
Latest Security News

Security Updates

Latest security news and articles covering recent vulnerabilities and their impacts.

Introduction: In May 2025, Zscaler ThreatLabz discovered CVE-2025-50165, a critical remote code execution (RCE) vulnerability with a CVSS score of 9.8 that impacts the Windows Graphics Component. The vulnerability lies within windowscodecs.dll, and any applicat…
Two vulnerabilities in the Qt SVG module have been discovered. The uncontrolled recursion vulnerability has been assigned CVE-2025-10728, whereas the use-after-free vulnerability has been assigned CVE-2025-10729.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting Smartbedded Meteobridge to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability,…
Posted by josephgoyd via Fulldisclosure on Oct 02: Updated repo location: https://github.com/JGoyd/Glass-Cage-iOS18-CVE-2025-24085-CVE-2025-24201 Working exploit: https://www.dropbox.com/scl/fi/ech6wdnpnyscbfiu2o8zh/IMG_1118.png?rlkey=jna5uo6aihs6tfbwtsk8fw7e…
Posted by josephgoyd via Fulldisclosure on Oct 02: Updated repo location: https://github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201 Working exploit: https://www.dropbox.com/scl/fi/oerpnhq1ui3xfswsszfh2/Audio-clip.amr?rlkey=7n54m1o84poezyipxvd2f9…
Chrome faces its sixth zero-day attack in 2025 as Google patches critical V8 engine flaw CVE-2025-10585 discovered by Threat Analysis Group.
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation: CVE-2014-6278 GNU Bash OS Command Injection Vulnerability; CVE-2015-7755 Juniper ScreenOS Improper Authent…
Django CVE-2025-59681 and CVE-2025-59682
2025-10-01 15:57 Seclists.org 2 CVEs
Posted by Jacob Walls on Oct 01: * Announce link: https://www.djangoproject.com/weblog/2025/oct/01/security-releases/ * Announce content: In accordance with `our security release policy <https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django t…
Posted by Emilio Pozuelo Monfort on Oct 01: The CVE got assigned by MITRE, so one can dispute it with MITRE directly. Apparently it's already been done, and the CVE appears as disputed [1]. I'm not sure if it will go from there to rejected. Cheers, Emilio […
Posted by Mike O'Connor on Oct 01: > Second, I had expected ECC to "kill Rowhammer dead" only to find that it can be possible to cause enough bit flips to get all the way from one valid ECC word to another valid ECC word before ECC scrub reaches …
Posted by Marco Benatto on Sep 30: Hello all, please find the announcement of a Privilege Escalation vulnerability in FreeIPA below. Upstream release note: https://www.freeipa.org/release-notes/4-12-5.html ==== Security Report ==== * CVE-2025-7493 Contin…
Hackers are actively exploiting a critical vulnerability (CVE-2025-32463) in the sudo package that enables the execution of commands with root-level privileges on Linux operating systems. [...]
We are all aware of the abysmal state of security appliances, no matter their price tag. Every so often, we see an increase in attacks against some of these vulnerabilities, trying to mop up systems missed in earlier exploit waves. Currently, on source in part…
Posted by Peter Gutmann on Sep 29: Damien Miller writes: Everyone gets that at some point. There was a discussion on another mailing list about it a while back, how do you respond to a CVE for a vulnerability that doesn't exist unless you modify the code or co…
Posted by Theo de Raadt on Sep 29: Damien Miller wrote: I don't think the CVE was filed because of the misleading abstract. Rather, it was due to the misleading contents saying that OpenSSH is vulnerable, with a large amount of effort shown, and text explaini…
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation: CVE-2021-21311 Adminer Server-Side Request Forgery Vulnerability; CVE-2025-20352 Cisco IOS and IOS XE Stac…
Akira Ransomware bypasses MFA on SonicWall VPNs
2025-09-29 10:52 Securityaffairs.com 1 CVE
Akira ransomware is targeting SonicWall SSL VPNs, bypassing OTP MFA on accounts, likely using stolen OTP seeds. Since July 2025, Akira ransomware has exploited SonicWall SSL VPNs, likely using credentials obtained from the exploitation of the CVE-2024-40766 v…
WhatsApp 0-Click Vulnerability Exploited Using Malicious DNG File
2025-09-28 16:00 Cybersecuritynews.com 1 CVE
A WhatsApp 0-click remote code execution (RCE) vulnerability affecting Apple's iOS, macOS, and iPadOS platforms is detailed with a proof-of-concept demonstration. The attack chain exploits two distinct vulnerabilities, identified as CVE-2025-55177 and CVE-2025-43…
Posted by Adiletta, Andrew on Sep 28: Theo, Even after two years we stand behind our paper and the contributions as outlined. There is nothing more natural for any vulnerability researcher than to evaluate the most widely used products. If we had doubts about the …
Posted by Theo de Raadt on Sep 28: Damien Miller wrote: Andrew, I think you should answer Damien's comment. I'm a bit more cynical, and think this is very close to open source community engagement malpractice -- where you picked projects specifically to incre…