Full Disclosure

A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

APPLE-SA-05-11-2026-1 iOS 26.5 and iPadOS 26.5

17 May, 2026 - 16:16

Posted by Apple Product Security via Fulldisclosure on May 17

APPLE-SA-05-11-2026-1 iOS 26.5 and iPadOS 26.5

iOS 26.5 and iPadOS 26.5 address the following issues.
Information about the security content is also available at
https://support.apple.com/en-us/127110.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Accelerate
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro...

Full disclosure: Impersonation attacks on Edupage portal

17 May, 2026 - 16:14

Posted by Juraj Kosik on May 17

VULNERABILITY
Non-sanitised submission of malicious SVG files on the Edupage portal in
combination with CSRF vulnerability allows triggering various actions on
behalf of other users, e.g. identity spoofing, sending fake messages,
giving fake approvals, etc.

Full disclosure report: https://jkosik.github.io/posts/edupage/
Reference: https://www.edupage.org/

VENDOR:
Applied Software Consultants

PRODUCT:
Edupage - https://www.edupage.org/
Web...

Full disclosure: Edupage web and mobile application authorization bypass leaks PII and IBAN codes

17 May, 2026 - 16:14

Posted by Juraj Kosik on May 17

VULNERABILITY
Both authenticated and publicly accessible anonymous guest accounts on the
Edupage portal allow an attacker to capture the complete list of user IDs,
names (students, parents, and teachers), and the associated banking details
(IBAN codes).

Full disclosure report: https://jkosik.github.io/posts/edupage/
Reference: https://www.edupage.org/

VENDOR:
Applied Software Consultants

PRODUCT:
Edupage - https://www.edupage.org/
Web application...

Dovecot Security Advisory OXDC-2026-0002

17 May, 2026 - 16:11

Posted by Aki Tuomi on May 17

Hi!

We're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving those
vulnerabilities. This advisory is also published at
https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0002.html

---

Classification: TLP:GREEN

Internal reference: DOV-8967
Type: CWE-235 (Improper Handling of Extra Parameters)
Component: core
Report confidence: Confirmed
Solution...

ESP-RFID-Tool v2 PRO — Full Public Disclosure

29 April, 2026 - 12:46

Posted by Milan Berger via Fulldisclosure on Apr 29

# Security Advisory: ESP-RFID-Tool v2 PRO

**Product:** ESP-RFID-Tool v2 PRO
**Vendor:** Raik Schneider (Einstein2150), foto-video-it.de
**Repository:** https://github.com/Einstein2150/ESP-RFID-Tool-v2
**Affected Version:** v2.2.1 (latest as of 2026-04-28)
**Severity:** CRITICAL
**Disclosure Type:** Full Public Disclosure
**Disclosure Date:** 2026-04-28
**Researcher:** Milan 't4c' Berger

---

## Disclosure Timeline

| Date | Event |...

Re: SEC Consult SA-20260427-0 :: Missing TLS Certificate Validation leading to RCE in DeskTime Time Tracking App

29 April, 2026 - 12:43

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Apr 29

*Update 2026-04-28:* The vendor contacted us and now provides a patched version v1.3.674 which can be obtained at the
following URL:

https://desktime.com/download

SEC Consult SA-20260427-0 :: Missing TLS Certificate Validation leading to RCE in DeskTime Time Tracking App

29 April, 2026 - 12:43

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Apr 29

SEC Consult Vulnerability Lab Security Advisory < 20260427-0 >
=======================================================================
              title: Missing TLS Certificate Validation leading to RCE
            product: DeskTime Time Tracking App
 vulnerable version: 1.3.671
      fixed version: -
         CVE number: CVE-2025-10539
             impact: medium
           homepage: https://desktime.com...

SEC Consult SA-20260423-0 :: DLL Hijacking in EfficientLab Controlio (cloud-based employee monitoring service)

29 April, 2026 - 12:43

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Apr 29

SEC Consult Vulnerability Lab Security Advisory < 20260423-0 >
=======================================================================
              title: DLL Hijacking
            product: EfficientLab Controlio (cloud-based employee monitoring service)
 vulnerable version: <1.3.95
      fixed version: 1.3.95
         CVE number: CVE-2025-10549
             impact: High
           homepage: https://controlio.net...

SEC Consult SA-20260421-0 :: Broken Access Control in Config Endpoint in LiteLLM

29 April, 2026 - 12:43

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Apr 29

SEC Consult Vulnerability Lab Security Advisory < 20260421-0 >
=======================================================================
              title: Broken Access Control in Config Endpoint
            product: LiteLLM
 vulnerable version: <=v1.83.0
      fixed version: v1.83.0-nightly
         CVE number: CVE-2026-35029
             impact: high
           homepage: https://www.litellm.ai/
...

SEC Consult SA-20260415-0 :: Exposed Private Key of X.509 Certificate in SAP HANA Cockpit & SAP HANA Database Explorer

29 April, 2026 - 12:43

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Apr 29

SEC Consult Vulnerability Lab Security Advisory < 20260415-0 >
=======================================================================
              title: Exposed Private Key of X.509 Certificate
            product: SAP HANA Cockpit & SAP HANA Database Explorer
 vulnerable version: HANA Cockpit <2.18.2 (HRTT <2.16.254002)
      fixed version: HANA Cockpit 2.18.2 (HRTT 2.16.254002)
         CVE number:...

