2025-09-22
2025-09-22 19:16Z
CRIT

CVE-2025-58255 — Site: Cross-Site Request Forgery (CSRF) vulnerability in yonisink Custom Post Type Images custom-post-types-image allows Code

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-58255

Cross-Site Request Forgery (CSRF) vulnerability in yonisink Custom Post Type Images custom-post-types-image allows Code Injection.This issue affects Custom Post Type Images: from n/a through <= 0.5. CVSSv3.1 9.6 (CRITICAL)

CWECWE 352TYPVulnerability
9.6
CVSS v3.1
98
Edit Score
2025-09-22
2025-09-22 19:16Z
HIGH

CVE-2025-58250 — Site: Cross-Site Request Forgery (CSRF) vulnerability in ApusTheme Findgo fingo allows Authentication Bypass.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-58250

Cross-Site Request Forgery (CSRF) vulnerability in ApusTheme Findgo fingo allows Authentication Bypass.This issue affects Findgo: from n/a through <= 1.3.55. CVSSv3.1 8.8 (HIGH)

CWECWE 352TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-09-22
2025-09-22 19:16Z
HIGH

CVE-2025-58244 — Site: Cross-Site Request Forgery (CSRF) vulnerability in Anps Constructo constructo allows Object Injection.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-58244

Cross-Site Request Forgery (CSRF) vulnerability in Anps Constructo constructo allows Object Injection.This issue affects Constructo: from n/a through <= 4.3.9. CVSSv3.1 8.8 (HIGH)

CWECWE 352TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-09-22
2025-09-22 19:16Z
HIGH

CVE-2025-58013 — Site: Cross-Site Request Forgery (CSRF) vulnerability in pebas CouponXxL couponxxl allows Privilege Escalation.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-58013

Cross-Site Request Forgery (CSRF) vulnerability in pebas CouponXxL couponxxl allows Privilege Escalation.This issue affects CouponXxL: from n/a through <= 4.5.0. CVSSv3.1 8.8 (HIGH)

CWECWE 352TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-09-22
2025-09-22 19:15Z
HIGH

CVE-2025-57685 — Link: The LB-Link routers, including the BL-AC2100_AZ3 V1.0.4, BL-WR4000 v2.5.0, BL-WR9000_AE4 v2.4.9, BL-AC1900_AZ2 v1.0.2, BL-X26_AC8

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-57685

The LB-Link routers, including the BL-AC2100_AZ3 V1.0.4, BL-WR4000 v2.5.0, BL-WR9000_AE4 v2.4.9, BL-AC1900_AZ2 v1.0.2, BL-X26_AC8 v1.2.8, and BL-LTE300_DA4 V1.2.3 models, are vulnerable to unauthorized command injection. Attackers can exploit this vulnerability by accessing the /goform/set_serial_cfg interface to gain the highest level of device privileges without authorization, enabling them to remotely execute malicious commands. CVSSv3.1 8.8 (HIGH) · EPSS 70th percentile

CWECWE 77VNDLinkTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-09-22
2025-09-22 19:15Z
HIGH

CVE-2025-53468 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-53468

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus@hotmail.com Wp tabber widget wp-tabber-widget allows SQL Injection.This issue affects Wp tabber widget: from n/a through <= 4.0. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-09-19
2025-09-19 16:26Z
CRIT

DeviceCodePhishing — This is a novel technique that leverages the well-known Device Code phishing approach. It dynamically initiates the flow

GitHub · Azure / Entra tools·github.comGITHUB POC

DeviceCodePhishing is a novel phishing tool that automates Azure Entra Device Code Flow attacks using headless browser automation, eliminating the 10-minute manual entry window and defeating MFA including FIDO2. The attack redirects victims to legitimate authentication pages, making detection nearly impossible; Microsoft patched standard Entra tenants but federated Entra tenants remain vulnerable.

