π¨ CVE-2025-54594
react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. In versions 0.9.2 and below, the github/workflows/release-canary.yml GitHub Actions repository workflow improperly used the pull_request_target event trigger, which allowed for untrusted code from a forked pull request to be executed in a privileged context. An attacker could create a pull request containing a malicious preinstall script in the package.json file and then trigger the vulnerable workflow by posting a specific comment (!canary). This allowed for arbitrary code execution, leading to the exfiltration of sensitive secrets such as GITHUB_TOKEN and NPM_TOKEN, and could have allowed an attacker to push malicious code to the repository or publish compromised packages to the NPM registry. There is a remediation commit which removes github/workflows/release-canary.yml, but a version with this fix has yet to be released.
π@cveNotify
react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. In versions 0.9.2 and below, the github/workflows/release-canary.yml GitHub Actions repository workflow improperly used the pull_request_target event trigger, which allowed for untrusted code from a forked pull request to be executed in a privileged context. An attacker could create a pull request containing a malicious preinstall script in the package.json file and then trigger the vulnerable workflow by posting a specific comment (!canary). This allowed for arbitrary code execution, leading to the exfiltration of sensitive secrets such as GITHUB_TOKEN and NPM_TOKEN, and could have allowed an attacker to push malicious code to the repository or publish compromised packages to the NPM registry. There is a remediation commit which removes github/workflows/release-canary.yml, but a version with this fix has yet to be released.
π@cveNotify
callstack on Notion
Post-Incident Security Measures: GitHub Actions Workflow Vulnerability | Notion
Following the discovery of a high-severity vulnerability in one of our GitHub Actions workflows (release-canary.yml, described in github.com), Callstack as an organization undertook a thorough review and implemented several key improvements to strengthenβ¦
π¨ CVE-2025-54801
Fiber is an Express inspired web framework written in Go. In versions 2.52.8 and below, when using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder. The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe or reasonable range. If the idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash. This is fixed in version 2.52.9.
π@cveNotify
Fiber is an Express inspired web framework written in Go. In versions 2.52.8 and below, when using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder. The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe or reasonable range. If the idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash. This is fixed in version 2.52.9.
π@cveNotify
GitHub
Merge commit from fork Β· gofiber/fiber@e115c08
* BodyParser: slice/array invalid range
- add test case
* BodyParser: slice/array invalid range
- add test case
* BodyParser: slice/array invalid range
π₯1
π¨ CVE-2020-25078
An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. The unauthenticated /config/getuser endpoint allows for remote administrator password disclosure.
π@cveNotify
An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. The unauthenticated /config/getuser endpoint allows for remote administrator password disclosure.
π@cveNotify
π¨ CVE-2020-25079
An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. cgi-bin/ddns_enc.cgi allows authenticated command injection.
π@cveNotify
An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. cgi-bin/ddns_enc.cgi allows authenticated command injection.
π@cveNotify
π¨ CVE-2025-54606
Status verification vulnerability in the lock screen module.
Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.
π@cveNotify
Status verification vulnerability in the lock screen module.
Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.
π@cveNotify
π¨ CVE-2025-54607
Authentication management vulnerability in the ArkWeb module.
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
π@cveNotify
Authentication management vulnerability in the ArkWeb module.
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
π@cveNotify
π¨ CVE-2025-54608
Vulnerability that allows setting screen rotation direction without permission verification in the screen management module.
Impact: Successful exploitation of this vulnerability may cause device screen orientation to be arbitrarily set.
π@cveNotify
Vulnerability that allows setting screen rotation direction without permission verification in the screen management module.
Impact: Successful exploitation of this vulnerability may cause device screen orientation to be arbitrarily set.
π@cveNotify
π¨ CVE-2025-54609
Out-of-bounds access vulnerability in the audio codec module.
Impact: Successful exploitation of this vulnerability may affect availability.
π@cveNotify
Out-of-bounds access vulnerability in the audio codec module.
Impact: Successful exploitation of this vulnerability may affect availability.
π@cveNotify
π¨ CVE-2025-54610
Out-of-bounds access vulnerability in the audio codec module.
