Category: Alert Feeds

  Posted by Pierre Kim on Nov 13 No message preview for long message of 668188 bytes. – Read More  – Full Disclosure 

  Posted by Apple Product Security via Fulldisclosure on Nov 13 APPLE-SA-11-13-2025-1 Compressor 4.11.1 Compressor 4.11.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/125693. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Compressor Available for: macOS Sequoia 15.6 and later Impact: … Read More “APPLE-SA-11-13-2025-1 Compressor 4.11.1  – Full Disclosure” »

  Posted by Patrick via Fulldisclosure on Nov 13 Hello Jan, You are completely right and it’s something I warned about early, which is abuse of AI-generated sensationalized headline and fake PoC-s, for fame. I urge the Full Disclosure staff to look into it. Discussions with the individual responsible seem to be fruitless, and this … Read More “Re: [FD] : “Glass Cage” – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885)  – Full Disclosure” »

  Posted by Jan Schermer on Nov 07 I looked at few repos and posts of “Joseph Goydish”. It all seems to be thinly veiled AI slop and BS. Cited vulns are not attributed to him really and those chains don’t make a lot of sense. Screen recordings look suspicious, some versions reference High Sierra … Read More “Re: : “Glass Cage” – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885)  – Full Disclosure” »

  Posted by Joseph Goydish II via Fulldisclosure on Nov 07 Hey Patrick, I understand the doubt. However… what’s not slop is reproducible logs I provided a video of and the testable, working exploit I provided. Neither is the upstream patches that can be tracked from the disclosure dates to the cve’s listed in the … Read More “Re: [FD] : “Glass Cage” – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885)  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Nov 07 APPLE-SA-11-05-2025-1 iOS 18.7.2 and iPadOS 18.7.2 iOS 18.7.2 and iPadOS 18.7.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/125633. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Accessibility Available for: … Read More “APPLE-SA-11-05-2025-1 iOS 18.7.2 and iPadOS 18.7.2  – Full Disclosure” »

  Posted by Martin Heiland via Fulldisclosure on Nov 07 Dear subscribers, We’re sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX App Suite, Dovecot and PowerDNS at YesWeHack. This advisory has also been published … Read More “OXAS-ADV-2025-0002: OX App Suite Security Advisory  – Full Disclosure” »

  Posted by Aleksa Sarai via Fulldisclosure on Nov 07 | NOTE: This advisory was sent to <security-announce () opencontainers org> | on 2025-10-16. If you ship any Open Container Initiative software, we | highly recommend that you subscribe to our security-announce list in | order to receive more timely disclosures of future security issues. … Read More “runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Nov 07 APPLE-SA-11-03-2025-7 visionOS 26.1 visionOS 26.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/125638. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Apple Account Available for: Apple Vision Pro (all models) … Read More “APPLE-SA-11-03-2025-7 visionOS 26.1  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Nov 07 APPLE-SA-11-03-2025-8 Safari 26.1 Safari 26.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/125640. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Safari Available for: macOS Sonoma and macOS Sequoia Impact: … Read More “APPLE-SA-11-03-2025-8 Safari 26.1  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Nov 07 APPLE-SA-11-03-2025-9 Xcode 26.1 Xcode 26.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/125641. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. GNU Available for: macOS Sequoia 15.6 and later Impact: … Read More “APPLE-SA-11-03-2025-9 Xcode 26.1  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Nov 07 APPLE-SA-11-03-2025-4 macOS Sonoma 14.8.2 macOS Sonoma 14.8.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/125636. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Admin Framework Available for: macOS Sonoma Impact: … Read More “APPLE-SA-11-03-2025-4 macOS Sonoma 14.8.2  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Nov 07 APPLE-SA-11-03-2025-5 tvOS 26.1 tvOS 26.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/125637. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Apple Neural Engine Available for: Apple TV 4K (2nd … Read More “APPLE-SA-11-03-2025-5 tvOS 26.1  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Nov 07 APPLE-SA-11-03-2025-6 watchOS 26.1 watchOS 26.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/125639. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Apple Account Available for: Apple Watch Series 6 and … Read More “APPLE-SA-11-03-2025-6 watchOS 26.1  – Full Disclosure” »

