Overview: CVE-2025-13635 is a low-severity security vulnerability identified in Google Chrome’s Downloads feature. Specifically, an inappropriate implementation allowed a local attacker to perform UI (User Interface) spoofing. This vulnerability affected Google Chrome versions prior to 143.0.7499.41. The fix was included in the stable channel update released in December 2025.

Technical Details: The vulnerability stems from how Chrome handles certain aspects of the Downloads UI. A crafted HTML page, when loaded locally, could manipulate elements of the download interface, potentially misleading the user about the source or nature of a downloaded file. While the exact mechanism isn’t publicly detailed beyond the…

Overview: CVE-2025-13634 is a medium-severity security vulnerability found in Google Chrome on Windows. Specifically, it affects the Downloads functionality in versions prior to 143.0.7499.41. This vulnerability allows a local attacker to bypass the “Mark of the Web” (MOTW) security mechanism by crafting a malicious HTML page.

Technical Details: The vulnerability stems from an inappropriate implementation in how Chrome handles downloaded files, particularly HTML pages, on Windows systems. Mark of the Web is a Windows security feature that adds a zone identifier to files downloaded from the internet. This identifier informs Windows and applications like Internet Explorer and Edge about…

Overview: CVE-2025-13633 is a high-severity vulnerability affecting Google Chrome versions prior to 143.0.7499.41. This vulnerability is classified as a use-after-free issue within the Digital Credentials component. A remote attacker, having already compromised the renderer process, could potentially exploit heap corruption through a specially crafted HTML page. Google Chrome has addressed this vulnerability in version 143.0.7499.41.

Technical Details: The vulnerability stems from a use-after-free error in the Digital Credentials functionality of Google Chrome. Use-after-free vulnerabilities occur when a program attempts to access memory that has already been freed. In this case, a compromised renderer process can trigger the vulnerability by manipulating…

Overview: CVE-2025-13632 identifies a high-severity vulnerability affecting Google Chrome versions prior to 143.0.7499.41. This vulnerability resides within the DevTools component and stems from an inappropriate implementation that could allow a malicious actor to bypass the Chrome sandbox. The exploit requires a user to be convinced to install a crafted, malicious Chrome Extension. Successful exploitation could allow the attacker to execute code outside the intended security boundaries of the Chrome sandbox.

Technical Details: The vulnerability lies in the handling of specific operations within Chrome DevTools. A crafted Chrome Extension, when installed and executed, can leverage weaknesses in how DevTools interacts with…

Overview: CVE-2025-13630 is a high-severity vulnerability affecting Google Chrome’s V8 JavaScript engine. This vulnerability, classified as a type confusion, could be exploited by a remote attacker to cause heap corruption by enticing a user to visit a specially crafted HTML page. The vulnerability was addressed in Chrome version 143.0.7499.41 and later.

Technical Details: The root cause of CVE-2025-13630 lies in the V8 JavaScript engine’s handling of object types. A type confusion occurs when the engine incorrectly infers the type of an object, leading to incorrect memory operations. In this case, a specially crafted HTML page could trigger the type confusion,…

Overview: A critical input validation vulnerability, identified as CVE-2025-66399, has been discovered in Cacti, an open-source network monitoring and fault management framework. This flaw affects versions prior to 1.2.29 and stems from improper handling of SNMP community strings during device configuration. An authenticated user can inject malicious content, potentially leading to command execution on the Cacti server.

Technical Details: The vulnerability lies within the SNMP device configuration functionality of Cacti. Specifically, the application fails to properly sanitize user-supplied SNMP community strings. An attacker with valid Cacti credentials can craft an SNMP community string containing control characters, including newline characters. These…

Overview: CVE-2025-65881 describes a Cross-Site Scripting (XSS) vulnerability discovered in Sourcecodester Zoo Management System version 1.0. This vulnerability resides in the /classes/Login.php file and can be exploited by attackers to inject malicious scripts into the web application, potentially compromising user accounts and data.

Technical Details: The vulnerability exists due to insufficient input validation and output encoding in the /classes/Login.php file. An attacker can inject malicious JavaScript code through a vulnerable parameter during the login process. This injected script will then be executed in the context of other users accessing the application, allowing the attacker to perform actions on their behalf.…

Overview: CVE-2025-65844 details a critical vulnerability affecting EverShop version 2.0.1. This vulnerability allows an unauthenticated attacker to upload arbitrary files and create directories within the /api/images endpoint. This poses a significant security risk as malicious files could be uploaded and executed, potentially leading to remote code execution, data breaches, and system compromise.

Technical Details: The vulnerability stems from insufficient access control and input validation on the /api/images endpoint. An attacker can directly send a crafted HTTP request to this endpoint to upload any file type, bypassing any intended authentication mechanisms. Furthermore, the attacker can create arbitrary directories within the images…

Overview: This article details CVE-2025-65215, a Cross-Site Scripting (XSS) vulnerability found in Sourcecodester Web-based Pharmacy Product Management System version 1.0. This vulnerability allows an attacker to inject malicious scripts into the application, potentially compromising user accounts, data, and the overall security of the system.

Technical Details: The vulnerability resides in the /product_expiry/add-supplier.php file within the application. Specifically, the Supplier Name field is susceptible to reflected XSS. An attacker can inject malicious JavaScript code into this field, which will then be executed in the browser of anyone who views the page after the malicious data is submitted. The lack of proper…

Overview: CVE-2025-65105 describes a medium-severity security vulnerability in Apptainer, an open-source container platform. This flaw allows a container to disable the --security=apparmor:<profile> and --security=selinux:<label> options, potentially bypassing intended security restrictions. This impacts systems where AppArmor or SELinux is relied upon to limit container operations. The vulnerability affects Apptainer versions prior to 1.4.5.

Technical Details: The --security option in Apptainer is designed to allow the root user to apply additional security restrictions to containers, using AppArmor or SELinux profiles/labels. While documentation indicates this is a root-only feature, it functions for unprivileged users on systems where AppArmor or SELinux are enabled.…