
12611 matches found

NVD
added 2025/11/27 6:15 p.m., 40 views

CVE-2025-12421

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email...

CVSS 9.9, EPSS 0.0031
Exploits 0, References 1
Vulnrichment
added 2025/11/27 5:47 p.m., 5 views

CVE-2025-12421 Account Takeover via Code Exchange Endpoint

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email...

CVSS 9.9, AI score 6.8, EPSS 0.0031
Exploits 0, References 1
CVE
added 2025/11/27 5:47 p.m., 136 views

CVE-2025-12421

Mattermost suffers an authentication-tampering vulnerability (CVE-2025-12421) where the token used during code exchange is not verified to originate from the same authentication flow. Affected versions include 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, and 10.5.x

CVSS 9.9, AI score 6.8, EPSS 0.0031
Exploits 0, References 1, Affected Software 1
Cvelist
added 2025/11/27 5:47 p.m., 26 views

CVE-2025-12421 Account Takeover via Code Exchange Endpoint

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email...

CVSS 9.9, EPSS 0.0031
Exploits 0, References 1
RedhatCVE
added 2025/11/27 6:54 a.m., 4 views

CVE-2025-64333

A flaw was found in Suricata. This vulnerability allows a stack overflow, leading to a crash, via a large HTTP (Hypertext Transfer Protocol) content type when logged...

CVSS 7.5, AI score 6.5, EPSS 0.00278
Exploits 0, References 4
Packet Storm
added 2025/11/27 12:00 a.m., 161 views

Monsta FTP DownloadFile Remote Code Execution

This Metasploit module exploits a pre-authenticated remote code execution vulnerability in Monsta FTP versions prior to 2.11.3. The vulnerability exists in the downloadFile action which allows an attacker to connect to a malicious FTP or SFTP server and download arbitrary files to arbitrary...

CVSS 9.8, AI score 8.1, EPSS 0.72536
Exploits 6
The Hacker News
added 2025/11/26 11:10 a.m., 9 views

Chrome Extension Caught Injecting Hidden Solana Transfer Fees Into Raydium Swaps

Cybersecurity researchers have discovered a new malicious extension on the Chrome Web Store that's capable of injecting a stealthy Solana transfer into a swap transaction and transferring the funds to an attacker-controlled cryptocurrency wallet. The extension, named Crypto Copilot, was first...

AI score 6.8
Exploits 0
Hacker One
added 2025/11/26 8:34 a.m., 21 views

curl: Infinite loop issue in the state machine of the curl project

Summary: Vulnerability impact: When curl attempts to download files from a malicious FTP server, it triggers an infinite loop in the code execution. I discovered this issue in the FTP functionality of the curl project. As described in...

AI score 7.6
Exploits 0
CNNVD
added 2025/11/26 12:00 a.m., 5 views

Suricata security vulnerability

Suricata is a network IDS, IPS and NSM engine from the Open Information Security Foundation. A security vulnerability exists in Suricata versions prior to 7.0.13 and prior to 8.0.2, which stems from a stack overflow during large HTTP file transfers that could lead to a crash...

CVSS 7.5, AI score 6.5, EPSS 0.00278
Exploits 0, References 1
OSV
added 2025/11/25 10:18 p.m., 5 views

JLSEC-2025-252 An Invalid Address dereference was discovered in TIFFWriteDirectoryTagTransferfunction in libtiff/ti...

An Invalid Address dereference was discovered in TIFFWriteDirectoryTagTransferfunction in libtiff/tif_dirwrite.c in LibTIFF 4.0.10, affecting the cpSeparateBufToContigBuf function in tiffcp.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted TIFF file...

CVSS 6.5, AI score 6.7, EPSS 0.03372
Exploits 1, References 8
Ubuntu
added 2025/11/25 12:54 p.m., 7 views

USN-7887-2: Linux kernel (Raspberry Pi) vulnerabilities

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - ARM64 architecture; - PowerPC architecture; - x86 architecture; - ACPI drivers; - Ublk userspace block driver; -...

CVSS 8.8, AI score 7, EPSS 0.00571
Exploits 1
EUVD
added 2025/11/25 7:21 a.m., 3 views

EUVD-2025-199588

Security Point Windows of MaLion and MaLionCloud contains a stack-based buffer overflow vulnerability in processing HTTP headers. Receiving a specially crafted request from a remote unauthenticated attacker could lead to arbitrary code execution with SYSTEM privilege...

CVSS 9.8, AI score 7.8, EPSS 0.00593
Exploits 0, References 3
Cvelist
added 2025/11/25 3:27 a.m., 12 views

CVE-2025-10646 Search Exclude <= 2.5.7 – Missing Authorization to Authenticated (Contributor+) Search Settings Modification via REST API

The Search Exclude plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the Base::get_rest_permission method in all versions up to, and including, 2.5.7. This makes it possible for authenticated attackers, with Contributor-level access an...

CVSS 4.3, EPSS 0.00159
Exploits 0, References 2
Packet Storm News
added 2025/11/25 12:00 a.m., 8 views

From One Attack Domain to Another: Contrastive Transfer Learning with Siamese Networks for APT Detection

Advanced Persistent Threats (APTs) pose a major cybersecurity challenge due to their stealth, persistence, and adaptability. Traditional machine learning detectors struggle with class imbalance, high-dimensional features, and scarce real-world traces. They often lack transferability, performing well ...

AI score 6.8
Exploits 0
GithubExploit
added 2025/11/24 4:56 a.m., 157 views

echidna-credit-union-race-CTF

NOISYECHIDNA — Race Condition CTF This repository implements...

AI score 6.9
Exploits 0
RedhatCVE
added 2025/11/21 9:33 p.m., 8 views

CVE-2025-36160

IBM Concert 1.0.0 through 2.0.0 could disclose sensitive server information from HTTP response headers that could aid in further attacks against the system...

CVSS 7.5, AI score 5.2, EPSS 0.00222
Exploits 0, References 1
NCSC
added 2025/11/21 4:06 p.m., 7 views

Vulnerability fixed in Progress MOVEit Transfer

Progress has fixed a vulnerability in MOVEit Transfer, specifically for versions before 2024.1.8 and from 2025.0.0 to before 2025.0.4. The vulnerability involves a server-side request forgery (SSRF). This vulnerability allows attackers to send unauthorized requests from the server, which can lead to...

CVSS 6.9, AI score 6.8, EPSS 0.00233
Exploits 0, References 3
RedhatCVE
added 2025/11/20 9:36 p.m., 10 views

CVE-2025-13147

Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer. This issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4...

CVSS 5.3, AI score 7, EPSS 0.00233
Exploits 0, References 1
Packet Storm News
added 2025/11/20 12:00 a.m., 7 views

Multi-Faceted Attack: Exposing Cross-Model Vulnerabilities in Defense-Equipped Vision-Language Models

The growing misuse of Vision-Language Models (VLMs) has led providers to deploy multiple safeguards, including alignment tuning, system prompts, and content moderation. However, the real-world robustness of these defenses against adversarial attacks remains underexplored. We introduce Multi-Faceted...

AI score 7.3
Exploits 0
Tenable Nessus
added 2025/11/20 12:00 a.m., 3 views

TencentOS Server 4: cpp-httplib (TSSA-2025:0374)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2025:0374 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...

CVSS 7.5, AI score 7.2, EPSS 0.00603
Exploits 1, References 2