
Full Disclosure Mailing List
A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
List Archives (posts per month)

| Year | Jan | Feb | Mar | Apr | May | Jun | Jul | Aug | Sep | Oct | Nov | Dec |
|------|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| 2026 | 31 | 32 | 26 | 22 | 26 | 22 | 17 | – | – | – | – | – |
| 2025 | 24 | 20 | 9 | 32 | 24 | 28 | 40 | 19 | 80 | 33 | 22 | 37 |
| 2024 | 75 | 25 | 44 | 29 | 37 | 13 | 24 | 41 | 60 | 21 | 20 | 22 |
| 2023 | 29 | 17 | 27 | 14 | 28 | 10 | 52 | 33 | 21 | 32 | 15 | 30 |
| 2022 | 91 | 57 | 63 | 54 | 48 | 57 | 27 | 17 | 30 | 52 | 26 | 32 |
| 2021 | 84 | 93 | 81 | 77 | 81 | 60 | 72 | 39 | 59 | 79 | 56 | 50 |
| 2020 | 52 | 36 | 57 | 63 | 60 | 35 | 37 | 24 | 55 | 34 | 45 | 60 |
| 2019 | 71 | 54 | 64 | 41 | 52 | 49 | 40 | 37 | 45 | 59 | 34 | 37 |
| 2018 | 102 | 84 | 79 | 61 | 73 | 46 | 95 | 53 | 57 | 54 | 69 | 56 |
| 2017 | 99 | 103 | 91 | 113 | 108 | 52 | 95 | 58 | 98 | 71 | 51 | 89 |
| 2016 | 100 | 128 | 97 | 93 | 75 | 79 | 89 | 139 | 85 | 103 | 162 | 88 |
| 2015 | 134 | 101 | 165 | 115 | 133 | 112 | 126 | 86 | 121 | 115 | 111 | 129 |
| 2014 | 194 | 273 | 434 | 325 | 213 | 173 | 167 | 89 | 115 | 135 | 103 | 138 |
| 2013 | 282 | 162 | 290 | 263 | 227 | 259 | 277 | 303 | 187 | 294 | 222 | 224 |
| 2012 | 611 | 477 | 390 | 382 | 323 | 428 | 394 | 393 | 210 | 277 | 236 | 280 |
| 2011 | 580 | 687 | 439 | 561 | 572 | 565 | 367 | 393 | 370 | 995 | 466 | 511 |
| 2010 | 637 | 502 | 564 | 452 | 408 | 631 | 417 | 445 | 414 | 523 | 342 | 696 |
| 2009 | 979 | 380 | 465 | 318 | 282 | 291 | 550 | 455 | 421 | 339 | 386 | 502 |
| 2008 | 615 | 496 | 600 | 821 | 681 | 403 | 591 | 557 | 639 | 531 | 739 | 634 |
| 2007 | 593 | 629 | 573 | 744 | 555 | 661 | 662 | 530 | 709 | 935 | 582 | 641 |
| 2006 | 992 | 740 | 1865 | 865 | 789 | 1058 | 770 | 771 | 578 | 678 | 545 | 493 |
| 2005 | 927 | 676 | 950 | 654 | 678 | 437 | 766 | 1078 | 890 | 677 | 1065 | 1531 |
| 2004 | 1358 | 1534 | 1499 | 1153 | 1451 | 1031 | 1370 | 1314 | 1091 | 1174 | 1424 | 731 |
| 2003 | 505 | 405 | 296 | 500 | 421 | 890 | 1251 | 1942 | 1763 | 1806 | 1123 | 782 |
| 2002 | – | – | – | – | – | – | 314 | 835 | 684 | 381 | 454 | 313 |
Latest Posts
Whistleblowersoftware.com: confidentiality and anonymity leakage to third parties
Red Nanaki via Fulldisclosure (Jul 02)
Whistleblowersoftware.com: confidentiality and anonymity leakage to third parties
## Summary
The anonymous reporting flow on `whistleblowersoftware.com` encrypts report
text end-to-end in the browser but does not extend the same guarantee to
attachments and exposes the reporter's network identity and timing to a US-based
third party. Together these weaken the confidentiality and anonymity
properties the platform is expected to provide.
##...
OpenBlow Multiple Deanonymization Vulnerabilities
Red Nanaki via Fulldisclosure (Jul 02)
OpenBlow Multiple Deanonymization Vulnerabilities
Summary
A production deployment was observed (HTTP archive of a full, real whistleblower
submission) to route its anonymous reporting flow through Google. The intake
CAPTCHA is Google reCAPTCHA, enforced as a mandatory, server-validated gate
on report submission, and the UI additionally pulls a web font from
fonts.gstatic.com. As a result, every prospective whistleblower's browser
makes...
Whistlelink: Site-access password exposed in web server access logs via GET query string
Red Nanaki via Fulldisclosure (Jul 02)
Whistlelink: Site-access password exposed in web server access logs via GET query string
Severity: CRITICAL
SUMMARY
The Whistlelink reporting portal protects optionally-enabled, password-gated
whistleblowing sites with a site-access password. When a visitor unlocks such a
site, the client validates the password by issuing an HTTP GET request that
carries the password as a URL query-string parameter:
GET...
APPLE-SA-06-29-2026-3 Safari 26.5.2
Apple Product Security via Fulldisclosure (Jul 02)
APPLE-SA-06-29-2026-3 Safari 26.5.2
Safari 26.5.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/en-us/127685.
Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.
