
Full Disclosure Mailing List
A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
List Archives
| Year | Jan | Feb | Mar | Apr | May | Jun | Jul | Aug | Sep | Oct | Nov | Dec |
|------|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| 2026 | 31 | 32 | 26 | 22 | – | – | – | – | – | – | – | – |
| 2025 | 24 | 20 | 9 | 32 | 24 | 28 | 40 | 19 | 80 | 33 | 22 | 37 |
| 2024 | 75 | 25 | 44 | 29 | 37 | 13 | 24 | 41 | 60 | 21 | 20 | 22 |
| 2023 | 29 | 17 | 27 | 14 | 28 | 10 | 52 | 33 | 21 | 32 | 15 | 30 |
| 2022 | 91 | 57 | 63 | 54 | 48 | 57 | 27 | 17 | 30 | 52 | 26 | 32 |
| 2021 | 84 | 93 | 81 | 77 | 81 | 60 | 72 | 39 | 59 | 79 | 56 | 50 |
| 2020 | 52 | 36 | 57 | 63 | 60 | 35 | 37 | 24 | 55 | 34 | 45 | 60 |
| 2019 | 71 | 54 | 64 | 41 | 52 | 49 | 40 | 37 | 45 | 59 | 34 | 37 |
| 2018 | 102 | 84 | 79 | 61 | 73 | 46 | 95 | 53 | 57 | 54 | 69 | 56 |
| 2017 | 99 | 103 | 91 | 113 | 108 | 52 | 95 | 58 | 98 | 71 | 51 | 89 |
| 2016 | 100 | 128 | 97 | 93 | 75 | 79 | 89 | 139 | 85 | 103 | 162 | 88 |
| 2015 | 134 | 101 | 165 | 115 | 133 | 112 | 126 | 86 | 121 | 115 | 111 | 129 |
| 2014 | 194 | 273 | 434 | 325 | 213 | 173 | 167 | 89 | 115 | 135 | 103 | 138 |
| 2013 | 282 | 162 | 290 | 263 | 227 | 259 | 277 | 303 | 187 | 294 | 222 | 224 |
| 2012 | 611 | 477 | 390 | 382 | 323 | 428 | 394 | 393 | 210 | 277 | 236 | 280 |
| 2011 | 580 | 687 | 439 | 561 | 572 | 565 | 367 | 393 | 370 | 995 | 466 | 511 |
| 2010 | 637 | 502 | 564 | 452 | 408 | 631 | 417 | 445 | 414 | 523 | 342 | 696 |
| 2009 | 979 | 380 | 465 | 318 | 282 | 291 | 550 | 455 | 421 | 339 | 386 | 502 |
| 2008 | 615 | 496 | 600 | 821 | 681 | 403 | 591 | 557 | 639 | 531 | 739 | 634 |
| 2007 | 593 | 629 | 573 | 744 | 555 | 661 | 662 | 530 | 709 | 935 | 582 | 641 |
| 2006 | 992 | 740 | 1865 | 865 | 789 | 1058 | 770 | 771 | 578 | 678 | 545 | 493 |
| 2005 | 927 | 676 | 950 | 654 | 678 | 437 | 766 | 1078 | 890 | 677 | 1065 | 1531 |
| 2004 | 1358 | 1534 | 1499 | 1153 | 1451 | 1031 | 1370 | 1314 | 1091 | 1174 | 1424 | 731 |
| 2003 | 505 | 405 | 296 | 500 | 421 | 890 | 1251 | 1942 | 1763 | 1806 | 1123 | 782 |
| 2002 | – | – | – | – | – | – | 314 | 835 | 684 | 381 | 454 | 313 |
Latest Posts
ESP-RFID-Tool v2 PRO — Full Public Disclosure
Milan Berger via Fulldisclosure (Apr 29)
# Security Advisory: ESP-RFID-Tool v2 PRO
**Product:** ESP-RFID-Tool v2 PRO
**Vendor:** Raik Schneider (Einstein2150), foto-video-it.de
**Repository:** https://github.com/Einstein2150/ESP-RFID-Tool-v2
**Affected Version:** v2.2.1 (latest as of 2026-04-28)
**Severity:** CRITICAL
**Disclosure Type:** Full Public Disclosure
**Disclosure Date:** 2026-04-28
**Researcher:** Milan 't4c' Berger
---
## Disclosure Timeline
| Date | Event |...
