Security

CVE ID : CVE-2025-8764

Published : Aug. 9, 2025, 7:15 p.m. | 4 hours, 25 minutes ago

Description : A vulnerability classified as critical has been found in linlinjava litemall up to 1.8.0. Affected is the function Upload of the file /wx/storage/upload. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Severity: 6.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-8765

Published : Aug. 9, 2025, 7:15 p.m. | 4 hours, 25 minutes ago

Description : A vulnerability classified as problematic was found in Datacom DM955 5GT 1200 825.8010.00. Affected by this vulnerability is an unknown functionality of the component Wireless Basic Settings. The manipulation of the argument SSID leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Severity: 3.5 | LOW

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-8772

Published : Aug. 9, 2025, 8:15 p.m. | 3 hours, 25 minutes ago

Description : A vulnerability, which was classified as problematic, has been found in Vinades NukeViet up to 4.5.06. This issue affects some unknown processing of the file /admin/index.php?language=en&nv=upload of the component Module Handler. The manipulation leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Severity: 4.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-8773

Published : Aug. 9, 2025, 8:15 p.m. | 3 hours, 25 minutes ago

Description : A vulnerability, which was classified as critical, was found in Dinstar Monitoring Platform 甘肃省危险品库监控平台 1.0. Affected is an unknown function of the file /itc/$%7BappPath%7D/login_getPasswordErrorNum.action. The manipulation of the argument userBean.loginName leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Severity: 7.3 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-8774

Published : Aug. 9, 2025, 9:15 p.m. | 2 hours, 25 minutes ago

Description : A vulnerability has been found in riscv-boom SonicBOOM up to 2.2.3 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component L1 Data Cache Handler. The manipulation leads to observable timing discrepancy. Local access is required to approach this attack. The complexity of an attack is rather high. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.

Severity: 2.5 | LOW

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-8775

Published : Aug. 9, 2025, 9:15 p.m. | 2 hours, 25 minutes ago

Description : A vulnerability was found in Qiyuesuo Eelectronic Signature Platform up to 4.34 and classified as critical. Affected by this issue is the function execute of the file /api/code/upload of the component Scheduled Task Handler. The manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Severity: 6.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-8784

Published : Aug. 9, 2025, 11:15 p.m. | 25 minutes ago

Description : A vulnerability classified as problematic was found in Portabilis i-Educar up to 2.9. This vulnerability affects unknown code of the file /intranet/funcionario_vinculo_cad.php of the component Cadastrar Vínculo Page. The manipulation of the argument nome leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Severity: 3.5 | LOW

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Success in cybersecurity is when nothing happens, plus other standout themes from two of the event’s keynotes Source: Read More

Who’s to blame when the AI tool managing a company’s compliance status gets it wrong? Source: Read More

A newly discovered campaign dubbed GreedyBear has leveraged over 150 malicious extensions to the Firefox marketplace that are designed to…

TeaOnHer hasn’t stopped at copying the functionality of the original Tea app (albeit skewed towards men rating women). It also…

A fresh set of 60 malicious packages has been uncovered targeting the RubyGems ecosystem by posing as seemingly innocuous automation…

When an organization’s credentials are leaked, the immediate consequences are rarely visible—but the long-term impact is far-reaching. Far from the…

The Australian Information Commissioner has launched civil penalty proceedings against telecommunications giant Optus over the massive 2022 data breach that…

Cybersecurity researchers are drawing attention to a new campaign that’s using legitimate generative artificial intelligence (AI)-powered website building tools like…

CVE ID : CVE-2025-50692

Published : Aug. 7, 2025, 7:15 p.m. | 1 day, 4 hours ago

Description : FoxCMS
Severity: 9.8 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-54886

Published : Aug. 8, 2025, 1:15 a.m. | 22 hours, 44 minutes ago

Description : skops is a Python library which helps users share and ship their scikit-learn based models. In versions 0.12.0 and below, the Card.get_model does not contain any logic to prevent arbitrary code execution. The Card.get_model function supports both joblib and skops for model loading. When loading .skops models, it uses skops’ secure loading with trusted type validation, raising errors for untrusted types unless explicitly allowed. However, when non-.zip file formats are provided, the function silently falls back to joblib without warning. Unlike skops, joblib allows arbitrary code execution during loading, bypassing security measures and potentially enabling malicious code execution. This issue is fixed in version 0.13.0.

Severity: 8.4 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-54887

Published : Aug. 8, 2025, 1:15 a.m. | 22 hours, 44 minutes ago

Description : jwe is a Ruby implementation of the RFC 7516 JSON Web Encryption (JWE) standard. In versions 1.1.0 and below, authentication tags of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs. This puts users at risk because JWEs can be modified to decrypt to an arbitrary value, decrypted by observing parsing differences and the GCM internal GHASH key can be recovered. Users are affected by this vulnerability even if they do not use an AES-GCM encryption algorithm for their JWEs. As the GHASH key may have been leaked, users must rotate the encryption keys after upgrading. This issue is fixed in version 1.1.1.

Severity: 9.1 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-48913

Published : Aug. 8, 2025, 10:15 a.m. | 13 hours, 44 minutes ago

Description : If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to reject those protocols, removing this possibility.

Users are recommended to upgrade to versions 3.6.8, 4.0.9 or 4.1.3, which fix this issue.

Severity: 9.8 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-53606

Published : Aug. 8, 2025, 10:15 a.m. | 13 hours, 44 minutes ago

Description : Deserialization of Untrusted Data vulnerability in Apache Seata (incubating).

This issue affects Apache Seata (incubating): 2.4.0.

Users are recommended to upgrade to version 2.5.0, which fixes the issue.

Severity: 9.8 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…