A critical remote code execution flaw, tracked as CVE-2025-55182 and dubbed React2Shell, affects React Server Components in the React 19 ecosystem and popular frameworks like Next.js.
The flaw, rated CVSS 10.0, can be exploited via unauthenticated HTTP requests to execute arbitrary code on servers....
Since 2017, attackers have abused CVE-2025-9491, a flaw in how Windows displays shortcut file properties, to hide malicious commands in .LNK files in real-world campaigns.
This issue, tracked as ZDI-25-148 or ZDI-CAN-25373, allows threat actors to craft shortcuts that appear benign when users check their...
Attackers are exploiting a critical privilege escalation flaw in the King Addons for Elementor WordPress plugin that allows unauthenticated users to create administrator accounts and seize control of sites.
This vulnerability, tracked as CVE-2025-8489 with a CVSS score of 9.8, affects over 10,000 installations and has...
Security researchers have uncovered a stored cross-site scripting (XSS) vulnerability in Angular's Template Compiler that lets attackers inject and execute malicious JavaScript via specially crafted SVG animations.
The flaw stems from an incomplete internal security schema that fails to properly sanitize specific URL-holding attributes,...
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical advisory warning of a high-severity authentication flaw in Iskra's iHUB and iHUB Lite intelligent metering gateways.
Published on December 2, 2025, as alert ICSA-25-336-02, the advisory describes a vulnerability that enables remote attackers to reconfigure...
The Django project released security patches on December 2, 2025, addressing two vulnerabilities in versions 5.2.9, 5.1.15, and 4.2.27.
Posted by maintainer Natalia Bidart, these updates fix a high-severity SQL injection risk on PostgreSQL and a moderate-severity denial-of-service (DoS) flaw in the XML serializer....