Defense in depth -- the Microsoft way (part 95): the (shared) "Start Menu" is dispensable

— January 11^th 2026 at 04:24

Posted by Stefan Kanthak via Fulldisclosure on Jan 10

Hi @ll,

the following is a condensed form of
<https://skanthak.hier-im-netz.de/whispers.html#whisper3> and
<https://skanthak.hier-im-netz.de/whispers.html#whisper4>.

Windows Vista moved the shared start menu from "%ALLUSERSPROFILE%\Start Menu\"
to "%ProgramData%\Microsoft\Windows\Start Menu\", with some shortcuts (*.lnk)
"reflected" from the (immutable) component store below %SystemRoot%\WinSxS\

JFTR:...

Full Disclosure

Re: Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)

— January 11^th 2026 at 04:24

Posted by Art Manion via Fulldisclosure on Jan 10

Hi,

CVE IDs *can* be assigned for SaaS or similarly "cloud only" software. For a period of time, there was a restriction
that only the provider could make or request such an assignment. But the current CVE rules remove this restriction:

4.2.3 CNAs MUST NOT consider the type of technology (e.g., cloud, on-premises, artificial intelligence, machine
learning) as the sole basis for determining assignment.

It would have been...

Full Disclosure

RIOT OS 2026.01-devel-317 Stack-Based Buffer Overflow in RIOT ethos Serial Frame Parser

— January 11^th 2026 at 04:24

Posted by Ron E on Jan 10

A stack-based buffer overflow vulnerability exists in the RIOT OS ethos
utility due to missing bounds checking when processing incoming serial
frame data. The vulnerability occurs in the _handle_char() function, where
incoming frame bytes are appended to a fixed-size stack buffer
(serial->frame) without verifying that the current write index
(serial->framebytes) remains within bounds. An attacker capable of sending
crafted serial or...

Full Disclosure

RIOT OS 2026.01-devel-317 Stack-Based Buffer Overflow in tapslip6 Utility via Unbounded Device Path Construction

— January 11^th 2026 at 04:23

Posted by Ron E on Jan 10

A stack-based buffer overflow vulnerability exists in the tapslip6 utility
distributed with RIOT OS (and derived from the legacy uIP/Contiki
networking tools). The vulnerability is caused by unsafe string
concatenation in the devopen() function, which constructs a device path
using unbounded user-controlled input.
Specifically, tapslip6 uses strcpy() and strcat() to concatenate the fixed
prefix "/dev/" with a user-supplied device name...

Full Disclosure

TinyOS 2.1.2 Stack-Based Buffer Overflow in mcp2200gpio

— January 11^th 2026 at 04:23

Posted by Ron E on Jan 10

A stack-based buffer overflow vulnerability exists in the mcp2200gpio
utility due to unsafe use of strcpy() and strcat() when constructing device
paths during automatic device discovery. A local attacker can trigger the
vulnerability by creating a specially crafted filename under /dev/usb/,
resulting in stack memory corruption and a process crash. In non-hardened
builds, this may lead to arbitrary code execution.

*Root Cause:*

The vulnerability...

Full Disclosure

TinyOS 2.1.2 printfUART Global Buffer Overflow via Unbounded Format Expansion

— January 11^th 2026 at 04:23

Posted by Ron E on Jan 10

A global buffer overflow vulnerability exists in the TinyOS printfUART
implementation used within the ZigBee / IEEE 802.15.4 networking stack. The
issue arises from an unsafe custom sprintf() routine that performs
unbounded string concatenation using strcat() into a fixed-size global
buffer. The global buffer debugbuf, defined with a size of 256 bytes, is
used as the destination for formatted output. When a %s format specifier is
supplied with a...

Full Disclosure

KL-001-2026-01: yintibao Fun Print Mobile Unauthorized Access via Context Hijacking

— January 8^th 2026 at 21:03

Posted by KoreLogic Disclosures via Fulldisclosure on Jan 08

KL-001-2026-01: yintibao Fun Print Mobile Unauthorized Access via Context Hijacking

Title: yintibao Fun Print Mobile Unauthorized Access via Context Hijacking
Advisory ID: KL-001-2026-001
Publication Date: 2026-01-08
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2026-001.txt

1. Vulnerability Details

Affected Vendor: yintibao
Affected Product: Fun Print Mobile
Affected Version: 6.05.15
...