APPLE-SA-04-22-2026-2 iOS 18.7.8 and iPadOS 18.7.8

29 April, 2026 - 12:43

Posted by Apple Product Security via Fulldisclosure on Apr 29

APPLE-SA-04-22-2026-2 iOS 18.7.8 and iPadOS 18.7.8

iOS 18.7.8 and iPadOS 18.7.8 address the following issues.
Information about the security content is also available at
https://support.apple.com/en-us/127003.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Notification Services
Available for: iPhone XR, iPhone XS, iPhone XS Max, iPhone 11 (all...

APPLE-SA-04-22-2026-1 iOS 26.4.2 and iPadOS 26.4.2

29 April, 2026 - 12:43

Posted by Apple Product Security via Fulldisclosure on Apr 29

APPLE-SA-04-22-2026-1 iOS 26.4.2 and iPadOS 26.4.2

iOS 26.4.2 and iPadOS 26.4.2 address the following issues.
Information about the security content is also available at
https://support.apple.com/en-us/127002.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Notification Services
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and...

Research: When Trusted Tools Become Attack Primitives

29 April, 2026 - 12:35

Posted by Nir Yehoshua on Apr 29

Hi Full Disclosure list,

I published a technical research article titled:

When Trusted Tools Become Attack Primitives

The article examines how trusted local utilities can become
security-relevant primitives when used inside automated processing
pipelines.

It covers two case studies:

1. macOS textutil resolving remote resources during HTML-to-text
conversion.
2. KeePassXC KDBX-controlled KDF parameters creating significant...

[KIS-2026-08] SocialEngine <= 7.8.0 (get-memberall) SQL Injection Vulnerability

29 April, 2026 - 12:35

Posted by Egidio Romano on Apr 29

-----------------------------------------------------------------
SocialEngine <= 7.8.0 (get-memberall) SQL Injection Vulnerability
-----------------------------------------------------------------

[-] Software Link:

https://socialengine.com

[-] Affected Versions:

Versions 7.8.0, 7.7.0, and likely prior versions.

[-] Vulnerability Description:

User input passed through the "text" request parameter to the...

[KIS-2026-07] SocialEngine <= 7.8.0 Blind Server-Side Request Forgery Vulnerability

29 April, 2026 - 12:35

Posted by Egidio Romano on Apr 29

---------------------------------------------------------------------
SocialEngine <= 7.8.0 Blind Server-Side Request Forgery Vulnerability
---------------------------------------------------------------------

[-] Software Link:

https://socialengine.com

[-] Affected Versions:

Versions 7.8.0, 7.7.0, and likely prior versions.

[-] Vulnerability Description:

User input passed through the "uri" request parameter to the...

Trojan-Spy.Win32.Small / Remote Command Execution

29 April, 2026 - 12:34

Posted by malvuln on Apr 29

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2026
Original source:
https://malvuln.com/advisory/8c15ec5f0137d097a345b693f0bffedb.txt
Malvuln Intelligence Feed: https://intel.malvuln.com/
Contact: malvuln13 () gmail com
Media: x.com/malvuln

Threat: Trojan-Spy.Win32.Small
Vulnerability: Remote Command Execution
Description: The malware opens a listener on TCP port 65535, allowing
unauthenticated remote attackers with network access...

[IWCC 2026] CfP: 15th International Workshop on Cyber Crime - Linköping, Sweden, Aug 24-27, 2026

29 April, 2026 - 12:31

Posted by Artur Janicki via Fulldisclosure on Apr 29

[APOLOGIES FOR CROSS-POSTING]

CALL FOR PAPERS
15th International Workshop on Cyber Crime (IWCC 2026 -
https://www.ares-conference.eu/iwcc)
to be held in conjunction with the International Conference on Availability,
Reliability and Security (ARES 2026 - https://www.ares-conference.eu/) in
Linköping, Sweden, August 24-27, 2026

IMPORTANT DATES
Submission Deadline May 11, 2026
Author Notification May 29, 2026
Proceedings Version June...

[SBA-ADV-20251120-01] CVE-2026-0972: GoAnywhere MFT Email HTML Injection

29 April, 2026 - 12:30

Posted by SBA Research Security Advisory via Fulldisclosure on Apr 29

# GoAnywhere MFT Email HTML Injection #

Link: https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251120-01_GoAnywhere_MFT_Email_HTML_Injection

## Vulnerability Overview ##

GoAnywhere MFT before 7.10.0 is affected by an HTML injection vulnerability
in its email templating functionality. If an attacker is able to influence
the content of a template variable, malicious HTML can be embedded into
outgoing emails generated by the...

CyberDanube Security Research 20260408-1 | Multiple Vulnerabilities in Siemens SICAM A8000

14 April, 2026 - 12:07

Posted by Thomas Weber | CyberDanube via Fulldisclosure on Apr 14

CyberDanube Security Research 20260408-1
-------------------------------------------------------------------------------
title| Multiple Vulnerabilities
product| Siemens SICAM A8000 CP-8050/CP-8031/CP-8010/CP-8012
vulnerable version| <=V25.30
fixed version| V26.10
CVE number| CVE-2026-27664
impact| High
homepage| https://siemens.com/
found|...

CyberDanube Security Research 20260408-0 | Remote Operation Denial of Service in Siemens SICAM A8000

14 April, 2026 - 12:07

Posted by Thomas Weber | CyberDanube via Fulldisclosure on Apr 14

CyberDanube Security Research 20260408-0
-------------------------------------------------------------------------------
title| Remote Operation Denial of Service
product| Siemens SICAM A8000 CP-8050/CP-8031/CP-8010/CP-8012
vulnerable version| <=V25.30
fixed version| V26.10
CVE number| CVE-2026-27663
impact| Medium
homepage| https://siemens.com/...