Full Disclosure Mailing List

A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

List Archives

Latest Posts

Asterisk Security Release 23.2.2 Asterisk Development Team via Fulldisclosure (Feb 07)
The Asterisk Development Team would like to announce security release
Asterisk 23.2.2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/23.2.2
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 23.2.2

## Change Log for Release asterisk-23.2.2

### Links:

- [Full ChangeLog](...

Asterisk Security Release 21.12.1 Asterisk Development Team via Fulldisclosure (Feb 07)
The Asterisk Development Team would like to announce security release
Asterisk 21.12.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.12.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 21.12.1

## Change Log for Release asterisk-21.12.1

### Links:

- [Full ChangeLog](...

Asterisk Security Release 22.8.2 Asterisk Development Team via Fulldisclosure (Feb 07)
The Asterisk Development Team would like to announce security release
Asterisk 22.8.2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.8.2
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 22.8.2

## Change Log for Release asterisk-22.8.2

### Links:

- [Full ChangeLog](...

Asterisk Security Release 20.18.2 Asterisk Development Team via Fulldisclosure (Feb 07)
The Asterisk Development Team would like to announce security release
Asterisk 20.18.2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.18.2
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 20.18.2

## Change Log for Release asterisk-20.18.2

### Links:

- [Full ChangeLog](...

Certified Asterisk Security Release certified-20.7-cert9 Asterisk Development Team via Fulldisclosure (Feb 07)
The Asterisk Development Team would like to announce security release
Certified Asterisk 20.7-cert9.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-20.7-cert9
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-20.7-cert9

## Change Log for Release asterisk-certified-20.7-cert9

###...

SEC Consult SA-20260202-0 :: Multiple vulnerabilities in Native Instruments Native Access (MacOS) SEC Consult Vulnerability Lab via Fulldisclosure (Feb 04)
SEC Consult Vulnerability Lab Security Advisory < 20260202-0 >
=======================================================================
title: Multiple vulnerabilities
product: Native Instruments - Native Access (MacOS)
vulnerable version: verified up to 3.22.0
fixed version: n/a
CVE number: CVE-2026-24070, CVE-2026-24071
             impact: high
homepage:...

CyberDanube Security Research 20260119-0 | Authenticated Command Injection in Phoenix Contact TC Router Series Thomas Weber | CyberDanube via Fulldisclosure (Feb 04)
CyberDanube Security Research 20260119-0
-------------------------------------------------------------------------------
title| Authenticated Command Injection
product| TC Router 5004T-5G EU
vulnerable version| 1.06.18
fixed version| 1.06.23
CVE number| CVE-2025-41717
impact| High
homepage| https://www.phoenixcontact.com/
found| 16.04.2025...

[KIS-2026-03] Blesta <= 5.13.1 (2Checkout) Multiple PHP Object Injection Vulnerabilities Egidio Romano (Feb 04)
--------------------------------------------------------------------------
Blesta <= 5.13.1 (2Checkout) Multiple PHP Object Injection Vulnerabilities
--------------------------------------------------------------------------

[-] Software Link:

https://www.blesta.com

[-] Affected Versions:

All versions from 3.0.0 to 5.13.1.

[-] Vulnerabilities Description:

The vulnerabilities exist because user input passed through the...

[KIS-2026-02] Blesta <= 5.13.1 (Admin Interface) Multiple PHP Object Injection Vulnerabilities Egidio Romano (Feb 04)
--------------------------------------------------------------------------------
Blesta <= 5.13.1 (Admin Interface) Multiple PHP Object Injection Vulnerabilities
--------------------------------------------------------------------------------

[-] Software Link:

https://www.blesta.com

[-] Affected Versions:

All versions from 3.0.0 to 5.13.1.

[-] Vulnerabilities Description:

The vulnerabilities exist because user input passed through the...

[KIS-2026-01] Blesta <= 5.13.1 (confirm_url) Reflected Cross-Site Scripting Vulnerability Egidio Romano (Feb 04)
---------------------------------------------------------------------------
Blesta <= 5.13.1 (confirm_url) Reflected Cross-Site Scripting Vulnerability
---------------------------------------------------------------------------

[-] Software Link:

https://www.blesta.com

[-] Affected Versions:

All versions from 3.2.0 to 5.13.1.

[-] Vulnerability Description:

User input passed through the "confirm_url" GET parameter to the...

Username Enumeration - elggv6.3.3 Andrey Stoykov (Jan 29)
# Exploit Title: Elgg - Username Enumeration
# Date: 1/2026
# Exploit Author: Andrey Stoykov
# Version: 6.3.3
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2026/01/friday-fun-pentest-series-47-lack-of.html

// HTTP Request - Resetting Password - Valid User

POST /action/user/requestnewpassword HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0)
Gecko/20100101 Firefox/148.0
Accept:...

Weak Password Complexity - elggv6.3.3 Andrey Stoykov (Jan 29)
# Exploit Title: Elgg - Lack of Password Complexity
# Date: 1/2026
# Exploit Author: Andrey Stoykov
# Version: 6.3.3
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2026/01/friday-fun-pentest-series-48-weak.html

// HTTP Request - Changing Password

POST /action/usersettings/save HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0)
Gecko/20100101 Firefox/148.0
Accept:...

Paper-Exploiting XAMPP Installations Andrey Stoykov (Jan 29)
Hi. I would like to publish my paper for exploiting XAMPP installations.

Thanks,
Andrey

CVE-2025-12758: Unicode Variation Selectors Bypass in 'validator' library (isLength) Karol Wrótniak (Jan 29)
Summary
=======
A vulnerability was discovered in the popular JavaScript library
'validator'.
The isLength() function incorrectly handles Unicode Variation Selectors
(U+FE0E and U+FE0F). An attacker can inject thousands of these zero-width
characters into a string, causing the library to report a much smaller
perceived length than the actual byte size. This leads to validation
bypasses,
potential database truncation, and Denial of...

Re: Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group) Yuffie Kisaragi via Fulldisclosure (Jan 26)
Dear Art,

Thank you for sharing your detailed evaluation and for pointing out the relevant
sections of the CNA Rules.

Your argument is well reasoned, particularly with respect to the current
guidance on SaaS and exclusively hosted services.

I have forwarded your evaluation to the CNA for further consideration. It will
also be important to understand the vendor’s perspective in light of the points
you raised, especially regarding the...

More Lists

Dozens of other network security lists are archived at SecLists.Org.