🚨 CISA KEV 1[−]
6 Dec KEVCritical React2Shell Flaw Added to CISA KEV After Confirmed Active ExploitationThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday formally added a critical security flaw impacting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild. The vulnerability,…THEHACKERNEWS.COM
🐛 COMMON VULNERABILITIES AND EXPOSURES 81[−]
6 DecCVE-2025-40262 Input: imx_sc_key - fix memory corruption on unloadInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-40242 gfs2: Fix unlikely race in gdlm_put_lockInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-40240 sctp: avoid NULL dereference when chunk data buffer is missingInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-40245 nios2: ensure that memblock.current_limit is set when setting pfn limitsInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-40258 mptcp: fix race condition in mptcp_schedule_work()Information published.MSRC.MICROSOFT.COM
6 DecCVE-2025-40254 net: openvswitch: remove never-working support for setting nsh fieldsInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-40252 net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()Information published.MSRC.MICROSOFT.COM
6 DecCVE-2025-40223 most: usb: Fix use-after-free in hdm_disconnectInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-40264 be2net: pass wrb_params in case of OS2BMCInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-40233 ocfs2: clear extent cache after moving/defragmenting extentsInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-40247 drm/msm: Fix pgtable prealloc error pathInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-40250 net/mlx5: Clean up only new IRQ glue on request_irq() failureInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-40251 devlink: rate: Unset parent pointer in devl_rate_nodes_destroyInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-12385 Improper validation of <img> tag size in Text component parserInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-40261 nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()Information published.MSRC.MICROSOFT.COM
6 DecCVE-2025-40257 mptcp: fix a race in mptcp_pm_del_add_timer()Information published.MSRC.MICROSOFT.COM
6 DecCVE-2025-40259 scsi: sg: Do not sleep in atomic contextInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-40244 hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()Information published.MSRC.MICROSOFT.COM
6 DecCVE-2025-40248 vsock: Ignore signal/timeout on connect() if already establishedInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-40243 hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()Information published.MSRC.MICROSOFT.COM
6 DecCVE-2025-40266 KVM: arm64: Check the untrusted offset in FF-A memory shareInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-40263 Input: cros_ec_keyb - fix an invalid memory accessInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-61727 Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509Information published.MSRC.MICROSOFT.COM
6 DecCVE-2025-12084 Quadratic complexity in node ID cache clearingInformation published.MSRC.MICROSOFT.COM
6 Dec2.15M Next.js Web Services Exposed Online, Active Attacks Reported – Update ImmediatelySecurity teams worldwide are rushing to patch systems after the disclosure of a critical React vulnerability, CVE-2025-55182, widely known as “React2Shell.” The flaw affects React Server Components (RSC) and has a maximum CVSS score of 10, the highest possible rating, signaling c…GBHACKERS.COM
6 DecReact2Shell flaw exploited to breach 30 orgs, 77k IP addresses vulnerableOver 77,000 Internet-exposed IP addresses are vulnerable to the critical React2Shell remote code execution flaw (CVE-2025-55182), with researchers now confirming that attackers have already compromised over 30 organizations across multiple sectors. [...]BLEEPINGCOMPUTER.COM
6 DecCVE-2025-55551 An issue in the component torch.linalg.lu of pytorch v2.8.0 allows attackers to cause a Denial of Service (DoS) when performing a slice operation.Information published.MSRC.MICROSOFT.COM
6 DecCVE-2022-50303 drm/amdkfd: Fix double release compute pasidInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-8277 Libssh: memory exhaustion via repeated key exchange in libsshInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-10911 Libxslt: use-after-free with key data stored cross-rvtInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-55560 An issue in pytorch v2.7.0 can lead to a Denial of Service (DoS) when a PyTorch model consists of torch.Tensor.to_sparse() and torch.Tensor.to_dense() and is compiled by Inductor.Information published.MSRC.MICROSOFT.COM
6 DecCVE-2025-55554 pytorch v2.8.0 was discovered to contain an integer overflow in the component torch.nan_to_num-.long().Information published.MSRC.MICROSOFT.COM
