webkitgtk: A website may be able to access sensor information without user consent
A flaw was found in WebKitGTK. A malicious website can obtain access to sensor information without user consent due to improper handling of caches...
EUVD-2018-16891
Malware in sbrugna...
EUVD-2022-52726
Malicious code in bioql PyPI...
EUVD-2025-8854
Malicious code in bioql PyPI...
CVE-2025-20701
In the Airoha Bluetooth audio SDK, there is a possible way to pair Bluetooth audio device without user consent. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2024-49732
In multiple functions of CompanionDeviceManagerService.java, there is a possible way to grant permissions without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...
CVE-2023-42468
The com.cutestudio.colordialer application through 2.1.8-2 for Android allows a remote attacker to initiate phone calls without user consent, because of improper export of the com.cutestudio.dialer.activities.DialerActivity component. A third-party application without any permissions can craft an...
CVE-2023-34246
Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previously approved. Public clients are inherently vulnerable to impersonation, their identity cannot...
CVE-2021-39768
In Settings, there is a possible way to add an auto-connect WiFi network without the user's consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product:...
PT-2025-14005 · Apple · Safari +4
Name of the Vulnerable Software and Affected Versions: Safari versions prior to 18.4; iOS versions prior to 18.4; iPadOS versions prior to 18.4; macOS Sequoia versions prior to 15.4. Description: The issue allows a website to access sensor information without user consent. This can be achieved by...
GHSA-CW7Q-5CGC-H3H9 Mattermost fail to prompt for explicit approval before adding a team admin to a private channel
Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which leads to team admins joining private channels via crafted permalink links without explicit consent from them...
CVE-2025-27715 Auto-Enrollment of Team Admins into Private Channels without explicit consent
Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which leads to team admins joining private channels via crafted permalink links without explicit consent from them...
CVE-2024-54463
This issue was addressed with improved entitlements. This issue is fixed in macOS Sequoia 15. An app may be able to access removable volumes without user consent...
CVE-2024-54463
CVE-2024-54463 affects macOS Sequoia 15, where an app could access removable volumes without user consent due to insufficient entitlement checks. Apple fixed the issue in Sequoia 15 by improving entitlements handling. Practical impact per sources: potential leakage of data from removable volumes if an app la...
Account Takeover
Socialstream is vulnerable to Account Takeover. The vulnerability is due to the lack of a confirmation step when linking social accounts and the potential use of ->stateless in the Socialite configuration, which allows an attacker to link a social account to an authenticated user's account without...
Wireless carriers fined $200 million after illegally sharing customer location data
After four years of investigation, the Federal Communications Commission (FCC) has concluded that four of the major wireless carriers in the US violated the law in sharing access to customers' location data. The FCC fined AT&T, Sprint, T-Mobile, and Verizon a total of almost $200 million for...
Functions addCredit(...) and increaseCredit(...) can lock lender’s ETH forever
Lines of code · Vulnerability details · Impact: In the LineOfCredit contract, both functions addCredit... and increaseCredit... require mutual consent between lender and borrower. If the lender is tricked by the borrower, or by mistake, the lender's ETH will be locked in the contract forever. function addCredit uint128...