Web Extensions
Available for: macOS Sonoma and macOS Sequoia
Impact: A malicious web extension may be able to cause an...
APPLE-SA-06-29-2026-2 macOS Tahoe 26.5.2
Apple Product Security via Fulldisclosure (Jul 02)
APPLE-SA-06-29-2026-2 macOS Tahoe 26.5.2
macOS Tahoe 26.5.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/en-us/127595.
Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.
IOGPUFamily
Available for: macOS Tahoe
Impact: An app may be able to cause unexpected system termination...
APPLE-SA-06-29-2026-1 iOS 26.5.2 and iPadOS 26.5.2
Apple Product Security via Fulldisclosure (Jul 02)
APPLE-SA-06-29-2026-1 iOS 26.5.2 and iPadOS 26.5.2
iOS 26.5.2 and iPadOS 26.5.2 address the following issues.
Information about the security content is also available at
https://support.apple.com/en-us/127594.
Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.
IOGPUFamily
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later,...
pwnlift: symlink following and TOCTOU in privileged upload handler allow arbitrary file write as root
Greg via Fulldisclosure (Jul 02)
1. Advisory information
-----------------------
Title: Symlink following and TOCTOU in pwnlift upload handler allow arbitrary file write as root
Advisory: https://github.com/GregDurys/security-advisories
GHSA: GHSA-2v7v-rhpw-m9w4
CVE: CVE-2026-56815
Class: CWE-59 (Improper Link Resolution Before File Access),
CWE-367 (Time-of-check Time-of-use Race Condition)
CVSS: 7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Date: 2026-06-27...
[KIS-2026-12] Control Web Panel <= 0.9.8.1224 (userRes) SQL Injection Vulnerability
Egidio Romano (Jul 02)
---------------------------------------------------------------------
Control Web Panel <= 0.9.8.1224 (userRes) SQL Injection Vulnerability
---------------------------------------------------------------------
[-] Software Link:
https://control-webpanel.com
[-] Affected Versions:
Version 0.9.8.1224 and prior versions.
[-] Vulnerability Description:
User input passed through the "userRes" POST parameter to...
[fulldis] CVE-2026-58451 - Horde Groupware IMP path traversal vuln
evan via Fulldisclosure (Jul 02)
This is my first time sending to a mailing list, so I've chosen
something easy. Here goes:
Summary: Horde Groupware’s IMP Webmail solution contains a path
traversal/local file inclusion vulnerability which could be exploited
to escalate privileges or bypass authentication (through CSRF if
unauthenticated).
the vulnerability is in here:
} elseif (strcasecmp($node->tagName, 'IMG') === 0) {
/* Check for smileys. They...
Samsung Galaxy Buds – Zero-Click HFP/A2DP Takeover via L2CAP Session Preemption (Vendor Response: Working as Intended)
490h3fqwomf via Fulldisclosure (Jul 02)
Hello Full Disclosure,
The following publicly available research describes a Bluetooth attack against Samsung Galaxy Buds that leverages
connection arbitration behavior between HFP and A2DP profiles to preempt an active audio session.
Title:
Zero-Click HFP/A2DP Takeover via L2CAP Session Preemption
Exploiting Seamless Earbud Connection Arbitration to Bypass Pairing Trust Boundaries
According to the published research, an attacker within...
Asterisk Security Release 23.4.1
Asterisk Development Team via Fulldisclosure (Jul 02)
The Asterisk Development Team would like to announce security release
Asterisk 23.4.1.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/23.4.1
and
https://downloads.asterisk.org/pub/telephony/asterisk
Repository: https://github.com/asterisk/asterisk
Tag: 23.4.1
## Change Log for Release asterisk-23.4.1
### Links:
- [Full ChangeLog](...
Asterisk Security Release 22.10.1
Asterisk Development Team via Fulldisclosure (Jul 02)
The Asterisk Development Team would like to announce security release
Asterisk 22.10.1.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.10.1
and
https://downloads.asterisk.org/pub/telephony/asterisk
Repository: https://github.com/asterisk/asterisk
Tag: 22.10.1
## Change Log for Release asterisk-22.10.1
### Links:
- [Full ChangeLog](...
Asterisk Security Release 21.12.3
Asterisk Development Team via Fulldisclosure (Jul 02)
The Asterisk Development Team would like to announce security release
Asterisk 21.12.3.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.12.3
and
https://downloads.asterisk.org/pub/telephony/asterisk
Repository: https://github.com/asterisk/asterisk
Tag: 21.12.3
## Change Log for Release asterisk-21.12.3
### Links:
- [Full ChangeLog](...
Asterisk Security Release 20.20.1
Asterisk Development Team via Fulldisclosure (Jul 02)
The Asterisk Development Team would like to announce security release
Asterisk 20.20.1.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.20.1
and
https://downloads.asterisk.org/pub/telephony/asterisk
Repository: https://github.com/asterisk/asterisk
Tag: 20.20.1
## Change Log for Release asterisk-20.20.1
### Links:
- [Full ChangeLog](...
Certified Asterisk Security Release certified-22.8-cert3
Asterisk Development Team via Fulldisclosure (Jul 02)
The Asterisk Development Team would like to announce security release
Certified Asterisk 22.8-cert3.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-22.8-cert3
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk
Repository: https://github.com/asterisk/asterisk
Tag: certified-22.8-cert3
## Change Log for Release asterisk-certified-22.8-cert3
###...
More Lists
Dozens of other network security lists are archived at SecLists.Org.
