Category: Alert Feeds

  Posted by Apple Product Security via Fulldisclosure on Dec 15 APPLE-SA-12-12-2025-9 Safari 26.2 Safari 26.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/125892. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Safari Available for: macOS Sonoma and macOS Sequoia Impact: … Read More “APPLE-SA-12-12-2025-9 Safari 26.2  – Full Disclosure” »

  Posted by Yuffie Kisaragi via Fulldisclosure on Dec 15 UPDATE: The reported vulnerabilities have now been assigned CVE identifiers: CVE-2025-34411: https://www.cve.org/cverecord?id=CVE-2025-34411 [https://www.cve.org/cverecord?id=CVE-2025-34411] CVE-2025-34412: https://www.cve.org/cverecord?id=CVE-2025-34412 [https://www.cve.org/cverecord?id=CVE-2025-34412] – Read More  – Full Disclosure 

  Posted by Onur Tezcan via Fulldisclosure on Dec 15 [Attack Vectors]       > It was detected that a Stored XSS vulnerability in the Attributes management workflow. An attacker can insert JavaScript into the Name field when adding a new Attribute Group (Catalog > Attributes > Specification attributes > Add Group > Name input field). To … Read More “nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Attributes functionality  – Full Disclosure” »

  Posted by Yuffie Kisaragi via Fulldisclosure on Dec 05 Advisory ID: CONVERCENT-2025-001 Title: Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group) Date: 2025-12-04 Vendor: EQS Group Product: Convercent Whistleblowing Platform (app.convercent.com) Severity: Critical CVSS v4.0 Base Score: 9.3 Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N Summary A series of security weaknesses were identified in … Read More “Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)  – Full Disclosure” »

  Posted by Aerith Gainsborough via Fulldisclosure on Dec 01 Advisory ID: LEGALITYWHISTLEBLOWING-2025-001 Title: Missing Critical Security Headers in Legality WHISTLEBLOWING Date: 2025-11-29 Vendor: DigitalPA (segnalazioni.net) Severity: High CVSS v3.1 Base Score: 8.2 (High) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N Summary: Multiple public deployments of Legality WHISTLEBLOWING by DigitalPA are missing essential HTTP security headers. This misconfiguration exposes users … Read More “Missing Critical Security Headers in Legality WHISTLEBLOWING  – Full Disclosure” »

  Posted by Matteo Beccati on Dec 01 ======================================================================== Revive Adserver Security Advisory REVIVE-SA-2025-005 ———————————————————————— https://www.revive-adserver.com/security/revive-sa-2025-005 ———————————————————————— Date: 2025-11-26 Risk Level: Medium Applications affected: Revive… – Read More  – Full Disclosure 

  Posted by Pierre Kim on Dec 01 ## Advisory Information Title: 2 vulnerabilities in Egovframe Advisory URL: https://pierrekim.github.io/advisories/2025-egovframe.txt Blog URL: https://pierrekim.github.io/blog/2025-11-20-egovframe-2-vulnerabilities.html Date published: 2025-11-20 Vendors contacted: KISA/KrCERT Release mode: Released CVE: CVE-2025-34336, CVE-2025-34337 ## Product description Egovframe is a Java-based framework mainly used in the websites of the Government of… – Read More  – Full … Read More “2 vulnerabilities in Egovframe  – Full Disclosure” »

  Posted by Pierre Kim on Dec 01 ## Advisory Information Title: 8 vulnerabilities in AudioCodes Fax/IVR Appliance Advisory URL: https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt Blog URL: https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html Date published: 2025-11-20 Vendors contacted: Audiocodes Release mode: Released CVE: CVE-2025-34328, CVE-2025-34329, CVE-2025-34330, CVE-2025-34331, CVE-2025-34332, CVE-2025-34333,… – Read More  – Full Disclosure 

