Overview CVE-2025-0504 is a medium severity vulnerability affecting Black Duck Software Composition Analysis (SCA) versions prior to 2025.10.0. This security flaw arises from overly broad user role permissions, specifically within the Project Manager role when coupled with Global User Read access. This combination allows Project Managers to access certain Project Administrator functionalities that should be restricted to users with higher privileges. While this vulnerability does not grant full system control, it poses a risk of unauthorized modification of project configurations and potential access to sensitive system information. Technical Details The vulnerability stems from the configuration of user role permissions within…

Overview A critical security vulnerability, identified as CVE-2025-11087, has been discovered in the Zegen Core plugin for WordPress. This vulnerability allows unauthenticated attackers to upload arbitrary files to the affected WordPress server. The risk stems from a Cross-Site Request Forgery (CSRF) vulnerability in the plugin’s file upload functionality. This could potentially lead to remote code execution if an attacker successfully exploits the vulnerability. This vulnerability affects versions up to and including 2.0.1 of the Zegen Core plugin. Technical Details The Zegen Core plugin fails to implement proper nonce validation and file type validation in the /custom-font-code/custom-fonts-uploads.php file. This means that…

Overview CVE-2025-36149 is a medium severity security vulnerability affecting IBM Concert Software versions 1.0.0 through 2.0.0. This vulnerability allows a remote attacker to perform a clickjacking attack, potentially hijacking the clicking actions of a victim user. This blog post provides a detailed analysis of the vulnerability, its potential impact, and recommended mitigation steps. Technical Details The vulnerability stems from a lack of proper protection against clickjacking techniques within the IBM Concert Software interface. An attacker can exploit this by overlaying malicious content on top of legitimate elements of the IBM Concert application. Unsuspecting users, believing they are interacting with the…

Overview A security vulnerability, identified as CVE-2025-13524, has been discovered in AWS Wickr, Wickr Gov, and Wickr Enterprise desktop applications running on Windows, macOS, and Linux. This vulnerability allows a call participant to potentially continue receiving audio input from another user after they have closed their call window. This issue, classified as a medium severity flaw, can be exploited under specific circumstances requiring user interaction. Technical Details The core of CVE-2025-13524 lies in an improper resource release during the call termination process within AWS Wickr. Under certain conditions, when a user takes a specific action within the application while ending…

Overview A critical vulnerability, identified as CVE-2025-64767, has been discovered in hpke-js, a Hybrid Public Key Encryption (HPKE) module built on top of the Web Cryptography API. This vulnerability exists in versions prior to 1.7.5 and stems from a race condition within the public SenderContext Seal() API. This race condition allows for the potential re-use of the same AEAD (Authenticated Encryption with Associated Data) nonce across multiple Seal() calls. Successful exploitation of this vulnerability could lead to a complete loss of confidentiality and integrity of the encrypted messages. Technical Details The vulnerability lies in the SenderContext Seal() function within the…

Overview This article details CVE-2025-64169, a vulnerability affecting Wazuh, a free and open-source platform for threat prevention, detection, and response. Specifically, this vulnerability impacts versions 3.7.0 up to, but not including, version 4.12.0. A maliciously crafted message from a compromised agent could lead to a crash of the analysisd process on the Wazuh manager. It is crucial to update to version 4.12.0 or later to mitigate this risk. Technical Details The vulnerability resides within the fim_alert() implementation of Wazuh. The issue stems from a missing null check before dereferencing oldsum->md5. If oldsum->md5 is NULL, attempting to dereference it will result…

Overview CVE-2025-62626 describes a potential vulnerability in AMD CPUs related to the handling of insufficient entropy when using the RDSEED instruction. This flaw could allow a local attacker to influence the values returned by RDSEED, potentially leading to the consumption of insufficiently random values. The vulnerability was published on 2025-11-21. Technical Details The RDSEED instruction is intended to provide random numbers seeded from a hardware random number generator (HRNG). This vulnerability arises from a situation where the hardware RNG doesn’t possess sufficient entropy. If the entropy source is weak or predictable, the output of RDSEED can also become predictable. An…

Overview CVE-2025-62609 describes a security vulnerability found in MLX, an array framework for machine learning on Apple silicon. Specifically, versions prior to 0.29.4 are susceptible to a segmentation fault when loading crafted, malicious GGUF (GPT-2 Unified Format) files. This can lead to application crashes and potentially denial-of-service conditions. Technical Details The vulnerability arises from the mlx::core::load_gguf() function within the MLX framework. When processing GGUF files, the code dereferences a pointer received from the external gguflib library. Crucially, this pointer is not validated before being dereferenced. A malicious GGUF file can be crafted to provide an invalid or untrusted pointer, leading…

Published: 2025-11-21T19:16:02.267 Overview A critical heap buffer overflow vulnerability, identified as CVE-2025-62608, has been discovered in MLX, an array framework for machine learning on Apple silicon. This vulnerability affects versions prior to 0.29.4 and stems from the parsing of potentially malicious NumPy .npy files. Exploitation could lead to a crash or information disclosure. Technical Details The vulnerability lies within the mlx::core::load() function, which handles the loading of .npy files. A maliciously crafted .npy file can trigger a 13-byte out-of-bounds read due to inadequate bounds checking during the parsing process. This out-of-bounds read occurs on the heap, potentially allowing an attacker…

Overview CVE-2025-54866 identifies a security vulnerability in the Wazuh agent, a key component of the Wazuh open-source security platform. This vulnerability, affecting versions 4.3.0 up to (but not including) 4.13.0, exposes the authd.pass password file to all authenticated users on the local machine. This unintended access allows these users to potentially impersonate the agent, leading to serious security risks. The issue has been resolved in Wazuh version 4.13.0. Technical Details The vulnerability stems from a missing Access Control List (ACL) on the C:\Program Files (x86)\ossec-agent\authd.pass file. This file stores the password used by the Wazuh agent for authentication with the…