The Cyber Express, in collaboration with Suraksha Catalyst, has kicked off the Black Hat USA 2025 CISO Series Podcast with…
Security
Financial institutions like trading and brokerage firms are the target of a new campaign that delivers a previously unreported remote…
A hack of the Netherlands’ Public Prosecution Service has had an unusual side effect – causing some speed cameras to…
Threat actors are exploiting a nearly two-year-old security flaw in Apache ActiveMQ to gain persistent access to cloud Linux systems…
CVE ID : CVE-2025-8218
Published : Aug. 19, 2025, 7:15 a.m. | 17 hours, 37 minutes ago
Description : The Real Spaces – WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the ‘change_role_member’ parameter in all versions up to, and including, 3.5. This is due to a lack of restriction in the profile update role. This makes it possible for unauthenticated attackers to arbitrarily choose their role, including the Administrator role, during a profile update.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-6758
Published : Aug. 19, 2025, 7:15 a.m. | 17 hours, 37 minutes ago
Description : The Real Spaces – WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the ‘imic_agent_register’ function in all versions up to, and including, 3.6. This is due to a lack of restriction in the registration role. This makes it possible for unauthenticated attackers to arbitrarily choose their role, including the Administrator role, during user registration.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-7654
Published : Aug. 19, 2025, 8:15 a.m. | 16 hours, 37 minutes ago
Description : Multiple FunnelKit plugins are vulnerable to Sensitive Information Exposure via the wf_get_cookie shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including authentication cookies of other site users, which may make privilege escalation possible.
Please note both FunnelKit – Funnel Builder for WooCommerce Checkout AND FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce are affected by this.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-8723
Published : Aug. 19, 2025, 8:15 a.m. | 16 hours, 37 minutes ago
Description : The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to inject arbitrary PHP into the codebase, achieving remote code execution.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-4044
Published : Aug. 19, 2025, 2:15 p.m. | 10 hours, 37 minutes ago
Description : Improper Restriction of XML External Entity Reference in various Lexmark printer drivers for Windows allows attacker to disclose sensitive information to an arbitrary URL.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-4046
Published : Aug. 19, 2025, 2:15 p.m. | 10 hours, 37 minutes ago
Description : A missing authorization vulnerability in Lexmark Cloud Services badge management allows attacker to reassign badges within their organization
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-50567
Published : Aug. 19, 2025, 2:15 p.m. | 10 hours, 37 minutes ago
Description : Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. This leads to injection of user-controlled SQL statements, potentially leading to arbitrary PHP code execution.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-54336
Published : Aug. 19, 2025, 2:15 p.m. | 10 hours, 37 minutes ago
Description : In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is “0e” followed by any digit string, then an attacker can login with any other string that evaluates to 0.0 (such as the 0e0 string). This occurs in admin/plib/LoginManager.php.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-52478
Published : Aug. 19, 2025, 5:15 p.m. | 7 hours, 37 minutes ago
Description : n8n is a workflow automation platform. From 1.77.0 to before 1.98.2, a stored Cross-Site Scripting (XSS) vulnerability was identified in n8n, specifically in the Form Trigger node’s HTML form element. An authenticated attacker can inject malicious HTML via an with a srcdoc payload that includes arbitrary JavaScript execution. The attacker can also inject malicious Javascript by using coupled using an onerror event. While using iframe or a combination of video and source tag, this vulnerability allows for Account Takeover (ATO) by exfiltrating n8n-browserId and session cookies from authenticated users who visit a maliciously crafted form. Using these tokens and cookies, an attacker can impersonate the victim and change account details such as email addresses, enabling full control over the account—especially if 2FA is not enabled. Users should upgrade to version >= 1.98.2.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-55294
Published : Aug. 19, 2025, 6:15 p.m. | 6 hours, 37 minutes ago
Description : screenshot-desktop allows capturing a screenshot of your local machine. This vulnerability is a command injection issue. When user-controlled input is passed into the format option of the screenshot function, it is interpolated into a shell command without sanitization. This results in arbitrary command execution with the privileges of the calling process. This vulnerability is fixed in 1.15.2.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-8450
Published : Aug. 19, 2025, 6:15 p.m. | 6 hours, 37 minutes ago
Description : Improper Access Control issue in the Workflow component of Fortra’s FileCatalyst allows unauthenticated users to upload arbitrary files via the order forms page.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2024-44373
Published : Aug. 19, 2025, 7:15 p.m. | 5 hours, 37 minutes ago
Description : A Path Traversal vulnerability in AllSky v2023.05.01_04 allows an unauthenticated attacker to create a webshell and remote code execution via the path, content parameter to /includes/save_file.php.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-55306
Published : Aug. 19, 2025, 7:15 p.m. | 5 hours, 37 minutes ago
Description : GenX_FX is an advance IA trading platform that will focus on forex trading. A vulnerability was identified in the GenX FX backend where API keys and authentication tokens may be exposed if environment variables are misconfigured. Unauthorized users could gain access to cloud resources (Google Cloud, Firebase, GitHub, etc.).
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-55736
Published : Aug. 19, 2025, 7:15 p.m. | 5 hours, 37 minutes ago
Description : flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to “admin”, giving its relative privileges (e.g. delete users, posts, comments etc.). The problem is in the routes/adminPanelUsers file.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-55733
Published : Aug. 19, 2025, 7:15 p.m. | 5 hours, 37 minutes ago
Description : DeepChat is a smart assistant that connects powerful AI to your personal world. DeepChat before 0.3.1 has a one-click remote code execution vulnerability. An attacker can exploit this vulnerability by embedding a specially crafted deepchat: URL on any website, including a malicious one they control. When a victim visits such a site or clicks on the link, the browser triggers the app’s custom URL handler (deepchat:), causing the DeepChat application to launch and process the URL, leading to remote code execution on the victim’s machine. This vulnerability is fixed in 0.3.1.
Severity: 9.6 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-55032
Published : Aug. 19, 2025, 9:15 p.m. | 4 hours, 28 minutes ago
Description : Focus for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline, potentially allowing for XSS attacks This vulnerability affects Focus for iOS
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more…