Whalers

Explore insights and expertise at the intersection of Security, DevOps, and Unix systems. From advanced cybersecurity strategies to Unix-based automation and infrastructure solutions, discover tools, tips, and resources for modern IT professionals.

2025-06-12

CVE-2025-49181 – Apache Log Service Unauthenticated API Endpoint Information Disclosure and Configuration Modification Vulnerability CVE ID : CVE-2025-49181 Published : June 12, 2025, 2:15 p.m. | 4 hours, 28 minutes ago Description : Due to missing authorization of an API endpoint, unauthorized users can send HTTP GET requests to gather sensitive information. An attacker could also send HTTP POST requests to modify the log files’ root p… whalers.ir/blog/cve-2025-49181

2025-06-12

CVE-2025-4278 – GitLab CE/EE HTML Injection Vulnerability CVE ID : CVE-2025-4278 Published : June 12, 2025, 10:16 a.m. | 8 hours, 27 minutes ago Description : An issue has been discovered in GitLab CE/EE affecting all versions starting with 18.0 before 18.0.2. Under certain conditions HTML injection in the new search page could lead to account takeover. Severity: 8.7 | HIGH Visit the link for […] … whalers.ir/blog/cve-2025-4278-

2025-06-12

CVE-2025-2254 – GitLab Cross-Site Scripting (XSS) Vulnerability CVE ID : CVE-2025-2254 Published : June 12, 2025, 10:16 a.m. | 8 hours, 27 minutes ago Description : An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. Improper output encoding in the snippet viewer functionality leads to Cross-Site Scripting attacks. Severity: 8.7 | […] … whalers.ir/blog/cve-2025-2254-

2025-06-12

CVE-2025-5012 – Workreap – Freelance Marketplace WordPress Theme File Upload Vulnerability CVE ID : CVE-2025-5012 Published : June 12, 2025, 6:15 a.m. | 12 hours, 29 minutes ago Description : The Workreap plugin for WordPress, used by the Workreap – Freelance Marketplace WordPress Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the ‘workreap_temp_upload_to_media’ function in all versions up to… whalers.ir/blog/cve-2025-5012-

2025-06-12

CVE-2025-4973 – Workreap WordPress Theme Authentication Bypass Vulnerability CVE ID : CVE-2025-4973 Published : June 12, 2025, 6:15 a.m. | 12 hours, 29 minutes ago Description : The Workreap plugin for WordPress, used by the Workreap – Freelance Marketplace WordPress Theme, is vulnerable to authentication bypass in all versions up to, and including, 3.3.1. This is due to the plugin not properly verifying a user’s […] … whalers.ir/blog/cve-2025-4973-

2025-06-12

CVE-2025-40912 – CryptX for Perl Malformed Unicode Injection Vulnerability CVE ID : CVE-2025-40912 Published : June 11, 2025, 6:15 p.m. | 1 day ago Description : CryptX for Perl before version 0.065 contains a dependency that may be susceptible to malformed unicode. CryptX embeds the tomcrypt library. The versions of that library in CryptX before 0.065 may be susceptible to CVE-2019-17362. Severity: 9.8 | CRITICAL […] … whalers.ir/blog/cve-2025-40912

2025-06-12

CVE-2025-6001 – VirtueMart CSRF File Upload Bypass CVE ID : CVE-2025-6001 Published : June 11, 2025, 5:15 p.m. | 1 day, 1 hour ago Description : A Cross-Site Request Forgery (CSRF) vulnerability exists in the product image upload function of VirtueMart that bypasses the CSRF protection token. An attacker is able to craft a special CSRF request which will allow unrestricted file upload into […] … whalers.ir/blog/cve-2025-6001-

2025-06-12

CVE-2025-49146 – PostgreSQL pgjdbc Channel Binding Authentication Bypass CVE ID : CVE-2025-49146 Published : June 11, 2025, 3:15 p.m. | 1 day, 3 hours ago Description : pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed […] … whalers.ir/blog/cve-2025-49146

2025-06-12

CVE-2025-48446 – Drupal Commerce Alphabank Redirect Authorization Bypass Vulnerability CVE ID : CVE-2025-48446 Published : June 11, 2025, 3:15 p.m. | 1 day, 3 hours ago Description : Incorrect Authorization vulnerability in Drupal Commerce Alphabank Redirect allows Functionality Misuse. This issue affects Commerce Alphabank Redirect: from 0.0.0 before 1.0.3. Severity: 8.8 | HIGH Visit the link for more details, such as CVSS details, affe… whalers.ir/blog/cve-2025-48446