Full Disclosure

Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)

— January 6^th 2026 at 07:00

Posted by Yuffie Kisaragi via Fulldisclosure on Jan 05

UPDATE:

Following the publication of these vulnerabilities and the subsequent CVE
assignments, the CVE identifiers have now been revoked.

The vendor (EQS Group) contacted the CVE Program (via a CNA) and disputed the
records, stating that the affected product is an exclusively hosted SaaS
platform with no customer-managed deployment or versioning. Based on this
argument, the CVE Program concluded that CVE assignment is “not a suitable...

Full Disclosure

Panda3d v1.10.16 Uncontrolled Format String in Panda3D egg-mkfont Allows Stack Memory Disclosure

— January 6^th 2026 at 06:59

Posted by Ron E on Jan 05

Panda3D’s egg-mkfont utility contains an uncontrolled format string
vulnerability that allows disclosure of stack-resident memory. The -gp
(glyph pattern) command-line option allows users to specify a formatting
pattern intended for generating glyph texture filenames. This pattern is
passed directly as the format string to sprintf() without validation or
sanitization. If the supplied pattern contains additional format specifiers
beyond the...

Full Disclosure

Panda3d v1.10.16 egg-mkfont Stack Buffer Overflow

— January 6^th 2026 at 06:59

Posted by Ron E on Jan 05

A stack-based buffer overflow vulnerability exists in the Panda3D
egg-mkfont utility due to the use of an unbounded sprintf() call with
attacker-controlled input. By supplying an excessively long glyph pattern
string via the -gp command-line option, an attacker can trigger a stack
buffer overflow, resulting in a deterministic crash of the egg-mkfont
process.

*Technical Details:*
The vulnerability occurs when egg-mkfont constructs output glyph...

Full Disclosure

Panda3d v1.10.16 deploy-stub Unbounded Stack Allocation Leading to Uninitialized Memory

— January 6^th 2026 at 06:59

Posted by Ron E on Jan 05

A memory safety vulnerability exists in the Panda3D deploy-stub executable
due to unbounded stack allocation using attacker-controlled input. The
issue allows a local attacker to trigger stack exhaustion and subsequent
use of uninitialized memory during Python interpreter initialization,
resulting in a reliable crash and undefined behavior. The vulnerability is
confirmed by MemorySanitizer (MSAN) as a use-of-uninitialized-value
originating from...

Full Disclosure

MongoDB v8.3.0 Integer Underflow in LMDB mdb_load

— January 6^th 2026 at 06:59

Posted by Ron E on Jan 05

This integer underflow vulnerability enables heap metadata corruption and
information disclosure through carefully crafted LMDB dump files.

*Impact:*

- *Denial of Service*: Immediate crash (confirmed)
- *Information Disclosure*: Heap metadata leak via OOB read

Root Cause:The readline() function fails to validate that the input line
length is non-zero before performing decrement operations, causing integer
underflow. An attacker can craft...

Full Disclosure

Bioformats v8.3.0 Untrusted Deserialization of Bio-Formats Memoizer Cache Files

— January 6^th 2026 at 06:59

Posted by Ron E on Jan 05

Bio-Formats performs unsafe Java deserialization of attacker-controlled
memoization cache files (.bfmemo) during image processing. The
loci.formats.Memoizer class automatically loads and deserializes memo files
associated with images without validation, integrity checks, or trust
enforcement.
An attacker can exploit this behavior by supplying a crafted or corrupted
.bfmemo file—either fully attacker-controlled or derived from a legitimate
memo...

Full Disclosure

Bioformats v8.3.0 Improper Restriction of XML External Entity Reference in Bio-Formats Leica Microsystems XML Parser

— January 6^th 2026 at 06:59

Posted by Ron E on Jan 05

Bio-Formats contains an XML External Entity (XXE) vulnerability in the
Leica Microsystems metadata parsing component. The vulnerability is caused
by the use of an insecurely configured DocumentBuilderFactory when
processing Leica XML-based metadata files (e.g., XLEF). When a crafted XML
file is supplied, the parser allows external entity resolution and external
DTD loading, enabling attackers to trigger arbitrary outbound network
requests, access...

