Posts
All the articles we've posted.
-
[CVE-2025-48827] vBulletin’s Reflection Mix-up Lets Anyone Reach Protected API Methods
When vBulletin runs on PHP 8.1 or later, a change to PHP's Reflection API (protected and private methods can be invoked through reflection without first calling setAccessible()) defeats the access checks around the application's API controllers. Unauthenticated attackers can invoke protected controller methods directly, a primitive that has already been chained to remote code execution in the wild.
-
[CVE-2025-47276] Actualizer Uses Weak SHA-512 Password Hashing in Generated Debian Images
Actualizer versions below 1.2.0 generate the root and alpha account hashes with a hard-coded `openssl passwd` invocation in SHA-512 crypt mode, a hash that is far cheaper for modern GPUs to brute-force than a memory-hard one. Upgrading to 1.2.0 and resetting both passwords replaces the weak hashes with Yescrypt; an upgrade on its own does not rehash passwords already baked into existing images.
-
[CVE-2025-4396] Unauthenticated SQL Injection in Relevanssi Gives Attackers a Direct Line to Your WordPress Database
A logic flaw in the popular Relevanssi search plugin lets anyone inject into the search query through public search parameters, giving a time-based blind SQL injection. Because the vulnerable parameters are reachable without an account, an unauthenticated attacker can extract WordPress database contents one boolean answer at a time.
-
[CVE-2025-46814] FastAPI Guard’s X-Forwarded-For Handling Lets Attackers Impersonate Trusted IPs
Versions of the fastapi-guard security middleware library prior to 2.0.0 take the client address from the X-Forwarded-For header without checking that the request actually arrived through a trusted proxy. A single request with a forged header is enough to bypass IP allow-lists and poison audit logs with an address of the attacker's choosing.
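The contrast below, added here as an illustration and not taken from fastapi-guard or from the advisory, shows the two ways of reading X-Forwarded-For: believing the header unconditionally, versus walking the chain from the right and discarding only hops that belong to proxies you operate. The proxy ranges, allow-list and request headers are constructed for the example.

```python
"""Added example: naive versus trusted-proxy-aware X-Forwarded-For parsing.

Not fastapi-guard's code. The TRUSTED_PROXIES and ALLOW_LIST ranges and the
sample requests are assumptions constructed for this illustration.
"""
import ipaddress
from typing import Dict, Iterable

# Assumption: the application sits behind reverse proxies in exactly these ranges.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]
# Assumption: only this (documentation) range is allowed to reach the admin API.
ALLOW_LIST = [ipaddress.ip_network("203.0.113.0/24")]


def naive_client_ip(peer_ip: str, headers: Dict[str, str]) -> str:
    """Vulnerable pattern: trust the leftmost X-Forwarded-For entry, whoever sent it."""
    xff = headers.get("x-forwarded-for")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def trusted_client_ip(
    peer_ip: str,
    headers: Dict[str, str],
    trusted: Iterable[ipaddress.IPv4Network] = TRUSTED_PROXIES,
) -> str:
    """Hardened pattern: only honour the header when the TCP peer is one of our proxies,
    then take the rightmost entry that is not itself one of our proxies."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        # Direct connection from an untrusted address: the header is attacker-controlled.
        return peer_ip

    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    # Our proxy appended the address it saw at the right end; anything further left
    # was supplied by whoever connected to the proxy and cannot be verified.
    while hops:
        candidate = hops.pop()
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            return peer_ip  # malformed entry: refuse to trust the chain at all
        if any(addr in net for net in trusted):
            continue  # another proxy of ours; keep walking left
        return str(addr)
    return peer_ip  # header empty or made only of our proxies


def is_allowed(client_ip: str) -> bool:
    """Allow-list check that both parsers feed."""
    return any(ipaddress.ip_address(client_ip) in net for net in ALLOW_LIST)


def scenario_results() -> Dict[str, Dict[str, bool]]:
    """Run three constructed requests through both parsers; True means 'allowed'."""
    cases = {
        # Attacker connects directly and forges an allowed address.
        "direct_forged": ("198.51.100.7", {"x-forwarded-for": "203.0.113.5"}),
        # Attacker connects through our proxy but prepends an allowed address;
        # the proxy appends the real source on the right.
        "via_proxy_forged": ("10.0.0.2", {"x-forwarded-for": "203.0.113.5, 198.51.100.7"}),
        # Legitimate allowed client arriving through our proxy.
        "via_proxy_legit": ("10.0.0.2", {"x-forwarded-for": "203.0.113.5"}),
    }
    return {
        name: {
            "naive": is_allowed(naive_client_ip(peer, hdrs)),
            "trusted": is_allowed(trusted_client_ip(peer, hdrs)),
        }
        for name, (peer, hdrs) in cases.items()
    }


if __name__ == "__main__":
    for name, verdict in scenario_results().items():
        print(f"{name:18s} naive={verdict['naive']!s:5s} trusted={verdict['trusted']}")
```

The naive parser waves both forged requests through; the proxy-aware one admits only the legitimate client. Note that the hardened version still depends on the trusted-proxy list being exact: if an attacker can reach the application from inside a trusted range, the header becomes believable again, so the ranges should be the proxies' actual egress addresses rather than a whole internal network.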