CVE ID : CVE-2025-27889
Published : July 10, 2025, 5:15 p.m. | 2 hours, 3 minutes ago
Description : Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker.
Severity: 3.4 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-47811
Published : July 10, 2025, 5:15 p.m. | 2 hours, 3 minutes ago
Description : In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate ways to execute arbitrary system commands (i.e., through the web console or the task scheduler), and they are automatically executed in the highest possible privilege context. Because administrative users of the web interface are not necessarily also system administrators, one might argue that this is a privilege escalation. (If a privileged application role is not available to an attacker, CVE-2025-47812 can be leveraged.) NOTE: the vendor reportedly considers this behavior “fine to keep.”
Severity: 4.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-47812
Published : July 10, 2025, 5:15 p.m. | 29 minutes ago
Description : In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle ” bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-47813
Published : July 10, 2025, 5:15 p.m. | 2 hours, 3 minutes ago
Description : loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-49462
Published : July 10, 2025, 5:15 p.m. | 2 hours, 3 minutes ago
Description : Cross-site scripting in certain Zoom Clients before version 6.4.5 may allow an authenticated user to conduct a disclosure of information via network access.
Severity: 3.5 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-49463
Published : July 10, 2025, 5:15 p.m. | 2 hours, 3 minutes ago
Description : Insufficient control flow management in certain Zoom Clients for iOS before version 6.4.5 may allow an unauthenticated user to conduct a disclosure of information via network access.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-49464
Published : July 10, 2025, 5:15 p.m. | 2 hours, 3 minutes ago
Description : Classic buffer overflow in certain Zoom Clients for Windows may allow an authorised user to conduct a denial of service via network access.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-7410
Published : July 10, 2025, 5:15 p.m. | 2 hours, 3 minutes ago
Description : A vulnerability was found in code-projects LifeStyle Store 1.0. It has been classified as critical. Affected is an unknown function of the file /cart_remove.php. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-49630
Published : July 10, 2025, 5:15 p.m. | 2 hours, 3 minutes ago
Description : In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2.
Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to “on”.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-49812
Published : July 10, 2025, 5:15 p.m. | 2 hours, 3 minutes ago
Description : In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.
Only configurations using “SSLEngine optional” to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-53020
Published : July 10, 2025, 5:15 p.m. | 2 hours, 3 minutes ago
Description : Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server.
This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63.
Users are recommended to upgrade to version 2.4.64, which fixes the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-7409
Published : July 10, 2025, 5:15 p.m. | 2 hours, 3 minutes ago
Description : A vulnerability was found in code-projects Mobile Shop 1.0 and classified as critical. This issue affects some unknown processing of the file /LoginAsAdmin.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-53371
Published : July 10, 2025, 6:15 p.m. | 1 hour, 3 minutes ago
Description : DiscordNotifications is an extension for MediaWiki that sends notifications of actions in your Wiki to a Discord channel. DiscordNotifications allows sending requests via curl and file_get_contents to arbitrary URLs set via $wgDiscordIncomingWebhookUrl and $wgDiscordAdditionalIncomingWebhookUrls. This allows for DOS by causing the server to read large files. SSRF is also possible if there are internal unprotected APIs that can be accessed using HTTP POST requests, which could also possibly lead to RCE. This vulnerability is fixed in commit 1f20d850cbcce5b15951c7c6127b87b927a5415e.
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
The this keyword in JavaScript is like a chameleon – it changes its meaning depending on where and how it’s…
Tired of making projects that are just AI API wrappers? Do you want to learn how to build a real…
Overview You may have seen this pop-up message appearing on the main page of your EPM instance: …
Useful Laravel links to read/watch for this week of July 10, 2025. Source: Read MoreÂ
Cryptocurrency users are the target of an ongoing social engineering campaign that employs fake startup companies to trick users into…
This post is cowritten with Siddhant Waghjale and Samuel Barry from Mistral AI. Model Context Protocol (MCP) is a standard…
Rocket Companies is a Detroit-based FinTech company with a mission to “Help Everyone Home.” Although known to many as a…