
Username Enumeration - elggv6.3.3

29 January 2026 at 22:31

Posted by Andrey Stoykov on Jan 29

# Exploit Title: Elgg - Username Enumeration
# Date: 1/2026
# Exploit Author: Andrey Stoykov
# Version: 6.3.3
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2026/01/friday-fun-pentest-series-47-lack-of.html

// HTTP Request - Resetting Password - Valid User

POST /action/user/requestnewpassword HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept:...

Weak Password Complexity - elggv6.3.3

29 January 2026 at 22:31

Posted by Andrey Stoykov on Jan 29

# Exploit Title: Elgg - Lack of Password Complexity
# Date: 1/2026
# Exploit Author: Andrey Stoykov
# Version: 6.3.3
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2026/01/friday-fun-pentest-series-48-weak.html

// HTTP Request - Changing Password

POST /action/usersettings/save HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept:...

CVE-2025-12758: Unicode Variation Selectors Bypass in 'validator' library (isLength)

29 January 2026 at 22:30

Posted by Karol Wrótniak on Jan 29

Summary
=======
A vulnerability was discovered in the popular JavaScript library 'validator'.
The isLength() function incorrectly handles Unicode Variation Selectors
(U+FE0E and U+FE0F). An attacker can inject thousands of these zero-width
characters into a string, causing the library to report a much smaller
perceived length than the actual byte size. This leads to validation
bypasses, potential database truncation, and Denial of...

Re: Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)

27 January 2026 at 05:32

Posted by Yuffie Kisaragi via Fulldisclosure on Jan 26

Dear Art,

Thank you for sharing your detailed evaluation and for pointing out the relevant
sections of the CNA Rules.

Your argument is well reasoned, particularly with respect to the current
guidance on SaaS and exclusively hosted services.

I have forwarded your evaluation to the CNA for further consideration. It will
also be important to understand the vendor’s perspective in light of the points
you raised, especially regarding the...

Re: Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)

27 January 2026 at 05:32

Posted by Marco Ermini via Fulldisclosure on Jan 26

Hello everyone,

Kindly let me introduce myself. This is the first – and potentially, last – message on this mailing list. I am Marco,
the CISO of EQS Group. Kindly allow me to address some of the statements expressed publicly here.

About the Convercent application

Convercent was acquired by OneTrust in 2021, and in turn, EQS has acquired it from OneTrust at the end of 2024. Before
being acquired by EQS, the Convercent application has not...

SEC Consult SA-20260126-2 :: UART Leaking Sensitive Data in dormakaba registration unit 9002 (PIN pad)

27 January 2026 at 05:30

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jan 26

SEC Consult Vulnerability Lab Security Advisory < 20260126-2 >
=======================================================================
              title: UART Leaking Sensitive Data
            product: dormakaba registration unit 9002 (PIN pad)
 vulnerable version: <SW0039
      fixed version: SW0039
         CVE number: CVE-2025-59109
             impact: medium
           homepage:...

SEC Consult SA-20260126-1 :: Multiple Critical Vulnerabilities in dormakaba Access Manager

27 January 2026 at 05:30

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jan 26

SEC Consult Vulnerability Lab Security Advisory < 20260126-1 >
=======================================================================
              title: Multiple Critical Vulnerabilities
            product: dormakaba Access Manager
 vulnerable version: Multiple firmware and hardware revisions (details below)
      fixed version: Multiple firmware and hardware revisions (details below)
         CVE number: CVE-2025-59097,...

SEC Consult SA-20260126-0 :: Multiple Critical Vulnerabilities in dormakaba Kaba exos 9300

27 January 2026 at 05:30

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jan 26

SEC Consult Vulnerability Lab Security Advisory < 20260126-0 >
=======================================================================
title: Multiple Critical Vulnerabilities
product: dormakaba Kaba exos 9300
vulnerable version: < 4.4.1
fixed version: 4.4.1
CVE number: CVE-2025-59090, CVE-2025-59091, CVE-2025-59092
CVE-2025-59093, CVE-2025-59094, CVE-2025-59095...

Re: Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)

21 January 2026 at 21:32

Posted by Wade Sparks on Jan 21

Hello Yuffie,

Upon further investigation, the VulnCheck CNA determined that these
vulnerabilities were not suitable for CVE assignment. The
vulnerabilities exist within a SaaS product and are mitigated at the
CSP-level which in this case, would be the vendor, EQS Group. Rather than
contribute unactionable CVE records, the VulnCheck CNA used its
discretionary prowess to move forward with rejecting these records. This
policy aligns with a 2022...

OpenMetadata <= 1.11.3 Authenticated SQL Injection

21 January 2026 at 21:28

Posted by BUG on Jan 21

#### Title: OpenMetadata <= 1.11.3 Authenticated SQL Injection
#### Affected versions: <= 1.11.3
#### Credits: echo
#### Vendor: https://open-metadata.org/

OpenMetadata versions 1.11.3 and earlier are vulnerable to an
authenticated SQL injection issue.
Low-privileged users can exploit this vulnerability to gain unauthorized
access to the database in the context of the database user associated
with the application.

