Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the deployments configured with ACME and SCEP provisioners. An attacker can gain unauthorized access to sensitive resources by bypassing authorization controls. Remediation Upgrade...
Claude Code Command Validation Bypass Allows Arbitrary Code Execution
Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. Users on...
WhiteLie: A Robust System for Spoofing User Data in Android Platforms
Android employs a permission framework that empowers users to either accept or deny sharing their private data (for example, location) with an app. However, many apps tend to crash when they are denied a permission, leaving users no choice but to allow access to their data in order to use the app. In...
IoTEdu: Access Control, Detection, and Automatic Incident Response in Academic IoT Networks
The growing presence of IoT devices in academic environments has increased operational complexity and exposed security weaknesses, especially in academic institutions without unified policies for registration, monitoring, and incident response involving IoT. This work presents IoTEdu, an integrat...
WordPress Autochat Automatic Conversation plugin <= 1.1.9 - Missing Authorization to Unauthenticated Settings Update vulnerability
Missing Authorization to Unauthenticated Settings Update vulnerability discovered by Legion Hunter in WordPress Plugin Autochat Automatic Conversation versions <= 1.1.9...
WordPress plugin Autochat Automatic Conversation security vulnerability
WordPress Autochat Automatic Conversation plugin is an automated chat plugin designed for WordPress, which is mainly used to automate the communication between website visitors and merchants. WordPress Autochat Automatic Conversation plugin suffers from an unauthorized data modification...
Malicious code in @posthog/automatic-cohorts-plugin (npm)
Source: amazon-inspector 6bf3963e4ab04b6b37d6cbb3f237a7b5577ddd854a7249a30f8b78dcc063af97 The package @posthog/automatic-cohorts-plugin was found to contain malicious code. Source: google-open-source-security...
EUVD-2025-198952
Malicious code in @posthog/automatic-cohorts-plugin npm...
GHSA-7MV8-J34Q-VP7Q @anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes
Due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the...
EUVD-2025-198295
Lite XL versions 2.1.8 and prior automatically execute the .liteproject.lua file when opening a project directory, without prompting the user for confirmation. The .liteproject.lua file is intended for project-specific configuration but can contain executable Lua logic. This behavior could allow...
CVE-2025-12120
Lite XL versions 2.1.8 and prior automatically execute the .liteproject.lua file when opening a project directory, without prompting the user for confirmation. The .liteproject.lua file is intended for project-specific configuration but can contain executable Lua logic. This behavior could allow...
PT-2025-47576
🎯 Real scan results: 11 subdomains → 4m 35s ✅ Found nginx/1.18.0 🔴 Detected CVE-2021-4567 HIGH 🤖 AI provided patch + remediation All automatic. All local. All free. This is recon in 2025 👀 bugbountytips cve appsec...
Claude Code vulnerable to command execution prior to startup trust dialog
When using Claude Code with Yarn installed, Yarn config files can trigger code execution when running yarn --version. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins and yarnPath could be executed prior to the user accepting the risks of working in an untruste...
EUVD-2025-197937
The Permalinks Cascade plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action in the handleTPCAdminAjaxRequest function. This makes it possible for...
Siemens SIPROTEC 5 Allocation of Resources Without Limits or Throttling (CVE-2025-40570)
Affected devices do not properly limit the bandwidth for incoming network packets over their local USB port. This could allow an attacker with physical access to send specially crafted packets at high bandwidth to the affected devices, thus forcing them to exhaust their memory and stop respondin...
Fedora 44 : kubernetes1.34 (2025-eeedae8757)
The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-eeedae8757 advisory. Automatic update for kubernetes1.34-1.34.2-1.fc44. Changelog Fri Nov 14 2025 Bradley G Smith - 1.34.2-1 - Update to release v1.34.2 - Resolves:...
Malicious code in wezen-mutation-ora-grunt (npm)
Source: amazon-inspector 785a2cd14109740cafff9a8e5b31c61ce4568134f9abfba94196cfe4cfa0d4d5 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in cz-conventional-changelog-blitz-steganography-lacerta (npm)
Source: amazon-inspector 730ff285678049eb66e80db3988bb6718e03f59c281d112d5768eb338419befa This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-186113 Malicious code in changelog-multiverse-heliophysics-regulus (npm)
Source: amazon-inspector 3d26b7c4b39b23830057045d4ac69e6039758294f45b8f6197cf5f5af279e466 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...