Re: SEC Consult SA-20260427-0 :: Missing TLS Certificate Validation leading to RCE in DeskTime Time Tracking App
SEC Consult Vulnerability Lab via Fulldisclosure (Apr 29)
*Update 2026-04-28:* The vendor contacted us and now provides a patched version v1.3.674 which can be obtained at the
following URL:
https://desktime.com/download
SEC Consult SA-20260427-0 :: Missing TLS Certificate Validation leading to RCE in DeskTime Time Tracking App
SEC Consult Vulnerability Lab via Fulldisclosure (Apr 29)
SEC Consult Vulnerability Lab Security Advisory < 20260427-0 >
=======================================================================
title: Missing TLS Certificate Validation leading to RCE
product: DeskTime Time Tracking App
vulnerable version: 1.3.671
fixed version: -
CVE number: CVE-2025-10539
impact: medium
homepage: https://desktime.com...
SEC Consult SA-20260423-0 :: DLL Hijacking in EfficientLab Controlio (cloud-based employee monitoring service)
SEC Consult Vulnerability Lab via Fulldisclosure (Apr 29)
SEC Consult Vulnerability Lab Security Advisory < 20260423-0 >
=======================================================================
title: DLL Hijacking
product: EfficientLab Controlio (cloud-based employee monitoring service)
vulnerable version: <1.3.95
fixed version: 1.3.95
CVE number: CVE-2025-10549
impact: High
homepage: https://controlio.net...
SEC Consult SA-20260421-0 :: Broken Access Control in Config Endpoint in LiteLLM
SEC Consult Vulnerability Lab via Fulldisclosure (Apr 29)
SEC Consult Vulnerability Lab Security Advisory < 20260421-0 >
=======================================================================
title: Broken Access Control in Config Endpoint
product: LiteLLM
vulnerable version: <=v1.83.0
fixed version: v1.83.0-nightly
CVE number: CVE-2026-35029
impact: high
homepage: https://www.litellm.ai/
...
SEC Consult SA-20260415-0 :: Exposed Private Key of X.509 Certificate in SAP HANA Cockpit & SAP HANA Database Explorer
SEC Consult Vulnerability Lab via Fulldisclosure (Apr 29)
SEC Consult Vulnerability Lab Security Advisory < 20260415-0 >
=======================================================================
title: Exposed Private Key of X.509 Certificate
product: SAP HANA Cockpit & SAP HANA Database Explorer
vulnerable version: HANA Cockpit <2.18.2 (HRTT <2.16.254002)
fixed version: HANA Cockpit 2.18.2 (HRTT 2.16.254002)
CVE number:...
APPLE-SA-04-22-2026-2 iOS 18.7.8 and iPadOS 18.7.8
Apple Product Security via Fulldisclosure (Apr 29)
APPLE-SA-04-22-2026-2 iOS 18.7.8 and iPadOS 18.7.8
iOS 18.7.8 and iPadOS 18.7.8 address the following issues.
Information about the security content is also available at
https://support.apple.com/en-us/127003.
Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.
Notification Services
Available for: iPhone XR, iPhone XS, iPhone XS Max, iPhone 11 (all...
APPLE-SA-04-22-2026-1 iOS 26.4.2 and iPadOS 26.4.2
Apple Product Security via Fulldisclosure (Apr 29)
APPLE-SA-04-22-2026-1 iOS 26.4.2 and iPadOS 26.4.2
iOS 26.4.2 and iPadOS 26.4.2 address the following issues.
Information about the security content is also available at
https://support.apple.com/en-us/127002.
Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.