6 DecCVE-2022-50304 mtd: core: fix possible resource leak in init_mtd()Information published.MSRC.MICROSOFT.COM
6 DecCVE-2023-53209 wifi: mac80211_hwsim: Fix possible NULL dereferenceInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2024-45336 Sensitive headers incorrectly sent after cross-domain redirect in net/httpInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2024-45341 Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509Information published.MSRC.MICROSOFT.COM
6 DecCVE-2025-1151 GNU Binutils ld xmemdup.c xmemdup memory leakInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-1149 GNU Binutils ld xmalloc.c xstrdup memory leakInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-1152 GNU Binutils ld xstrdup.c xstrdup memory leakInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2023-45229 Out-of-Bounds Read in EDK II Network PackageInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2023-45231 Out-of-Bounds Read in EDK II Network PackageInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-8114 : null pointer dereference in libssh kex session id calculationInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-7425 Libxslt: heap use-after-free in libxslt caused by atype corruption in xmlattrptrInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-7424 Libxslt: type confusion in xmlnode.psvi between stylesheet and source nodesInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-51480 Path Traversal vulnerability in onnx.external_data_helper.save_external_data in ONNX 1.17.0 allows attackers to overwrite arbitrary files by supplying crafted external_data.location paths containing traversal sequences, bypassing intended directory restrictions.Information published.MSRC.MICROSOFT.COM
6 DecCVE-2025-58185 Parsing DER payload can cause memory exhaustion in encoding/asn1Information published.MSRC.MICROSOFT.COM
6 DecCVE-2025-58188 Panic when validating certificates with DSA public keys in crypto/x509Information published.MSRC.MICROSOFT.COM
6 DecCVE-2025-6075 Quadratic complexity in os.path.expandvars() with user-controlled templateInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-47912 Insufficient validation of bracketed IPv6 hostnames in net/urlInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-58186 Lack of limit when parsing cookies can cause memory exhaustion in net/httpInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-61724 Excessive CPU consumption in Reader.ReadResponse in net/textprotoInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-61723 Quadratic complexity when parsing some invalid inputs in encoding/pemInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-29477 An issue in fluent-bit v.3.7.2 allows a local attacker to cause a denial of service via the function consume_event.Information published.MSRC.MICROSOFT.COM
6 DecCVE-2025-29478 An issue in fluent-bit v.3.7.2 allows a local attacker to cause a denial of service via the cfl_list_size in cfl_list.h:165.Information published.MSRC.MICROSOFT.COM
6 DecCVE-2025-9288 Missing type checks leading to hash rewind and passing on crafted dataInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-8961 LibTIFF tiffcrop tiffcrop.c main memory corruptionInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2024-38796 Integer overflow in PeCoffLoaderRelocateImageInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2024-8354 Qemu-kvm: usb: assertion failure in usb_ep_get()Information published.MSRC.MICROSOFT.COM
6 DecCVE-2024-8612 Qemu-kvm: information leak in virtio devicesInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-10966 missing SFTP host verification with wolfSSHInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-64436 KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between NodesInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-64434 KubeVirt Improper TLS Certificate Management Handling Allows API Identity SpoofingInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-64435 KubeVirt VMI Denial-of-Service (DoS) Using Pod ImpersonationInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-64437 KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission ChangesInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-10158 Rsync: Out of bounds array access via negative indexInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-64432 KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation LayerInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2024-47866 RGW DoS attack with empty HTTP header in S3 object copyInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-12817 PostgreSQL CREATE STATISTICS does not check for schema CREATE privilegeInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-11230 Denial of service vulnerability in HAProxy mjson libraryInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-2486 UEFI Shell accessible in AAVMF with Secure Boot enabled on UbuntuInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-5918 Libarchive: reading past eof may be triggered for piped file streamsInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-5917 Libarchive: off by one error in build_ustar_entry_name() at archive_write_set_format_pax.cInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-5916 Libarchive: integer overflow while reading warc files at archive_read_support_format_warc.cInformation published.MSRC.MICROSOFT.COM