Full Disclosure

MongoDB v8.3.0 Heap Buffer Underflow in OpenLDAP LMDB mdb_load

— January 6^th 2026 at 06:59

Posted by Ron E on Jan 05

A heap buffer underflow vulnerability exists in the readline() function of
OpenLDAP's Lightning Memory-Mapped Database (LMDB) mdb_load utility. The
vulnerability is triggered through malformed input data and results in an
out-of-bounds read one byte before an allocated heap buffer. This can lead
to information disclosure through heap memory leakage.

*Root Cause:*
The vulnerability occurs in the readline() function at line 214 of
mdb_load.c....

Full Disclosure

zlib v1.3.1.2 Global Buffer Overflow in TGZfname() of zlib untgz Utility via Unbounded strcpy() on User-Supplied Archive Name

— January 6^th 2026 at 06:59

Posted by Ron E on Jan 05

A global buffer overflow vulnerability exists in the TGZfname() function of
the zlib untgz utility due to the use of an unbounded strcpy() call on
attacker-controlled input. The utility copies a user-supplied archive name
(argv[arg]) into a fixed-size static global buffer of 1024 bytes without
performing any length validation. Supplying an archive name longer than
1024 bytes results in an out-of-bounds write past the end of the global
buffer,...

Full Disclosure

SigInt-Hombre v1 / dynamic Suricata detection rules from real-time threat feeds

— January 6^th 2026 at 06:58

Posted by malvuln on Jan 05

SigInt-Hombre, generates derived Suricata detection rules from live
URLhaus threat indicators at runtime and deploy them to the Security
Onion platform for high-coverage real-time network monitoring.

https://github.com/malvuln/sigint-hombre

What it does:
Pulls the public URLhaus feed in real time (not mirrored or redistributed)

Skips:
Comments, empty lines, malformed URLs, and feed self-references
Normalizes and extracts:

Protocol, host, URI...

Full Disclosure

Security Vulnerability in Koller Secret: Real Hidden App (com.koller.secret.hidemyphoto)

— January 6^th 2026 at 06:57

Posted by duykham on Jan 05

Hello Full Disclosure,

I would like to disclose a security vulnerability identified in a
smartphone application: *Koller Secret: Real Hidden App*.

This report is shared in the interest of responsible disclosure and
improving overall security awareness.

---

*Summary*
- Application: Koller Secret: Real Hidden App
- Package / Bundle ID: com.koller.secret.hidemyphoto
- Platform: Android
- Affected Version(s): v.1.0.27 and below
- Vulnerability...

Full Disclosure

Linux Kernel Block Subsystem Vulnerabilities

— January 6^th 2026 at 06:56

Posted by Agent Spooky's Fun Parade via Fulldisclosure on Jan 05

================================================================================
FULL DISCLOSURE: Linux Kernel Block Subsystem Vulnerabilities
Date: 2025-12-29
Affected: Linux Kernel (all versions with affected code)
================================================================================

================================================================================
[1/4] Integer Overflow in LDM Partition Parser - Heap Overflow...

Full Disclosure

[KIS-2025-14] PKP-WAL <= 3.5.0-1 Login Cross-Site Request Forgery Vulnerability

— December 28^th 2025 at 05:19

Posted by Egidio Romano on Dec 27

-----------------------------------------------------------------
PKP-WAL <= 3.5.0-1 Login Cross-Site Request Forgery Vulnerability
-----------------------------------------------------------------

[-] Software Links:

https://pkp.sfu.ca
https://github.com/pkp/pkp-lib

[-] Affected Versions:

Version 3.3.0-21 and prior versions.
Version 3.4.0-9 and prior versions.
Version 3.5.0-1 and prior versions.

[-] Vulnerability Description:

Open...

Full Disclosure

[KIS-2025-13] PKP-WAL <= 3.5.0-3 (X-Forwarded-Host) LESS Code Injection Vulnerability

— December 28^th 2025 at 05:19

Posted by Egidio Romano on Dec 27

-----------------------------------------------------------------------
PKP-WAL <= 3.5.0-3 (X-Forwarded-Host) LESS Code Injection Vulnerability
-----------------------------------------------------------------------

[-] Software Links:

https://pkp.sfu.ca
https://github.com/pkp/pkp-lib

[-] Affected Versions:

PKP Web Application Library (aka PKP-WAL or pkp-lib) version 3.4.0-10
and prior versions, and version 3.5.0-3 and prior versions, as...

