1445 matches found
The Phone is Listening: A Cold War–Style Vulnerability in Modern VoIP
I don’t know about you, but when I think about “critical vulnerabilities,” I usually picture ransomware, data theft, or maybe a server falling over at 2 a.m. while someone frantically searches Slack for the last good backup. What I don’t picture is a scene straight out of a Cold War spy film...
CVE-2026-25729
DeepAudit is a multi-agent system for code vulnerability discovery. In 3.0.4 and earlier, there is an improper access control vulnerability in the /api/v1/users/ endpoint allows any authenticated user to enumerate all users in the system and retrieve sensitive information including email addresse...
CVE-2026-1431 Booking Calendar <= 10.14.13 - Missing Authorization to Unauthenticated Booking Details Exposure
The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbcajaxWPBCFLEXTIMELINENAV function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to retrieve booking information...
Cisco IP Phones Exposure of Sensitive Information to an Unauthorized Actor (CVE-2025-20336)
A vulnerability in the directory permissions of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability exists because the product expose...
CVE-2021-31795
The PowerVR GPU kernel driver in pvrsrvkm.ko through 2021-04-24 for the Linux kernel, as used on Alcatel 1S phones, allows attackers to overwrite heap memory via PhysmemNewRamBackedPMR...
CVE-2021-22327
There is an arbitrary memory write vulnerability in Huawei smart phone when processing file parsing. Due to insufficient validation of the input files, successful exploit could cause certain service abnormal. Affected product versions include:HUAWEI P30 versions 10.0.0.186C10E7R5P1,...
CVE-2019-18659
The Wireless Emergency Alerts WEA protocol allows remote attackers to spoof a Presidential Alert because cryptographic authentication is not used, as demonstrated by MessageIdentifier 4370 in LTE System Information Block 12 aka SIB12. NOTE: testing inside an RF-isolated shield box suggested that...
CVE-2019-11341
On certain Samsung P9.0 phones, an attacker with physical access can start a TCP Dump capture without the user's knowledge. This feature of the Service Mode application is available after entering the 9900 check code, but is protected by an OTP password. However, this password is created locally...
CVE-2024-41710
A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, through R6.4.0.HF1 R6.4.0.136 could allow an authenticated attacker with administrative privilege to conduct an argument injection attack, due to insufficient parameter...
CVE-2024-41711
A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, through R6.4.0.HF1 R6.4.0.136 could allow an unauthenticated attacker with physical access to the phone to conduct an argument injection attack, due to insufficient parameter...
CVE-2024-58314
Atcom 100M IP Phones firmware version 2.7.x.x contains an authenticated command injection vulnerability in the web configuration CGI script that allows attackers to execute arbitrary system commands. Attackers can inject shell commands through the 'cmd' parameter in webcgimain.cgi, enabling remot...
CVE-2024-58314
Atcom 100M IP Phones firmware version 2.7.x.x contains an authenticated command injection vulnerability in the web configuration CGI script that allows attackers to execute arbitrary system commands. Attackers can inject shell commands through the 'cmd' parameter in webcgimain.cgi, enabling remot...
EUVD-2024-55349
Atcom 100M IP Phones firmware version 2.7.x.x contains an authenticated command injection vulnerability in the web configuration CGI script that allows attackers to execute arbitrary system commands. Attackers can inject shell commands through the 'cmd' parameter in webcgimain.cgi, enabling remot...
CVE-2024-58314 Atcom 2.7.x.x Authenticated Command Injection via Web Configuration CGI
Atcom 100M IP Phones firmware version 2.7.x.x contains an authenticated command injection vulnerability in the web configuration CGI script that allows attackers to execute arbitrary system commands. Attackers can inject shell commands through the 'cmd' parameter in webcgimain.cgi, enabling remot...
PT-2025-50974
Name of the Vulnerable Software and Affected Versions Atcom 100M IP Phones versions 2.7.x.x Description The software contains an authenticated command injection issue in the web configuration CGI script. This allows attackers to execute arbitrary system commands. The cmd parameter within the 'web...
A week in security (November 17 – November 23)
Last week on Malwarebytes Labs: AI teddy bear for kids responds with sexual content and advice about weapons Fake calendar invites are spreading. Here’s how to remove them and prevent more Budget Samsung phones shipped with unremovable spyware, say researchers What the Flock is happening with...
CVE-2025-52663
A vulnerability was identified in certain UniFi Talk devices where internal debugging functionality remained unintentionally enabled. This issue could allow an attacker with access to the UniFi Talk management network to invoke internal debug operations through the device API. Affected Products:...
CVE-2025-52663
A vulnerability was identified in certain UniFi Talk devices where internal debugging functionality remained unintentionally enabled. This issue could allow an attacker with access to the UniFi Talk management network to invoke internal debug operations through the device API. Affected Products:...
Ubiquiti多款产品 安全漏洞
Ubiquiti UniFi Talk Touch, among others, is an IP phone from Ubiquiti USA. A security vulnerability exists in various Ubiquiti products, which stems from an unintentional enablement of the internal debugging feature, which could allow an attacker to invoke internal debugging operations via the...
CVE-2025-52663
A vulnerability was identified in certain UniFi Talk devices where internal debugging functionality remained unintentionally enabled. This issue could allow an attacker with access to the UniFi Talk management network to invoke internal debug operations through the device API. Affected Products:...