Impact: Successful exploitation of this vulnerability may affect availability.
π@cveNotify
Out-of-bounds access vulnerability in the audio codec module.
Impact: Successful exploitation of this vulnerability may affect availability.
π@cveNotify
π¨ CVE-2025-54611
EXTRA_REFERRER resource read vulnerability in the Gallery module.
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
π@cveNotify
EXTRA_REFERRER resource read vulnerability in the Gallery module.
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
π@cveNotify
π¨ CVE-2025-54624
Unexpected injection event vulnerability in the multimodalinput module.
Impact: Successful exploitation of this vulnerability may affect availability.
π@cveNotify
Unexpected injection event vulnerability in the multimodalinput module.
Impact: Successful exploitation of this vulnerability may affect availability.
π@cveNotify
π¨ CVE-2025-54625
Race condition vulnerability in the kernel file system module.
Impact: Successful exploitation of this vulnerability may affect availability.
π@cveNotify
Race condition vulnerability in the kernel file system module.
Impact: Successful exploitation of this vulnerability may affect availability.
π@cveNotify
π¨ CVE-2025-54626
Pointer dangling vulnerability in the cjwindow module.
Impact: Successful exploitation of this vulnerability may affect function stability.
π@cveNotify
Pointer dangling vulnerability in the cjwindow module.
Impact: Successful exploitation of this vulnerability may affect function stability.
π@cveNotify
π¨ CVE-2025-54627
Out-of-bounds write vulnerability in the skia module.
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
π@cveNotify
Out-of-bounds write vulnerability in the skia module.
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
π@cveNotify
π¨ CVE-2025-54628
Vulnerability of incomplete verification information in the communication module.
Impact: Successful exploitation of this vulnerability may affect availability.
π@cveNotify
Vulnerability of incomplete verification information in the communication module.
Impact: Successful exploitation of this vulnerability may affect availability.
π@cveNotify
π¨ CVE-2025-54629
Race condition issue occurring in the physical page import process of the memory management module.
Impact: Successful exploitation of this vulnerability may affect service integrity.
π@cveNotify
Race condition issue occurring in the physical page import process of the memory management module.
Impact: Successful exploitation of this vulnerability may affect service integrity.
π@cveNotify
π¨ CVE-2025-20990
Improper access control in accessing system device node prior to SMR Aug-2025 Release 1 allows local attackers to access device identifier.
π@cveNotify
Improper access control in accessing system device node prior to SMR Aug-2025 Release 1 allows local attackers to access device identifier.
π@cveNotify
π¨ CVE-2025-21010
Improper privilege management in SamsungAccount prior to SMR Aug-2025 Release 1 allows local privileged attackers to deactivate Samsung account.
π@cveNotify
Improper privilege management in SamsungAccount prior to SMR Aug-2025 Release 1 allows local privileged attackers to deactivate Samsung account.
π@cveNotify
π¨ CVE-2025-21011
Improper access control in SemSensorService for Galaxy Watch prior to SMR Aug-2025 Release 1 allows local attackers to access sensitive information related to motion and body sensors.
π@cveNotify
Improper access control in SemSensorService for Galaxy Watch prior to SMR Aug-2025 Release 1 allows local attackers to access sensitive information related to motion and body sensors.
π@cveNotify
π¨ CVE-2025-21012
Improper access control in fall detection for Galaxy Watch prior to SMR Aug-2025 Release 1 allows local attackers to modify fall detection configuration.
π@cveNotify
Improper access control in fall detection for Galaxy Watch prior to SMR Aug-2025 Release 1 allows local attackers to modify fall detection configuration.
π@cveNotify
π¨ CVE-2025-21013
Improper access control in SemSensorManager for Galaxy Watch prior to SMR Aug-2025 Release 1 allows local attackers to access sensitive information related to outdoor exercise and sleep time.
π@cveNotify
Improper access control in SemSensorManager for Galaxy Watch prior to SMR Aug-2025 Release 1 allows local attackers to access sensitive information related to outdoor exercise and sleep time.
π@cveNotify