Full Disclosure

[KIS-2025-12] PKP-WAL <= 3.5.0-1 (baseColour) LESS Code Injection Vulnerability

— December 28^th 2025 at 05:19

Posted by Egidio Romano on Dec 27

-----------------------------------------------------------------
PKP-WAL <= 3.5.0-1 (baseColour) LESS Code Injection Vulnerability
-----------------------------------------------------------------

[-] Software Links:

https://pkp.sfu.ca
https://github.com/pkp/pkp-lib

[-] Affected Versions:

PKP Web Application Library (aka PKP-WAL or pkp-lib) version 3.4.0-9
and prior versions, and version 3.5.0-1 and prior versions, as used in
Open Journal...

Full Disclosure

[KIS-2025-11] Open Journal Systems <= 3.5.0-1 (NativeXmlIssueGalleyFilter.php) Path Traversal Vulnerability

— December 28^th 2025 at 05:19

Posted by Egidio Romano on Dec 27

---------------------------------------------------------------------------------------------
Open Journal Systems <= 3.5.0-1 (NativeXmlIssueGalleyFilter.php) Path
Traversal Vulnerability
---------------------------------------------------------------------------------------------

[-] Software Links:

https://pkp.sfu.ca/software/ojs/
https://github.com/pkp/ojs

[-] Affected Versions:

Version 3.3.0-21 and prior versions.
Version 3.4.0-9 and...

Full Disclosure

[KIS-2025-10] PKP-WAL <= 3.5.0-1 (Institution Collector) SQL Injection Vulnerability

— December 28^th 2025 at 05:19

Posted by Egidio Romano on Dec 27

----------------------------------------------------------------------
PKP-WAL <= 3.5.0-1 (Institution Collector) SQL Injection Vulnerability
----------------------------------------------------------------------

[-] Software Links:

https://pkp.sfu.ca
https://github.com/pkp/pkp-lib

[-] Affected Versions:

PKP Web Application Library (aka PKP-WAL or pkp-lib) version 3.4.0-9
and prior versions, and version 3.5.0-1 and prior versions, as used...

Full Disclosure

Backdoor.Win32.Poison.jh / Insecure Permissions

— December 28^th 2025 at 05:19

Posted by malvuln on Dec 27

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2025
Original source:
https://malvuln.com/advisory/3d9821cbe836572410b3c5485a7f76ca.txt
Malvuln Intelligence Feed: https://intel.malvuln.com/
Contact: malvuln13 () gmail com
Media: x.com/malvuln

Threat: Backdoor.Win32.Poison.jh
Vulnerability: Insecure Permissions
Description: The malware creates the directory 28463 under
C:\Windows\SysWOW64, granting Full (F) permissions to the Everyone...

Full Disclosure

Backdoor.Win32.Netbus.170 / Insecure Credential Storage / MVID-2025-0703

— December 28^th 2025 at 05:19

Posted by malvuln on Dec 27

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2025
Original source:
https://malvuln.com/advisory/086f0693f81f6d40460c215717349a1f.txt
Malvuln Intelligence Feed: https://intel.malvuln.com/
Contact: malvuln13 () gmail com
Media: x.com/malvuln

Threat: Backdoor.Win32.Netbus.170
Vulnerability: Insecure Credential Storage
Family: Netbus
Type: PE32
Attack-pattern TTP: Unsecured Credentials (T1552)
MD5: 086f0693f81f6d40460c215717349a1f...

