Lucene search

2639 matches found

GithubExploit
added 2025/12/15 12:22 p.m., 166 views

Exploit for OS Command Injection in Vsftpd_Project Vsftpd

Lab: Exploiting the VSFTPD 2.3.4 Backdoor. Table of Contents...

CVSS 10, AI score 7.1, EPSS 0.94282
Exploits: 25
Veracode
added 2025/12/13 5:00 a.m., 6 views

Missing Authorization

Jenkins MCP Server Plugin is vulnerable to Missing Authorization. The vulnerability is due to missing permission checks in multiple MCP tools, which allows an attacker to trigger builds and access sensitive information related to job and cloud configurations without proper authorization...

CVSS 5.4, AI score 5.8, EPSS 0.00017
Exploits: 0, References: 4, Affected Software: 1
Veracode
added 2025/12/13 4:33 a.m., 11 views

XML External Entity (XXE)

org.jenkins-ci.plugins, generic-webhook-trigger is vulnerable to XML External Entity (XXE) injection. The vulnerability is due to improper XML parser configuration that does not disable external entity processing, which allows an attacker to exploit crafted XML input to access sensitive information or perfor...

CVSS 9.8, AI score 7.3, EPSS 0.00213
Exploits: 0, References: 5, Affected Software: 1
NVD
added 2025/12/12 5:16 a.m., 2 views

CVE-2025-53523

Stored cross-site scripting vulnerabilities exist in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. A logged-in user can prepare a malicious page or URL, and an arbitrary script may be executed on the web browser when...

CVSS 5.4, EPSS 0.00024
Exploits: 0, References: 2
Packet Storm News
added 2025/12/11 12:00 a.m., 2 views

Authority Backdoor: A Certifiable Backdoor Mechanism for Authoring DNNs

Deep Neural Networks (DNNs), as valuable intellectual property, face unauthorized use. Existing protections, such as digital watermarking, are largely passive; they provide only post-hoc ownership verification and cannot actively prevent the illicit use of a stolen model. This work proposes a...

AI score 6.7
Exploits: 0
Tenable Nessus
added 2025/12/11 12:00 a.m., 1 view

Unity Linux 20.1050e Security Update: kernel (UTSA-2025-991205)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-991205 advisory. In the Linux kernel, the following vulnerability has been resolved: iio: trigger: sysfs: fix possible memory leak in iio_sysfs_trig_init() dev_set_name() allocates memory for...

CVSS 5.5, AI score 6.1, EPSS 0.00063
Exploits: 0, References: 4
Tenable Nessus
added 2025/12/11 12:00 a.m., 2 views

Unity Linux 20.1050e Security Update: kernel (UTSA-2025-991214)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-991214 advisory. In the Linux kernel, the following vulnerability has been resolved: iio: adc: at91_adc: fix possible memory leak in at91_adc_allocate_trigger() If iio_trigger_register() retur...

CVSS 5.5, AI score 6.1, EPSS 0.00063
Exploits: 0, References: 4
GithubExploit
added 2025/12/10 9:53 a.m., 168 views

Exploit for Deserialization of Untrusted Data in Apache Tomcat

CVE-2025-24813-PoC-exploit Apache Tomcat Deserialization RCE...

CVSS 10, AI score 7.3, EPSS 0.9413
Exploits: 44
RedhatCVE
added 2025/11/21 1:34 p.m., 4 views

CVE-2025-41076

In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the MySQL/MariaDB database...

CVSS 6.9, AI score 6.7, EPSS 0.00041
Exploits: 0, References: 1
NVD
added 2025/11/19 5:16 a.m., 9 views

CVE-2025-12349

The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the...

CVSS 5.3, EPSS 0.00168
Exploits: 0, References: 4
Cvelist
added 2025/11/19 4:28 a.m., 7 views

CVE-2025-12349 Email Subscribers & Newsletters <= 5.9.10 - Missing Authentication to Unauthenticated Mailing Queue Trigger

The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the...