  Posted by SBA Research Security Advisory via Fulldisclosure on Nov 07 # Checkmk Cross Site Scripting # Link: https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250729-01_Checkmk_Cross_Site_Scripting ## Vulnerability Overview ## Checkmk in versions before 2.4.0p14 and 2.3.0p39, as well as in branches 2.2.0, 2.1.0 and 2.0.0 is prone to a Stored Cross-Site Scripting (XSS) vulnerability when used in a distributed monitoring … Read More “[SBA-ADV-20250729-01] CVE-2025-39663: Checkmk Cross Site Scripting  – Full Disclosure” »

  Posted by akendo () akendo eu on Nov 07 Thank you for sharing this. I wondered how big the impact of this vulnerability is when you have only the ability to access runs via the Kubernetes API? Would you argue that the vulnerability becomes harder (or impossible?) to exploit when you can only interact … Read More “Re: [oss-security] runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Nov 07 APPLE-SA-11-03-2025-1 iOS 26.1 and iPadOS 26.1 iOS 26.1 and iPadOS 26.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/125632. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Accessibility Available for: … Read More “APPLE-SA-11-03-2025-1 iOS 26.1 and iPadOS 26.1  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Nov 07 APPLE-SA-11-03-2025-2 macOS Tahoe 26.1 macOS Tahoe 26.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/125634. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Admin Framework Available for: macOS Tahoe Impact: … Read More “APPLE-SA-11-03-2025-2 macOS Tahoe 26.1  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Nov 07 APPLE-SA-11-03-2025-3 macOS Sequoia 15.7.2 macOS Sequoia 15.7.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/125635. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Admin Framework Available for: macOS Sequoia Impact: … Read More “APPLE-SA-11-03-2025-3 macOS Sequoia 15.7.2  – Full Disclosure” »

  Posted by Aki Tuomi via Fulldisclosure on Oct 29 Affected product: Dovecot IMAP Server Internal reference: DOV-7830 Vulnerability type: CWE-1250 (Improper Preservation of Consistency Between Independent Representations of Shared State) Vulnerable version: 2.4.0, 2.4.1 Vulnerable component: auth Report confidence: Confirmed Solution status: Fixed in 2.4.2 Researcher credits: Erik <erik () broadlux com> Vendor notification: … Read More “Dovecot CVE-2025-30189: Auth cache causes access to wrong account  – Full Disclosure” »

  Posted by Christoph Gruber on Oct 29 It seems, the whole account is down – Read More  – Full Disclosure 

  Posted by josephgoyd via Fulldisclosure on Oct 29 The exploit I caught in the wild and the flow of the attack chain are in this repo: https://github.com/JGoyd/Glass-Cage-iOS18-CVE-2025-24085-CVE-2025-24201 The report was constructed via log analysis. ——– Original Message ——– It seems, the whole account is down – Read More  – Full Disclosure 

  Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Oct 29 SEC Consult Vulnerability Lab Security Advisory < 20251029-0 > ======================================================================= title: Unprotected NFC card manipulation leading to free top-up product: GiroWeb Cashless Catering Solutions vulnerable version: Only legacy customer infrastructure using outdated Legic Prime or other insecure NFC cards fixed version: – CVE… – … Read More “SEC Consult SA-20251029-0 :: Unprotected NFC card manipulation leading to free top-up in GiroWeb Cashless Catering Solutions (only legacy customer infrastructure)  – Full Disclosure” »

  Posted by Andrey Stoykov on Oct 28 # Exploit Title: Stored HTML Injection – Layout Functionality – totaljsv5013 # Date: 10/2025 # Exploit Author: Andrey Stoykov # Version: 5013 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2025/10/friday-fun-pentest-series-45-stored.html Stored HTML Injection – Layout Functionality: Steps to Reproduce: 1. Login with user and visit “Layouts” 2. … Read More “Stored HTML Injection – Layout Functionality – totaljsv5013  – Full Disclosure” »

