╔════[ CRITICAL_CVE ]═════════
│ CVE ID : CVE-2025-36754
Published : Dec. 13, 2025, 4:16 p.m. | 9 hours, 42 minutes ago
Description : The authentication mechanism on web interface is not properly implemented. It is possible to bypass authentication checks by crafting a post request with new settings since there is no session token or authentication in place. This would allow an attacker for instance to point the device to an arbitrary address for domain name resolution to e.g. facililitate a man-in-the-middle (MitM) attack.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
┌─[ METADATA ]───────────────────────┐
│ Source: https://cvefeed.io
| CVE: {{cve-id}}
| CVSS: {{score}}
└────────────────────────────────────┘
╔════[ CRITICAL_CVE ]═════════
│ CVE ID : CVE-2025-36752
Published : Dec. 13, 2025, 4:16 p.m. | 9 hours, 42 minutes ago
Description : Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows significant level access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively backdoor for all devices utilizing a Growatt ShineLan-X communication dongle.
Severity: 9.4 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
┌─[ METADATA ]───────────────────────┐
│ Source: https://cvefeed.io
| CVE: {{cve-id}}
| CVSS: {{score}}
└────────────────────────────────────┘
╔════[ CRITICAL_CVE ]═════════
│ CVE ID : CVE-2025-36751
Published : Dec. 13, 2025, 4:16 p.m. | 9 hours, 42 minutes ago
Description : Encryption is missing on the configuration interface for Growatt ShineLan-X and MIC 3300TL-X. This allows an attacker with access to the network to intercept and potentially manipulate communication requests between the inverter and its cloud endpoint.
Severity: 9.4 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
┌─[ METADATA ]───────────────────────┐
│ Source: https://cvefeed.io
| CVE: {{cve-id}}
| CVSS: {{score}}
└────────────────────────────────────┘
╔════[ CRITICAL_CVE ]═════════
│ CVE ID : CVE-2025-36747
Published : Dec. 13, 2025, 4:16 p.m. | 9 hours, 42 minutes ago
Description : ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the firmware signature verification is not enforced.
Severity: 9.4 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
┌─[ METADATA ]───────────────────────┐
│ Source: https://cvefeed.io
| CVE: {{cve-id}}
| CVSS: {{score}}
└────────────────────────────────────┘
╔════[ CRITICAL_CVE ]═════════
│ CVE ID : CVE-2025-14440
Published : Dec. 13, 2025, 4:16 p.m. | 9 hours, 42 minutes ago
Description : The JAY Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. This is due to incorrect authentication checking in the 'jay_login_register_process_switch_back' function with the 'jay_login_register_process_switch_back' cookie value. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
┌─[ METADATA ]───────────────────────┐
│ Source: https://cvefeed.io
| CVE: {{cve-id}}
| CVSS: {{score}}
└────────────────────────────────────┘
╔════[ CRITICAL_CVE ]═════════
│ CVE ID : CVE-2025-11693
Published : Dec. 13, 2025, 4:16 p.m. | 9 hours, 42 minutes ago
Description : The Export WP Page to Static HTML & PDF plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.4 through publicly exposed cookies.txt files containing authentication cookies. This makes it possible for unauthenticated attackers to cookies that may have been injected into the log file if the site administrator triggered a back-up using a specific user role like 'administrator.'
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
┌─[ METADATA ]───────────────────────┐
│ Source: https://cvefeed.io
| CVE: {{cve-id}}
| CVSS: {{score}}
└────────────────────────────────────┘
╔════[ CRITICAL_CVE ]═════════
│ CVE ID : CVE-2025-10738
Published : Dec. 13, 2025, 4:16 p.m. | 9 hours, 42 minutes ago
Description : The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to SQL Injection via the ‘analytic_id’ parameter in all versions up to, and including, 3.0.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
┌─[ METADATA ]───────────────────────┐
│ Source: https://cvefeed.io
| CVE: {{cve-id}}
| CVSS: {{score}}
└────────────────────────────────────┘
╔════[ THREAT ]══════════════
│ UK's ICO fines LastPass £1.2M for the 2022 data breach that exposed 1.6 million users’ data. Learn how a flaw in an employee's personal PC led to the massive security failure.…
┌─[ METADATA ]───────────────────────┐
│ Source: https://hackread.com
│ Author: Deeba Ahmed
└────────────────────────────────────┘