Overview
A critical security vulnerability, identified as CVE-2025-13542, has been discovered in the DesignThemes LMS plugin for WordPress. This vulnerability affects all versions up to and including 1.0.4. It allows unauthenticated attackers to escalate their privileges to administrator, potentially leading to complete site compromise. If you are using the DesignThemes LMS plugin, immediate action is required.

Technical Details
The vulnerability resides in the dtlms_register_user_front_end function. This function lacks proper validation and authorization, specifically regarding user roles during registration. An attacker can exploit this flaw by providing the ‘administrator’ role as part of the registration process. Due to the insufficient role…
-
Overview
A critical vulnerability, identified as CVE-2025-13510, has been discovered in the Iskra iHUB and iHUB Lite smart metering gateway. This vulnerability allows unauthenticated users to access the web management interface without requiring any credentials. This poses a significant security risk, potentially allowing malicious actors to access and modify critical device settings. This advisory is based on information published on December 2nd, 2025. Immediate action is recommended to mitigate this risk.

Technical Details
CVE-2025-13510 stems from the lack of proper authentication controls on the web management interface of the Iskra iHUB and iHUB Lite devices. An attacker on the same…
-
Overview
A high-severity stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-66468, has been discovered in the Aimeos GrapesJS CMS extension. This flaw allows malicious editors to inject arbitrary JavaScript code into content pages, potentially compromising the security and integrity of websites using the affected versions. The vulnerability exists because the extension, prior to versions 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, lacks sufficient input sanitization when a standard Content Security Policy (CSP) is disabled. This allows attackers to persist malicious code within the CMS, affecting other users who access the compromised pages.

Technical Details
The Aimeos GrapesJS CMS extension provides a…
-
Overview
CVE-2025-66460 identifies a vulnerability in Lookyloo, a web interface for capturing website pages and analyzing their domain relationships. Versions prior to 1.35.3 are affected by improper data escaping within datatables that use the orthogonal-data feature. This flaw could lead to Cross-Site Scripting (XSS) attacks, allowing malicious actors to inject arbitrary code into the application through manipulated data.

Technical Details
The vulnerability stems from Lookyloo’s failure to properly sanitize user-supplied data before rendering it within datatables. Specifically, the orthogonal-data feature, which allows for different display and sorting data for the same column, is susceptible to this flaw. Unescaped values passed…
-
Overview
CVE-2025-66459 identifies a Cross-Site Scripting (XSS) vulnerability found in Lookyloo, a web interface used for capturing website pages and displaying a tree of domain calls. This vulnerability affects versions prior to 1.35.3. Specifically, the XSS is triggered when a user submits a list of URLs for capture, and one of those URLs contains a malicious HTML element that causes the capture to fail. The error message, intended to inform the user about the failed capture, then inadvertently reflects the malicious URL, executing the embedded script within the user’s browser.

Technical Details
The vulnerability lies in how Lookyloo handles error…
-
Overview
CVE-2025-66458 identifies a cross-site scripting (XSS) vulnerability found in Lookyloo, a web interface for capturing website pages and displaying domain call trees. Versions prior to 1.35.3 are affected. The vulnerability stems from the unsafe use of f-strings in Markup, potentially allowing malicious third-party servers to inject JavaScript code. An update to version 1.35.3 resolves this critical security flaw.

Technical Details
The XSS vulnerability in Lookyloo arises from the application’s handling of data received from external servers. Specifically, the unsafe use of f-strings in the Markup component allows a malicious actor to inject arbitrary JavaScript code into the rendered web…
-
Overview
CVE-2025-66416 describes a DNS rebinding vulnerability affecting the MCP Python SDK, known as `mcp` on PyPI. This Python library implements the Model Context Protocol (MCP). Prior to version 1.23.0, the SDK did not enable DNS rebinding protection by default for HTTP-based servers. This could allow a malicious website to interact with a locally running MCP server under specific circumstances.

Technical Details
The vulnerability exists when an HTTP-based MCP server is running on localhost without authentication, utilizes FastMCP with streamable HTTP or SSE transport, and hasn’t explicitly configured TransportSecuritySettings. In this scenario, a malicious website could exploit DNS rebinding techniques…
-
Overview
CVE-2025-66414 identifies a security vulnerability in the Model Context Protocol (MCP) TypeScript SDK, the official TypeScript SDK for MCP servers and clients. Specifically, prior to version 1.24.0, the SDK does not enable DNS rebinding protection by default for HTTP-based servers. This can expose users to potential attacks when running an HTTP-based MCP server on localhost without authentication.

Technical Details
The vulnerability arises because the MCP TypeScript SDK, when configured to run an HTTP-based server (using StreamableHTTPServerTransport or SSEServerTransport) on localhost without authentication, doesn’t automatically enable DNS rebinding protection. DNS rebinding is a technique where a malicious website manipulates DNS…
-
This article provides a detailed analysis of CVE-2025-66409, a security vulnerability affecting Espressif’s ESP-IDF (IoT Development Framework). This vulnerability, if exploited, could lead to an out-of-bounds read, potentially exposing sensitive information or causing unexpected behavior on ESP32 devices.

Overview
CVE-2025-66409 is an out-of-bounds read vulnerability discovered in the ESP-IDF Bluetooth stack. Specifically, when AVRCP (Audio/Video Remote Control Profile) is enabled, a malformed VENDOR DEPENDENT command received from a paired Bluetooth device can cause the stack to access memory locations beyond the boundaries of the allocated buffer. This can occur because the command buffer length is not properly validated before memory…
-
Overview
A significant SQL injection vulnerability, identified as CVE-2025-65896, has been discovered in the long2ice asyncmy library, specifically affecting versions up to and including 0.2.10. This flaw allows malicious actors to inject and execute arbitrary SQL commands through carefully crafted dictionary keys, potentially leading to severe data breaches and system compromise.

Technical Details
The vulnerability resides in how the asyncmy library processes dictionary keys when constructing SQL queries. By manipulating these keys, an attacker can inject malicious SQL code that bypasses intended sanitization and is then executed directly against the database. This can occur wherever the library constructs SQL statements…