  • Cybersecurity Vulnerabilities

    Urgent Alert: CVE-2025-41729 – Modbus DoS Vulnerability Exposes Critical Infrastructure

    Overview
    CVE-2025-41729 is a high-severity vulnerability affecting devices utilizing the Modbus protocol. This vulnerability allows an unauthenticated remote attacker to trigger a denial-of-service (DoS) condition by sending a specially crafted Modbus read command. Successful exploitation can disrupt critical operations in industrial control systems (ICS) and SCADA environments.

    Technical Details
    The vulnerability stems from insufficient input validation when processing Modbus read commands. An attacker can craft a malicious request that, when parsed by the vulnerable device, consumes excessive resources, leading to a denial of service. Specifically, the crafted read command could request an unusually large data range, overwhelming the device’s processing…

  • Cybersecurity Vulnerabilities

    CVE-2025-41087: Critical Stored XSS in Taclia Web App via Malicious SVG Uploads

    Overview
    This article details a significant security vulnerability identified as CVE-2025-41087, affecting the Taclia web application. This vulnerability is a stored Cross-Site Scripting (XSS) flaw arising from improper sanitization of uploaded SVG image files. Attackers can exploit this weakness to inject malicious scripts into SVG files, which are then stored on the server. When other users access these compromised SVG images (e.g., profile pictures, included graphics), the injected scripts execute within their browser context, potentially leading to account compromise, data theft, or other malicious activities.

    Technical Details
    The root cause of CVE-2025-41087 lies in the Taclia application’s failure to adequately…

  • Cybersecurity Vulnerabilities

    Critical Looker Vulnerability: CVE-2025-12741 Allows Command Execution via Malicious LookML

    Overview
    A significant security vulnerability, identified as CVE-2025-12741, has been discovered in Looker. This vulnerability could allow a Looker user with the Developer role to create a database connection using the Denodo driver and, by manipulating LookML, cause Looker to execute a malicious command. Both Looker-hosted and self-hosted instances were vulnerable. Good news for Looker-hosted users: this issue has already been mitigated on those instances. No further action is required. However, users with self-hosted Looker instances are strongly advised to upgrade to a patched version as soon as possible.

    Technical Details
    CVE-2025-12741 leverages the combination of the Denodo driver and…

  • Cybersecurity Vulnerabilities

    Urgent: Security Patch Available for Self-Hosted Looker to Address CVE-2025-12740

    Overview
    A critical security vulnerability, identified as CVE-2025-12740, has been discovered in Looker. This vulnerability affects both Looker-hosted and self-hosted instances. A user with the Developer role could leverage this vulnerability to execute malicious commands. The good news is that Looker-hosted instances have already been automatically mitigated. However, users of self-hosted Looker instances must take immediate action to upgrade their systems to the patched versions.

    Technical Details
    CVE-2025-12740 stems from inadequate filtering of parameters within the IBM DB2 driver when creating a database connection. A Looker user with the Developer role could craft malicious LookML, exploiting this lack of filtering to…

  • Cybersecurity Vulnerabilities

    Critical Security Vulnerability in Looker: CVE-2025-12739 Requires Immediate Patching

    Overview
    A significant security vulnerability, identified as CVE-2025-12739, has been discovered in Looker, affecting both Looker-hosted and self-hosted instances. This vulnerability allows an attacker with viewer permissions to potentially execute arbitrary code on the Looker instance by crafting a malicious URL. The attacker needs a Looker admin to open this URL, and for successful exploitation, at least one Looker extension needs to be installed on the instance. This poses a substantial risk to data security and system integrity. Important: This issue has already been mitigated for Looker-hosted instances. No user action is required for these.

    Technical Details
    CVE-2025-12739 allows a…

  • Cybersecurity Vulnerabilities

    CVE-2025-13596: Unveiling Sensitive Data Exposure in ATISoluciones CIGES Application

    Overview
    CVE-2025-13596 describes a sensitive information disclosure vulnerability affecting ATISoluciones CIGES Application version 2.15.6 and earlier. This vulnerability resides within the application’s error handling mechanism. When unexpected errors occur, the application inadvertently leaks sensitive information, such as internal file paths, SQL queries, database credentials, and environment configurations, to potentially malicious, unauthenticated actors. While this vulnerability doesn’t directly compromise the system, it provides valuable information that can be used for reconnaissance and subsequent attacks.

    Technical Details
    The root cause of CVE-2025-13596 lies in the application’s inadequate handling of exceptions. Instead of gracefully handling errors and presenting user-friendly messages, the application returns…

  • Cybersecurity Vulnerabilities

    CVE-2025-13588: Protect Your IPTV Stream – SSRF Vulnerability in Streamity Xtream IPTV Player

    Overview
    CVE-2025-13588 is a medium-severity vulnerability affecting lKinderBueno Streamity Xtream IPTV Player up to version 2.8. This vulnerability is a Server-Side Request Forgery (SSRF) and resides in the public/proxy.php file, allowing attackers to potentially make unauthorized requests from the server.

    Technical Details
    The vulnerability stems from insufficient input validation within the public/proxy.php file. By manipulating specific parameters, a remote attacker can force the server to make HTTP requests to arbitrary external servers. This could allow attackers to scan internal networks, access sensitive data behind firewalls, or even perform other malicious activities by leveraging the server’s trust relationship with other…

  • Cybersecurity Vulnerabilities

    CVE-2025-13586: Critical SQL Injection Flaw Plagues SourceCodester Online Student Clearance System 1.0

    Overview
    CVE-2025-13586 describes a medium-severity SQL injection vulnerability found in SourceCodester Online Student Clearance System version 1.0. This flaw allows a remote attacker to execute arbitrary SQL commands on the system’s database, potentially leading to data breaches, modification, or deletion. The vulnerability resides within the /Admin/changepassword.php file and is triggered by manipulating the txtconfirm_password argument.

    Technical Details
    The vulnerability lies in the insufficient sanitization of user-supplied input within the /Admin/changepassword.php script. Specifically, the txtconfirm_password parameter, intended for confirming a new password, is not properly validated or escaped before being used in a SQL query. An attacker can inject malicious…

  • Cybersecurity Vulnerabilities

    CVE-2025-13585: Critical SQL Injection Vulnerability Plagues COVID Tracking System 1.0

    Overview
    CVE-2025-13585 is a high-severity SQL injection vulnerability discovered in the COVID Tracking System version 1.0, developed by code-projects. This vulnerability allows a remote attacker to inject malicious SQL code into the system, potentially leading to unauthorized data access, modification, or deletion. The vulnerability is located in the /login.php file and is triggered through manipulation of the code argument. A public exploit is currently available, increasing the risk of exploitation.

    Technical Details
    The vulnerability resides within the /login.php script of the COVID Tracking System 1.0. The application fails to properly sanitize user-supplied input within the code parameter before using it…

  • Cybersecurity Vulnerabilities

    Urgent: Reflected XSS Vulnerability Plagues Broken Link Manager WordPress Plugin (CVE-2025-12629)

    Overview
    A critical Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Broken Link Manager WordPress plugin, affecting versions up to and including 0.6.5. This vulnerability, tracked as CVE-2025-12629, could allow attackers to inject malicious scripts into websites using the plugin, potentially compromising sensitive user data or gaining administrative control.

    Technical Details
    The vulnerability stems from the plugin’s failure to properly sanitize and escape a specific parameter before outputting it back into the web page. This lack of proper input validation allows an attacker to craft a malicious URL containing JavaScript code. When a user, particularly one with high…