Critical Kibana Flaws: CVE-2025-2135 (CVSS 9.9) Allows Heap Corruption & RCE; Open Redirect Also Patched

Critical Kibana Flaws: CVE-2025-2135 (CVSS 9.9) Allows Heap Corruption & RCE; Open Redirect Also Patched

Elastic has published a security advisory addressing two significant vulnerabilities in Kibana, the visualization and dashboarding layer for the Elastic Stack. One vulnerability, CVE-2025-2135, is par …
Read more

Published Date:
Jun 25, 2025 (4 hours, 22 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-0966 – IBM InfoSphere Information Server SQL Injection Vulnerability

CVE ID : CVE-2025-0966

Published : June 25, 2025, 3:15 a.m. | 1 hour, 43 minutes ago

Description : IBM InfoSphere Information Server 11.7 vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.

Severity: 7.6 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-36004 – IBM Facsimile Support for i Privilege Escalation Vulnerability

CVE ID : CVE-2025-36004

Published : June 25, 2025, 3:15 a.m. | 1 hour, 42 minutes ago

Description : IBM i 7.2, 7.3, 7.4, and 7.5 could allow a user to gain elevated privileges due to an unqualified library call in IBM Facsimile Support for i. A malicious actor could cause user-controlled code to run with administrator privilege.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-5585 – SiteOrigin Widgets Bundle Stored Cross-Site Scripting Vulnerability

CVE ID : CVE-2025-5585

Published : June 25, 2025, 3:15 a.m. | 1 hour, 42 minutes ago

Description : The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-url` DOM Element Attribute in all versions up to, and including, 1.68.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Rogue WordPress Plugin Unmasked: Stealthy Malware Skims Credit Cards & Steals Credentials

Rogue WordPress Plugin Unmasked: Stealthy Malware Skims Credit Cards & Steals Credentials

The Wordfence Threat Intelligence Team has unveiled a powerful malware framework operating under the guise of a rogue WordPress plugin. This campaign, first identified during a site clean on May 16, 2 …
Read more

Published Date:
Jun 25, 2025 (2 hours, 45 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2022-31626

Urgent Advantech Alert: Critical Flaws (CVSS 9.6) Expose Industrial Automation to Remote Takeover, PoC Releases

Urgent Advantech Alert: Critical Flaws (CVSS 9.6) Expose Industrial Automation to Remote Takeover, PoC Releases

The Phantom The Cyber Security Agency (CSA) of Singapore has issued an urgent security advisory highlighting multiple high-impact vulnerabilities affecting Advantech’s industrial automation products, …
Read more

Published Date:
Jun 25, 2025 (2 hours, 41 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-48470

CVE-2025-48469

CVE-2025-48468

CVE-2025-48467

CVE-2025-48466

CVE-2025-48463

CVE-2025-48462

CVE-2025-48461

Critical Flaws in ELECOM Routers: JPCERT/CC Issues Warning Over Command Injection and XSS Risks

Critical Flaws in ELECOM Routers: JPCERT/CC Issues Warning Over Command Injection and XSS Risks

In its latest vulnerability disclosure, JPCERT/CC has sounded the alarm on multiple critical security flaws affecting a range of wireless LAN routers manufactured by ELECOM CO., LTD. The vulnerabiliti …
Read more

Published Date:
Jun 25, 2025 (2 hours, 26 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-48890

CVE-2025-43879

CVE-2025-43877

CVE-2025-41427

CVE-2025-36519

CVE-2024-45200

Flaws Found in Hitachi Energy’s MicroSCADA X SYS600: CVEs Could Enable File Tampering, DoS, and MITM Attacks

Flaws Found in Hitachi Energy’s MicroSCADA X SYS600: CVEs Could Enable File Tampering, DoS, and MITM Attacks

Hitachi Energy has released a cybersecurity advisory (8DBD000218) disclosing five newly discovered vulnerabilities affecting its MicroSCADA X SYS600 product, a widely deployed supervisory control and …
Read more

