CVE-2025-5955
The Service Finder SMS System plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.0. This is due to the plugin not verifying a user’s phone number before...
The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘user_ids’ parameter in all versions up to, and including, 3.3.23 due to insufficient input sanitization and output escaping. This makes...
The Kubio AI Page Builder plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the kubio-image-hub-install-plugin AJAX action in all versions up to, and including, 2.6.3. This...
In the @digitalocean/do-markdownit package through 1.16.1 (in npm), the callout and fence_environment plugins perform .includes substring matching if allowedClasses or allowedEnvironments is a string (instead of an array). More information: https://gist.github.com/thesmartshadow/dd19665f1f51a4e3c7a766e70c9eafd0
There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X12STW. An attacker can update the system firmware with a specially crafted image. More information: https://www.supermicro.com/en/support/security_BMC_IPMI_Sept_2025
SMSEagle before 6.11 allows reflected XSS via a username or contact phone number. More information: https://www.smseagle.eu/security-advisory/resolved-xss-in-smseagle-software-6-11/
In Internet2 Grouper 5.17.1 before 5.20.5, group admins who are not Grouper sysadmins can configure loader jobs. More information: https://spaces.at.internet2.edu/display/Grouper/Grouper+bug+-+GRP-6311+-+non-Grouper-admins+can+configure+loader+jobs
Snipe-IT before 8.1.18 allows unsafe deserialization. More information: https://github.com/grokability/snipe-it/releases/tag/v8.1.18
Snipe-IT before 8.1.18 allows XSS. More information: https://github.com/grokability/snipe-it/releases/tag/v8.1.18
The Goza – Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to unauthorized arbitrary file uploads due to a missing capability check on the ‘beplus_import_pack_install_plugin’ function in all versions up to, and including,...
There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X13SEM-F. An attacker can update the system firmware with a specially crafted image. More information: https://www.supermicro.com/en/support/security_BMC_IPMI_Sept_2025
OpenGrok 1.14.1 has a reflected Cross-Site Scripting (XSS) issue when producing the cross reference page. This happens through improper handling of the revision parameter. The application reflects unsanitized user input into the HTML output....
PureVPN client applications on Linux through September 2025 allow IPv6 traffic to leak outside the VPN tunnel upon network events such as Wi-Fi reconnect or system resume. In the CLI client, the VPN auto-reconnects...
PureVPN client applications on Linux through September 2025 mishandle firewalling. They flush the system’s existing iptables rules and apply default ACCEPT policies when connecting to a VPN server. This removes firewall rules that may...