  Posted by Andrey Stoykov on Oct 28 # Exploit Title: Stored Cross-Site Scripting (XSS) via SVG File Upload – totaljsv5013 # Date: 10/2025 # Exploit Author: Andrey Stoykov # Version: 5013 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2025/10/friday-fun-pentest-series-46-stored.html Stored Cross-Site Scripting (XSS) via SVG File Upload: Steps to Reproduce: 1. Login with user … Read More “Stored Cross-Site Scripting (XSS) via SVG File Upload – totaljsv5013  – Full Disclosure” »

  Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Oct 28 SEC Consult Vulnerability Lab Security Advisory < 20251027-0 > ======================================================================= title: Unauthenticated Local File Disclosure product: MPDV Mikrolab MIP 2 / FEDRA 2 / HYDRA X Manufacturing Execution System vulnerable version: 10.14.STD, MIP 2 / FEDRA 2 / HYDRA X with Servicepack 8 … Read More “SEC Consult SA-20251027-0 :: Unauthenticated Local File Disclosure in MPDV Mikrolab MIP 2 / FEDRA 2 / HYDRA X Manufacturing Execution System #CVE-2025-12055  – Full Disclosure” »

  Posted by Noor Christensen on Oct 28 Hi Joseph, Looks like your post with the technical details is down; I’m getting a 404 since yesterday. — kchr – Read More  – Full Disclosure 

  Posted by Andrey Stoykov on Oct 28 # Exploit Title: Current Password not Required When Changing Password – totaljsv5013 # Date: 10/2025 # Exploit Author: Andrey Stoykov # Version: 5013 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2025/10/friday-fun-pentest-series-43-current.html Current Password not Required When Changing Password: Steps to Reproduce: 1. Login with user and click … Read More “Current Password not Required When Changing Password – totaljsv5013  – Full Disclosure” »

  Posted by Andrey Stoykov on Oct 28 # Exploit Title: Stored Cross-Site Scripting (XSS) – Layout Functionality – totaljsv5013 # Date: 10/2025 # Exploit Author: Andrey Stoykov # Version: 5013 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2025/10/friday-fun-pentest-series-44-stored.html Stored Cross-Site Scripting (XSS) – Layout Functionality: Steps to Reproduce: 1. Login with user and visit … Read More “Stored Cross-Site Scripting (XSS) – Layout Functionality – totaljsv5013  – Full Disclosure” »

  Posted by Daniel Owens via Fulldisclosure on Oct 28 Struts2 has, since its inception and to today, contained a significant denial of service (DoS) vulnerability stemming from how the Struts2 default deserialiser parses and deserialises arrays, collections (including maps), and related objects. Specifically, Struts2 and related frameworks allow attackers to specify indices and adhere … Read More “Struts2 and Related Framework Array/Collection DoS  – Full Disclosure” »

  Posted by Matteo Beccati on Oct 25 ======================================================================== Revive Adserver Security Advisory REVIVE-SA-2025-001 ———————————————————————— https://www.revive-adserver.com/security/revive-sa-2025-001 ———————————————————————— CVE-ID: CVE-2025-27208 Date: 2025-10-22 Risk Level:… – Read More  – Full Disclosure 

  Posted by Matteo Beccati on Oct 25 ======================================================================== Revive Adserver Security Advisory REVIVE-SA-2025-002 ———————————————————————— https://www.revive-adserver.com/security/revive-sa-2025-002 ———————————————————————— Date: 2025-10-24 Risk Level: High Applications affected: Revive… – Read More  – Full Disclosure 

  Posted by BSidesSF CFP via Fulldisclosure on Oct 21 BSidesSF is still soliciting submissions for the annual BSidesSF conference on March 21-22, 2026. Call for participation is currently open for both Informational/Collaborative Tracks. Our theme for 2026 is “BSidesSF: The Musical”. Deadline for submissions is OCTOBER 28, 2025. https://bsidessf.org/cfp BSidesSF (bsidessf.org) is a non-profit … Read More “BSidesSF 2026 CFP still open until October 28th  – Full Disclosure” »

