Security

Nessus Windows Vulnerabilities Allow Overwrite of Arbitrary Local System Files

A newly disclosed security advisory from Tenable reveals serious vulnerabilities in the Nessus vulnerability scanner that could enable attackers to compromise Windows systems through privilege escalat …
Read more

Published Date:
Jul 02, 2025 (3 hours, 36 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-36630

CVE-2025-6021

CVE-2025-24855

Honderdduizenden WordPress-sites via lek in Forminator over te nemen

Een kwetsbaarheid in een veelgebruikte plug-in voor WordPress maakt remote code execution op honderdduizenden websites mogelijk, die zo volledig zijn over te nemen. Een update die het probleem verhelp …
Read more

Published Date:
Jul 02, 2025 (3 hours, 9 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-6463

Critical Vulnerability in Anthropic MCP Inspector Let Attackers Execute Arbitrary Code

A critical Remote Code Execution (RCE) vulnerability in Anthropic’s MCP Inspector tool, designated as CVE-2025-49596, has a severe CVSS score of 9.4.
This vulnerability represents one of the first cri …
Read more

Published Date:
Jul 02, 2025 (1 hour, 31 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-49596

Critical WordPress Plugin Vulnerability Exposes 600,000+ Sites to Remote Takeover

A severe arbitrary file deletion vulnerability has been discovered in the popular Forminator WordPress plugin, affecting over 600,000 active installations worldwide.
The vulnerability, assigned CVE-20 …
Read more

Published Date:
Jul 02, 2025 (1 hour, 25 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-6463

CISA Adds TelelMessage TM SGNL to KEV Catalog

Skip to contentCVE-2025-48927 — Insecure Spring Boot Heap Dump Exposure📌 Description:This vulnerability exists in TeleMessage TM SGNL due to an exposed Spring Boot Actuator /heapdump endpoint, accessi …
Read more

Published Date:
Jul 02, 2025 (28 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-6554

CVE-2025-48928

CVE-2025-48927

CVE ID : CVE-2025-27023

Published : July 2, 2025, 10:15 a.m. | 1 hour, 28 minutes ago

Description : Lack or insufficent input validation in WebGUI CLI web in Infinera G42
version R6.1.3 allows remote authenticated users to read all OS files
via crafted CLI commands.

Details: The web interface based management of the Infinera G42 appliance enables the feature of
executing a restricted set of commands. This feature
also offers the option to execute a script-file already present on the target
device. When a non-script or incorrect file is specified, the content
of the file is shown along with an error message. Due to an execution of the http service with a privileged user all files on the file system can be viewed this way.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-27024

Published : July 2, 2025, 10:15 a.m. | 1 hour, 28 minutes ago

Description : Unrestricted access to OS file system in SFTP service in Infinera G42
version R6.1.3 allows remote authenticated users to read/write OS files
via SFTP connections.

Details: Account members of the Network Administrator profile can access the
target machine via SFTP with the same credentials used for SSH CLI
access and are able to read all files according to the OS permission instead of remaining inside the chrooted directory position.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-27025

Published : July 2, 2025, 10:15 a.m. | 1 hour, 28 minutes ago

Description : The target device exposes a service on a specific TCP port with a configured
endpoint. The access to that endpoint is granted using a Basic Authentication
method. The endpoint accepts also the PUT method and it is possible to
write files on the target device file system. Files are written as root.
Using Postman it is possible to perform a Directory Traversal attack
and write files into any location of the device file system. Similarly to the PUT method, it is possible to leverage the
same mechanism to read any file from the file system by using the GET
method.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-2330

Published : July 2, 2025, 10:15 a.m. | 1 hour, 28 minutes ago

Description : The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘button+modal’ widget in all versions up to, and including, 2.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-4946

Published : July 2, 2025, 10:15 a.m. | 1 hour, 28 minutes ago

Description : The Vikinger theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the vikinger_delete_activity_media_ajax() function in all versions up to, and including, 1.9.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Note: Requires Vikinger Media plugin to be installed and active.

Severity: 8.1 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-39362

Published : July 2, 2025, 11:15 a.m. | 28 minutes ago

Description : Missing Authorization vulnerability in Mollie Mollie Payments for WooCommerce.This issue affects Mollie Payments for WooCommerce: from n/a through 8.0.2.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-6297

Published : July 1, 2025, 5:15 p.m. | 16 hours, 59 minutes ago

Description : It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is
documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on
adversarial .deb packages or with well compressible files, placed
inside a directory with permissions not allowing removal by a non-root
user, this can end up in a DoS scenario due to causing disk quota
exhaustion or disk full conditions.

Severity: 8.2 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-37099

Published : July 1, 2025, 6:15 p.m. | 15 hours, 59 minutes ago

Description : A remote code execution vulnerability exists in HPE Insight Remote Support (IRS) prior to v7.15.0.646.

Severity: 9.8 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-45080

Published : July 1, 2025, 6:15 p.m. | 15 hours, 59 minutes ago

Description : YONO SBI: Banking & Lifestyle v1.23.36 was discovered to use unencrypted communicatons, possibly allowing attackers to execute a man-in-the-middle attack.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-45081

Published : July 1, 2025, 6:15 p.m. | 15 hours, 59 minutes ago

Description : Misconfigured settings in IITB SSO v1.1.0 allow attackers to access sensitive application data.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-53104

Published : July 1, 2025, 7:15 p.m. | 14 hours, 59 minutes ago

Description : gluestack-ui is a library of copy-pasteable components & patterns crafted with Tailwind CSS (NativeWind). Prior to commit e6b4271, a command injection vulnerability was discovered in the discussion-to-slack.yml GitHub Actions workflow. Untrusted discussion fields (title, body, etc.) were directly interpolated into shell commands in a run: block. An attacker could craft a malicious GitHub Discussion title or body (e.g., $(curl …)) to execute arbitrary shell commands on the Actions runner. This issue has been fixed in commit e6b4271 where the discussion-to-slack.yml workflow was removed. Users should remove the discussion-to-slack.yml workflow if using a fork or derivative of this repository.

Severity: 9.1 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-36630

Published : July 2, 2025, 12:15 a.m. | 9 hours, 59 minutes ago

Description : In Tenable Nessus versions prior to 10.8.5 on a Windows host, it was found that a non-administrative user could overwrite arbitrary local system files with log content at SYSTEM privilege.

Severity: 8.4 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-5692

Published : July 2, 2025, 3:15 a.m. | 6 hours, 59 minutes ago

Description : The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the doFieldAjaxAction() function in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Other AJAX actions handling plugin settings are also insufficiently protected and exploitable.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-3848

Published : July 2, 2025, 4:15 a.m. | 5 hours, 59 minutes ago

Description : The Download Manager and Payment Form WordPress Plugin – WP SmartPay plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 1.1.0 to 2.7.13. This is due to the plugin not properly validating a user’s identity prior to updating their email through the update() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user’s email addresses, including administrators, and leverage that to reset the user’s password and gain access to their account.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-4380

Published : July 2, 2025, 4:15 a.m. | 5 hours, 59 minutes ago

Description : The Ads Pro Plugin – Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.89 via the ‘bsa_template’ parameter of the `bsa_preview_callback` function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases .php files can can be uploaded and included, or already exist on the site.

Severity: 8.1 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…