Overview
A critical vulnerability, identified as CVE-2025-12974, has been discovered in the Gravity Forms plugin for WordPress. This vulnerability allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution (RCE) on the affected server. The vulnerability resides in the legacy chunked upload mechanism and affects all Gravity Forms versions up to, and including, 2.9.21.1. Failure to address this vulnerability can result in severe consequences, including website defacement, data theft, and complete server compromise.

Technical Details
The vulnerability stems from inadequate file type validation in the legacy chunked upload mechanism. Specifically, the extension blacklist implemented in Gravity Forms…
-
Overview
A high-severity vulnerability, identified as CVE-2025-8693, has been discovered in Zyxel DX3300-T0 routers running firmware version 5.50(ABVY.6.3)C0 and earlier. This vulnerability allows an authenticated attacker to execute arbitrary operating system (OS) commands on the affected device. This poses a significant security risk to users of these routers.

Technical Details
The vulnerability stems from a post-authentication command injection flaw in the handling of the “priv” parameter. Specifically, the application fails to properly sanitize user-supplied input to the “priv” parameter, allowing an attacker with valid credentials to inject and execute arbitrary OS commands with elevated privileges. Exploitation requires successful authentication, but…
-
Overview
CVE-2025-6599 is a medium-severity vulnerability affecting the web server of Zyxel DX3301-T0 routers. This vulnerability allows an attacker to perform Slowloris-style denial-of-service (DoS) attacks, potentially disrupting access to the web management interface and legitimate HTTP requests.

Technical Details
The vulnerability stems from an uncontrolled resource consumption issue within the Zyxel DX3301-T0’s web server. Specifically, the web server fails to properly manage concurrent HTTP connections, making it susceptible to Slowloris attacks. Slowloris exploits this weakness by sending partial HTTP requests and keeping the connections open for extended periods. By sending a large number of these incomplete requests, an attacker…
-
Overview
CVE-2025-12792 is a low-severity security vulnerability affecting the Mac App Store distribution of the Canva for Mac desktop application. Specifically, versions prior to 1.117.1 were built without enabling Hardened Runtime. This omission could allow a local, unprivileged attacker to execute arbitrary code with the same Transparency, Consent, and Control (TCC) permissions as the Canva application itself. This means an attacker could potentially bypass some macOS security restrictions by piggybacking on Canva’s existing permissions.

Technical Details
The root cause of this vulnerability is the absence of Hardened Runtime in the affected Canva for Mac application builds. Hardened Runtime is a…
-
Overview
CVE-2025-13325 is a medium-severity vulnerability affecting itsourcecode Student Information System version 1.0. This vulnerability allows a remote attacker to inject arbitrary SQL commands through the en_id parameter in the /enrollment_edit1.php file. Successful exploitation can lead to unauthorized data access, modification, or even complete database compromise. The exploit has been publicly disclosed, making immediate mitigation crucial.

Technical Details
The vulnerability stems from insufficient input sanitization of the en_id parameter within the /enrollment_edit1.php file. By injecting malicious SQL code into this parameter, an attacker can bypass intended security measures and execute arbitrary SQL queries against the underlying database. This could…
-
Overview
A high-severity SQL injection vulnerability, identified as CVE-2025-13323, has been discovered in the Simple Pizza Ordering System version 1.0 developed by code-projects. This flaw allows a remote attacker to execute arbitrary SQL commands by manipulating the ID argument in the /listorder.php file. The vulnerability is publicly known and an exploit is available, increasing the risk of exploitation.

Technical Details
The vulnerability resides in the /listorder.php file of the Simple Pizza Ordering System 1.0. Specifically, an unknown function within this file is susceptible to SQL injection. An attacker can manipulate the ID parameter within a request to this file to…
-
Overview
A critical security vulnerability, identified as CVE-2025-13306, has been discovered in several D-Link router models. This flaw allows for remote command injection, potentially giving attackers control over vulnerable devices. The affected models include D-Link DWR-M920, DWR-M921, DIR-822K and DIR-825M, all running firmware version 1.1.5. This is a serious issue, as successful exploitation could lead to data breaches, denial of service, and other malicious activities.

Technical Details
The vulnerability resides within the /boafrm/formDebugDiagnosticRun file in the affected D-Link router firmware. Specifically, the host argument is susceptible to command injection. An attacker can manipulate this argument to inject arbitrary commands that…
-
Overview
CVE-2025-13230 is a high-severity vulnerability affecting Google Chrome versions prior to 142.0.7444.59. This vulnerability is a type confusion error within the V8 JavaScript engine. A remote attacker could exploit this flaw by crafting a malicious HTML page, potentially leading to heap corruption and arbitrary code execution.

Technical Details
The vulnerability stems from a type confusion error in the V8 JavaScript engine. Type confusion occurs when a program attempts to use a value of one type as if it were another type. In the context of V8, this can lead to memory corruption if the engine misinterprets the structure of…
-
Overview
CVE-2025-13229 is a high-severity vulnerability affecting Google Chrome versions prior to 142.0.7444.59. This vulnerability stems from a type confusion error within the V8 JavaScript engine. Successful exploitation of this flaw could allow a remote attacker to potentially trigger heap corruption through a specially crafted HTML page.

Technical Details
The root cause of CVE-2025-13229 lies in the way V8 handles certain data types during JavaScript execution. Due to incorrect type checking or validation, the engine can misinterpret the type of a variable or object. This type confusion can lead to memory corruption, specifically heap corruption, when V8 attempts to access…
-
Overview
CVE-2025-13228 is a high-severity vulnerability affecting the V8 JavaScript engine in Google Chrome versions prior to 142.0.7444.59. This vulnerability, classified as a type confusion, could be exploited by a remote attacker to potentially cause heap corruption by crafting a malicious HTML page. This could lead to arbitrary code execution, making it a critical security concern for Chrome users.

Technical Details
The core of CVE-2025-13228 lies in a type confusion error within the V8 engine. Type confusion vulnerabilities occur when the code incorrectly handles data types, leading to unexpected behavior and potential memory corruption. In this specific instance, a specially…