POC:

request:

GET...

[REVIVE-SA-2026-001] Revive Adserver Vulnerabilities

15 January 2026 at 05:02

Posted by Matteo Beccati on Jan 14

========================================================================
Revive Adserver Security Advisory REVIVE-SA-2026-001
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2026-001
------------------------------------------------------------------------
Date: 2026-01-14
Risk Level: High
Applications affected: Revive...

Defense in depth -- the Microsoft way (part 95): the (shared) "Start Menu" is dispensable

11 January 2026 at 05:24

Posted by Stefan Kanthak via Fulldisclosure on Jan 10

Hi @ll,

the following is a condensed form of
<https://skanthak.hier-im-netz.de/whispers.html#whisper3> and
<https://skanthak.hier-im-netz.de/whispers.html#whisper4>.

Windows Vista moved the shared start menu from "%ALLUSERSPROFILE%\Start Menu\"
to "%ProgramData%\Microsoft\Windows\Start Menu\", with some shortcuts (*.lnk)
"reflected" from the (immutable) component store below %SystemRoot%\WinSxS\

JFTR:...

Re: Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)

11 January 2026 at 05:24

Posted by Art Manion via Fulldisclosure on Jan 10

Hi,

CVE IDs *can* be assigned for SaaS or similarly "cloud only" software. For a period of time, there was a restriction
that only the provider could make or request such an assignment. But the current CVE rules remove this restriction:

4.2.3 CNAs MUST NOT consider the type of technology (e.g., cloud, on-premises, artificial intelligence, machine
learning) as the sole basis for determining assignment.

It would have been...

RIOT OS 2026.01-devel-317 Stack-Based Buffer Overflow in RIOT ethos Serial Frame Parser

11 January 2026 at 05:24

Posted by Ron E on Jan 10

A stack-based buffer overflow vulnerability exists in the RIOT OS ethos
utility due to missing bounds checking when processing incoming serial
frame data. The vulnerability occurs in the _handle_char() function, where
incoming frame bytes are appended to a fixed-size stack buffer
(serial->frame) without verifying that the current write index
(serial->framebytes) remains within bounds. An attacker capable of sending
crafted serial or...

RIOT OS 2026.01-devel-317 Stack-Based Buffer Overflow in tapslip6 Utility via Unbounded Device Path Construction

11 January 2026 at 05:23

Posted by Ron E on Jan 10

A stack-based buffer overflow vulnerability exists in the tapslip6 utility
distributed with RIOT OS (and derived from the legacy uIP/Contiki
networking tools). The vulnerability is caused by unsafe string
concatenation in the devopen() function, which constructs a device path
using unbounded user-controlled input.
Specifically, tapslip6 uses strcpy() and strcat() to concatenate the fixed
prefix "/dev/" with a user-supplied device name...

TinyOS 2.1.2 Stack-Based Buffer Overflow in mcp2200gpio

11 January 2026 at 05:23

Posted by Ron E on Jan 10

A stack-based buffer overflow vulnerability exists in the mcp2200gpio
utility due to unsafe use of strcpy() and strcat() when constructing device
paths during automatic device discovery. A local attacker can trigger the
vulnerability by creating a specially crafted filename under /dev/usb/,
resulting in stack memory corruption and a process crash. In non-hardened
builds, this may lead to arbitrary code execution.

*Root Cause:*

The vulnerability...

TinyOS 2.1.2 printfUART Global Buffer Overflow via Unbounded Format Expansion

11 January 2026 at 05:23

Posted by Ron E on Jan 10

A global buffer overflow vulnerability exists in the TinyOS printfUART
implementation used within the ZigBee / IEEE 802.15.4 networking stack. The
issue arises from an unsafe custom sprintf() routine that performs
unbounded string concatenation using strcat() into a fixed-size global
buffer. The global buffer debugbuf, defined with a size of 256 bytes, is
used as the destination for formatted output. When a %s format specifier is
supplied with a...

KL-001-2026-01: yintibao Fun Print Mobile Unauthorized Access via Context Hijacking

8 January 2026 at 22:03

Posted by KoreLogic Disclosures via Fulldisclosure on Jan 08

KL-001-2026-01: yintibao Fun Print Mobile Unauthorized Access via Context Hijacking

Title: yintibao Fun Print Mobile Unauthorized Access via Context Hijacking
Advisory ID: KL-001-2026-001
Publication Date: 2026-01-08
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2026-001.txt

1. Vulnerability Details

     Affected Vendor: yintibao
     Affected Product: Fun Print Mobile
     Affected Version: 6.05.15
     ...

Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)

6 January 2026 at 08:00

Posted by Yuffie Kisaragi via Fulldisclosure on Jan 05

UPDATE:

Following the publication of these vulnerabilities and the subsequent CVE
assignments, the CVE identifiers have now been revoked.

The vendor (EQS Group) contacted the CVE Program (via a CNA) and disputed the
records, stating that the affected product is an exclusively hosted SaaS
platform with no customer-managed deployment or versioning. Based on this
argument, the CVE Program concluded that CVE assignment is “not a suitable...