Exploit-DB Updates

[webapps] FreeBSD rtsold 15.x - Remote Code Execution via DNSSL

— December 25^th 2025 at 00:00

FreeBSD rtsold 15.x - Remote Code Execution via DNSSL

Exploit-DB Updates

[webapps] Chained Quiz 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie

— December 25^th 2025 at 00:00

Chained Quiz 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie

Exploit-DB Updates

[webapps] WordPress Quiz Maker 6.7.0.56 - SQL Injection

— December 25^th 2025 at 00:00

WordPress Quiz Maker 6.7.0.56 - SQL Injection

Full Disclosure

Defense in depth -- the Microsoft way (part 94): SAFER (SRPv1 and AppLocker alias SRPv2) bypass for dummies

— December 23^rd 2025 at 00:45

Posted by Stefan Kanthak via Fulldisclosure on Dec 22

Hi @ll,

since 30 years Microsoft ships Windows with "Windows Script Host",
an empty registry key and the following registry entries:

[HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"ActiveDebugging"="1"
"DisplayLogo"="1"
"SilentTerminate"="0"
"UseWINSAFER"="1"

The...

Full Disclosure

Backdoor.Win32.ControlTotal.t / Insecure Credential Storage / MVID-2025-0702

— December 23^rd 2025 at 00:45

Posted by malvuln on Dec 22

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2025
Original source:
https://malvuln.com/advisory/6c0eda1210da81b191bd970cb0f8660a.txt
Malvuln Intelligence Feed: https://intel.malvuln.com/
Contact: malvuln13 () gmail com
Media: x.com/malvuln

Threat: Backdoor.Win32.ControlTotal.t
Vulnerability: Insecure Credential Storage
Description: The malware listens on TCP port 2032 and requires
authentication. The password "jdf4df4vdf"...

Full Disclosure

HEUR.Backdoor.Win32.Poison.gen / Arbitrary Code Execution / MVID-2025-0701

— December 23^rd 2025 at 00:45

Posted by malvuln on Dec 22

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2025
Original source:
https://malvuln.com/advisory/b2e50fa38510a5ea8e11f614b1c1d0d5.txt
Malvuln Intelligence Feed: https://intel.malvuln.com/
Contact: malvuln13 () gmail com
Media: x.com/malvuln

Threat: HEUR.Backdoor.Win32.Poison.gen
Vulnerability: Arbitrary Code Execution
Description: The malware looks for and executes a x32-bit
"WININET.dll" PE file in its current directory....

Full Disclosure

CyberDanube Security Research 20251215-0 | Multiple Vulnerabilities in Phoenix Contact FL Switch Series

— December 18^th 2025 at 06:52

Posted by Thomas Weber | CyberDanube via Fulldisclosure on Dec 17

CyberDanube Security Research 20251215-0
-------------------------------------------------------------------------------
title| Multiple Vulnerabilities
product| FL Switch
vulnerable version| 3.40
fixed version| TODO
CVE number| CVE-2025-41692, CVE-2025-41693, CVE-2025-41694,
| CVE-2025-41695, CVE-2025-41696, CVE-2025-41697,
| CVE-2025-41745,...

Full Disclosure

[KIS-2025-09] Control Web Panel <= 0.9.8.1208 (admin/index.php) OS Command Injection Vulnerability

— December 18^th 2025 at 06:52

Posted by Egidio Romano on Dec 17

------------------------------------------------------------------------------------
Control Web Panel <= 0.9.8.1208 (admin/index.php) OS Command Injection
Vulnerability
------------------------------------------------------------------------------------

[-] Software Link:

https://control-webpanel.com

[-] Affected Versions:

Version 0.9.8.1208 and prior versions.

[-] Vulnerability Description:

User input passed via the "key" GET...

Full Disclosure

Raydium CP Swap: Unchecked Account Allows Creator Fee Hijacking

— December 18^th 2025 at 06:52

Posted by LRKTBEYK LRKTBEYK on Dec 17

I tried to report these vulnerabilities to ImmuneFi, but they closed it
(report 62070) as "out of scope." I believe them when they tell me
something is out of scope, so now it's public.

https://github.com/raydium-io/raydium-cp-swap/pull/62

These vulnerabilities collectively enable fee theft, creator fee hijacking,
and potential user exploitation through uncapped fee rates. Issue #3 allows
attackers to steal all creator fees from...

Full Disclosure

[CFP] Security BSidesLjubljana 0x7EA | March 13, 2026

— December 18^th 2025 at 06:51

Posted by Andraz Sraka on Dec 17

MMMMMMMMMMMMMMMMNmddmNMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMN..-..--+MMNy:...-.-/yNMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMy..ymd-.:Mm::-:osyo-..-mMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MM:..---.:dM/..+NNyyMN/..:MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
Mm../dds.-oy.-.dMh--mMds++MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
My:::::/ydMmo..-hMMMmo//omMs/+Mm+++++shNMN+//+//+oMNy+///ohM
MMMs//yMNo+hMh---m:-:hy+sMN..+Mo..os+.-:Ny--ossssdN-.:yyo+mM...

