89 matches found
CVE-2025-56802
The Reolink desktop application uses a hard-coded and predictable AES encryption key to encrypt user configuration files allowing attackers with local access to decrypt sensitive application data stored in %APPDATA%. A different vulnerability than CVE-2025-56801. NOTE: the Supplier's position is...
EUVD-2025-35229
The Reolink Desktop Application 8.18.12 contains hard-coded credentials used as the Initialization Vector (IV) in its AES-CFB encryption implementation, allowing attackers with access to the application environment to reliably decrypt encrypted configuration data...
CVE-2025-56801
The Red Hat advisories describe CVE-2025-56801 as a vulnerability in the Reolink Desktop Application 8.18.12 where hard-coded credentials function as the Initialization Vector (IV) in AES-CFB encryption, enabling local attackers to decrypt sensitive configuration data stored under %APPD...
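The two Reolink entries above (CVE-2025-56802, a hard-coded AES key; CVE-2025-56801, a hard-coded IV) share one root cause: every secret the decryption needs ships inside the executable, so anyone who can read the binary and the files under %APPDATA% can decrypt them. The following Go program is an added illustration, not Reolink's code; the key, IV, per-install secret and JSON config are constructed values. It reproduces the flawed fixed-key/fixed-IV AES-CFB pattern, shows a second cost of IV reuse in CFB (equal plaintext prefixes give equal ciphertext prefixes), and contrasts it with a per-install key, a fresh random nonce per file and authenticated encryption (AES-GCM).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Constructed stand-ins for the constants an attacker lifts from the binary.
// They are NOT Reolink's real key or IV; only the pattern is illustrated.
var (
	hardcodedKey = []byte("0123456789abcdef0123456789abcdef") // 32-byte AES-256 key in the executable
	hardcodedIV  = []byte("static-iv-16byte")                 // 16-byte IV reused for every file
)

// encryptWeak reproduces the flawed scheme: fixed key, fixed IV, AES-CFB.
func encryptWeak(plaintext []byte) []byte {
	block, err := aes.NewCipher(hardcodedKey)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext))
	cipher.NewCFBEncrypter(block, hardcodedIV).XORKeyStream(out, plaintext)
	return out
}

// decryptWeak is everything a local attacker needs once the two constants are
// known: no per-user or per-install secret takes part.
func decryptWeak(ciphertext []byte) []byte {
	block, err := aes.NewCipher(hardcodedKey)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCFBDecrypter(block, hardcodedIV).XORKeyStream(out, ciphertext)
	return out
}

// sharedPrefixLeaks: with the same key and IV, CFB turns equal first 16
// plaintext bytes into equal first ciphertext blocks, so matching settings
// can be spotted across files without decrypting anything.
func sharedPrefixLeaks(a, b []byte) bool {
	if len(a) < aes.BlockSize || len(b) < aes.BlockSize {
		return false
	}
	ca, cb := encryptWeak(a), encryptWeak(b)
	return bytes.Equal(ca[:aes.BlockSize], cb[:aes.BlockSize])
}

// deriveKey turns a per-install secret (material kept outside the binary, for
// example protected by the OS credential store) into an AES key. SHA-256
// stands in for a proper KDF such as HKDF to keep the example short.
func deriveKey(installSecret []byte) []byte {
	sum := sha256.Sum256(append([]byte("config-key-v1:"), installSecret...))
	return sum[:]
}

// encryptPerInstall: random nonce per file, authenticated encryption
// (AES-GCM), nonce stored in front of the ciphertext.
func encryptPerInstall(installSecret, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(deriveKey(installSecret))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptPerInstall fails closed on a wrong secret or a modified blob.
func decryptPerInstall(installSecret, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(deriveKey(installSecret))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	cfg := []byte(`{"user":"admin","password":"hunter2"}`) // constructed sample config
	fmt.Printf("weak scheme, attacker decrypts: %s\n", decryptWeak(encryptWeak(cfg)))
	blob, _ := encryptPerInstall([]byte("per-install-secret"), cfg)
	_, err := decryptPerInstall([]byte("attacker-guess"), blob)
	fmt.Println("hardened scheme, wrong secret:", err)
}
```

The hardened path still depends on where the per-install secret lives; if it is written next to the config file it is no better than the constant in the binary. On Windows the usual answer is to let the OS credential store hold that material, which is also why the advisories' "local access" qualifier matters: the fix raises the bar to the user's own logon context rather than to anyone who can read the disk.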
F5 Breach Exposes BIG-IP Source Code — Nation-State Hackers Behind Massive Intrusion
U.S. cybersecurity company F5 on Wednesday disclosed that unidentified threat actors broke into its systems and stole files containing some of BIG-IP's source code and information related to undisclosed vulnerabilities in the product. It attributed the activity to a "highly sophisticated...
Malicious code in prettier-config-data-ui (npm)
The package prettier-config-data-ui was found to contain malicious code...
Malicious code in stylelint-config-data-ui (npm)
The package stylelint-config-data-ui was found to contain malicious code...
Malicious code in eslint-config-data-ui (npm)
The package eslint-config-data-ui was found to contain malicious code...
MAL-2025-34123 Malicious code in stylelint-config-data-ui (npm)
The package stylelint-config-data-ui was found to contain malicious code...
MAL-2025-19826 Malicious code in eslint-config-data-ui (npm)
The package eslint-config-data-ui was found to contain malicious code...
CVE-2025-55280
This vulnerability exists in ZKTeco WL20 due to storage of Wi-Fi credentials, configuration data and system data in plaintext within the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and reverse-engineering the binary data to access the...
CVE-2025-55169
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, a path traversal vulnerability was discovered in the WeGIA application, html/socio/sistema/downloadremessa.php endpoint. This vulnerability could allow an attacker to...
PT-2025-32886
Name of the Vulnerable Software and Affected Versions: WeGIA versions prior to 3.4.8 Description: WeGIA is a web manager focused on the Portuguese language and charitable institutions. A path traversal vulnerability exists in the html/socio/sistema/downloadremessa.php endpoint. This could allow ...
git: Git arbitrary code execution
A line-end handling flaw was found in Git. When writing a config entry, values with a trailing carriage return (CR) are not quoted, resulting in the CR being lost when the config is read later. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read,...
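The Git entry describes a write/read asymmetry: the writer emits a value with a trailing CR unquoted, the reader treats that CR as line-ending noise, and the value that comes back is not the value that went in. The program below is an added toy model of that round-trip, not Git's parser or its fix, and its config syntax is deliberately simplified (key = value lines, double quotes with backslash escapes). It shows the naive writer losing the CR of a constructed submodule path "sub\r", and a writer that quotes such values so the reader returns them byte for byte.

```go
package main

import (
	"fmt"
	"strings"
)

// writeEntryNaive models the flawed writer: the value is written as-is, so a
// trailing CR lands immediately before the LF and looks like line-ending noise.
func writeEntryNaive(key, value string) string {
	return key + " = " + value + "\n"
}

// needsQuoting is true for values the reader would otherwise alter: leading or
// trailing whitespace (CR included) or characters that need escaping.
func needsQuoting(value string) bool {
	return value != strings.Trim(value, " \t\r") || strings.ContainsAny(value, `"\`)
}

// writeEntryQuoted models the corrected writer: such values go inside double
// quotes, with backslash and quote escaped, so the CR is preserved literally.
func writeEntryQuoted(key, value string) string {
	if !needsQuoting(value) {
		return writeEntryNaive(key, value)
	}
	esc := strings.NewReplacer(`\`, `\\`, `"`, `\"`)
	return key + ` = "` + esc.Replace(value) + "\"\n"
}

// unquote reverses the escaping above.
func unquote(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] == '\\' && i+1 < len(s) {
			i++
		}
		b.WriteByte(s[i])
	}
	return b.String()
}

// readEntry models the reader: the line terminator (LF or CRLF) is stripped,
// an unquoted value loses its trailing whitespace, a quoted value is kept
// byte for byte.
func readEntry(line string) (key, value string) {
	line = strings.TrimRight(line, "\r\n")
	k, v, _ := strings.Cut(line, "=")
	key = strings.TrimSpace(k)
	v = strings.TrimLeft(v, " \t")
	if len(v) > 0 && v[0] == '"' {
		for i := 1; i < len(v); i++ {
			switch v[i] {
			case '\\':
				i++ // skip the escaped byte
			case '"':
				return key, unquote(v[1:i])
			}
		}
		return key, unquote(v[1:]) // unterminated quote: take the rest
	}
	return key, strings.TrimRight(v, " \t\r")
}

// roundTrip writes one entry with the given writer and reads it back.
func roundTrip(write func(key, value string) string, key, value string) string {
	_, got := readEntry(write(key, value))
	return got
}

func main() {
	path := "sub\r" // constructed submodule path with a trailing CR
	fmt.Printf("naive:  stored %q, read back %q\n", path, roundTrip(writeEntryNaive, "submodule.x.path", path))
	fmt.Printf("quoted: stored %q, read back %q\n", path, roundTrip(writeEntryQuoted, "submodule.x.path", path))
}
```

The security point is the mismatch, not the CR itself: whatever the recorded path is later used for (checkout location, hook lookup) operates on "sub" while the repository author controlled "sub\r". Any writer whose output is re-parsed by a reader that trims should quote, or reject, values the reader would change.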
CVE-2025-34031
A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem ...
Malicious code in just-config-data (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 8f014f07f8a3583cf07008dc133b2276390b17d34f6eae237b48210437247544 The OpenSSF Package Analysis project identified 'just-config-data' @ 0.0.3 npm as malicious. It is considered malicious because: - The package...
MAL-2025-4992 Malicious code in just-config-data (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 8f014f07f8a3583cf07008dc133b2276390b17d34f6eae237b48210437247544 The OpenSSF Package Analysis project identified 'just-config-data' @ 0.0.3 npm as malicious. It is considered malicious because: - The package...
PT-2025-5269
Name of the Vulnerable Software and Affected Versions: Envoy Gateway versions prior to 1.2.6 Description: A user with access to the Kubernetes cluster can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by Envoy Gateway. The admin interface can be used to...
PT-2025-1767 · Google · Optimize Your Campaigns – Google Shopping – Google Ads – Google Adwords Plugin For Wordpress
Name of the Vulnerable Software and Affected Versions: Optimize Your Campaigns – Google Shopping – Google Ads – Google Adwords plugin for WordPress versions up to, and including, 3.1 Description: The issue is related to the public accessibility of the print php information.php file, which allows...
CVE-2024-47160
JetBrains YouTrack before 2024.3.44799 is vulnerable to an issue where access to global application config data is possible without proper permissions. This CVE (CVE-2024-47160) is corroborated by multiple connected sources: Red Hat advisory, a Nessus plugin for JetBrains YouTrack
PT-2024-25911 · Softwarex · Softwarex
Name of the Vulnerable Software and Affected Versions: SoftwareX versions prior to 2.1.4 Description: The issue allows a regular user to view everyone's user flink information, including executeSQL and config, after successfully logging in. This is achieved by manually making a request using the...