CVE ID : CVE-2025-4388

Published : May 6, 2025, 6:15 p.m. | 1 hour, 19 minutes ago

Description : A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the modules/apps/marketplace/marketplace-app-manager-web.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-46816

Published : May 6, 2025, 7:16 p.m. | 19 minutes ago

Description : goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue.

Severity: 9.4 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-46820

Published : May 6, 2025, 7:16 p.m. | 19 minutes ago

Description : phpgt/Dom provides access to modern DOM APIs. Versions of phpgt/Dom prior to 4.1.8 expose the GITHUB_TOKEN in the Dom workflow run artifact. The ci.yml workflow file uses actions/upload-artifact@v4 to upload the build artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file containing the run’s GITHUB_TOKEN. Seeing as the artifact can be downloaded prior to the end of the workflow, there is a few seconds where an attacker can extract the token from the artifact and use it with the GitHub API to push malicious code or rewrite release commits in your repository. Any downstream user of the repository may be affected, but the token should only be valid for the duration of the workflow run, limiting the time during which exploitation could occur. Version 4.1.8 fixes the issue.

Severity: 7.1 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Le Biniou is a music visualization / VJing tool which works with music, voice, ambient sounds, whatever acoustic source you…

Gourmand is a fork of the Gourmet Recipe Manager: a manager, editor, and organizer for recipes. The post Gourmand Recipe…

Maintaining an open source project can be a big responsibility. But it’s not one you’re obligated to bear forever. Maybe…

Android Security Update – Critical Patch Released for Actively Exploited Vulnerability

Google has released the Android Security Bulletin for May 2025, addressing multiple vulnerabilities, including a high-severity remote code execution flaw that is actively being exploited in the wild.
…
Read more

Published Date:
May 06, 2025 (2 hours, 56 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-27363

RCE flaw in tool for building AI agents exploited by attackers (CVE-2025-3248)

A missing authentication vulnerability (CVE-2025-3248) in Langflow, a web application for building AI-driven agents, is being exploited by attackers in the wild, CISA has confirmed by adding it to its …
Read more

Published Date:
May 06, 2025 (2 hours, 46 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-3248

DragonForce Ransomware Hits Harrods, Marks and Spencer, Co-Op & Other UK Retailers

A coordinated wave of cyberattacks has struck major UK retailers in recent weeks, with the DragonForce ransomware group claiming responsibility for breaches at Marks & Spencer, Co-op, and luxury depar …
Read more

Published Date:
May 06, 2025 (2 hours, 28 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2021-44228

Google fixes actively exploited FreeType flaw on Android

Google has released the May 2025 security updates for Android with fixes for 45 security flaws, including an actively exploited zero-click FreeType 2 code execution vulnerability.
FreeType is a popula …
Read more

Published Date:
May 06, 2025 (2 hours, 21 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-27363

CISA Adds Langflow flaw to KEV Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2025-3248, a critical vulnerability in Langflow, to its Known Exploited Vulnerabilities (KEV) Catalog, citing activ …
Read more

Published Date:
May 06, 2025 (26 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-3248

⚡ Weekly Recap: Nation-State Hacks, Spyware Alerts, Deepfake Malware, Supply Chain Backdoors

Cybersecurity / Hacking News
What if attackers aren’t breaking in—they’re already inside, watching, and adapting?
This week showed a sharp rise in stealth tactics built for long-term access and silent …
Read more

Published Date:
May 05, 2025 (1 day, 3 hours ago)

Vulnerabilities has been mentioned in this article.

Samsung MagicINFO 9 Server Vulnerability Exploited in the Wild

A critical security vulnerability in Samsung’s digital signage management platform has moved from theoretical risk to active threat as attackers begin exploiting it in real-world attacks.
CVE-2024-739 …
Read more

Published Date:
May 06, 2025 (2 hours ago)

Vulnerabilities has been mentioned in this article.

CVE-2024-7399

CVE ID : CVE-2025-45607

Published : May 5, 2025, 8:15 p.m. | 18 hours, 44 minutes ago

Description : An issue in the component /manage/ of itranswarp v2.19 allows attackers to bypass authentication via a crafted request.

Severity: 9.8 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-45611

Published : May 5, 2025, 8:15 p.m. | 18 hours, 44 minutes ago

Description : Incorrect access control in the /user/edit/ component of hope-boot v1.0.0 allows attackers to bypass authentication via a crafted GET request.

Severity: 9.8 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-45612

Published : May 5, 2025, 8:15 p.m. | 18 hours, 44 minutes ago

Description : Incorrect access control in xmall v1.1 allows attackers to bypass authentication via a crafted GET request to /index.

Severity: 9.8 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-0984

Published : May 6, 2025, 12:15 p.m. | 2 hours, 44 minutes ago

Description : Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Netoloji Software E-Flow allows Accessing Functionality Not Properly Constrained by ACLs, Stored XSS, File Content Injection.This issue affects E-Flow: before 3.23.00.

Severity: 8.2 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-4349

Published : May 6, 2025, 12:15 p.m. | 2 hours, 44 minutes ago

Description : A vulnerability classified as critical has been found in D-Link DIR-600L up to 2.07B01. This affects the function formSysCmd. The manipulation of the argument host leads to command injection. It is possible to initiate the attack remotely. This vulnerability only affects products that are no longer supported by the maintainer.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-4350

Published : May 6, 2025, 12:15 p.m. | 2 hours, 44 minutes ago

Description : A vulnerability classified as critical was found in D-Link DIR-600L up to 2.07B01. This vulnerability affects the function wake_on_lan. The manipulation of the argument host leads to command injection. The attack can be initiated remotely. This vulnerability only affects products that are no longer supported by the maintainer.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-4352

Published : May 6, 2025, 12:15 p.m. | 3 hours, 19 minutes ago

Description : A vulnerability, which was classified as critical, has been found in Golden Link Secondary System up to 20250424. This issue affects some unknown processing of the file /reprotframework/tcEntrFlowSelect.htm. The manipulation of the argument custTradeId leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Severity: 6.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…