❌

Normal view

Received β€” 9 February 2026 ⏭ Full Disclosure

Asterisk Security Release 23.2.2

βœ‡Full Disclosure
8 February 2026 at 05:15

Posted by Asterisk Development Team via Fulldisclosure on Feb 07

The Asterisk Development Team would like to announce security release
Asterisk 23.2.2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/23.2.2
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 23.2.2

## Change Log for Release asterisk-23.2.2

### Links:

- [Full ChangeLog](...

Asterisk Security Release 21.12.1

βœ‡Full Disclosure
8 February 2026 at 05:15

Posted by Asterisk Development Team via Fulldisclosure on Feb 07

The Asterisk Development Team would like to announce security release
Asterisk 21.12.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.12.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 21.12.1

## Change Log for Release asterisk-21.12.1

### Links:

- [Full ChangeLog](...

Asterisk Security Release 22.8.2

βœ‡Full Disclosure
8 February 2026 at 05:15

Posted by Asterisk Development Team via Fulldisclosure on Feb 07

The Asterisk Development Team would like to announce security release
Asterisk 22.8.2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.8.2
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 22.8.2

## Change Log for Release asterisk-22.8.2

### Links:

- [Full ChangeLog](...

Asterisk Security Release 20.18.2

βœ‡Full Disclosure
8 February 2026 at 05:15

Posted by Asterisk Development Team via Fulldisclosure on Feb 07

The Asterisk Development Team would like to announce security release
Asterisk 20.18.2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.18.2
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 20.18.2

## Change Log for Release asterisk-20.18.2

### Links:

- [Full ChangeLog](...

Certified Asterisk Security Release certified-20.7-cert9

βœ‡Full Disclosure
8 February 2026 at 05:15

Posted by Asterisk Development Team via Fulldisclosure on Feb 07

The Asterisk Development Team would like to announce security release
Certified Asterisk 20.7-cert9.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-20.7-cert9
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-20.7-cert9

## Change Log for Release asterisk-certified-20.7-cert9

###...
Received β€” 5 February 2026 ⏭ Full Disclosure

SEC Consult SA-20260202-0 :: Multiple vulnerabilities in Native Instruments Native Access (MacOS)

βœ‡Full Disclosure
5 February 2026 at 05:51

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Feb 04

SEC Consult Vulnerability Lab Security Advisory < 20260202-0 >
=======================================================================
title: Multiple vulnerabilities
product: Native Instruments - Native Access (MacOS)
vulnerable version: verified up to 3.22.0
fixed version: n/a
CVE number: CVE-2026-24070, CVE-2026-24071
Β  Β  Β  Β  Β  Β  Β impact: high
homepage:...

CyberDanube Security Research 20260119-0 | Authenticated Command Injection in Phoenix Contact TC Router Series

βœ‡Full Disclosure
5 February 2026 at 05:51

Posted by Thomas Weber | CyberDanube via Fulldisclosure on Feb 04

CyberDanube Security Research 20260119-0
-------------------------------------------------------------------------------
title| Authenticated Command Injection
product| TC Router 5004T-5G EU
vulnerable version| 1.06.18
fixed version| 1.06.23
CVE number| CVE-2025-41717
impact| High
homepage| https://www.phoenixcontact.com/
found| 16.04.2025...

[KIS-2026-03] Blesta <= 5.13.1 (2Checkout) Multiple PHP Object Injection Vulnerabilities

βœ‡Full Disclosure
5 February 2026 at 05:50

Posted by Egidio Romano on Feb 04

--------------------------------------------------------------------------
Blesta <= 5.13.1 (2Checkout) Multiple PHP Object Injection Vulnerabilities
--------------------------------------------------------------------------

[-] Software Link:

https://www.blesta.com

[-] Affected Versions:

All versions from 3.0.0 to 5.13.1.

[-] Vulnerabilities Description:

The vulnerabilities exist because user input passed through the...

[KIS-2026-02] Blesta <= 5.13.1 (Admin Interface) Multiple PHP Object Injection Vulnerabilities

βœ‡Full Disclosure
5 February 2026 at 05:50

Posted by Egidio Romano on Feb 04

--------------------------------------------------------------------------------
Blesta <= 5.13.1 (Admin Interface) Multiple PHP Object Injection Vulnerabilities
--------------------------------------------------------------------------------

[-] Software Link:

https://www.blesta.com

[-] Affected Versions:

All versions from 3.0.0 to 5.13.1.

[-] Vulnerabilities Description:

The vulnerabilities exist because user input passed through the...

[KIS-2026-01] Blesta <= 5.13.1 (confirm_url) Reflected Cross-Site Scripting Vulnerability

βœ‡Full Disclosure
5 February 2026 at 05:50

Posted by Egidio Romano on Feb 04

---------------------------------------------------------------------------
Blesta <= 5.13.1 (confirm_url) Reflected Cross-Site Scripting Vulnerability
---------------------------------------------------------------------------

[-] Software Link:

https://www.blesta.com

[-] Affected Versions:

All versions from 3.2.0 to 5.13.1.

