PT-2025-50080

Name of the Vulnerable Software and Affected Versions SNMP Web Pro version 1.1 Description An unauthenticated directory traversal issue exists in the cgi-bin/upload.cgi component. The component concatenates user-supplied parameters directly onto a base path /var/www/files/userScript/ using memcpy...

PT-2025-49779

WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword to create passwords using PHP's rand. rand is not cryptographically secure, which allows password sequences to be predicted or brute-forced. This can lead to user account compromise or privilege...

PT-2025-50245

Name of the Vulnerable Software and Affected Versions STVS ProVision version 5.9.10 Description An authenticated attacker can access arbitrary files. This is possible by manipulating the files parameter within the archive download functionality. Attackers can send GET requests to the...

CVE-2025-65287

An unauthenticated directory traversal vulnerability in cgi-bin/upload.cgi in SNMP Web Pro 1.1 allows a remote attacker to read arbitrary files. The CGI concatenates the user-supplied params directly onto the base path /var/www/files/userScript/ using memcpy + strcat without validation or...

CVE-2025-65287

An unauthenticated directory traversal vulnerability in cgi-bin/upload.cgi in SNMP Web Pro 1.1 allows a remote attacker to read arbitrary files. The CGI concatenates the user-supplied params directly onto the base path /var/www/files/userScript/ using memcpy + strcat without validation or...

Unity Linux 20.1070e Security Update: netty (UTSA-2025-991102)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-991102 advisory. Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec in Netty contains an SMTP...

Unity Linux 20.1070e Security Update: aide (UTSA-2025-991101)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-991101 advisory. AIDE is an advanced intrusion detection environment. Prior to version 0.19.2, there is an improper output neutralization vulnerability in AIDE. An attacker can craft...

Amazon Linux 2023 : libsoup3, libsoup3-devel (ALAS2023-2025-1288)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1288 advisory. A flaw was found in the cookie date handling logic of the libsoup HTTP library, widely used by GNOME and other applications for web communication. When processing cookies with specially crafte...

📄 Cloudbleed Scanner

Cloudbleed Scanner is a comprehensive security tool designed to detect memory leak patterns similar to the 2017 Cloudbleed incident, where Cloudflare's reverse proxies leaked uninitialized memory containing sensitive data...

CVE-2025-65287

SNMP Web Pro 1.1 is affected by an unauthenticated directory traversal in cgi-bin/upload.cgi. The CGI concatenates user-supplied parameters onto /var/www/files/userScript/ using memcpy/strcat without validation or canonicalization, enabling ../ sequences to escape the intended directory. The down...

CVE-2025-65082

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal in the Attachment service when processing uploaded file names. A user can overwrite files on the server by submitting specially crafted file paths. Details A Directory Traversal attack also known as path traversal ai...

Use of Non-Canonical URL Paths for Authorization Decisions

Overview astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Use of Non-Canonical URL Paths for Authorization Decisions due to improper URL decoding logic. The pathname validation used for...

2025 in Review: A Year of Smarter, Context-Aware API Security

As the year draws to a close, it’s worth pausing to look back on what has been an extraordinary year for Wallarm and, more importantly, for the businesses we protect. If 2024 was about laying the groundwork tracking API sessions to understand behavioral attacks, then 2025 was the year we built up...

Detecting Ambiguity Aversion in Cyberattack Behavior to Inform Cognitive Defense Strategies

Adversaries hackers attempting to infiltrate networks frequently face uncertainty in their operational environments. This research explores the ability to model and detect when they exhibit ambiguity aversion, a cognitive bias reflecting a preference for known versus unknown probabilities. We...

Apache 2.4.x < 2.4.66 Multiple Vulnerabilities

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.66. It is, therefore, affected by multiple vulnerabilities: - Server-Side Request Forgery SSRF in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off allows to potentially le...

Important: libsoup3

Issue Overview: A flaw was found in the cookie date handling logic of the libsoup HTTP library, widely used by GNOME and other applications for web communication. When processing cookies with specially crafted expiration dates, the library may perform an out-of-bounds memory read. This flaw could...

wshawk

WSHawk v2.0 - Professional WebSocket Security Scanner !Pyth...

SUSE CVE-2025-65082

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through...

Zero-Click Agentic Browser Attack Can Delete Entire Google Drive Using Crafted Emails

A new agentic browser attack targeting Perplexity's Comet browser that's capable of turning a seemingly innocuous email into a destructive action that wipes a user's entire Google Drive contents, findings from Straiker STAR Labs show. The zero-click Google Drive Wiper technique hinges on connecti...