Aggregator

CVE-2025-69072 | Prider Plugin up to 1.1.3.1 on WordPress file inclusion

2 months 1 week ago

A vulnerability was found in Prider Plugin up to 1.1.3.1 on WordPress. It has been classified as critical. The affected element is an unknown function. The manipulation leads to file inclusion. This vulnerability is documented as CVE-2025-69072. The attack can be initiated remotely. There is not any exploit available.

vuldb.com

CVE-2025-69071 | TanTum Plugin up to 1.1.13 on WordPress file inclusion

Vuldb Updates

2 months 1 week ago

A vulnerability categorized as critical has been discovered in TanTum Plugin up to 1.1.13 on WordPress. This impacts an unknown function. Such manipulation leads to file inclusion. This vulnerability is traded as CVE-2025-69071. The attack may be launched remotely. There is no exploit available.

vuldb.com

CVE-2025-69075 | Yolox Plugin up to 1.0.15 on WordPress file inclusion

Vuldb Updates

2 months 1 week ago

A vulnerability labeled as critical has been found in Yolox Plugin up to 1.0.15 on WordPress. Affected by this vulnerability is an unknown functionality. Executing a manipulation can lead to file inclusion. This vulnerability is handled as CVE-2025-69075. The attack can be executed remotely. There is not any exploit available.

vuldb.com

CVE-2025-69077 | Hobo Plugin up to 1.0.10 on WordPress file inclusion

Vuldb Updates

2 months 1 week ago

A vulnerability described as critical has been identified in Hobo Plugin up to 1.0.10 on WordPress. This affects an unknown part. The manipulation results in file inclusion. This vulnerability was named CVE-2025-69077. The attack may be performed from remote. There is no available exploit.

vuldb.com

CVE-2025-69074 | Pearson Specter Theme Plugin up to 1.11.3 on WordPress file inclusion

Vuldb Updates

2 months 1 week ago

A vulnerability marked as critical has been reported in Pearson Specter Theme Plugin up to 1.11.3 on WordPress. Impacted is an unknown function. Performing a manipulation results in file inclusion. This vulnerability is reported as CVE-2025-69074. The attack is possible to be carried out remotely. No exploit exists.

vuldb.com

CVE-2025-69079 | Sound Musical Instruments Online Store Theme Plugin deserialization

Vuldb Updates

2 months 1 week ago

A vulnerability has been found in Sound Musical Instruments Online Store Theme Plugin up to 1.6.9 on WordPress and classified as critical. Affected by this vulnerability is an unknown functionality. Performing a manipulation results in deserialization. This vulnerability was named CVE-2025-69079. The attack may be initiated remotely. There is no available exploit.

vuldb.com

CVE-2025-69097 | WPLMS Plugin up to 1.9.9.5.4 on WordPress denial of service

Vuldb Updates

2 months 1 week ago

A vulnerability classified as problematic was found in WPLMS Plugin up to 1.9.9.5.4 on WordPress. Affected by this vulnerability is an unknown functionality. The manipulation results in denial of service. This vulnerability is known as CVE-2025-69097. It is possible to launch the attack remotely. No exploit is available.

vuldb.com

CVE-2025-69099 | North Plugin up to 5.7.5 on WordPress deserialization

Vuldb Updates

2 months 1 week ago

A vulnerability identified as critical has been detected in North Plugin up to 5.7.5 on WordPress. This impacts an unknown function. Performing a manipulation results in deserialization. This vulnerability is cataloged as CVE-2025-69099. It is possible to initiate the attack remotely. There is no exploit available.

vuldb.com

CVE-2025-69095 | Reservation Plugin up to 1.7 on WordPress Setting authorization

Vuldb Updates

2 months 1 week ago

A vulnerability was found in Reservation Plugin up to 1.7 on WordPress. It has been rated as critical. Affected is an unknown function of the component Setting Handler. Performing a manipulation results in missing authorization. This vulnerability is identified as CVE-2025-69095. The attack can be initiated remotely. There is not any exploit available.

vuldb.com

CVE-2025-14693 | Ugreen DH2100+ up to 5.3.0 USB symlink (EUVD-2025-203318)

Vuldb Updates

2 months 1 week ago

A vulnerability was found in Ugreen DH2100+ up to 5.3.0 and classified as critical. This affects an unknown function of the component USB Handler. Such manipulation leads to symlink following. This vulnerability is referenced as CVE-2025-14693. The attack can be executed directly on the physical device. Furthermore, an exploit is available. It is suggested to upgrade the affected component.

vuldb.com

CVE-2025-14187 | UGREEN DH2100+ up to 5.3.0.251125 nas_svr /v1/file/backup/create handler_file_backup_create path buffer overflow (EUVD-2025-201596 / CNNVD-202512-829)

Vuldb Updates

2 months 1 week ago

A vulnerability was found in UGREEN DH2100+ up to 5.3.0.251125. It has been declared as critical. This affects the function handler_file_backup_create of the file /v1/file/backup/create of the component nas_svr. Executing a manipulation of the argument path can lead to buffer overflow. This vulnerability is handled as CVE-2025-14187. The attack can be executed remotely. Additionally, an exploit exists. It is recommended to upgrade the affected component.

vuldb.com

CVE-2025-14188 | UGREEN DH2100+ up to 5.3.0.251125 nas_svr /v1/file/backup/create handler_file_backup_create path command injection (EUVD-2025-201598 / CNNVD-202512-827)