Full Disclosure

[KIS-2025-08] 1C-Bitrix <= 25.100.500 (Translate Module) Remote Code Execution Vulnerability

— December 16^th 2025 at 05:19

Posted by Egidio Romano on Dec 15

------------------------------------------------------------------------------
1C-Bitrix <= 25.100.500 (Translate Module) Remote Code Execution Vulnerability
------------------------------------------------------------------------------

[-] Software Link:

https://www.1c-bitrix.ru

[-] Affected Versions:

Version 25.100.500 and prior versions.

[-] Vulnerability Description:

The vulnerability is located within the "Translate...

Full Disclosure

[KIS-2025-07] Bitrix24 <= 25.100.300 (Translate Module) Remote Code Execution Vulnerability

— December 16^th 2025 at 05:19

Posted by Egidio Romano on Dec 15

-----------------------------------------------------------------------------
Bitrix24 <= 25.100.300 (Translate Module) Remote Code Execution Vulnerability
-----------------------------------------------------------------------------

[-] Software Link:

https://www.bitrix24.com

[-] Affected Versions:

Version 25.100.300 and prior versions.

[-] Vulnerability Description:

The vulnerability is located within the "Translate Module",...

Full Disclosure

nopCommerce 4.90.0 is vulnerable to Cross Site Request Forgery (CSRF) via the Schedule Tasks functionality

— December 16^th 2025 at 05:19

Posted by Onur Tezcan via Fulldisclosure on Dec 15

[Attack Vectors]
> It was identified Cross-Site Request Forgery (CSRF) vulnerability on the "Run now" button of Schedule tasks
functionality. Exploiting this vulnerability, an attacker can run a scheduled task without the victim users consent or
knowledge.

Assigned CVE code:
> CVE-2025-65593

[Discoverer]
> AlterSec t/a PenTest.NZ

Full Disclosure

nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) in the product management functionality

— December 16^th 2025 at 05:19

Posted by Onur Tezcan via Fulldisclosure on Dec 15

[Attack Vectors]
> It was detected that multiple Stored Cross-Site Scripting (Stored XSS) vulnerabilities in the product
management functionality. Malicious JavaScript payloads inserted into the "Product Name" and "Short Description" fields
are stored in the backend database and executed automatically whenever a user (administrator or customer) views the
affected pages.

Assigned CVE code:
...

Full Disclosure

nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Currencies functionality.

— December 16^th 2025 at 05:19

Posted by Onur Tezcan via Fulldisclosure on Dec 15

[Attack Vectors]
> It was detected that a Stored XSS vulnerability on the "Currencies" functionality, specifically on the
following input field: "Configuration > Currencies > Edit one of the currencies > "Custom formatting" input field.
After saving the payload, the vulnerability can be triggered by visiting the following pages:
- Bestsellers,
- "Sales" > "Orders"...

Full Disclosure

nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Blog posts functionality in the Content Management area

— December 16^th 2025 at 05:19

Posted by Onur Tezcan via Fulldisclosure on Dec 15

[Attack Vectors]
> It was detected that a Stored XSS vulnerability in the "Content Management" > "Blog posts" area. Malicious
HTML/JavaScript added to the Body overview field of a blog post is stored in the backend and executes when the blog
page is visited (http://localhost/blog/)

Assigned CVE code:
> CVE-2025-65590

[Discoverer]
> AlterSec t/a PenTest.NZ

Full Disclosure

nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Attributes functionality

— December 16^th 2025 at 05:19

Posted by Onur Tezcan via Fulldisclosure on Dec 15

[Attack Vectors]
> It was detected that a Stored XSS vulnerability in the Attributes management workflow. An attacker can insert
JavaScript into the Name field when adding a new Attribute Group (Catalog > Attributes > Specification attributes > Add
Group > Name input field). To exploit the vulnerability, privileged users should visit the "Specification attributes
page.

Assigned CVE code:
>...

Full Disclosure

Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)