6 DecCVE-2025-4435 Tarfile extracts filtered members when errorlevel=0Information published.MSRC.MICROSOFT.COM
⚠️ VULNERABILITY DISCLOSURE 6[−]
6 DecCybersecurity Today Month In Review - December 5th, 2025Cybersecurity Today: The Rise of Living Off the Land Strategies & More In this episode of Cybersecurity Today's Month in Review, host Jim Love is joined by Laura Payne from White Tuque and David Shipley from Beauceron Security. They discuss several pressing cybersecurity issues, …CYBERSECURITYTODAY.LIBSYN.COM
6 DecResearchers Uncover 30+ Flaws in AI Coding Tools Enabling Data Theft and RCE AttacksOver 30 security vulnerabilities have been disclosed in various artificial intelligence (AI)-powered Integrated Development Environments (IDEs) that combine prompt injection primitives with legitimate features to achieve data exfiltration and remote code execution. The security s…THEHACKERNEWS.COM
6 DecBarts Health NHS Reveals Data Breach Linked to Oracle Zero-Day Exploited by Clop RansomwareBarts Health NHS Trust has disclosed a significant data breach affecting patient and staff information after the Cl0p ransomware gang exploited a critical vulnerability in Oracle E-Business Suite software. The criminal syndicate stole files from an invoice database. It published …GBHACKERS.COM
6 DecType Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)Information published.MSRC.MICROSOFT.COM
6 DecType Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)Information published.MSRC.MICROSOFT.COM
6 DecTo Catch a Predator: Leak exposes the internal operations of Intellexa’s mercenary spywaresubmitted by cm0002 to cybersecurity 1 points | 0 comments https://securitylab.amnesty.org/latest/2025/12/intellexa-leaks-predator-spyware-operations-exposed/INFOSEC.PUB
🔥 INCIDENT REPORTING 1[−]
6 DecKinoKong - 817,808 breached accountsIn March 2021, the Russian online streaming service KinoKong suffered a data breach that was later redistributed as part of a larger corpus of data . The breach exposed over 800k unique email addresses along with names, usernames, IP addresses and MD5 password hashes.HAVEIBEENPWNED.COM
🕵️ THREAT INTELLIGENCE 4[−]
6 DecFvncBot Android Malware Steals Keystrokes and Injects Harmful PayloadsA newly discovered Android banking trojan, FvncBot, has emerged as a sophisticated threat targeting mobile banking users in Poland. Researchers from Intel 471 first identified this malware on November 25, 2025, disguised as a security application from mBank, one of Poland’s…GBHACKERS.COM
6 DecMetaverse and Beyond: Understanding Your Threat VectorsIn today's digital landscape, third-party dependencies like VMware, Metaverse, and more are reshaping our threat models. As enterprises integrate these components, they face new cybersecurity challenges and potential vulnerabilities. Are you prepared to manage these hidden risks?…YOUTUBE.COM
6 DecSVG Filters - Clickjacking 2.0submitted by codeinabox to security 1 points | 0 comments https://lyra.horse/blog/2025/12/svg-clickjacking/PROGRAMMING.DEV
6 DecMalicious Go Packages Impersonate Google’s UUID Library to Steal Sensitive DataA hidden danger has been lurking in the Go programming ecosystem for over four years. Security researchers from the Socket Threat Research Team have discovered two malicious software packages that impersonate popular Google tools. These fake packages, designed to trick busy devel…GBHACKERS.COM
📡 INFOSEC NEWS 2[−]
6 DecDrones to Diplomas: How Russia’s Largest Private University is Linked to a $25M Essay MillA sprawling academic cheating network turbocharged by Google Ads that has generated nearly $25 million in revenue has curious connections to a Kremlin-connected oligarch whose Russian university builds drones for Russia's war against Ukraine.KREBSONSECURITY.COM
6 DecNew wave of VPN login attempts targets Palo Alto GlobalProtect portalsA campaign has been observed targeting Palo Alto GlobalProtect portals with login attempts and launching scanning activity against SonicWall SonicOS API endpoints. [...]BLEEPINGCOMPUTER.COM