Vuldb Updates

2 months 1 week ago

A vulnerability was found in UGREEN DH2100+ up to 5.3.0.251125. It has been rated as critical. This impacts the function handler_file_backup_create of the file /v1/file/backup/create of the component nas_svr. The manipulation of the argument path leads to command injection. This vulnerability is uniquely identified as CVE-2025-14188. The attack is possible to be carried out remotely. Moreover, an exploit is present. Upgrading the affected component is advised.

vuldb.com

PackageGate bugs let attackers bypass protections in NPM, PNPM, VLT, and Bun

Security Affairs

2 months 1 week ago

Koi researchers found “PackageGate” flaws in NPM, PNPM, VLT, and Bun that let attackers perform supply chain attacks and run malicious code. Security firm Koi uncovered a set of vulnerabilities collectively tracked as “PackageGate” affecting major JavaScript package managers like NPM, PNPM, VLT, and Bun. These flaws could let attackers bypass supply chain protections and […]

Pierluigi Paganini

Yubico extends hardware passkey deployment options

Help Net Security

2 months 1 week ago

Yubico announced a significant expansion of YubiKey as a Service, introducing new capabilities that make modern organizations more agile and cyber resilient. With new Self-Service Ordering of YubiKeys enabled through a more streamlined Customer Portal, organizations can deliver phishing-resistance company-wide. Designed to enable the rollout and management of YubiKeys at a global scale, these enhancements enable organizations to move towards passwordless authentication with hardware passkeys. “As the cyber threat landscape continues evolving with AI-driven attacks, … More →

The post Yubico extends hardware passkey deployment options appeared first on Help Net Security.

Industry News

网络安全信息与动态周报2026年第4期（1月19日-1月25日）

深信服千里目安全实验室

2 months 1 week ago

分享一篇文章。

【漏洞通告】Microsoft Office 安全功能绕过漏洞(CVE-2026-21509)

深信服千里目安全实验室

2 months 1 week ago

2026年1月27日，深瞳漏洞实验室监测到一则微软-Office组件存在绕过认证漏洞的信息，漏洞编号：CVE-2026-21509，漏洞威胁等级：高危。

Pwn2Own Automotive 2026 落幕：76 个零日漏洞被攻破，研究人员斩获百万美元奖金

嘶吼

2 months 1 week ago

Pwn2Own Automotive 2026黑客大赛已正式结束，安全研究人员在赛事期间共成功利用76 个零日漏洞，累计赢得104.7 万美元奖金。

本届赛事聚焦汽车技术领域，在日本东京举行的Automotive World（汽车世界）展会上同期举办。

在整个比赛过程中，黑客们的攻击目标涵盖了完全打补丁的车载信息娱乐系统（IVI）、电动汽车（EV）充电桩以及汽车操作系统（如 Automotive Grade Linux）。

根据规则，在其公开披露这些漏洞之前，厂商有90 天的时间为比赛期间被利用并上报的零日漏洞开发和发布安全修复程序。

Fuzzware.io团队以21.5 万美元的奖金总额夺得本次大赛冠军，DDOS 团队以 100,750 美元紧随其后，Synactiv 团队则获得 85,000 美元。

Pwn2Own Automotive 2026 排行榜

据悉，Fuzzware.io 团队在第一天通过攻破Alpitronic HYC50 充电站、Autel 充电桩以及Kenwood DNR1007XR 导航接收机，入账 11.8 万美元。

第二天，他们又因在Phoenix Contact CHARX SEC-3150 充电控制器、ChargePoint Home Flex 充电桩和 Grizzl-E Smart 40A 充电桩中演示多个零日漏洞而获得 9.5 万美元。在比赛最后一天，他们在尝试获取 Alpine iLX-F511 多媒体接收机 Root 权限时遭遇“漏洞撞车”，额外获得 2,500 美元。

Synacktiv 团队在比赛首日也斩获 3.5 万美元，他们通过将一个越界写入漏洞与一个信息泄露漏洞进行链式利用，经由 USB 接口成功入侵了特斯拉信息娱乐系统。

回顾过往，在Pwn2Own Automotive 2024大赛中，黑客们演示了 49 个零日漏洞并两次攻破特斯拉汽车，共赢得 132.375 万美元。而在去年（2025 年）的赛事中，安全研究人员利用 49 个零日漏洞赢得了 88.625 万美元。

胡金鱼

Volante’s Multi-cloud Resiliency Service keeps payments running during cloud outages

Help Net Security

2 months 1 week ago

Volante Technologies announced the launch of its Multi-cloud Resiliency Service, engineered to keep financial institutions’ payment operations running seamlessly during major cloud provider outages. Built on Volante’s cloud-native payments platform, the service provides cross-cloud continuity, eliminating single-cloud/provider dependency for the payments layer. Recent large-scale outages across hyperscale cloud providers have demonstrated the real-world impact of cloud concentration risk for banks: delayed or failed transactions, SLA penalties, customer churn, operational recovery costs, and reputational damage. While … More →

The post Volante’s Multi-cloud Resiliency Service keeps payments running during cloud outages appeared first on Help Net Security.

Industry News

手把手教你给某讯滑块的JSVMP写反编译器 (如宝宝辅食一样易懂)

吾爱破解论坛

2 months 1 week ago

2026, 又是新的一年, 新能力GET! 没想到我不仅能写JSVMP, 我还能写反编译器, 嘿嘿!话说, 以我目前的能力, 能上班吗 ( (马上就是高中阶段第一个寒假, 难得能抽出时间 :) :)

Теперь вас сложнее взломать (но это не точно). В WhatsApp появилась мега-кнопка безопасности

Securitylab.ru

2 months 1 week ago

Мессенджер вводит жесткие ограничения на входящие сообщения и ссылки..

Aggregator

Managed ad