Auto-Update: 2025-09-03T02:00:12.239865+00:00

Author: cad-safe-bot

CVE-2020/CVE-2020-243xx/CVE-2020-24363.json

@@ -2,7 +2,7 @@
   "id": "CVE-2020-24363",
   "sourceIdentifier": "cve@mitre.org",
   "published": "2020-08-31T16:15:15.380",
-  "lastModified": "2025-08-29T17:15:31.950",
+  "lastModified": "2025-09-03T01:00:02.097",
   "vulnStatus": "Modified",
   "cveTags": [],
   "descriptions": [
@@ -84,6 +84,10 @@
       }
     ]
   },
+  "cisaExploitAdd": "2025-09-02",
+  "cisaActionDue": "2025-09-23",
+  "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
+  "cisaVulnerabilityName": "TP-link TL-WA855RE Missing Authentication for Critical Function Vulnerability",
   "weaknesses": [
     {
       "source": "nvd@nist.gov",

CVE-2025/CVE-2025-545xx/CVE-2025-54588.json

@@ -0,0 +1,64 @@
+{
+  "id": "CVE-2025-54588",
+  "sourceIdentifier": "security-advisories@github.com",
+  "published": "2025-09-03T00:15:30.067",
+  "lastModified": "2025-09-03T00:15:30.067",
+  "vulnStatus": "Received",
+  "cveTags": [],
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. Versions 1.34.0 through 1.34.4 and 1.35.0 contain a use-after-free (UAF) vulnerability in the DNS cache, causing abnormal process termination. The vulnerability is in Envoy's Dynamic Forward Proxy implementation, occurring when a completion callback for a DNS resolution triggers new DNS resolutions or removes existing pending resolutions. This condition may occur when the following conditions are met: dynamic Forwarding Filter is enabled, the `envoy.reloadable_features.dfp_cluster_resolves_hosts` runtime flag is enabled, and the Host header is modified between the Dynamic Forwarding Filter and Router filters. This issue is resolved in versions 1.34.5 and 1.35.1. To work around this issue, set the envoy.reloadable_features.dfp_cluster_resolves_hosts runtime flag to false."
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security-advisories@github.com",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+          "baseScore": 7.5,
+          "baseSeverity": "HIGH",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "NONE",
+          "userInteraction": "NONE",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "NONE",
+          "integrityImpact": "NONE",
+          "availabilityImpact": "HIGH"
+        },
+        "exploitabilityScore": 3.9,
+        "impactScore": 3.6
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security-advisories@github.com",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-416"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/envoyproxy/envoy/releases/tag/v1.34.5",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/envoyproxy/envoy/releases/tag/v1.35.1",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-g9vw-6pvx-7gmw",
+      "source": "security-advisories@github.com"
+    }
+  ]
+}

CVE-2025/CVE-2025-551xx/CVE-2025-55177.json

@@ -2,7 +2,7 @@
   "id": "CVE-2025-55177",
   "sourceIdentifier": "cve-assign@fb.com",
   "published": "2025-08-29T16:15:36.723",
-  "lastModified": "2025-09-02T15:15:32.373",
+  "lastModified": "2025-09-03T01:00:02.113",
   "vulnStatus": "Awaiting Analysis",
   "cveTags": [],
   "descriptions": [
@@ -35,6 +35,10 @@
       }
     ]
   },
+  "cisaExploitAdd": "2025-09-02",
+  "cisaActionDue": "2025-09-23",
+  "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
+  "cisaVulnerabilityName": "Meta Platforms WhatsApp Incorrect Authorization Vulnerability",
   "references": [
     {
       "url": "https://www.facebook.com/security/advisories/cve-2025-55177",