  Posted by Micha Borrmann via Fulldisclosure on Nov 19 Advisory ID: SYSS-2025-059 Product: Dell computer Manufacturer: Dell Affected Version(s): Probably all Dell computers Tested Version(s): Latitude 5431 (BIOS 1.33.1), Latitude 7320 (BIOS 1.44.1), Latitude 7400 (BIOS 1.41.1), Latitude 7480 (BIOS 1.41.3), Latitude 9430 (BIOS… – Read More  – Full Disclosure 

  Posted by Matteo Beccati on Nov 19 ======================================================================== Revive Adserver Security Advisory REVIVE-SA-2025-003 ———————————————————————— https://www.revive-adserver.com/security/revive-sa-2025-003 ———————————————————————— Date: 2025-11-05 Risk Level: High Applications affected: Revive… – Read More  – Full Disclosure 

  Posted by Matteo Beccati on Nov 19 ======================================================================== Revive Adserver Security Advisory REVIVE-SA-2025-004 ———————————————————————— https://www.revive-adserver.com/security/revive-sa-2025-004 ———————————————————————— Date: 2025-11-19 Risk Level: Medium Applications affected: Revive… – Read More  – Full Disclosure 

  Posted by Pierre Kim on Nov 13 No message preview for long message of 668188 bytes. – Read More  – Full Disclosure 

  Posted by Apple Product Security via Fulldisclosure on Nov 13 APPLE-SA-11-13-2025-1 Compressor 4.11.1 Compressor 4.11.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/125693. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Compressor Available for: macOS Sequoia 15.6 and later Impact: … Read More “APPLE-SA-11-13-2025-1 Compressor 4.11.1  – Full Disclosure” »

  Posted by Patrick via Fulldisclosure on Nov 13 Hello Jan, You are completely right and it’s something I warned about early, which is abuse of AI-generated sensationalized headline and fake PoC-s, for fame. I urge the Full Disclosure staff to look into it. Discussions with the individual responsible seem to be fruitless, and this … Read More “Re: [FD] : “Glass Cage” – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885)  – Full Disclosure” »

  Posted by Jan Schermer on Nov 07 I looked at few repos and posts of “Joseph Goydish”. It all seems to be thinly veiled AI slop and BS. Cited vulns are not attributed to him really and those chains don’t make a lot of sense. Screen recordings look suspicious, some versions reference High Sierra … Read More “Re: : “Glass Cage” – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885)  – Full Disclosure” »

  Posted by Joseph Goydish II via Fulldisclosure on Nov 07 Hey Patrick, I understand the doubt. However… what’s not slop is reproducible logs I provided a video of and the testable, working exploit I provided. Neither is the upstream patches that can be tracked from the disclosure dates to the cve’s listed in the … Read More “Re: [FD] : “Glass Cage” – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885)  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Nov 07 APPLE-SA-11-05-2025-1 iOS 18.7.2 and iPadOS 18.7.2 iOS 18.7.2 and iPadOS 18.7.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/125633. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Accessibility Available for: … Read More “APPLE-SA-11-05-2025-1 iOS 18.7.2 and iPadOS 18.7.2  – Full Disclosure” »

  Posted by Martin Heiland via Fulldisclosure on Nov 07 Dear subscribers, We’re sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX App Suite, Dovecot and PowerDNS at YesWeHack. This advisory has also been published … Read More “OXAS-ADV-2025-0002: OX App Suite Security Advisory  – Full Disclosure” »

