Security
Headlines
HeadlinesLatestCVEs

Tag

#vulnerability

Next.js Middleware Flaw Lets Attackers Bypass Authorization

Researchers have uncovered a critical vulnerability (CVE-2025-29927) in Next.js middleware, allowing authorization bypass. Learn about the exploit and fixes.

HackRead
#vulnerability#web#dos#js#java#auth
About Remote Code Execution – Veeam Backup & Replication (CVE-2025-23120) vulnerability

About Remote Code Execution – Veeam Backup & Replication (CVE-2025-23120) vulnerability. Veeam B&R is a client-server software solution for centralized backup of virtual machines in VMware vSphere and Microsoft Hyper-V environments. A deserialization flaw (CWE-502) lets an attacker run arbitrary code on a Veeam server. The necessary conditions: the Veeam server must be part of […]

GHSA-3p6v-hrg8-8qj7: @mozilla/readability Denial of Service through Regex

Specially crafted titles may have caused a regular expression to excessively backtrack and cause a local denial of service. Additional Details are [available at Bugzilla](https://bugzilla.mozilla.org/show_bug.cgi?id=1948833) Credit: DayShift

EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware

The threat actor known as EncryptHub exploited a recently-patched security vulnerability in Microsoft Windows as a zero-day to deliver a wide range of malware families, including backdoors and information stealers such as Rhadamanthys and StealC. "In this attack, the threat actor manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payload,

Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks

Google has released out-of-band fixes to address a high-severity security flaw in its Chrome browser for Windows that it said has been exploited in the wild as part of attacks targeting organizations in Russia.  The vulnerability, tracked as CVE-2025-2783, has been described as a case of "incorrect handle provided in unspecified circumstances in Mojo on Windows." Mojo refers to a

New Security Flaws Found in VMware Tools and CrushFTP — High Risk, No Workaround

Broadcom has issued security patches to address a high-severity security flaw in VMware Tools for Windows that could lead to an authentication bypass. Tracked as CVE-2025-22230, the vulnerability is rated 7.8 on the ten-point Common Vulnerability Scoring System (CVSS). "VMware Tools for Windows contains an authentication bypass vulnerability due to improper access control," Broadcom said in an

GHSA-5565-3c98-g6jc: WildFly Elytron OpenID Connect Client ExtensionOIDC authorization code injection attack

### Impact A vulnerability was found in OIDC-Client. When using the elytron-oidc-client subsystem with WildFly, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack. ### Patches [2.2.9.Final](https://github.com/wildfly-security/wildfly-elytron/releases/tag/2.2.9.Final) [2.6.2.Final](https://github.com/wildfly-security/wildfly-elytron/releases/tag/2.6.2.Final) ### Workarounds Currently, no mitigation is currently available for this vulnerability. ### References https://nvd.nist.gov/vuln/detail/CVE-2024-12369 https://access.redhat.com/security/cve/CVE-2024-12369 https://bugzilla.redhat.com/show_bug.cgi?id=2331178 https://issues.redhat.com/browse/ELY-2887

GHSA-7287-grhx-542x: Pixelfed may allow unauthorized actor to view private posts and private users

Pixelfed before 0.12.5 allows anyone to follow private accounts and see private posts on other Fediverse servers. This affects users elsewhere in the Fediverse, if they otherwise have any followers from a Pixelfed instance.

Satellite Navigation Systems Facing Rising Jamming and Spoofing Attacks

Satellite navigation systems are under rising threat from jamming and spoofing attacks, risking aviation, maritime, and telecom safety worldwide, warn global agencies.

GHSA-qrv3-jc3h-f3m6: Frappe vulnerable to information disclosure leading to account takeover

### Impact Making crafted requests could lead to information disclosure that could further lead to account takeover. ### Workarounds There's no workaround to fix this without upgrading. ### Credits Thanks to Thanh of Calif.io for reporting the issue