โŒ

Reading view

JSON Deserialiser Unconstrained Resource Consumption Quick Overview

Posted by Daniel Owens via Fulldisclosure on Mar 12

As previously mentioned, via "Struts2 and Related Framework Array/Collection DoS" (26 October 2025), hundreds of
JavaScript object notation (JSON) libraries are vulnerable to unconstrained resource consumption through large JSON
arrays, which, when deserialised, create arbitrarily large collections/arrays/data structures. This work looks
specifically at the Apache Struts2 JSON Plugin, using it as an example for why this...
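The amplification the post describes (a few bytes of `[0,0,0,...]` or `[[[[...` per element, a heap object or a collection per element once deserialised) is cheapest to stop before any deserialiser allocates. The following is an added illustration, not code from the post, from Struts2 or from any JSON library: a single linear pass over the raw text that caps elements per container, nesting depth and total value count, then hands the text to the real parser. The limit values and sample payloads are constructed for the demo.

```python
import json


class JsonLimitError(ValueError):
    """Raised when a JSON document exceeds a structural limit before parsing."""


def check_json_limits(text, *, max_depth=32, max_elements=10_000, max_nodes=100_000):
    """Single pass over raw JSON text that enforces structural limits.

    Nothing is allocated per element: the scanner keeps one counter per open
    container, the current depth and a running value total, so a 200 KB array
    that would deserialise into 100 000 boxed values is rejected before the
    parser runs.  Returns (value_count, max_depth_seen).  Limits are assumed.
    """
    stack = []               # element count per currently open container
    depth = max_seen = nodes = 0
    expect_value = True      # next non-structural token begins a new value
    member_value = False     # that value follows a ':' (its key was already counted)
    in_string = escape = False

    for offset, ch in enumerate(text):
        if in_string:        # brackets inside strings are data, not structure
            if escape:
                escape = False
            elif ch == "\\":
                escape = True
            elif ch == '"':
                in_string = False
            continue
        if ch.isspace():
            continue
        if ch in "]}":
            if not stack:
                raise JsonLimitError(f"unbalanced {ch!r} at offset {offset}")
            stack.pop()
            depth -= 1
            expect_value = False
            continue
        if ch == ",":
            if not stack:
                raise JsonLimitError(f"',' outside any container at offset {offset}")
            expect_value, member_value = True, False
            continue
        if ch == ":":
            expect_value, member_value = True, True
            continue
        # Any other character starts a value: string, number, literal or container.
        if expect_value:
            nodes += 1
            if nodes > max_nodes:
                raise JsonLimitError(f"more than {max_nodes} values")
            if stack and not member_value:
                stack[-1] += 1
                if stack[-1] > max_elements:
                    raise JsonLimitError(
                        f"container at depth {depth} exceeds {max_elements} elements")
            expect_value = member_value = False
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                raise JsonLimitError(f"nesting deeper than {max_depth}")
            max_seen = max(max_seen, depth)
            stack.append(0)
            expect_value = True
    if stack or in_string:
        raise JsonLimitError("unterminated container or string")
    return nodes, max_seen


def safe_loads(text, **limits):
    """json.loads guarded by the pre-scan; the real parser still validates syntax."""
    check_json_limits(text, **limits)
    return json.loads(text)


def demo():
    """Constructed payloads: one benign document and two amplification attempts."""
    benign = '{"user": "alice", "roles": ["admin", "ops"], "quota": {"cpu": 4}}'
    flat = "[" + "0," * 99_999 + "0]"     # ~200 KB of text -> 100 000 list slots
    deep = "[" * 500 + "]" * 500           # 1 KB of text -> 500 nested collections
    results = {"benign": check_json_limits(benign)}
    for name, payload in (("flat", flat), ("deep", deep)):
        try:
            check_json_limits(payload)
            results[name] = "accepted"
        except JsonLimitError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The scan is a pre-filter, not a parser: it does not validate number syntax or literals, so `json.loads` (or the framework's deserialiser) still runs afterwards, and the limits should be set from the largest legitimate request the endpoint is expected to serve rather than from the defaults above.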

Defense in depth -- the Microsoft way (part 96): yet another SAFER (SRPv1) and AppLocker (SRPv2) loophole

Posted by Stefan Kanthak via Fulldisclosure on Mar 12

Hi @ll,

about 2 months ago I posted
<https://seclists.org/fulldisclosure/2025/Dec/29>
"Defense in depth -- the Microsoft way (part 94):
SAFER (SRPv1 and AppLocker alias SRPv2) bypass for dummies"

Here's the continuation...

About 23 years ago, 64-bit Windows introduced the WoW64 subsystem, which
performs a transparent redirection of file system and registry accesses
for 32-bit applications.
To allow consistent appearance...

Alipay DeepLink+JSBridge Attack Chain: Silent GPS Exfiltration, 17 Vulns, 6 CVEs (CVSS 9.3)

Posted by Feng Ning via Fulldisclosure on Mar 12

Subject: Alipay DeepLink+JSBridge Attack Chain: Silent GPS Exfiltration, 17 Vulns, 6 CVEs (CVSS 9.3)

# Alipay DeepLink + JSBridge Attack Chain
# Silent GPS Exfiltration via Crafted URL

## Overview

Researcher: Jiqiang Feng / Innora AI Security Research
Vendor: Ant Group (蚂蚁集团) / Alibaba Group
Product: Alipay (支付宝) v10.x (Android & iOS)
Users Affected: 1 billion+
CVEs: 6 submitted to MITRE CNA-LR (2026-03-12)
CVSS: 7.4–9.3...

Cohesity TranZman Migration Appliance - 5 CVEs (command injection, LPE, unsigned patches, weak crypto)

Posted by GregD via Fulldisclosure on Mar 12

Hi,

I'm disclosing five vulnerabilities discovered during an authorised
security assessment of the Cohesity TranZman Migration Appliance
(formerly Stone Ram TranZman), Release 4.0 Build 14614.

CVE-2025-67840 - Web API Command Injection (CVSS 7.2 High)
The /api/v1/scheduler/run and /api/v1/actions/run endpoints allow
authenticated administrators to execute arbitrary commands as root by
injecting into POST request parameters. Input is...
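The bug class named above (request parameters reaching a root shell through an action-runner endpoint) is best shown as a handler pair. This is an added, generic illustration in Python and is not the appliance's code; the action name `banner`, the `/bin/echo` target and the parameter character set are assumptions made for the demo. It contrasts string concatenation into `shell=True` with an allowlisted argv list, and also rejects option-looking parameters, which an argv list alone does not prevent.

```python
import re
import subprocess

# Hypothetical action table: the only programs an API action may launch, by
# absolute path.  "banner" -> /bin/echo is an assumption for the demo.
ALLOWED_ACTIONS = {
    "banner": ["/bin/echo"],
}

# Conservative parameter alphabet: no whitespace, quotes, $ ( ) ; | & < > ` etc.
SAFE_PARAM = re.compile(r"[A-Za-z0-9_.:@/=+-]{1,128}")


def build_argv(action, params):
    """Map an API action plus caller-supplied parameters to an argv list.

    Rejects unknown actions, parameters outside SAFE_PARAM (so metacharacters
    never matter even if someone later reintroduces a shell) and parameters
    that the target program would parse as options.
    """
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    argv = list(ALLOWED_ACTIONS[action])
    for p in params:
        if not SAFE_PARAM.fullmatch(p):
            raise ValueError(f"parameter {p!r} contains disallowed characters")
        if p.startswith("-"):
            raise ValueError(f"parameter {p!r} would be parsed as an option")
        argv.append(p)
    return argv


def run_vulnerable(action, params):
    """Shape of the bug class: an allowlisted program is still launched through
    a shell with the parameters concatenated in, so ';' ends the command."""
    cmd = " ".join(ALLOWED_ACTIONS[action] + list(params))
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(action, params):
    """argv list and no shell: a parameter can only ever be an argument."""
    argv = build_argv(action, params)
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def demo():
    """Constructed request: one benign parameter list and one with a second command."""
    benign = ["hello"]
    injected = ["hello;", "echo", "INJECTED"]
    results = {
        "vulnerable_benign": run_vulnerable("banner", benign),
        "vulnerable_injected": run_vulnerable("banner", injected),
        "hardened_benign": run_hardened("banner", benign),
    }
    try:
        run_hardened("banner", injected)
        results["hardened_injected"] = "executed"
    except ValueError as exc:
        results["hardened_injected"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```

Two caveats the argv fix does not address: whatever the handler launches still runs with the web service's privileges, so an admin-to-root path exists as long as the service itself runs as root (a separate, narrowly scoped privileged helper is the usual answer), and an allowlisted program that interprets its own arguments (anything with `-exec`, `--command`, or config-file options) still needs per-argument validation of the kind `SAFE_PARAM` and the leading-dash check provide.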

APPLE-SA-03-11-2026-2 iOS 15.8.7 and iPadOS 15.8.7

Posted by Apple Product Security via Fulldisclosure on Mar 12

APPLE-SA-03-11-2026-2 iOS 15.8.7 and iPadOS 15.8.7

iOS 15.8.7 and iPadOS 15.8.7 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/126632.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Kernel
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st generation), iPad...

APPLE-SA-03-11-2026-1 iOS 16.7.15 and iPadOS 16.7.15

Posted by Apple Product Security via Fulldisclosure on Mar 12

APPLE-SA-03-11-2026-1 iOS 16.7.15 and iPadOS 16.7.15

iOS 16.7.15 and iPadOS 16.7.15 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/126646.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

WebKit
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,
iPad Pro 9.7-inch,...

SEC Consult SA-20260224-0 :: Multiple vulnerabilities in CPSD CryptoPro Secure Disk for BitLocker (CVE-2025-10010)

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Mar 12

SEC Consult Vulnerability Lab Security Advisory < 20260224-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: CPSD CryptoPro Secure Disk for BitLocker
 vulnerable version: 7.6.4.16432 (76212)
      fixed version: 7.6.6 / 7.7.1
         CVE number: CVE-2025-10010
             impact: high
           homepage:...

SEC Consult SA-20260218-0 :: Multiple Critical Vulnerabilities in NesterSoft WorkTime (on-prem/cloud)

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Feb 22

SEC Consult Vulnerability Lab Security Advisory < 20260218-0 >
=======================================================================
              title: Multiple Critical Vulnerabilities
            product: NesterSoft WorkTime (on-prem/cloud)
 vulnerable version: <= 11.8.8
      fixed version: No patch available, vendor unresponsive.
         CVE number: CVE-2025-15563, CVE-2025-15562, CVE-2025-15561...

[KIS-2026-04] SmarterMail <= 9518 (MailboxId) Reflected Cross-Site Scripting Vulnerability

Posted by Egidio Romano on Feb 22

----------------------------------------------------------------------------
SmarterMail <= 9518 (MailboxId) Reflected Cross-Site Scripting Vulnerability
----------------------------------------------------------------------------

[-] Software Link:

https://www.smartertools.com/smartermail/business-email-server

[-] Affected Versions:

Build 9518 and prior builds.

[-] Vulnerability Description:

User input passed through the...

SEC Consult SA-20260212-0 :: Multiple Vulnerabilities in various Solax Power Pocket WiFi models

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Feb 16

SEC Consult Vulnerability Lab Security Advisory < 20260212-0 >
=======================================================================
              title: Multiple Vulnerabilities
            product: Various Solax Power Pocket WiFi models
 vulnerable version: See section below
      fixed version: See section below
         CVE number: CVE-2025-15573, CVE-2025-15574, CVE-2025-15575
             impact: High...

[Full Disclosure] CVE-2025-69690 & CVE-2025-69691 — Authenticated RCE in Netgate pfSense CE 2.7.2 and 2.8.0

Posted by privexploits via Fulldisclosure on Feb 16

Advisory: Authenticated Remote Code Execution in pfSense CE
CVEs: CVE-2025-69690, CVE-2025-69691
Researcher: Nelson Adhepeau (privexploits () protonmail com)
Date: February 2026

== RESPONSIBLE DISCLOSURE NOTICE ==

This advisory is published in accordance with responsible disclosure practices.

The vendor was notified on December 2, 2025, acknowledged the reports, and indicated no patches would be issued.
Publication follows standard 90-day...

APPLE-SA-02-11-2026-9 Safari 26.3

Posted by Apple Product Security via Fulldisclosure on Feb 16

APPLE-SA-02-11-2026-9 Safari 26.3

Safari 26.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/126354.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

CFNetwork
Available for: macOS Sonoma and macOS Sequoia
Impact: A remote user may be able to write arbitrary files
Description: A path...

APPLE-SA-02-11-2026-8 visionOS 26.3

Posted by Apple Product Security via Fulldisclosure on Feb 16

APPLE-SA-02-11-2026-8 visionOS 26.3

visionOS 26.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/126353.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

AppleMobileFileIntegrity
Available for: Apple Vision Pro (all models)
Impact: An app may be able to access sensitive user data...

APPLE-SA-02-11-2026-7 watchOS 26.3

Posted by Apple Product Security via Fulldisclosure on Feb 16

APPLE-SA-02-11-2026-7 watchOS 26.3

watchOS 26.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/126352.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Bluetooth
Available for: Apple Watch Series 6 and later
Impact: An attacker in a privileged network position may be able to
perform...

APPLE-SA-02-11-2026-6 tvOS 26.3

Posted by Apple Product Security via Fulldisclosure on Feb 16

APPLE-SA-02-11-2026-6 tvOS 26.3

tvOS 26.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/126351.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Bluetooth
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An attacker in a privileged network position may be able to...