  Posted by malvuln on Oct 21 Greetings, I created a MISP-compatible feed for Malvuln that provides malware-vulnerability intelligence; vulnerability types are normalized and mapped to the MITRE ATT&CK framework to improve tagging, correlation and threat analysis. https://intel.malvuln.com Track vulnerable malware, for researchers or anyone building CTI pipelines Existing data live now — new entries … Read More “Malvuln – MISP compatible malware vulnerability intelligence feed now live  – Full Disclosure” »

  Posted by Matthias Deeg via Fulldisclosure on Oct 21 Advisory ID: SYSS-2025-015 Product: Keypad Secure USB 3.2 Gen 1 Drive Manufacturer: Verbatim Affected Version(s): Part Number #49427 (GDMSLK03A-IN3637 VER1.0) Part Number #49428 (GDMSLK03A-IN3637 VER1.0) Tested Version(s): Part Number #49427 (GDMSLK03A-IN3637 VER1.0) Part Number #49428 (GDMSLK03A-IN3637 VER1.0) Vulnerability Type:… – Read More  – Full Disclosure 

  Posted by Matthias Deeg via Fulldisclosure on Oct 21 Advisory ID: SYSS-2025-016 Product: Store ‘n’ Go Secure Portable SSD Manufacturer: Verbatim Affected Version(s): Part Number #53402 (GDMSLK02 C-INIC3637-V1.1) Tested Version(s): Part Number #53402 (GDMSLK02 C-INIC3637-V1.1) Vulnerability Type: Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240) Risk Level:… – Read More  – Full Disclosure 

  Posted by Matthias Deeg via Fulldisclosure on Oct 21 Advisory ID: SYSS-2025-017 Product: Store ‘n’ Go Secure Portable HDD Manufacturer: Verbatim Affected Version(s): Part Number #53401 (GD25LK01-3637-C VER4.0) Tested Version(s): Part Number #53401 (GD25LK01-3637-C VER4.0) Vulnerability Type: Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240) Risk Level: High… – Read More  – Full … Read More “[SYSS-2025-017]: Verbatim Store ‘n’ Go Secure Portable HDD (security update v1.0.0.6) – Offline brute-force attack  – Full Disclosure” »

  Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Oct 21 SEC Consult Vulnerability Lab Security Advisory < 20251021-0 > ======================================================================= title: Multiple Vulnerabilities product: EfficientLab WorkExaminer Professional vulnerable version: <= 4.0.0.52001 fixed version: – CVE number: CVE-2025-10639, CVE-2025-10640, CVE-2025-10641 impact: Critical homepage:… – Read More  – Full Disclosure 

  Posted by Security Explorations on Oct 21 Dear All, We have recently experienced “an outage” / unavailability of our website [1] due to Google suspending our Firebase project (the root for our website hosting). On Oct 16, 2025 (23:20 PM CET) we received a message [2] from Google Cloud Compliance, which indicated our hosting … Read More “Google Firebase hosting suspension / “malware distribution” bypass  – Full Disclosure” »

  Posted by cve on Oct 18 The critical vulnerabilities discovered within Mercku routers, specifically the M6a model, that could pose serious security threats to home networks. These issues allow remote code execution with minimal effort, tested against version 2.1.0 of the official firmware. I have also submitted a CVE request in June 2024 (CVE … Read More “Urgent Security Vulnerabilities Discovered in Mercku Routers Model M6a  – Full Disclosure” »

  Posted by Patrick via Fulldisclosure on Oct 18 —————————————————————————- Summary —————————————————————————- A CWE-601 (Open Redirect) vulnerability has been identified in the additnow functionality of apis.google.com. The vulnerability has been actively exploited in targeted phishing attacks since at least September 15, 2025…. – Read More  – Full Disclosure 

  Posted by Thomas Weber | CyberDanube via Fulldisclosure on Oct 18 CyberDanube Security Research 20251014-0 ——————————————————————————- title| Multiple Vulnerabilities product| QUINT4-UPS vulnerable version| VC:00<VC:07 fixed version| VC:07 (partially) CVE number| CVE-2025-41703, CVE-2025-41704, CVE-2025-41705, | CVE-2025-41706, CVE-2025-41707 impact| High… – Read More  – Full Disclosure 

