Trending now

CVE-2024-37079 is a heap-overflow vulnerability found within the DCERPC protocol implementation of VMware vCenter Server. This flaw allows a malicious actor with network access to the vCenter Server to send specially crafted network packets. Successful exploitation of this vulnerability can lead to remote code execution on the affected server. This vulnerability has been observed to be actively exploited in the wild.

CVE-2025-59718 is a vulnerability affecting Fortinet's FortiOS, FortiProxy, and FortiSwitchManager. It stems from an improper verification of cryptographic signatures, which could allow an unauthenticated attacker to bypass FortiCloud Single Sign-On (SSO) login authentication. This bypass is possible through a crafted Security Assertion Markup Language (SAML) message, but only if the FortiCloud SSO login feature is enabled on the device. The FortiCloud SSO login feature is not enabled by default in factory settings. However, it becomes enabled when an administrator registers the device with FortiCare via the GUI, unless the administrator specifically disables the "Allow administrative login using FortiCloud SSO" option during registration.

CVE-2025-34164 describes a heap-based buffer overflow vulnerability found in NetSupport Manager 14.x versions preceding 14.12.0000. This flaw allows a remote, unauthenticated attacker to potentially trigger a denial of service (DoS) condition or execute arbitrary code on affected systems.

CVE-2025-34165 describes a stack-based buffer overflow vulnerability found in NetSupport Manager versions prior to 14.12.0000. This flaw allows a remote and unauthenticated attacker to trigger a denial of service (DoS) condition. Additionally, the vulnerability could potentially lead to the leakage of a limited amount of memory from the affected system.

CVE-2025-2294 is a Local File Inclusion (LFI) vulnerability found in the Kubio AI Page Builder plugin for WordPress, affecting versions up to and including 2.5.1. The vulnerability exists within the `kubio_hybrid_theme_load_template` function. This flaw allows unauthenticated attackers to include and execute arbitrary files on the server. By exploiting this, attackers can execute PHP code, bypass access controls, and potentially obtain sensitive data. In scenarios where attackers can upload files, such as images, they can include and execute them to run malicious PHP code.

CVE-2025-51683 identifies a blind SQL Injection (SQLi) vulnerability present in mJobtime version 15.7.2. This flaw enables unauthenticated attackers to execute arbitrary SQL statements. The vulnerability is exploited by sending a specially crafted POST request to the `/Default.aspx/update_profile_Server` endpoint. This issue was uncovered during an external penetration test and could potentially lead to remote code execution and the leakage of sensitive information.

CVE-2025-54068 is a remote command execution (RCE) vulnerability found in Livewire, a full-stack framework for Laravel. Specifically, it affects Livewire v3 versions up to and including v3.6.3. The vulnerability stems from how certain component property updates are handled during hydration, which could allow unauthenticated attackers to execute arbitrary code. Exploitation requires a component to be mounted and configured in a particular way but does not require authentication or user interaction. The vulnerability lies in the `hydrateForUpdate` method within the `Livewire\Mechanisms\HandleComponents\HandleComponents` class. A specially crafted update payload can bypass validation and sanitization during the hydration process, causing the framework to interpret untrusted input as executable code. This issue has been patched in Livewire v3.6.4, and users are strongly encouraged to upgrade to this version or later as soon as possible. There are no known workarounds.

CVE-2025-14174 is an out-of-bounds memory access vulnerability found in ANGLE, a component of Google Chrome. The vulnerability could allow a remote attacker to perform out-of-bounds memory access via a crafted HTML page. Google is aware that an exploit for this vulnerability exists in the wild. Apple also addressed CVE-2025-14174, describing it as a memory corruption flaw in WebKit that could lead to memory corruption. Apple indicated that this vulnerability may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.

CVE-2025-43529 is a use-after-free vulnerability in WebKit that can be exploited by processing maliciously crafted web content. Google's Threat Analysis Group discovered this flaw. Apple has released security updates for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and Safari to address this vulnerability, as it may have been exploited in targeted attacks against specific individuals using versions of iOS before iOS 26. Devices impacted include iPhone 11 and later, iPad Pro 12.9-inch (3rd generation and later), iPad Pro 11-inch (1st generation and later), iPad Air (3rd generation and later), iPad (8th generation and later), and iPad mini (5th generation and later).

CVE-2025-13878 is a vulnerability affecting BIND 9, a widely used DNS server software. The flaw allows remote attackers to crash DNS servers by sending specially crafted, malformed DNS records. Specifically, the vulnerability stems from improper handling of malformed BRID (Breadth-first Record ID) and HHIT (Host Hash Information Table) records within BIND 9's `named` daemon. When a vulnerable BIND 9 server processes these malicious records, the `named` daemon terminates unexpectedly, leading to a complete service outage. This denial-of-service (DoS) condition impacts both authoritative nameservers and DNS resolvers. The vulnerability affects various BIND 9 versions, including 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, and 9.21.12 through 9.21.16, as well as corresponding BIND SPE (Preview) versions.