Published Date:
Jun 25, 2025 (1 hour, 12 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-39205

CVE-2025-39204

CVE-2025-39203

CVE-2025-39202

CVE-2025-39201

Double Injection Risk in NVIDIA Megatron-LM: Code Execution Flaws Patched in v0.12.1

Double Injection Risk in NVIDIA Megatron-LM: Code Execution Flaws Patched in v0.12.1

NVIDIA has released a security bulletin addressing two newly discovered vulnerabilities—CVE-2025-23264 and CVE-2025-23265—affecting Megatron-LM, its open-source large language model (LLM) framework de …
Read more

Published Date:
Jun 25, 2025 (1 hour, 5 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-23265

CVE-2025-23264

CVE-2024-0138

SonicWall Warns: Trojanized NetExtender VPN Client Stealing Credentials in Active Campaign

SonicWall Warns: Trojanized NetExtender VPN Client Stealing Credentials in Active Campaign

SonicWall, in collaboration with Microsoft Threat Intelligence (MSTIC), has uncovered a sophisticated campaign that distributes a Trojanized version of SonicWall’s NetExtender VPN client, masquerading …
Read more

Published Date:
Jun 25, 2025 (51 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-36537

CVE-2024-40766

TeamViewer Remote Management Bug (CVE-2025-36537) Enables Privilege Escalation

TeamViewer Remote Management Bug (CVE-2025-36537) Enables Privilege Escalation

TeamViewer, a widely used remote access and management platform, has disclosed a new vulnerability that impacts its Remote Management features on Windows systems. Tracked as CVE-2025-36537, the flaw h …
Read more

Published Date:
Jun 25, 2025 (44 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-36537

CVE-2025-0065

CVE-2025-52572 – Hikka Telegram Userbot Remote Code Execution and Account Takeover Vulnerability

CVE ID : CVE-2025-52572

Published : June 24, 2025, 9:15 p.m. | 4 hours, 14 minutes ago

Description : Hikka, a Telegram userbot, has vulnerability affects all users on all versions of Hikka. Two scenarios are possible. 1. Web interface does not have an authenticated session: attacker can use his own Telegram account to gain RCE to the server by authorizing in the dangling web interface. 2. Web interface does have an authenticated session: due to insufficient warning in the authentication message, users were tempted to click “Allow” in the “Allow web application ops” menu. This gave an attacker access not only to remote code execution, but also to Telegram accounts of owners. Scenario number 2 is known to have been exploited in the wild. No known patches are available, but some workarounds are available. Use `–no-web` flag and do not start userbot without it; after authorizing in the web interface, close the port on the server and/or start the userbot with `–no-web` flag; and do not click “Allow” in your helper bot unless it is your explicit action that needs to be allowed.

Severity: 10.0 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-52883 – Meshtastic-Android PKC Impersonation Vulnerability

CVE ID : CVE-2025-52883

Published : June 24, 2025, 9:15 p.m. | 5 hours, 40 minutes ago

Description : Meshtastic-Android is an Android application for the mesh radio software Meshtastic. Prior to version 2.5.21, an attacker is able to send an unencrypted direct message to a victim impersonating any other node of the mesh. This message will be displayed in the same chat that the victim normally communicates with the other node and it will appear as using PKC, while it is not. This means that the victim will be provided with a false sense of security due to the green padlock displayed when using PKC and they’ll read the attacker’s message as legitimate. Version 2.5.21 contains a patch for the issue. It is suggested to implement a stricter control on whether a message has been received using PKC or using the shared Meshtastic channel key. Moreover, instead of showing no green padlock icon in the chat with no PKC, consider using an explicit indicator like, for example, the yellow half-open padlock displayed when in HAM mode. This remediation, however, applies to the client applications rather than the Meshtastic firmware.

Severity: 5.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…