  Posted by Gynvael Coldwind on Oct 15 Vendor Response Pattern Hi Christopher, Vendor is correct with this one. The problem isn’t the vendor’s site – it’s that the browser is already pwned with the malicious browser extension (this is site-agnostic). You’ve mentioned “No user interaction required beyond normal application usage.”, but having “Malicious browser … Read More “Re: Security Advisory: Multiple High-Severity Vulnerabilities in Suno.com (JWT Leakage, IDOR, DoS)  – Full Disclosure” »

  Posted by SBA Research Security Advisory via Fulldisclosure on Oct 13 # Checkmk Agent Privilege Escalation via Insecure Temporary Files # Link: https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250724-01_Checkmk_Agent_Privilege_Escalation_via_Insecure_Temporary_Files ## Vulnerability Overview ## The `win_license` plugin as included in Checkmk agent for Windows versions before 2.4.0p13, 2.3.0p38 and 2.2.0p46, as well as since version 2.1.0b2 and 2.0.0p28 allows low privileged … Read More “[SBA-ADV-20250724-01] CVE-2025-32919: Checkmk Agent Privilege Escalation via Insecure Temporary Files  – Full Disclosure” »

  Posted by SBA Research Security Advisory via Fulldisclosure on Oct 13 # Checkmk Path Traversal # Link: https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250730-01_Checkmk_Path_Traversal ## Vulnerability Overview ## Checkmk in versions before 2.4.0p13, 2.3.0p38 and 2.2.0p46, as well as since version 2.1.0b1 is prone to a path traversal vulnerability in the report scheduler. Due to an insufficient validation of a … Read More “[SBA-ADV-20250730-01] CVE-2025-39664: Checkmk Path Traversal  – Full Disclosure” »

  Posted by Christopher Dickinson via Fulldisclosure on Oct 13 Security Advisory: Multiple High-Severity Vulnerabilities in Suno.com CVE Identifiers * CVE-2025-[PENDING] – Excessive Data Exposure / JWT Token Leakage * CVE-2025-[PENDING] – Broken Object Level Authorization (IDOR) * CVE-2025-[PENDING] – Unrestricted Resource Consumption (DoS) Executive Summary This security advisory details three significant vulnerabilities discovered in … Read More “Security Advisory: Multiple High-Severity Vulnerabilities in Suno.com (JWT Leakage, IDOR, DoS)  – Full Disclosure” »

  Posted by Seralys Research Team via Fulldisclosure on Oct 08 Seralys Security Advisory | https://www.seralys.com/research ====================================================================== Title: SQL Injection Vulnerability Product: Open Web Analytics (OWA) Affected: Confirmed on 1.8.0 (older versions likely affected) Fixed in: 1.8.1 Vendor: Open Web Analytics (open-source) Discovered: August 2025 Severity: HIGH CWE: CWE-89: SQL Injection CVE: CVE-2025-59397… – Read More  … Read More “CVE-2025-59397 – Open Web Analytics SQL Injection  – Full Disclosure” »

  Posted by Stefan Kanthak via Fulldisclosure on Oct 07 On a fresh installation of the just released Windows 11 25H2 the former file %SystemRoot%System32SecurityHealth10.0.27840.1000-0SecurityHealthHost.exe is %SystemRoot%System32SecurityHealthHost.exe now, but the BUG persists: | svchost.exe (PID = 9876) identified \?C:WindowsSystem32SecurityHealthHost.exe | as Disallowed using default rule, Guid = 11015445-d282-4f86-96a2-9e485f593302 stay tuned, and far away from bug-riddled … Read More “Re: Defense in depth — the Microsoft way (part 93): SRP/SAFER whitelisting goes black on Windows 11  – Full Disclosure” »

  Posted by full on Oct 07 Substack is down. If there is a replacement, it is appreciated. -x9p – Read More  – Full Disclosure 

  Posted by josephgoyd via Fulldisclosure on Oct 07 The GitHub link has a write up on the attack-chain. Along with the CNVD certs that were issued for validation. https://github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201 – Read More  – Full Disclosure