TACTA0001TACTA0006SRFIdentitySRFCloudVNDMicrosoftVNDAzureTYPResearchTYPTool
92
Edit Score
728 × 90 / responsive · programmatic ad slot
2025-09-19
2025-09-19 00:00Z
HIGH

How AI-Native Development Platforms Enable Fake Captcha Pages

Trend Micro Research·trendmicro.comin the wild

Trend Micro documents a surge in phishing campaigns since January 2025 leveraging AI-native development platforms (Vercel, Netlify, Lovable) to host fake CAPTCHA pages that deceive users and evade automated security scanning. Attackers exploit the ease of deployment, free hosting tiers, and inherited domain credibility to redirect victims to credential-harvesting sites after CAPTCHA completion. The research identifies 95 malicious instances across the three platforms, with Vercel hosting 52 sites and Lovable 43, demonstrating a scalable attack pattern.

TACTA0001SRFWebSRFAiVNDVercelVNDLovableVNDNetlifyTYPResearchTYPThreat Intel
72
Edit Score
2025-09-18
2025-09-18 21:15Z
CRIT

CVE-2025-54807 — An attacker who obtains the signing key can bypass authentication, gaining complete access to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-54807

The secret used for validating authentication tokens is hardcoded in device firmware for affected versions. An attacker who obtains the signing key can bypass authentication, gaining complete access to the system. CVSSv3.1 9.8 (CRITICAL) · EPSS 26th percentile

CWECWE 321TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-09-18
2025-09-18 16:15Z
HIGH

CVE-2023-49367 — An issue in user interface in Kyocera Command Center RX EXOSYS M5521cdn allows remote

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-49367

An issue in user interface in Kyocera Command Center RX EXOSYS M5521cdn allows remote to obtain sensitive information via inspecting sent packages by user. CVSSv3.1 8.8 (HIGH) · EPSS 22th percentile

CWECWE 200TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-09-18
2025-09-18 12:15Z
CRIT

CVE-2024-13151 — CWE: 89 - Improper Neutralization of Special Elements used in an SQL Command

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-13151

CWE - 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ESBI Information and Telecommunication Industry and Trade Limited Company Auto Service Software allows SQL Injection. This issue affects Auto Service Software: before v.2025.10.01. CVSSv3.1 9.8 (CRITICAL) · EPSS 13th percentile

VNDCweTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-09-18
2025-09-18 00:00Z
CRIT

What We Know About the NPM Supply Chain Attack

Trend Micro Research·trendmicro.comin the wild

A large-scale NPM supply chain attack compromised ~500 JavaScript packages via targeted phishing against maintainer accounts, injecting malicious code including the Shai-hulud worm. The worm self-replicates across NPM packages, steals GitHub tokens, injects malicious CI/CD workflows, clones private repositories to attacker infrastructure, and harvests secrets using TruffleHog. Organizations across North America and Europe have been affected by the Cryptohijacker payload variant, which diverts cryptocurrency assets through API hijacking and network traffic manipulation.

SRFApplicationTACTA0004TACTA0005TACTA0001TACTA0006TACTA0007TACTA0003TACTA0008
92
Edit Score
2025-09-17
2025-09-17 12:15Z
CRIT

CVE-2025-10439 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-10439

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yordam Informatics Yordam Library Automation System allows SQL Injection. This issue affects Yordam Library Automation System: from 21.5 & 21.6 before 21.7. CVSSv3.1 9.8 (CRITICAL) · EPSS 17th percentile

CWECWE 89TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-09-16
2025-09-16 20:15Z
CRIT

CVE-2025-57631 — Tduckcloud Tduck: SQL Injection vulnerability in TDuckCloud v.5.1 allows a remote attacker to execute arbitrary code

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-57631

SQL Injection vulnerability in TDuckCloud v.5.1 allows a remote attacker to execute arbitrary code via the Add a file upload module CVSSv3.1 9.8 (CRITICAL) · EPSS 51th percentile

CWECWE 89VNDTduckcloudTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-09-16
2025-09-16 20:15Z
CRIT

CVE-2025-34186 — Ilevia Eve_x1_server_firmware: Because the binary interprets non-zero exit codes from system() as successful authentication, remote attackers

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-34186

Ilevia EVE X1/X5 Server version ≤ 4.7.18.0.eden contains a vulnerability in its authentication mechanism. Unsanitized input is passed to a system() call for authentication, allowing attackers to inject special characters and manipulate command parsing. Because the binary interprets non-zero exit codes from system() as successful authentication, remote attackers can bypass authentication and gain full access to the system. CVSSv3.1 9.8 (CRITICAL) · EPSS 74th percentile

