Posts
All the articles we've posted.
-
[CVE-2025-54352] WordPress XML-RPC Pingback Leaks Titles of Private and Draft Posts
A flaw in the long-standing pingback feature exposes the titles of unpublished (private and draft) WordPress posts to anyone on the internet. An attacker needs nothing more than unauthenticated access to xmlrpc.php to pull those confidential headlines out of a site.
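Because the leak sits in the unauthenticated pingback.ping method, the practical site-side mitigation is to take that method out of the XML-RPC method table rather than merely discouraging XML-RPC. The mu-plugin below is an added example written for this index, not code from the linked post or from WordPress core; the plugin name and the file location (wp-content/mu-plugins/) are assumptions, while the filters it hooks (xmlrpc_methods, wp_headers, bloginfo_url, pings_open) are standard WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC pingbacks
 * Description: Added hardening example (hypothetical mu-plugin, not from the original post).
 *              Removes the pingback.ping XML-RPC method and stops advertising the endpoint.
 *
 * Install by copying this file to wp-content/mu-plugins/disable-pingbacks.php (assumed path);
 * must-use plugins load automatically and cannot be deactivated from the admin UI.
 */

// 1. Strip the pingback methods from the XML-RPC method table. After this, a
//    pingback.ping call to xmlrpc.php fails with "requested method ... does not exist"
//    before any post lookup happens, so no title information is ever consulted.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Blank out bloginfo('pingback_url') so themes that print
//    <link rel="pingback" href="..."> in header.php emit an empty href.
add_filter( 'bloginfo_url', function ( string $output, string $show ): string {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );

// 4. Belt and braces: report pings as closed on every post, so even code paths that
//    check pings_open() before acting treat the whole site as ping-free.
add_filter( 'pings_open', '__return_false', 99 );
```

One caveat worth knowing when choosing a mitigation: the commonly recommended `add_filter( 'xmlrpc_enabled', '__return_false' )` only disables the XML-RPC methods that require authentication; pingback.ping is unauthenticated and keeps working under it, which is why step 1 removes the method explicitly. Blocking xmlrpc.php entirely at the web server is an alternative if nothing on the site (Jetpack, mobile apps, remote publishing) depends on XML-RPC.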
-
[CVE-2025-49005] Cache-poisoning in Next.js App Router swaps HTML for raw React code
A header mismatch in Next.js 15.3.0 through 15.3.2 and Vercel CLI 41.4.1 through 42.2.0 lets browsers or intermediate CDNs cache a React Server Components (RSC) payload under the URL of the HTML page it belongs to, so later visitors receive raw RSC data instead of a rendered page, breaking the site and opening the door to response-smuggling tricks.
-
[CVE-2025-34039] Yonyou UFIDA NC BeanShell Servlet Hands Over Remote Code Execution
A leftover BeanShell test servlet in Yonyou UFIDA NC versions up to and including 6.5 lets unauthenticated attackers submit arbitrary Java code and run operating-system commands. Although the ERP suite is used mainly in mainland China, many deployments expose the vulnerable endpoint directly to the internet.
-
[CVE-2025-49125] Apache Tomcat Pre/Post-Resource Authentication Bypass Exposes Protected Content
When PreResources or PostResources are mounted anywhere other than the web application root, the same files become reachable through an unexpected alternate path that the application's security constraints do not cover, letting attackers bypass the access control a Java web application relies on.