  Posted by Aleksa Sarai via Fulldisclosure on Nov 07 | NOTE: This advisory was sent to <security-announce () opencontainers org> | on 2025-10-16. If you ship any Open Container Initiative software, we | highly recommend that you subscribe to our security-announce list in | order to receive more timely disclosures of future security issues. … Read More “runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Nov 07 APPLE-SA-11-03-2025-7 visionOS 26.1 visionOS 26.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/125638. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Apple Account Available for: Apple Vision Pro (all models) … Read More “APPLE-SA-11-03-2025-7 visionOS 26.1  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Nov 07 APPLE-SA-11-03-2025-8 Safari 26.1 Safari 26.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/125640. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Safari Available for: macOS Sonoma and macOS Sequoia Impact: … Read More “APPLE-SA-11-03-2025-8 Safari 26.1  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Nov 07 APPLE-SA-11-03-2025-9 Xcode 26.1 Xcode 26.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/125641. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. GNU Available for: macOS Sequoia 15.6 and later Impact: … Read More “APPLE-SA-11-03-2025-9 Xcode 26.1  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Nov 07 APPLE-SA-11-03-2025-4 macOS Sonoma 14.8.2 macOS Sonoma 14.8.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/125636. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Admin Framework Available for: macOS Sonoma Impact: … Read More “APPLE-SA-11-03-2025-4 macOS Sonoma 14.8.2  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Nov 07 APPLE-SA-11-03-2025-5 tvOS 26.1 tvOS 26.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/125637. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Apple Neural Engine Available for: Apple TV 4K (2nd … Read More “APPLE-SA-11-03-2025-5 tvOS 26.1  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Nov 07 APPLE-SA-11-03-2025-6 watchOS 26.1 watchOS 26.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/125639. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Apple Account Available for: Apple Watch Series 6 and … Read More “APPLE-SA-11-03-2025-6 watchOS 26.1  – Full Disclosure” »

  Posted by SBA Research Security Advisory via Fulldisclosure on Nov 07 # Checkmk Cross Site Scripting # Link: https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250729-01_Checkmk_Cross_Site_Scripting ## Vulnerability Overview ## Checkmk in versions before 2.4.0p14 and 2.3.0p39, as well as in branches 2.2.0, 2.1.0 and 2.0.0 is prone to a Stored Cross-Site Scripting (XSS) vulnerability when used in a distributed monitoring … Read More “[SBA-ADV-20250729-01] CVE-2025-39663: Checkmk Cross Site Scripting  – Full Disclosure” »

  Posted by akendo () akendo eu on Nov 07 Thank you for sharing this. I wondered how big the impact of this vulnerability is when you have only the ability to access runs via the Kubernetes API? Would you argue that the vulnerability becomes harder (or impossible?) to exploit when you can only interact … Read More “Re: [oss-security] runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Nov 07 APPLE-SA-11-03-2025-1 iOS 26.1 and iPadOS 26.1 iOS 26.1 and iPadOS 26.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/125632. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Accessibility Available for: … Read More “APPLE-SA-11-03-2025-1 iOS 26.1 and iPadOS 26.1  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Nov 07 APPLE-SA-11-03-2025-2 macOS Tahoe 26.1 macOS Tahoe 26.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/125634. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Admin Framework Available for: macOS Tahoe Impact: … Read More “APPLE-SA-11-03-2025-2 macOS Tahoe 26.1  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Nov 07 APPLE-SA-11-03-2025-3 macOS Sequoia 15.7.2 macOS Sequoia 15.7.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/125635. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Admin Framework Available for: macOS Sequoia Impact: … Read More “APPLE-SA-11-03-2025-3 macOS Sequoia 15.7.2  – Full Disclosure” »

  Posted by Aki Tuomi via Fulldisclosure on Oct 29 Affected product: Dovecot IMAP Server Internal reference: DOV-7830 Vulnerability type: CWE-1250 (Improper Preservation of Consistency Between Independent Representations of Shared State) Vulnerable version: 2.4.0, 2.4.1 Vulnerable component: auth Report confidence: Confirmed Solution status: Fixed in 2.4.2 Researcher credits: Erik <erik () broadlux com> Vendor notification: … Read More “Dovecot CVE-2025-30189: Auth cache causes access to wrong account  – Full Disclosure” »

  Posted by Christoph Gruber on Oct 29 It seems, the whole account is down – Read More  – Full Disclosure 

  Posted by josephgoyd via Fulldisclosure on Oct 29 The exploit I caught in the wild and the flow of the attack chain are in this repo: https://github.com/JGoyd/Glass-Cage-iOS18-CVE-2025-24085-CVE-2025-24201 The report was constructed via log analysis. ——– Original Message ——– It seems, the whole account is down – Read More  – Full Disclosure 

  Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Oct 29 SEC Consult Vulnerability Lab Security Advisory < 20251029-0 > ======================================================================= title: Unprotected NFC card manipulation leading to free top-up product: GiroWeb Cashless Catering Solutions vulnerable version: Only legacy customer infrastructure using outdated Legic Prime or other insecure NFC cards fixed version: – CVE… – … Read More “SEC Consult SA-20251029-0 :: Unprotected NFC card manipulation leading to free top-up in GiroWeb Cashless Catering Solutions (only legacy customer infrastructure)  – Full Disclosure” »

  Posted by Andrey Stoykov on Oct 28 # Exploit Title: Stored HTML Injection – Layout Functionality – totaljsv5013 # Date: 10/2025 # Exploit Author: Andrey Stoykov # Version: 5013 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2025/10/friday-fun-pentest-series-45-stored.html Stored HTML Injection – Layout Functionality: Steps to Reproduce: 1. Login with user and visit “Layouts” 2. … Read More “Stored HTML Injection – Layout Functionality – totaljsv5013  – Full Disclosure” »

  Posted by Andrey Stoykov on Oct 28 # Exploit Title: Stored Cross-Site Scripting (XSS) via SVG File Upload – totaljsv5013 # Date: 10/2025 # Exploit Author: Andrey Stoykov # Version: 5013 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2025/10/friday-fun-pentest-series-46-stored.html Stored Cross-Site Scripting (XSS) via SVG File Upload: Steps to Reproduce: 1. Login with user … Read More “Stored Cross-Site Scripting (XSS) via SVG File Upload – totaljsv5013  – Full Disclosure” »

  Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Oct 28 SEC Consult Vulnerability Lab Security Advisory < 20251027-0 > ======================================================================= title: Unauthenticated Local File Disclosure product: MPDV Mikrolab MIP 2 / FEDRA 2 / HYDRA X Manufacturing Execution System vulnerable version: 10.14.STD, MIP 2 / FEDRA 2 / HYDRA X with Servicepack 8 … Read More “SEC Consult SA-20251027-0 :: Unauthenticated Local File Disclosure in MPDV Mikrolab MIP 2 / FEDRA 2 / HYDRA X Manufacturing Execution System #CVE-2025-12055  – Full Disclosure” »

  Posted by Noor Christensen on Oct 28 Hi Joseph, Looks like your post with the technical details is down; I’m getting a 404 since yesterday. — kchr – Read More  – Full Disclosure 

  Posted by Andrey Stoykov on Oct 28 # Exploit Title: Current Password not Required When Changing Password – totaljsv5013 # Date: 10/2025 # Exploit Author: Andrey Stoykov # Version: 5013 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2025/10/friday-fun-pentest-series-43-current.html Current Password not Required When Changing Password: Steps to Reproduce: 1. Login with user and click … Read More “Current Password not Required When Changing Password – totaljsv5013  – Full Disclosure” »

  Posted by Andrey Stoykov on Oct 28 # Exploit Title: Stored Cross-Site Scripting (XSS) – Layout Functionality – totaljsv5013 # Date: 10/2025 # Exploit Author: Andrey Stoykov # Version: 5013 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2025/10/friday-fun-pentest-series-44-stored.html Stored Cross-Site Scripting (XSS) – Layout Functionality: Steps to Reproduce: 1. Login with user and visit … Read More “Stored Cross-Site Scripting (XSS) – Layout Functionality – totaljsv5013  – Full Disclosure” »

  Posted by Daniel Owens via Fulldisclosure on Oct 28 Struts2 has, since its inception and to today, contained a significant denial of service (DoS) vulnerability stemming from how the Struts2 default deserialiser parses and deserialises arrays, collections (including maps), and related objects. Specifically, Struts2 and related frameworks allow attackers to specify indices and adhere … Read More “Struts2 and Related Framework Array/Collection DoS  – Full Disclosure” »

  Posted by Matteo Beccati on Oct 25 ======================================================================== Revive Adserver Security Advisory REVIVE-SA-2025-001 ———————————————————————— https://www.revive-adserver.com/security/revive-sa-2025-001 ———————————————————————— CVE-ID: CVE-2025-27208 Date: 2025-10-22 Risk Level:… – Read More  – Full Disclosure 