Notification Services
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and...
Research: When Trusted Tools Become Attack Primitives
Nir Yehoshua (Apr 29)
Hi Full Disclosure list,
I published a technical research article titled:
When Trusted Tools Become Attack Primitives
The article examines how trusted local utilities can become
security-relevant primitives when used inside automated processing
pipelines.
It covers two case studies:
1. macOS textutil resolving remote resources during HTML-to-text
conversion.
2. KeePassXC KDBX-controlled KDF parameters creating significant...
[KIS-2026-08] SocialEngine <= 7.8.0 (get-memberall) SQL Injection Vulnerability
Egidio Romano (Apr 29)
-----------------------------------------------------------------
SocialEngine <= 7.8.0 (get-memberall) SQL Injection Vulnerability
-----------------------------------------------------------------
[-] Software Link:
https://socialengine.com
[-] Affected Versions:
Versions 7.8.0, 7.7.0, and likely prior versions.
[-] Vulnerability Description:
User input passed through the "text" request parameter to the...
[KIS-2026-07] SocialEngine <= 7.8.0 Blind Server-Side Request Forgery Vulnerability
Egidio Romano (Apr 29)
---------------------------------------------------------------------
SocialEngine <= 7.8.0 Blind Server-Side Request Forgery Vulnerability
---------------------------------------------------------------------
[-] Software Link:
https://socialengine.com
[-] Affected Versions:
Versions 7.8.0, 7.7.0, and likely prior versions.
[-] Vulnerability Description:
User input passed through the "uri" request parameter to the...
Trojan-Spy.Win32.Small / Remote Command Execution
malvuln (Apr 29)
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2026
Original source:
https://malvuln.com/advisory/8c15ec5f0137d097a345b693f0bffedb.txt
Malvuln Intelligence Feed: https://intel.malvuln.com/
Contact: malvuln13 () gmail com
Media: x.com/malvuln
Threat: Trojan-Spy.Win32.Small
Vulnerability: Remote Command Execution
Description: The malware opens a listener on TCP port 65535, allowing
unauthenticated remote attackers with network access...
[IWCC 2026] CfP: 15th International Workshop on Cyber Crime - Linköping, Sweden, Aug 24-27, 2026
Artur Janicki via Fulldisclosure (Apr 29)
[APOLOGIES FOR CROSS-POSTING]
CALL FOR PAPERS
15th International Workshop on Cyber Crime (IWCC 2026 -
https://www.ares-conference.eu/iwcc)
to be held in conjunction with the International Conference on Availability,
Reliability and Security (ARES 2026 - https://www.ares-conference.eu/) in
Linköping, Sweden, August 24-27, 2026
IMPORTANT DATES
Submission Deadline May 11, 2026
Author Notification May 29, 2026
Proceedings Version June...
[SBA-ADV-20251120-01] CVE-2026-0972: GoAnywhere MFT Email HTML Injection
SBA Research Security Advisory via Fulldisclosure (Apr 29)
# GoAnywhere MFT Email HTML Injection #
Link: https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251120-01_GoAnywhere_MFT_Email_HTML_Injection
## Vulnerability Overview ##
GoAnywhere MFT before 7.10.0 is affected by an HTML injection vulnerability
in its email templating functionality. If an attacker is able to influence
the content of a template variable, malicious HTML can be embedded into
outgoing emails generated by the...
CyberDanube Security Research 20260408-1 | Multiple Vulnerabilities in Siemens SICAM A8000
Thomas Weber | CyberDanube via Fulldisclosure (Apr 14)
CyberDanube Security Research 20260408-1
-------------------------------------------------------------------------------
title| Multiple Vulnerabilities
product| Siemens SICAM A8000 CP-8050/CP-8031/CP-8010/CP-8012
vulnerable version| <=V25.30
fixed version| V26.10
CVE number| CVE-2026-27664
impact| High
homepage| https://siemens.com/
found|...
More Lists
Dozens of other network security lists are archived at SecLists.Org.
