#vulnerability

An issue in ThinkPHP Framework v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function.

### Impact This is a significant Denial of Service (DoS) vulnerability. Any application that uses FPDI to process user-supplied PDF files is at risk. An attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion. Repeated attacks can lead to sustained service unavailability. ### Patches Fixed as of version 2.6.4 ### Workarounds No.

Pandora cyber attack exposes customer data via third-party breach. No passwords or payment info leaked, but phishing risks remain.

Google has patched 6 vulnerabilities in Android including two critical ones, one of which can compromise a device without the user needing to do anything.

### Summary A command injection vulnerability exists in the `mcp-package-docs` MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to `child_process.exec`, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (`|`, `>`, `&&`, etc.). ### Details The MCP Server exposes tools to access documentation for several types of packages. An MCP Client can be instructed to execute additional actions for example via prompt injection when asked to read package documentation. Below some example of vulnerable code and different ways to test this vulnerability including a real example of indirect prompt injection that can lead to arbitrary command injection. ### Vulnerable...

Google has released security updates to address multiple security flaws in Android, including fixes for two Qualcomm bugs that were flagged as actively exploited in the wild. The vulnerabilities include CVE-2025-21479 (CVSS score: 8.6) and CVE-2025-27038 (CVSS score: 7.5), both of which were disclosed alongside CVE-2025-21480 (CVSS score: 8.6), by the chipmaker back in June 2025. CVE-2025-21479

Cybersecurity researchers have disclosed a high-severity security flaw in the artificial intelligence (AI)-powered code editor Cursor that could result in remote code execution. The vulnerability, tracked as CVE-2025-54136 (CVSS score: 7.2), has been codenamed MCPoison by Check Point Research, owing to the fact that it exploits a quirk in the way the software handles modifications to Model

Talos reported 5 vulnerabilities to Broadcom and Dell affecting both the ControlVault3 Firmware and its associated Windows APIs that we are calling “ReVault”.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Tigo Energy Equipment: Cloud Connect Advanced Vulnerabilities: Use of Hard-coded Credentials, Command Injection, Predictable Seed in Pseudo-Random Number Generator (PRNG). 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow attackers to gain unauthorized administrative access using hard-coded credentials, escalate privileges to take full control of the device, modify system settings, disrupt solar energy production, interfere with safety mechanisms, execute arbitrary commands via command injection, cause service disruptions, expose sensitive data, and recreate valid session IDs to access sensitive device functions on connected solar inverter systems due to insecure session ID generation. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Cloud Connect Advanced are affected: Cloud Connect Advanced: Versions 4.0.1 and prior 3.2 VULNERABILI...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 4.1 ATTENTION: Low attack complexity Vendor: Mitsubishi Electric Iconics Digital Solutions, Mitsubishi Electric Equipment: ICONICS Product Suite and Mitsubishi Electric MC Works64 Vulnerability: Windows Shortcut Following (.LNK) 2. RISK EVALUATION Successful exploitation of this vulnerability could result in information tampering. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of ICONICS Product Suite and Mitsubishi Electric MC Works64 are affected: GENESIS64: All versions GENESIS: Version 11.00 Mitsubishi Electric MC Works64: All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 Windows Shortcut Following (.LNK) CWE-64 An information tampering vulnerability due to Windows Shortcut Following exists in multiple processes in GENESIS64, MC Works64, and GENESIS. An attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability. By creating a symbolic link, an attacker can cause the p...