2025-06-12

CVE-2025-48445 – Drupal Commerce Eurobank Redirect Authorization Bypass CVE ID : CVE-2025-48445 Published : June 11, 2025, 3:15 p.m. | 1 day, 3 hours ago Description : Incorrect Authorization vulnerability in Drupal Commerce Eurobank (Redirect) allows Functionality Misuse. This issue affects Commerce Eurobank (Redirect): from 0.0.0 before 2.1.1. Severity: 8.8 | HIGH Visit the link for more details, such as CVSS details, affected products… whalers.ir/blog/cve-2025-48445

2025-06-12

CVE-2025-4922 – Nomad Prefix-Based ACL Policy Vulnerability (Insufficient ACL Resolution) CVE ID : CVE-2025-4922 Published : June 11, 2025, 2:15 p.m. | 1 day, 4 hours ago Description : Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1. … whalers.ir/blog/cve-2025-4922-

2025-06-12

CVE-2025-40914 – Perl CryptX Integer Overflow Vulnerability CVE ID : CVE-2025-40914 Published : June 11, 2025, 2:15 p.m. | 1 day, 4 hours ago Description : Perl CryptX before version 0.087 contains a dependency that may be susceptible to an integer overflow. CryptX embeds a version of the libtommath library that is susceptible to an integer overflow associated with CVE-2023-36328. Severity: 9.8 | CRITICAL […] … whalers.ir/blog/cve-2025-40914

2025-06-12

CVE-2025-32711 – Microsoft 365 Copilot Command Injection Vulnerability CVE ID : CVE-2025-32711 Published : June 11, 2025, 2:15 p.m. | 1 day, 4 hours ago Description : AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network. Severity: 9.3 | CRITICAL Visit the link for more details, such as CVSS details, affected products, timeline, and more… Go to Source … whalers.ir/blog/cve-2025-32711

2025-06-12

CVE-2025-49710 – Mozilla Firefox Integer Overflow Vulnerability CVE ID : CVE-2025-49710 Published : June 11, 2025, 12:15 p.m. | 1 day, 6 hours ago Description : An integer overflow was present in `OrderedHashTable` used by the JavaScript engine This vulnerability affects Firefox < 139.0.4. Severity: 9.8 | CRITICAL Visit the link for more details, such as CVSS details, affected products, timeline, and more… Go […] … whalers.ir/blog/cve-2025-49710

2025-06-12

137 Key Cybersecurity Statistics for 2025 and Beyond Top cybersecurity facts Staying ahead in cybersecurity means getting the lay of the land—what’s working, what’s not, and what’s changing. This cybersecurity data isn’t just numbers; it’s deep insights … Read more Published Date: Jun 13, 2025 (0 minutes ago) Vulnerabilities have been mentioned in this article. CVE-2024-1709 […] … whalers.ir/blog/137-key-cybers

2025-06-10

Insecure Bootstrap Process in Google’s Cloud SQL Proxy Summary The bootstrap process for Google’s cloud SQL Proxy CLI uses the “curl | bash” pattern and didn’t document a way to verify authenticity of the downloaded binaries. The vendor updated documentation with information on how to use checksums to verify the downloaded binaries. Vulnerability Details As part of our ongoing research into supply chain […] … whalers.ir/blog/insecure-boots

2025-06-10

RFC 9116 / “security.txt” Has Been Published After 5 years of work, security.txt is officially an RFC. I am pleased to announce RFC 9116: t.co/uIqSRo28ak. I would like to use this opportunity to thank those who made this possible. Thank you. pic.twitter.com/Z8SNxd81ZO — Ed (@EdOverflow) April 27, 2022 See: rfc-editor.org/rfc/rfc9116 Go to Source … whalers.ir/blog/rfc-9116-secur

2025-06-10

GitBleed – Finding Secrets in Mirrored Git Repositories – CVE-2022-24975 Summary Due to a discrepancy in Git behavior, partial parts of a source code repository are visible when making copies via the “git clone” command. There are additional parts of the repository that only become visible when using the “–mirror” option. This can lead to secrets being exposed via git repositories when not removed properly, […] … whalers.ir/blog/gitbleed-findi

2025-06-10

Insecure Bootstrap Process in Oracle Cloud CLI Summary The bootstrap process for Oracle Cloud CLI using the “curl | bash” pattern was insecure since there was no way to verify authenticity of the downloaded binaries. The vendor is now publishing checksums that can be used to verify the downloaded binaries. Vulnerability Details As part of our ongoing research into supply chain attacks, […] … whalers.ir/blog/insecure-boots

2025-06-10

Three Reasons Why Log4J Is So Bad: Ubiquity, Severity and Exploitability Over the last few weeks, security teams everywhere have been busy patching Log4J vulnerabilities. In this article we want to talk about the three reasons you can give your friends for why this one is so much worse. Ubiquity This vulnerability impacts Java applications, and those can be found almost anywhere: enterprise, vendor applications, database drivers, Android […] … whalers.ir/blog/three-reasons-