  Posted by Matteo Beccati on Oct 25 ======================================================================== Revive Adserver Security Advisory REVIVE-SA-2025-002 ———————————————————————— https://www.revive-adserver.com/security/revive-sa-2025-002 ———————————————————————— Date: 2025-10-24 Risk Level: High Applications affected: Revive… – Read More  – Full Disclosure 

  Posted by BSidesSF CFP via Fulldisclosure on Oct 21 BSidesSF is still soliciting submissions for the annual BSidesSF conference on March 21-22, 2026. Call for participation is currently open for both Informational/Collaborative Tracks. Our theme for 2026 is “BSidesSF: The Musical”. Deadline for submissions is OCTOBER 28, 2025. https://bsidessf.org/cfp BSidesSF (bsidessf.org) is a non-profit … Read More “BSidesSF 2026 CFP still open until October 28th  – Full Disclosure” »

  Posted by malvuln on Oct 21 Greetings, I created a MISP-compatible feed for Malvuln that provides malware-vulnerability intelligence; vulnerability types are normalized and mapped to the MITRE ATT&CK framework to improve tagging, correlation and threat analysis. https://intel.malvuln.com Track vulnerable malware, for researchers or anyone building CTI pipelines Existing data live now — new entries … Read More “Malvuln – MISP compatible malware vulnerability intelligence feed now live  – Full Disclosure” »

  Posted by Matthias Deeg via Fulldisclosure on Oct 21 Advisory ID: SYSS-2025-015 Product: Keypad Secure USB 3.2 Gen 1 Drive Manufacturer: Verbatim Affected Version(s): Part Number #49427 (GDMSLK03A-IN3637 VER1.0) Part Number #49428 (GDMSLK03A-IN3637 VER1.0) Tested Version(s): Part Number #49427 (GDMSLK03A-IN3637 VER1.0) Part Number #49428 (GDMSLK03A-IN3637 VER1.0) Vulnerability Type:… – Read More  – Full Disclosure 

  Posted by Matthias Deeg via Fulldisclosure on Oct 21 Advisory ID: SYSS-2025-016 Product: Store ‘n’ Go Secure Portable SSD Manufacturer: Verbatim Affected Version(s): Part Number #53402 (GDMSLK02 C-INIC3637-V1.1) Tested Version(s): Part Number #53402 (GDMSLK02 C-INIC3637-V1.1) Vulnerability Type: Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240) Risk Level:… – Read More  – Full Disclosure 

  Posted by Matthias Deeg via Fulldisclosure on Oct 21 Advisory ID: SYSS-2025-017 Product: Store ‘n’ Go Secure Portable HDD Manufacturer: Verbatim Affected Version(s): Part Number #53401 (GD25LK01-3637-C VER4.0) Tested Version(s): Part Number #53401 (GD25LK01-3637-C VER4.0) Vulnerability Type: Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240) Risk Level: High… – Read More  – Full … Read More “[SYSS-2025-017]: Verbatim Store ‘n’ Go Secure Portable HDD (security update v1.0.0.6) – Offline brute-force attack  – Full Disclosure” »

  Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Oct 21 SEC Consult Vulnerability Lab Security Advisory < 20251021-0 > ======================================================================= title: Multiple Vulnerabilities product: EfficientLab WorkExaminer Professional vulnerable version: <= 4.0.0.52001 fixed version: – CVE number: CVE-2025-10639, CVE-2025-10640, CVE-2025-10641 impact: Critical homepage:… – Read More  – Full Disclosure 

  Posted by Security Explorations on Oct 21 Dear All, We have recently experienced “an outage” / unavailability of our website [1] due to Google suspending our Firebase project (the root for our website hosting). On Oct 16, 2025 (23:20 PM CET) we received a message [2] from Google Cloud Compliance, which indicated our hosting … Read More “Google Firebase hosting suspension / “malware distribution” bypass  – Full Disclosure” »