If you just updated React / NextJS for #react2shell , you now get to update again. Two additional vulnerabilities identified in follow-up work were just published: CVE-2025-55183 (DoS), CVE-2025-55184 (Source Code Exposure)

https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components

https://nextjs.org/blog/security-update-2025-12-11

[RSS] The FreePBX Rabbit Hole: CVE-2025-66039 and others

https://horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/

[RSS] exploits.club Weekly(ish) Newsletter 93 - Old QEMU Bugs, Android Auto Bluetooth PoCs, BeeStation P20, and More

https://blog.exploits.club/exploits-club-weekly-ish-newsletter-92-s23-n-day-pocs-printer-overflows-dng-oob-writes-and-more-2/

@Viss you don't really talk about it because 1) NDA 2) you look at the damn code all the time?

@mttaggart I thought the "can't be bothered" needs a bit more nuance, that's all

Finally pushed an update to my #DecemberAdventure

tl;dr life is distracting and having a young kid makes this harder to keep-up with

https://git.sr.ht/~louismerlin/december-adventure

@mttaggart Hiring is hard though, esp for SMBs. And at that level you are proper f'd if the guy says bye after a year for whatever reason. SaaS/cloud is more reliable than that.

Exim 4.99: Remote heap corruption https://www.openwall.com/lists/oss-security/2025/12/10/1
In vulnerable configurations, a remote, unauthenticated attacker can achieve heap corruption. No exploit for remote code execution yet, but it may be possible. No further details published yet, until the fix goes public.

CVE-2025-66293: libpng: Out-of-bounds read vulnerability fixed in 1.6.52 https://www.openwall.com/lists/oss-security/2025/12/03/5
Unlike typical image parsing vulnerabilities, this bug is triggered by valid PNG files. Web browsers use the low-level API rather than the simplified API and are not affected by this.

@tallison I'm sure Fedi can also cheer you up, we have quality memes!

BoF in glib.

https://access.redhat.com/security/cve/CVE-2025-14512

A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.

We're so cooked

https://gizmodo.com/librarians-arent-hiding-secret-books-from-you-that-only-ai-knows-about-2000698176

New vulnerability report from Talos:

The Biosig Project libbiosig MFER parsing multiple stack-based buffer overflow vulnerabilities

https://talosintelligence.com/vulnerability_reports/TALOS-2025-2296

CVE-2025-66048,CVE-2025-66043,CVE-2025-66047,CVE-2025-66044,CVE-2025-66046,CVE-2025-66045,CVE-2025-66043,CVE-2025-66044,CVE-2025-66045,CVE-2025-66046,CVE-2025-66047,CVE-2025-66048

A modern tale of Blinkenlights, cheap Christmas shopping and curiosity, narrated by @virtualabs

Firmware extraction and reverse engineering of a smartwatch FTW!

https://blog.quarkslab.com/modern-tale-blinkenlights.html

@cR0w @catsalad sounds like the same principle as googling "google"

[RSS] Introducing mrva, a terminal-first approach to CodeQL multi-repo variant analysis

https://blog.trailofbits.com/2025/12/11/introducing-mrva-a-terminal-first-approach-to-codeql-multi-repo-variant-analysis/

vim user doing God's work

@cR0w Microservices deserve work-life balance too yknow #unionize

In #IBMi 7.6 TR1 and 7.5 TR7 three new date formats have been introduced that will make solving 2040 issue easier.
💙 #IBMi #rpgpgm #IBMChampion
https://www.rpgpgm.com/2025/12/new-date-formats-for-rpg.html

We currently have three pending CVEs to be announced in the next #curl release (severity low + medium x 2)

All three found with AI powered tooling.

So it is happening.

@robpike