CVE-2025/CVE-2025-578xx/CVE-2025-57806.json

@@ -0,0 +1,90 @@
+{
+  "id": "CVE-2025-57806",
+  "sourceIdentifier": "security-advisories@github.com",
+  "published": "2025-09-03T01:15:30.043",
+  "lastModified": "2025-09-03T01:15:30.043",
+  "vulnStatus": "Received",
+  "cveTags": [],
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Local Deep Research is an AI-powered research assistant for deep, iterative research. Versions 0.2.0 through 0.6.7 stored confidential information, including API keys, in a local SQLite database without encryption. This behavior was not clearly documented outside of the database architecture page. Users were not given the ability to configure the database location, allowing anyone with access to the container or host filesystem to retrieve sensitive data in plaintext by accessing the .db file. This is fixed in version 1.0.0."
+    }
+  ],
+  "metrics": {
+    "cvssMetricV40": [
+      {
+        "source": "security-advisories@github.com",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "4.0",
+          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
+          "baseScore": 6.9,
+          "baseSeverity": "MEDIUM",
+          "attackVector": "LOCAL",
+          "attackComplexity": "LOW",
+          "attackRequirements": "NONE",
+          "privilegesRequired": "NONE",
+          "userInteraction": "NONE",
+          "vulnConfidentialityImpact": "HIGH",
+          "vulnIntegrityImpact": "NONE",
+          "vulnAvailabilityImpact": "NONE",
+          "subConfidentialityImpact": "NONE",
+          "subIntegrityImpact": "NONE",
+          "subAvailabilityImpact": "NONE",
+          "exploitMaturity": "NOT_DEFINED",
+          "confidentialityRequirement": "NOT_DEFINED",
+          "integrityRequirement": "NOT_DEFINED",
+          "availabilityRequirement": "NOT_DEFINED",
+          "modifiedAttackVector": "NOT_DEFINED",
+          "modifiedAttackComplexity": "NOT_DEFINED",
+          "modifiedAttackRequirements": "NOT_DEFINED",
+          "modifiedPrivilegesRequired": "NOT_DEFINED",
+          "modifiedUserInteraction": "NOT_DEFINED",
+          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
+          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
+          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
+          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
+          "modifiedSubIntegrityImpact": "NOT_DEFINED",
+          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
+          "Safety": "NOT_DEFINED",
+          "Automatable": "NOT_DEFINED",
+          "Recovery": "NOT_DEFINED",
+          "valueDensity": "NOT_DEFINED",
+          "vulnerabilityResponseEffort": "NOT_DEFINED",
+          "providerUrgency": "NOT_DEFINED"
+        }
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security-advisories@github.com",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-312"
+        },
+        {
+          "lang": "en",
+          "value": "CWE-522"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "http://github.com/LearningCircuit/local-deep-research/releases/tag/v1.0.0",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/LearningCircuit/local-deep-research/pull/578",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/LearningCircuit/local-deep-research/security/advisories/GHSA-4h8c-qrcq-cv5c",
+      "source": "security-advisories@github.com"
+    }
+  ]
+}

CVE-2025/CVE-2025-89xx/CVE-2025-8941.json

@@ -2,7 +2,7 @@
   "id": "CVE-2025-8941",
   "sourceIdentifier": "secalert@redhat.com",
   "published": "2025-08-13T15:15:41.873",
-  "lastModified": "2025-09-01T09:15:34.680",
+  "lastModified": "2025-09-03T01:15:30.260",
   "vulnStatus": "Awaiting Analysis",
   "cveTags": [],
   "descriptions": [
@@ -56,6 +56,10 @@
       "url": "https://access.redhat.com/errata/RHSA-2025:14557",
       "source": "secalert@redhat.com"
     },
+    {
+      "url": "https://access.redhat.com/errata/RHSA-2025:15100",
+      "source": "secalert@redhat.com"
+    },
     {
       "url": "https://access.redhat.com/security/cve/CVE-2025-8941",
       "source": "secalert@redhat.com"

CVE-2025/CVE-2025-92xx/CVE-2025-9260.json

@@ -0,0 +1,64 @@
+{
+  "id": "CVE-2025-9260",
+  "sourceIdentifier": "security@wordfence.com",
+  "published": "2025-09-03T00:15:30.273",
+  "lastModified": "2025-09-03T00:15:30.273",
+  "vulnStatus": "Received",
+  "cveTags": [],
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "The Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to PHP Object Injection in versions 5.1.16 to 6.1.1 via deserialization of untrusted input in the parseUserProperties function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to read arbitrary files. If allow_url_include is enabled on the server, remote code execution is possible.\r\nWhile the vendor patched this issue in version 6.1.0, the patch caused a fatal error in the vulnerable code, due to a missing class import, so we consider 6.1.2 to be the most complete and best patched version"
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security@wordfence.com",
+        "type": "Primary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+          "baseScore": 6.5,
+          "baseSeverity": "MEDIUM",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "LOW",
+          "userInteraction": "NONE",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "HIGH",
+          "integrityImpact": "NONE",
+          "availabilityImpact": "NONE"
+        },
+        "exploitabilityScore": 2.8,
+        "impactScore": 3.6
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security@wordfence.com",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-502"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://plugins.trac.wordpress.org/browser/fluentform/tags/6.0.2/app/Services/FormBuilder/EditorShortcodeParser.php#L214",
+      "source": "security@wordfence.com"
+    },
+    {
+      "url": "https://plugins.trac.wordpress.org/browser/fluentform/tags/6.0.2/vendor/wpfluent/framework/src/WPFluent/View/View.php#L7",
+      "source": "security@wordfence.com"
+    },
+    {
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/938e5d6b-1ad6-4021-a148-1d1c9e8a0a83?source=cve",
+      "source": "security@wordfence.com"
+    }
+  ]
+}