Monthly
Denial-of-service vulnerability in Fleet device management software prior to version 4.81.0 allows authenticated hosts to crash the entire Fleet server process by sending a malformed log type value to the gRPC Launcher endpoint, disrupting all connected devices, MDM enrollments, and API consumers. The vulnerability requires prior authentication but affects availability across the entire infrastructure. Vendor-released patch: version 4.81.0.
2N Access Commander application version 3.4.2 and prior returns HTTP 500 Internal Server Error responses when receiving malformed or manipulated requests, indicating improper handling of invalid input and potential security or availability impacts. [CVSS 6.5 MEDIUM]
Malcontent versions before 1.21.0 fail to preserve nested archives that cannot be extracted, potentially allowing malicious content to evade detection during supply-chain compromise analysis. An attacker could exploit this by embedding malicious payloads in problematic nested archives that the tool would discard without scanning. The vulnerability has a patch available in version 1.21.0 and later.
iPhone Mirroring in iOS and iPadOS allows an attacker with physical device access to bypass UI protections and capture screenshots containing sensitive information that should remain hidden during the mirroring session. The vulnerability stems from insufficient state management in the user interface, enabling unauthorized viewing of private data on the iPhone while it is being mirrored to a Mac. No patch is currently available for this medium-severity issue.
HP OfficeJet Pro printers running affected firmware versions are susceptible to denial of service attacks through malformed Internet Printing Protocol (IPP) requests that prevent proper TCP connection establishment. An unauthenticated remote attacker can trigger this condition to disrupt printer availability, though no patch is currently available to mitigate the vulnerability.
chetans9 core-php-admin-panel through commit a94a780d6 contains an authentication bypass vulnerability in includes/auth_validate.php. The application sends an HTTP redirect via header(Location:login.php) when a user is not authenticated but fails to call exit() afterward. [CVSS 7.5 HIGH]
EVerest is an EV charging software stack. Prior to version 2025.10.0, C++ exceptions are not properly handled for and by the `TbdController` loop, leading to its caller and itself to silently terminates. [CVSS 6.5 MEDIUM]
The RSA crate versions prior to 0.9.10 crash when constructing private keys with invalid prime components (such as 1), allowing an attacker to trigger a denial of service by providing malformed key material. This affects applications using the vulnerable RSA library for cryptographic operations. A patch is available in version 0.9.10 and later.
Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Denial-of-service vulnerability in Fleet device management software prior to version 4.81.0 allows authenticated hosts to crash the entire Fleet server process by sending a malformed log type value to the gRPC Launcher endpoint, disrupting all connected devices, MDM enrollments, and API consumers. The vulnerability requires prior authentication but affects availability across the entire infrastructure. Vendor-released patch: version 4.81.0.
2N Access Commander application version 3.4.2 and prior returns HTTP 500 Internal Server Error responses when receiving malformed or manipulated requests, indicating improper handling of invalid input and potential security or availability impacts. [CVSS 6.5 MEDIUM]
Malcontent versions before 1.21.0 fail to preserve nested archives that cannot be extracted, potentially allowing malicious content to evade detection during supply-chain compromise analysis. An attacker could exploit this by embedding malicious payloads in problematic nested archives that the tool would discard without scanning. The vulnerability has a patch available in version 1.21.0 and later.
iPhone Mirroring in iOS and iPadOS allows an attacker with physical device access to bypass UI protections and capture screenshots containing sensitive information that should remain hidden during the mirroring session. The vulnerability stems from insufficient state management in the user interface, enabling unauthorized viewing of private data on the iPhone while it is being mirrored to a Mac. No patch is currently available for this medium-severity issue.
HP OfficeJet Pro printers running affected firmware versions are susceptible to denial of service attacks through malformed Internet Printing Protocol (IPP) requests that prevent proper TCP connection establishment. An unauthenticated remote attacker can trigger this condition to disrupt printer availability, though no patch is currently available to mitigate the vulnerability.
chetans9 core-php-admin-panel through commit a94a780d6 contains an authentication bypass vulnerability in includes/auth_validate.php. The application sends an HTTP redirect via header(Location:login.php) when a user is not authenticated but fails to call exit() afterward. [CVSS 7.5 HIGH]
EVerest is an EV charging software stack. Prior to version 2025.10.0, C++ exceptions are not properly handled for and by the `TbdController` loop, leading to its caller and itself to silently terminates. [CVSS 6.5 MEDIUM]
The RSA crate versions prior to 0.9.10 crash when constructing private keys with invalid prime components (such as 1), allowing an attacker to trigger a denial of service by providing malformed key material. This affects applications using the vulnerable RSA library for cryptographic operations. A patch is available in version 0.9.10 and later.
Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.