[-] Vulnerability Description:

User input passed through the "confirm_url" GET parameter to the...
Received β€” 29 January 2026 ⏭ Full Disclosure

Username Enumeration - elggv6.3.3

βœ‡Full Disclosure
29 January 2026 at 22:31

Posted by Andrey Stoykov on Jan 29

# Exploit Title: Elgg - Username Enumeration
# Date: 1/2026
# Exploit Author: Andrey Stoykov
# Version: 6.3.3
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2026/01/friday-fun-pentest-series-47-lack-of.html

// HTTP Request - Resetting Password - Valid User

POST /action/user/requestnewpassword HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0)
Gecko/20100101 Firefox/148.0
Accept:...

Weak Password Complexity - elggv6.3.3

βœ‡Full Disclosure
29 January 2026 at 22:31

Posted by Andrey Stoykov on Jan 29

# Exploit Title: Elgg - Lack of Password Complexity
# Date: 1/2026
# Exploit Author: Andrey Stoykov
# Version: 6.3.3
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2026/01/friday-fun-pentest-series-48-weak.html

// HTTP Request - Changing Password

POST /action/usersettings/save HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0)
Gecko/20100101 Firefox/148.0
Accept:...

CVE-2025-12758: Unicode Variation Selectors Bypass in 'validator' library (isLength)

βœ‡Full Disclosure
29 January 2026 at 22:30

Posted by Karol WrΓ³tniak on Jan 29

Summary
=======
A vulnerability was discovered in the popular JavaScript library
'validator'.
The isLength() function incorrectly handles Unicode Variation Selectors
(U+FE0E and U+FE0F). An attacker can inject thousands of these zero-width
characters into a string, causing the library to report a much smaller
perceived length than the actual byte size. This leads to validation
bypasses,
potential database truncation, and Denial of...
Received β€” 27 January 2026 ⏭ Full Disclosure

Re: Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)

βœ‡Full Disclosure
27 January 2026 at 05:32

Posted by Yuffie Kisaragi via Fulldisclosure on Jan 26

Dear Art,

Thank you for sharing your detailed evaluation and for pointing out the relevant
sections of the CNA Rules.

Your argument is well reasoned, particularly with respect to the current
guidance on SaaS and exclusively hosted services.

I have forwarded your evaluation to the CNA for further consideration. It will
also be important to understand the vendor’s perspective in light of the points
you raised, especially regarding the...

Re: Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)

βœ‡Full Disclosure
27 January 2026 at 05:32

Posted by Marco Ermini via Fulldisclosure on Jan 26

Hello everyone,

Kindly let me introduce myself. This is the first – and potentially, last – message on this mailing list. I am Marco,
the CISO of EQS Group. Kindly allow me to address some of the statements expressed publicly here.

About the Convercent application

Convercent was acquired by OneTrust in 2021, and in turn, EQS has acquired it from OneTrust at the end of 2024. Before
being acquired by EQS, the Convercent application has not...

SEC Consult SA-20260126-2 :: UART Leaking Sensitive Data in dormakaba registration unit 9002 (PIN pad)

βœ‡Full Disclosure
27 January 2026 at 05:30

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jan 26

SEC Consult Vulnerability Lab Security Advisory < 20260126-2 >
=======================================================================
title: UART Leaking Sensitive Data
Β  Β  Β  Β  Β  Β  product: dormakaba registration unit 9002 (PIN pad)
vulnerable version: <SW0039
Β  Β  Β  fixed version: SW0039
Β  Β  Β  Β  Β CVE number: CVE-2025-59109
Β  Β  Β  Β  Β  Β  Β impact: medium
homepage:...

SEC Consult SA-20260126-1 :: Multiple Critical Vulnerabilities in dormakaba Access Manager

βœ‡Full Disclosure
27 January 2026 at 05:30

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jan 26

SEC Consult Vulnerability Lab Security Advisory < 20260126-1 >
=======================================================================
title: Multiple Critical Vulnerabilities
product: dormakaba Access Manager
vulnerable version: Multiple firmware and hardware revisions (details below)
fixed version: Multiple firmware and hardware revisions (details below)
Β  Β  Β  Β  Β CVE number: CVE-2025-59097,...

SEC Consult SA-20260126-0 :: Multiple Critical Vulnerabilities in dormakaba Kaba exos 9300

βœ‡Full Disclosure
27 January 2026 at 05:30

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jan 26

SEC Consult Vulnerability Lab Security Advisory < 20260126-0 >
=======================================================================
title: Multiple Critical Vulnerabilities
product: dormakaba Kaba exos 9300
vulnerable version: < 4.4.1
fixed version: 4.4.1
CVE number: CVE-2025-59090, CVE-2025-59091, CVE-2025-59092
CVE-2025-59093, CVE-2025-59094, CVE-2025-59095...
Received β€” 22 January 2026 ⏭ Full Disclosure

Re: Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)

βœ‡Full Disclosure
21 January 2026 at 21:32

Posted by Wade Sparks on Jan 21

Hello Yuffie,

Upon further investigation, the VulnCheck CNA determined that these
vulnerabilities were not suitable for CVE assignment. The
vulnerabilities exist within a SaaS product and are mitigated at the
CSP-level which in this case, would be the vendor, EQS Group. Rather than
contribute unactionable CVE records, the VulnCheck CNA used its
discretionary prowess to move forward with rejecting these records. This
policy aligns with a 2022...
❌