Security
Headlines
HeadlinesLatestCVEs

Latest News

New SAP NetWeaver Bug Lets Attackers Take Over Servers Without Login

SAP has rolled out security fixes for 13 new security issues, including additional hardening for a maximum-severity bug in SAP NetWeaver AS Java that could result in arbitrary command execution. The vulnerability, tracked as CVE-2025-42944, carries a CVSS score of 10.0. It has been described as a case of insecure deserialization. "Due to a deserialization vulnerability in SAP NetWeaver, an

The Hacker News
Open in Source
#vulnerability#google#java#auth#sap#The Hacker News
CVE-2025-39964: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg

**Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?** One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.

CVE-2025-39965: xfrm: xfrm_alloc_spi shouldn't use 0 as SPI

**Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?** One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.

Patch Tuesday, October 2025 ‘End of 10’ Edition

Microsoft today released software updates to plug a whopping 172 security holes in its Windows operating systems, including at least three vulnerabilities that are already being actively exploited. October's Patch Tuesday also marks the final month that Microsoft will ship security updates for Windows 10 systems. If you're running a Windows 10 PC and you're unable or unwilling to migrate to Windows 11, read on for other options.

GHSA-9f2h-7v79-mxw3: Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs

### Summary Prototype pollution capabilities on various APIs. ### Details Injection of malicious payload allows attacker to remotely execute arbitrary code. `Parse.Object` and internal APIs are affected, specifically: - `ParseObject.fromJSON` - `ParseObject.pin` - `ParseObject.registerSubclass` - `ObjectStateMutations` (internal) - `encode`/`decode` (internal) ### PoC Demonstrative tests added as part of the fix. ### References - https://github.com/parse-community/Parse-SDK-JS/security/advisories/GHSA-9f2h-7v79-mxw3 - Patch https://github.com/parse-community/Parse-SDK-JS/releases/tag/7.0.0-alpha.1

Microsoft Drops Terrifyingly Large October Patch Update

October 2025's enormous Patch Tuesday offers plenty of nightmares for admins, including actively exploited zero-days and insidious high-severity privilege-escalation bugs — and it spells curtains for Windows 10 updates.

GHSA-r4hh-pcgx-j5r2: Flowise: Authenticated Command Execution and Sandbox Bypass via Puppeteer and Playwright Packages

Flowise v3.0.1 < 3.0.8 and all versions after with 'ALLOW_BUILTIN_DEP' enabled contain an authenticated remote code execution vulnerability and node VM sandbox escape due to insecure use of integrated modules (Puppeteer and Playwright) within the nodevm execution environment. An authenticated attacker able to create or run a tool that leverages Puppeteer/Playwright can specify attacker-controlled browser binary paths and parameters. When the tool executes, the attacker-controlled executable/parameters are run on the host and circumvent the intended nodevm sandbox restrictions, resulting in execution of arbitrary code in the context of the host. **NOTE**: This vulnerability was incorrectly assigned as a duplicate CVE-2025-26319 and should be considered distinct from that identifier.

China's Flax Typhoon Turns Geo-Mapping Server into a Backdoor

Chinese APT threat actors compromised an organization's ArcGIS server, modifying the widely used geospatial mapping software for stealth access.

Microsoft Patch Tuesday for October 2025 — Snort rules and prominent vulnerabilities

Microsoft has released its monthly security update for October 2025, addressing 175 Microsoft CVEs and 21 non-Microsoft CVEs. Among these, 17 vulnerabilities are considered critical and 11 are flagged as important and considered more likely to be exploited.