Posts
All the articles we've posted.
- [CVE-2025-9083] Unauthenticated PHP Object Injection in Ninja Forms Hands WordPress Attackers the Keys
  A flaw in the Repeatable Fieldset component lets anyone send a crafted form submission that Ninja Forms unserializes. If a gadget chain exists on the site, the attacker can pivot to remote code execution without logging in.
- [CVE-2025-51586] PrestaShop Admin Login Controller Leaks Administrator Emails
  A logic error in the password-reset flow of PrestaShop Back Office lets anyone enumerate administrator accounts and harvest their email addresses. A simple loop over numeric IDs is all that is required.
- [CVE-2025-58056] Netty’s lenient chunk extension parsing opens the door to HTTP request smuggling
  Netty 4.1.124.Final and 4.2.0.Alpha3 through 4.2.4.Final accept an LF on its own as the terminator for chunk extensions. A single byte is enough to desynchronise upstream and backend parsers, letting attackers smuggle hidden requests through proxy chains.
- [CVE-2025-50707] ThinkPHP 3 File Inclusion Lets Attackers Execute Arbitrary Code
  A template-handling flaw in ThinkPHP 3.2.5 lets remote users include and run server-side files without authentication, leading to full remote code execution.