Latest news as of 12/6/2025, 6:57:24 AM
Dark Reading
The vulnerability, which was assigned two CVEs with maximum CVSS scores of 10, may affect more than a third of cloud service providers.
The Register
Finish reading this, then patch. A maximum-severity flaw in the widely used JavaScript library React, and several React-based frameworks including Next.js, allows unauthenticated, remote attackers to execute malicious code on vulnerable instances. The flaw is easy to abuse, and mass exploitation is "imminent," according to security researchers.…
Bleeping Computer
Attackers are exploiting a critical-severity privilege escalation vulnerability (CVE-2025-8489) in the King Addons for Elementor plugin for WordPress, which lets them obtain administrative permissions during the registration process. [...]
Dark Reading
The suit alleges the Chinese retailer's app secretly accesses and harvests users' sensitive information without their knowledge or consent.
Bleeping Computer
Leroy Merlin is sending security breach notifications to customers in France, informing them that their personal data was compromised. [...]
Bleeping Computer
Freedom Mobile, the fourth-largest wireless carrier in Canada, has disclosed a data breach after attackers hacked into its customer account management platform and stole the personal information of an undisclosed number of customers. [...]
The Hacker News
A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0. It allows "unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints," the React Team said in
The Hacker News
Microsoft has silently plugged a security flaw that has been exploited by several threat actors since 2017 as part of the company's November 2025 Patch Tuesday updates, according to ACROS Security's 0patch. The vulnerability in question is CVE-2025-9491 (CVSS score: 7.8/7.0), which has been described as a Windows Shortcut (LNK) file UI misinterpretation vulnerability that could lead to remote
Bleeping Computer
Roskomnadzor, Russia's telecommunications watchdog, has blocked access to the Roblox online gaming platform for failing to stop the distribution of what it described as LGBT propaganda and extremist materials. [...]
Bleeping Computer
Google is expanding support for Android's in-call scam protection to multiple banks and financial applications in the United States. [...]