Monthly
Insufficient entropy in cookie encryption within Auth0 PHP SDK versions 8.0.0 through 8.18.x enables brute-force attacks against session cookie encryption keys, potentially allowing authenticated threat actors with network access to forge arbitrary session cookies and bypass authentication controls. Vendor-released patch available in version 8.19.0. No public exploit identified at time of analysis, though CVSS score of 8.2 reflects high severity due to potential for complete authentication bypass with cross-scope impact.
Telerik Ui For Asp.Net Ajax versions up to 2026.1.225 contains a vulnerability that allows attackers to collisions and file content tampering (CVSS 5.3).
An insufficient entropy vulnerability was found in glibc. The getrandom and arc4random family of functions may return predictable randomness if these functions are called again after the fork, which happens concurrently with a call to any of these functions. [CVSS 4.8 MEDIUM]
The Micca KE700 system relies on a 6-bit portion of an identifier for authentication within rolling codes, providing only 64 possible combinations. This low entropy allows an attacker to perform a brute-force attack against one component of the rolling code.
DPA countermeasures in Silicon Labs' Series 2 devices are not reseeded under certain conditions. This may allow an attacker to eventually extract secret keys through a DPA attack.
Rapid7 Nexpose versions 6.4.50 and later are vulnerable to an insufficient entropy issue in the CredentialsKeyStorePassword.generateRandomPassword() method.
Vx800V Firmware contains a vulnerability that allows attackers to high impact to confidentiality, integrity, and availability of transmitted data (CVSS 8.8).
SM2 elliptic curve implementations in RustCrypto versions 0.14.0-pre.0 and 0.14.0-rc.0 suffer from a critical entropy reduction flaw where ephemeral nonce generation requests only 32 bits instead of 256 bits of randomness, degrading encryption security from 128-bit to 16-bit strength. Public exploit code exists, allowing attackers to recover the nonce and decrypt ciphertexts using only the public key and encrypted message. A patch is available for affected deployments.
Arteco DVR/NVR web client uses session IDs with insufficient complexity, allowing brute-force attacks to hijack active sessions and access live camera streams without authentication. PoC available.
CVE-2025-14261 is a security vulnerability (CVSS 7.1). High severity vulnerability requiring prompt remediation.
Insufficient entropy in cookie encryption within Auth0 PHP SDK versions 8.0.0 through 8.18.x enables brute-force attacks against session cookie encryption keys, potentially allowing authenticated threat actors with network access to forge arbitrary session cookies and bypass authentication controls. Vendor-released patch available in version 8.19.0. No public exploit identified at time of analysis, though CVSS score of 8.2 reflects high severity due to potential for complete authentication bypass with cross-scope impact.
Telerik Ui For Asp.Net Ajax versions up to 2026.1.225 contains a vulnerability that allows attackers to collisions and file content tampering (CVSS 5.3).
An insufficient entropy vulnerability was found in glibc. The getrandom and arc4random family of functions may return predictable randomness if these functions are called again after the fork, which happens concurrently with a call to any of these functions. [CVSS 4.8 MEDIUM]
The Micca KE700 system relies on a 6-bit portion of an identifier for authentication within rolling codes, providing only 64 possible combinations. This low entropy allows an attacker to perform a brute-force attack against one component of the rolling code.
DPA countermeasures in Silicon Labs' Series 2 devices are not reseeded under certain conditions. This may allow an attacker to eventually extract secret keys through a DPA attack.
Rapid7 Nexpose versions 6.4.50 and later are vulnerable to an insufficient entropy issue in the CredentialsKeyStorePassword.generateRandomPassword() method.
Vx800V Firmware contains a vulnerability that allows attackers to high impact to confidentiality, integrity, and availability of transmitted data (CVSS 8.8).
SM2 elliptic curve implementations in RustCrypto versions 0.14.0-pre.0 and 0.14.0-rc.0 suffer from a critical entropy reduction flaw where ephemeral nonce generation requests only 32 bits instead of 256 bits of randomness, degrading encryption security from 128-bit to 16-bit strength. Public exploit code exists, allowing attackers to recover the nonce and decrypt ciphertexts using only the public key and encrypted message. A patch is available for affected deployments.
Arteco DVR/NVR web client uses session IDs with insufficient complexity, allowing brute-force attacks to hijack active sessions and access live camera streams without authentication. PoC available.
CVE-2025-14261 is a security vulnerability (CVSS 7.1). High severity vulnerability requiring prompt remediation.