Auth bypass in Open-WebUI. https://www.cve.org/CVERecord?id=CVE-2025-63391 > An authentication bypass vulnerability exists in Open-WebUI <=0.6.32 in the /api/config endpoint. The endpoint lacks proper authentication and authorization controls, exposing sensitive system configuration data to unauthenticated remote attackers.

Perfect 10 in HPE OneView with no description and the advisory behind a login? Must be good. Go hack that shit please. 🥳 https://www.cve.org/CVERecord?id=CVE-2025-37164

> Public preview of synced passkeys brings the security benefits of MFA with simpler usability, while avoiding the security risks of weaker MFA options like SMS. However, even the simplest MFA can fail when credentials are lost, making account recovery a critical part of the user experience. To improve usability in such cases, we are introducing public preview for account recovery with AI-powered biometric match against government issued IDs across 192 countries. https://techcommunity.microsoft.com/blog/microsoft-entra-blog/synced-passkeys-and-high-assurance-account-recovery/3627343

RE:

Infosec Exchange

BleepingComputer (@BleepingComputer@infosec.exchange)

Hackers are exploiting critical-severity vulnerabilities affecting multiple Fortinet products to get unauthorized access to admin accounts and ste...

Apparently CVE-2025-59718 and CVE-2025-59719 are now EITW. View quoted note →

../ in FreshRSS. How did no one recommend that one to me yesterday? A new ../ would have been fun.

GitHub

Authenticated RCE via path traversal inside include()

### Summary Using a path traversal inside the `language` user configuration parameter, it's possible to call `install.php` and perform various a...

A couple vulns in Trail of Bits' Fickling.

GitHub

Bypass via marshal.loads() and types.FunctionType()

## Our assessment Based on the test case provided in the original report below, this bypass was caused by `marshal` and `types` missing from our...

GitHub

Bypass via pty.spawn()

## Our assessment Based on the test case provided in the original report below, this bypass was caused by `pty` missing from our block list of u...

RE:

Mastodon

Miguel de Icaza ᯅ🍉 (@Migueldeicaza@mastodon.social)

Jesus fucking christ. https://hey.paris/posts/appleid/

This is terrible, obviously. But another lesson for self hosting weirdos like me who offer services to friends and family is that the same outcome is possible with a simple accident or mistake. Be careful with other people's data. There's more to it than just encryption. View quoted note →

Ten CVEs in GitLab fixed, including four sev:HIGH ones.

GitLab Patch Release: 18.6.2, 18.5.4, 18.4.6

Learn more about GitLab Patch Release: 18.6.2, 18.5.4, 18.4.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).