
ESP-RFID-Tool v2 PRO — Full Public Disclosure

29 April 2026 at 17:46

Posted by Milan Berger via Fulldisclosure on Apr 29

# Security Advisory: ESP-RFID-Tool v2 PRO

**Product:** ESP-RFID-Tool v2 PRO
**Vendor:** Raik Schneider (Einstein2150), foto-video-it.de
**Repository:** https://github.com/Einstein2150/ESP-RFID-Tool-v2
**Affected Version:** v2.2.1 (latest as of 2026-04-28)
**Severity:** CRITICAL
**Disclosure Type:** Full Public Disclosure
**Disclosure Date:** 2026-04-28
**Researcher:** Milan 't4c' Berger

---

## Disclosure Timeline

| Date | Event |...

SEC Consult SA-20260427-0 :: Missing TLS Certificate Validation leading to RCE in DeskTime Time Tracking App

29 April 2026 at 17:43

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Apr 29

SEC Consult Vulnerability Lab Security Advisory < 20260427-0 >
=======================================================================
              title: Missing TLS Certificate Validation leading to RCE
            product: DeskTime Time Tracking App
 vulnerable version: 1.3.671
      fixed version: -
         CVE number: CVE-2025-10539
             impact: medium
           homepage: https://desktime.com...

SEC Consult SA-20260423-0 :: DLL Hijacking in EfficientLab Controlio (cloud-based employee monitoring service)

29 April 2026 at 17:43

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Apr 29

SEC Consult Vulnerability Lab Security Advisory < 20260423-0 >
=======================================================================
              title: DLL Hijacking
            product: EfficientLab Controlio (cloud-based employee monitoring service)
 vulnerable version: <1.3.95
      fixed version: 1.3.95
         CVE number: CVE-2025-10549
             impact: High
           homepage: https://controlio.net...

SEC Consult SA-20260421-0 :: Broken Access Control in Config Endpoint in LiteLLM

29 April 2026 at 17:43

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Apr 29

SEC Consult Vulnerability Lab Security Advisory < 20260421-0 >
=======================================================================
              title: Broken Access Control in Config Endpoint
            product: LiteLLM
 vulnerable version: <=v1.83.0
      fixed version: v1.83.0-nightly
         CVE number: CVE-2026-35029
             impact: high
           homepage: https://www.litellm.ai/
...

SEC Consult SA-20260415-0 :: Exposed Private Key of X.509 Certificate in SAP HANA Cockpit & SAP HANA Database Explorer

29 April 2026 at 17:43

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Apr 29

SEC Consult Vulnerability Lab Security Advisory < 20260415-0 >
=======================================================================
              title: Exposed Private Key of X.509 Certificate
            product: SAP HANA Cockpit & SAP HANA Database Explorer
 vulnerable version: HANA Cockpit <2.18.2 (HRTT <2.16.254002)
      fixed version: HANA Cockpit 2.18.2 (HRTT 2.16.254002)
         CVE number: ...

APPLE-SA-04-22-2026-2 iOS 18.7.8 and iPadOS 18.7.8

29 April 2026 at 17:43

Posted by Apple Product Security via Fulldisclosure on Apr 29

APPLE-SA-04-22-2026-2 iOS 18.7.8 and iPadOS 18.7.8

iOS 18.7.8 and iPadOS 18.7.8 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/en-us/127003.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Notification Services
Available for: iPhone XR, iPhone XS, iPhone XS Max, iPhone 11 (all...

APPLE-SA-04-22-2026-1 iOS 26.4.2 and iPadOS 26.4.2

29 April 2026 at 17:43

Posted by Apple Product Security via Fulldisclosure on Apr 29

APPLE-SA-04-22-2026-1 iOS 26.4.2 and iPadOS 26.4.2

iOS 26.4.2 and iPadOS 26.4.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/en-us/127002.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Notification Services
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and...

Research: When Trusted Tools Become Attack Primitives

29 April 2026 at 17:35

Posted by Nir Yehoshua on Apr 29

Hi Full Disclosure list,

I published a technical research article titled:

When Trusted Tools Become Attack Primitives

The article examines how trusted local utilities can become
security-relevant primitives when used inside automated processing
pipelines.

It covers two case studies:

1. macOS textutil resolving remote resources during HTML-to-text
conversion.
2. KeePassXC KDBX-controlled KDF parameters creating significant...

[KIS-2026-08] SocialEngine <= 7.8.0 (get-memberall) SQL Injection Vulnerability

29 April 2026 at 17:35

Posted by Egidio Romano on Apr 29

-----------------------------------------------------------------
SocialEngine <= 7.8.0 (get-memberall) SQL Injection Vulnerability
-----------------------------------------------------------------

[-] Software Link:

https://socialengine.com

[-] Affected Versions:

Versions 7.8.0, 7.7.0, and likely prior versions.

[-] Vulnerability Description:

User input passed through the "text" request parameter to the...
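The bug class in the KIS-2026-08 post above, shown as an added example that is not SocialEngine code and not taken from the advisory: a query built by string concatenation beside the same query with a bound parameter, run against an in-memory SQLite table. The advisory only says that the "text" request parameter reaches a query; the table, column names and payload below are constructed for illustration.

```python
"""Added example (not SocialEngine code): string-built SQL versus a
parameterised query, run against a constructed in-memory SQLite table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a member table with one private row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members "
        "(id INTEGER, displayname TEXT, email TEXT, private INTEGER)"
    )
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "alice@example.test", 0),
            (2, "bob", "bob@example.test", 0),
            (3, "carol", "carol@example.test", 1),
        ],
    )
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, text: str) -> list:
    """Vulnerable: the request parameter is pasted into the SQL text, so a
    quote in `text` terminates the string literal and everything after it
    is parsed as SQL. The `private = 0` filter can be commented away."""
    sql = (
        "SELECT displayname, email FROM members "
        "WHERE displayname LIKE '%" + text + "%' AND private = 0"
    )
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, text: str) -> list:
    """Hardened: the SQL grammar is fixed before any user data is seen;
    the value travels as a bound parameter and can only ever be a string."""
    sql = (
        "SELECT displayname, email FROM members "
        "WHERE displayname LIKE ? AND private = 0"
    )
    return conn.execute(sql, ("%" + text + "%",)).fetchall()


# Constructed payload: closes the LIKE literal, makes the WHERE clause
# always true, and comments out the rest of the statement (SQLite and
# most other engines treat `--` as a line comment).
PAYLOAD = "' OR 1=1 --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, PAYLOAD))  # all rows, private included
    print("safe:      ", search_safe(db, PAYLOAD))        # no rows
```

The safe variant returns nothing for the payload because the whole string is matched as a literal pattern; the point is not that the payload is detected but that it can no longer change the statement.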

[KIS-2026-07] SocialEngine <= 7.8.0 Blind Server-Side Request Forgery Vulnerability

29 April 2026 at 17:35

Posted by Egidio Romano on Apr 29

---------------------------------------------------------------------
SocialEngine <= 7.8.0 Blind Server-Side Request Forgery Vulnerability
---------------------------------------------------------------------

[-] Software Link:

https://socialengine.com

[-] Affected Versions:

Versions 7.8.0, 7.7.0, and likely prior versions.

[-] Vulnerability Description:

User input passed through the "uri" request parameter to the...
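The mitigation for the KIS-2026-07 class above, as an added example that is not SocialEngine code and not taken from the advisory: a check applied to a user-supplied "uri" before the server fetches it. The advisory only says the parameter reaches an outbound request; the resolver stub, host names and addresses below are constructed so the check runs offline. The check rejects every resolved address that is not globally routable, not only the first one, because a blind SSRF still has side effects (internal port probing, cloud metadata endpoints) even when no response body is returned to the attacker.

```python
"""Added example (not SocialEngine code): validating the target of a
server-side fetch that takes a user-controlled URL."""
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS answers standing in for socket.getaddrinfo, so the
# example runs without network access. In production, pass a resolver
# that calls socket.getaddrinfo and connect to the *resolved* address
# rather than re-resolving the name, to avoid a DNS rebinding race.
FAKE_DNS = {
    "cdn.example.test": ["8.8.8.8"],
    "localhost": ["127.0.0.1"],
    "metadata.internal.test": ["169.254.169.254"],
    "rebind.example.test": ["8.8.8.8", "10.0.0.5"],
}


def resolve(host: str) -> list:
    """Hypothetical resolver: returns constructed answers, [] if unknown."""
    return FAKE_DNS.get(host, [])


def is_public(addr_str: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(addr_str)
    return addr.is_global and not (
        addr.is_multicast or addr.is_loopback or addr.is_link_local
    )


def check_fetch_target(uri: str, resolver=resolve) -> tuple:
    """Return (ok, reason). Only http(s) to public addresses is allowed;
    every address a name resolves to must pass, not just the first."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        # Literal IP in the URL (IPv6 literals arrive without brackets).
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, "unresolvable host"
    for a in addrs:
        if not is_public(a):
            return False, "non-public address " + a
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://cdn.example.test/a.png",
              "http://localhost:8080/admin",
              "http://169.254.169.254/latest/meta-data/",
              "http://rebind.example.test/"):
        print(u, "->", check_fetch_target(u))
```

Redirects need the same check on every hop, since a public host can 302 to an internal one; disable automatic redirect following in the HTTP client and re-validate each Location header.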

Trojan-Spy.Win32.Small / Remote Command Execution

29 April 2026 at 17:34

Posted by malvuln on Apr 29

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2026
Original source:
https://malvuln.com/advisory/8c15ec5f0137d097a345b693f0bffedb.txt
Malvuln Intelligence Feed: https://intel.malvuln.com/
Contact: malvuln13 () gmail com
Media: x.com/malvuln

Threat: Trojan-Spy.Win32.Small
Vulnerability: Remote Command Execution
Description: The malware opens a listener on TCP port 65535, allowing
unauthenticated remote attackers with network access...

[IWCC 2026] CfP: 15th International Workshop on Cyber Crime - Linköping, Sweden, Aug 24-27, 2026

29 April 2026 at 17:31

Posted by Artur Janicki via Fulldisclosure on Apr 29

[APOLOGIES FOR CROSS-POSTING]

CALL FOR PAPERS
15th International Workshop on Cyber Crime (IWCC 2026 -
https://www.ares-conference.eu/iwcc)
to be held in conjunction with the International Conference on Availability,
Reliability and Security (ARES 2026 - https://www.ares-conference.eu/) in
Linköping, Sweden, August 24-27, 2026

IMPORTANT DATES
Submission Deadline May 11, 2026
Author Notification May 29, 2026
Proceedings Version June...

[SBA-ADV-20251120-01] CVE-2026-0972: GoAnywhere MFT Email HTML Injection

29 April 2026 at 17:30

Posted by SBA Research Security Advisory via Fulldisclosure on Apr 29

# GoAnywhere MFT Email HTML Injection #

Link: https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251120-01_GoAnywhere_MFT_Email_HTML_Injection

## Vulnerability Overview ##

GoAnywhere MFT before 7.10.0 is affected by an HTML injection vulnerability
in its email templating functionality. If an attacker is able to influence
the content of a template variable, malicious HTML can be embedded into
outgoing emails generated by the...
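The bug class in the SBA advisory above, as an added example that is not GoAnywhere code and not taken from the advisory: an email template that substitutes a variable verbatim, beside one that HTML-escapes every value first. The advisory only says that a template variable an attacker can influence ends up as HTML in an outgoing message; the template, variable names, addresses and payload below are constructed.

```python
"""Added example (not GoAnywhere code): HTML injection through an email
template variable, and the escaped rendering that prevents it."""
import html
import re
from email.message import EmailMessage
from string import Template

# Constructed notification template; $fileName and $userName are
# hypothetical variable names, not the product's.
TEMPLATE = Template(
    "<p>Your file <b>$fileName</b> was uploaded by $userName.</p>"
)


def render_unsafe(variables: dict) -> str:
    """Vulnerable: values are substituted as-is, so markup inside a value
    (for instance a file name chosen by the uploader) becomes markup in
    the mail body."""
    return TEMPLATE.substitute(variables)


def render_safe(variables: dict) -> str:
    """Hardened: every value is HTML-escaped, quotes included, before it
    is substituted, so attacker text is rendered as text."""
    return TEMPLATE.substitute(
        {k: html.escape(str(v), quote=True) for k, v in variables.items()}
    )


def build_message(body_html: str, sender: str, recipient: str) -> EmailMessage:
    """Wrap the rendered body in a multipart/alternative message."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Upload notification"
    msg.set_content("Your upload was processed. See the HTML part.")
    msg.add_alternative(body_html, subtype="html")
    return msg


def contains_injected_markup(body_html: str) -> bool:
    """Cheap outbound check: the template never emits these tags, so their
    presence means a variable carried raw HTML."""
    return re.search(r"<\s*(a|script|img|form|iframe)\b", body_html, re.I) is not None


# Constructed payload: a phishing link disguised as a password reset.
PAYLOAD = '<a href="https://attacker.test/login">Reset your password</a>'


if __name__ == "__main__":
    values = {"fileName": PAYLOAD, "userName": "mallory"}
    print("unsafe:", render_unsafe(values))
    print("safe:  ", render_safe(values))
```

Escape at the point where the value enters the HTML context, not at input time, and treat any variable that is meant to carry real markup as trusted configuration rather than something derived from user data.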