CVSS 5.3, EPSS 0.00168
Exploits: 0, References: 4
Vulnrichment
added 2025/11/19 4:28 a.m., 2 views

CVE-2025-12349 Email Subscribers & Newsletters <= 5.9.10 - Missing Authentication to Unauthenticated Mailing Queue Trigger

The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the...

CVSS 5.3, AI score 5.7, EPSS 0.00168
Exploits: 0, References: 4
CVE
added 2025/11/19 4:28 a.m., 12 views

CVE-2025-12349

CVE-2025-12349 concerns the WordPress plugin Icegram Express – Email Subscribers, Newsletters and Marketing Automation. The vulnerability is a missing authorization check in the function trigger_mailing_queue_sending, allowing unauthenticated actors to force immediate email sending, bypass the ...

CVSS 5.3, AI score 5.7, EPSS 0.00168
Exploits: 0, References: 4
Tenable Nessus
added 2025/11/18 12:00 a.m., 2 views

Siemens SCALANCE and RUGGEDCOM Devices Improper Input Validation (CVE-2024-56705)

media: atomisp: In ia_css_3a_statistics_allocate(), there is no check on the allocation result of the rgby_data memory. If rgby_data is not successfully allocated, it may trigger the assert(host_stats->rgby_data) assertion in ia_css_s3a_hmem_decode(). This plugin only works with Tenable.ot. Please visit...

CVSS 5.5, AI score 6.8, EPSS 0.00003
Exploits: 0, References: 3
CNNVD
added 2025/11/16 12:00 a.m., 3 views

DataX-Web Access Control Error Vulnerability

DataX-Web is a distributed data synchronization tool built on top of DataX by the individual developer WeiYe. An access control error vulnerability exists in DataX-Web 2.1.2 and earlier versions, which stems from incorrect handling of the functions remove/update/pause/start/triggerJob in the...

CVSS 8.8, AI score 6.4, EPSS 0.00051
Exploits: 1, References: 5
OSV
added 2025/11/14 5:24 p.m., 1 view

MAL-2025-191810 Malicious code in pam98wyfupa98w (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 be7177fd2d56b518724377233ca5eda13a07f6252e400cfb4c1115db456b5fd8 Importing the module starts a reverse shell --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2025-11-d1n0...

AI score 7.5
Exploits: 0, References: 1
OSSF Malicious Packages
added 2025/11/14 5:22 p.m., 4 views

Malicious code in d1n0exploitaaaa (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 7ecd01d9010a3e9192c6636d4ddefa1e493438b1bbf65002e8daf6a014067692 Importing the module starts a reverse shell --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2025-11-d1n0...

AI score 7.6
Exploits: 0, References: 1
Packet Storm News
added 2025/11/13 12:00 a.m., 6 views

MTAttack: Multi-Target Backdoor Attacks against Large Vision-Language Models

Recent advances in Large Vision-Language Models (LVLMs) have demonstrated impressive performance across various vision-language tasks by leveraging large-scale image-text pretraining and instruction tuning. However, the security vulnerabilities of LVLMs have become increasingly concerning,...

AI score 7
Exploits: 0
Packet Storm News
added 2025/11/13 12:00 a.m., 3 views

AFLGopher: Accelerating Directed Fuzzing Via Feasibility-Aware Guidance

Directed fuzzing is a useful testing technique that aims to efficiently reach target code sites in a program. The core of directed fuzzing is the guiding mechanism that directs the fuzzing to the specified target. A general guiding mechanism adopted in existing directed fuzzers is to calculate th...

AI score 7.2
Exploits: 0
CVE
added 2025/11/08 3:27 a.m., 11 views

CVE-2025-12177

CVE-2025-12177 affects the WordPress Download Manager plugin (versions ≤ 3.3.30). The root cause is a hardcoded Cron key that enables unauthenticated triggering of deleteExpired() and clearTempDataCPCron(). This can lead to deletion of expired posts and clearing of cache. The vulnerability is con...

CVSS 5.3, AI score 5.7, EPSS 0.00153
Exploits: 0, References: 2