CWECWE 287CWECWE 78VNDIleviaTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-09-16
2025-09-16 19:15Z
CRIT

CVE-2025-56557 — Tuya Tuya: An issue discovered in the Tuya Smart Life App 5.6.1 allows attackers to unprivileged

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-56557

An issue discovered in the Tuya Smart Life App 5.6.1 allows attackers to unprivileged control Matter devices via the Matter protocol. CVSSv3.1 9.1 (CRITICAL) · EPSS 22th percentile

CWECWE 250VNDTuyaTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-09-16
2025-09-16 15:15Z
HIGH

CVE-2024-13174 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-13174

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in E1 Informatics Web Application allows SQL Injection. This issue affects Web Application: through 20250916.  NOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available. CVSSv3.1 8.6 (HIGH) · EPSS 11th percentile

CWECWE 89TYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2025-09-16
2025-09-16 15:15Z
CRIT

CVE-2024-13149 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE -

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-13149

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 200 - Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Arma Store Armalife allows SQL Injection. This issue affects Armalife: through 20250916.  NOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available. CVSSv3.1 9.8 (CRITICAL) · EPSS 11th percentile

CWECWE 89TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-09-16
2025-09-16 14:15Z
CRIT

CVE-2025-57119 — Phpgurukul Online_library_management_system: An issue in Online Library Management System v.3.0 allows an attacker to escalate privileges

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-57119

An issue in Online Library Management System v.3.0 allows an attacker to escalate privileges via the adminlogin.php component and the Login function CVSSv3.1 9.8 (CRITICAL) · EPSS 41th percentile

CWECWE 250VNDPhpgurukulVNDOnlineTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-09-16
2025-09-16 13:15Z
HIGH

CVE-2025-10537 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-10537

Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3. CVSSv3.1 8.8 (HIGH)

CWECWE 119VNDMozillaTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-09-16
2025-09-16 13:15Z
HIGH

CVE-2025-10534 — Mozilla Firefox: Spoofing issue in the Site Permissions component.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-10534

Spoofing issue in the Site Permissions component. This vulnerability was fixed in Firefox 143 and Thunderbird 143. CVSSv3.1 8.1 (HIGH)

CWECWE 79VNDMozillaVNDSpoofingTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-09-16
2025-09-16 13:15Z
HIGH

CVE-2025-10533 — Mozilla Firefox: Integer overflow in the SVG component.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-10533

Integer overflow in the SVG component. This vulnerability was fixed in Firefox 143, Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3. CVSSv3.1 8.8 (HIGH)

CWECWE 190VNDMozillaTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-09-16
2025-09-16 13:00Z
CRIT

State of the SaaS Security Union

Bishop Fox Labs·bishopfox.comin the wild

Bishop Fox documents two concurrent threat campaigns targeting SaaS applications: UNC6040 (ShinyHunters/Scattered Spider) conducting OAuth phishing and credential attacks against Salesforce customers for ransom, and UNC6395 (suspected nation-state APT) exploiting integration misconfigurations in Salesloft to compromise 700+ customers and pivot into downstream SaaS and AWS environments. The attacks expose critical gaps in SaaS security posture, particularly overprivileged integration accounts and lack of secrets management visibility.

SRFApplicationTACTA0001TACTA0006TACTA0007SRFCloudTACTA0008VNDSalesforceVNDAws
78
Edit Score
2025-09-16
2025-09-16 12:15Z
CRIT

CVE-2025-7744 — Dolusoft Omaspot: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-7744

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dolusoft Omaspot allows SQL Injection. This issue affects Omaspot: before 12.09.2025. CVSSv3.1 9.8 (CRITICAL) · EPSS 17th percentile

CWECWE 89VNDDolusoftTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-09-16
2025-09-16 12:15Z
CRIT

CVE-2025-7743 — Dolusoft Omaspot: Cleartext Transmission of Sensitive Information vulnerability in Dolusoft Omaspot allows Interception, Privilege Escalation.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-7743

Cleartext Transmission of Sensitive Information vulnerability in Dolusoft Omaspot allows Interception, Privilege Escalation. This issue affects Omaspot: before 12.09.2025. CVSSv3.1 9.6 (CRITICAL)

CWECWE 319VNDCleartextVNDDolusoftTYPVulnerability
9.6
CVSS v3.1
98
Edit Score