Monthly
Silent file download in RoboForm Password Manager for Android (Siber Systems, Inc.) can be triggered by a co-installed malicious application delivering a crafted Android Intent containing an attacker-controlled URL. RoboForm fails to validate the URL destination, request user confirmation, or surface any notification before fetching and writing remote content to the device. Reported by JPCERT (JVNVU93461473) with no CISA KEV listing and no public exploit identified at time of analysis, placing this in a moderate-low real-world risk category despite the sensitive nature of the affected product - a password manager.
Windows Remote Desktop spoofing vulnerability allows remote unauthenticated attackers to bypass security warnings and trick users into accepting malicious RDP connections, potentially exposing sensitive session data. Affects all supported Windows 10, 11, and Server versions from 2012 through 2025. Vendor-released patches are available. No public exploit identified at time of analysis, though the low attack complexity (AC:L) and network attack vector (AV:N) indicate exploitation would be straight
Insufficient ui warning of dangerous operations in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A security vulnerability in Insufficient UI warning of dangerous operations in Remote Desktop Client (CVSS 8.1) that allows an unauthorized attacker. High severity vulnerability requiring prompt remediation.
Stored XSS vulnerability in XWiki affecting versions before 15.10.16, 16.4.7, and 16.10.2. An unprivileged user can inject malicious content into the NotificationDisplayerClass object of a document, which is then rendered as raw HTML when an administrator edits and saves the document, enabling XSS attacks with high integrity and confidentiality impact. The vulnerability requires low attack complexity and user interaction (admin action), with a CVSS score of 8.0 indicating significant real-world risk.
A security vulnerability in versions (CVSS 8.0). Risk factors: public PoC available. Vendor patch is available.
XWiki's macro rights analyzer introduced in version 15.9RC1 contains incomplete validation that allows attackers to hide malicious script macros (Groovy, Python) by exploiting non-lowercase parameter handling and unanalyzed macro parameters. An authenticated attacker with limited privileges can inject hidden malicious macros that execute when a higher-privileged user edits the page, enabling remote code execution. This vulnerability affects XWiki versions 15.9RC1 through 16.4.6, 16.10.0-16.10.2, and 16.x-17.0.0-rc1, with patches available in versions 16.4.7, 16.10.3, and 17.0.0.
Silent file download in RoboForm Password Manager for Android (Siber Systems, Inc.) can be triggered by a co-installed malicious application delivering a crafted Android Intent containing an attacker-controlled URL. RoboForm fails to validate the URL destination, request user confirmation, or surface any notification before fetching and writing remote content to the device. Reported by JPCERT (JVNVU93461473) with no CISA KEV listing and no public exploit identified at time of analysis, placing this in a moderate-low real-world risk category despite the sensitive nature of the affected product - a password manager.
Windows Remote Desktop spoofing vulnerability allows remote unauthenticated attackers to bypass security warnings and trick users into accepting malicious RDP connections, potentially exposing sensitive session data. Affects all supported Windows 10, 11, and Server versions from 2012 through 2025. Vendor-released patches are available. No public exploit identified at time of analysis, though the low attack complexity (AC:L) and network attack vector (AV:N) indicate exploitation would be straight
Insufficient ui warning of dangerous operations in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A security vulnerability in Insufficient UI warning of dangerous operations in Remote Desktop Client (CVSS 8.1) that allows an unauthorized attacker. High severity vulnerability requiring prompt remediation.
Stored XSS vulnerability in XWiki affecting versions before 15.10.16, 16.4.7, and 16.10.2. An unprivileged user can inject malicious content into the NotificationDisplayerClass object of a document, which is then rendered as raw HTML when an administrator edits and saves the document, enabling XSS attacks with high integrity and confidentiality impact. The vulnerability requires low attack complexity and user interaction (admin action), with a CVSS score of 8.0 indicating significant real-world risk.
A security vulnerability in versions (CVSS 8.0). Risk factors: public PoC available. Vendor patch is available.
XWiki's macro rights analyzer introduced in version 15.9RC1 contains incomplete validation that allows attackers to hide malicious script macros (Groovy, Python) by exploiting non-lowercase parameter handling and unanalyzed macro parameters. An authenticated attacker with limited privileges can inject hidden malicious macros that execute when a higher-privileged user edits the page, enabling remote code execution. This vulnerability affects XWiki versions 15.9RC1 through 16.4.6, 16.10.0-16.10.2, and 16.x-17.0.0-rc1, with patches available in versions 16.4.7, 16.10.3, and 17.0.0.