Luxembourg, 2026/01/07 - The GCVE initiative is proud to announce the public launch of db.gcve.eu , a new open and freely accessible vulnerability advisory database. The platform aggregates and correlates vulnerability information from more than 25 public sources, including GCVE GNA (Numbering Authority) sources and other established vulnerability databases.

🔗 For more details - https://gcve.eu/2026/01/07/gcve-db-announce/
🔗 https://db.gcve.eu/

#cve #gcve #cybersecurity #vulnerabilitymanagement #vulnerability

Luxembourg, 2026/01/07 - The GCVE initiative is proud to announce the public launch of db.gcve.eu , a new open and freely accessible vulnerability advisory database. The platform aggregates and correlates vulnerability information from more than 25 public sources, including GCVE GNA (Numbering Authority) sources and other established vulnerability databases.

🔗 For more details - https://gcve.eu/2026/01/07/gcve-db-announce/
🔗 https://db.gcve.eu/

#cve #gcve #cybersecurity #vulnerabilitymanagement #vulnerability

When you think that things like turning off #Bluetooth as a precaution are overkill, security researchers drop a bomb like this. (long, but interesting read)

https://insinuator.net/2025/12/bluetooth-headphone-jacking-full-disclosure-of-airoha-race-vulnerabilities/

#CVE #security #cyberSecurity

#CVECrowd, your go-to place for #CVE discussions on the Fediverse and Bluesky, now supports email alerts.

https://cvecrowd.com

Here's how it works:

- You define one or more alert keywords
- Keywords are matched against vendor, product, and package names from official CVE data
- If a post mentions a CVE that matches one of your keywords, you receive an email notification

Read more below 🧵

#Pentesting #AppSec #InfoSec #CyberSecurity #BugBounty #Hacking

#CVECrowd, your go-to place for #CVE discussions on the Fediverse and Bluesky, now supports email alerts.

https://cvecrowd.com

Here's how it works:

- You define one or more alert keywords
- Keywords are matched against vendor, product, and package names from official CVE data
- If a post mentions a CVE that matches one of your keywords, you receive an email notification

Read more below 🧵

#Pentesting #AppSec #InfoSec #CyberSecurity #BugBounty #Hacking

Before you know it, it’ll be time for EU Open Source Week and #FOSDEM in Brussels!

We’re planning on being at many events that week (more details soon). A few to put in your calendar now:

a) 28 Jan 2026: The 1st #GVIP Summit on #vulnerabilitymanagement, existing & future systems, from the new #EUVD to the #CVE program and other platforms. Registration: https://www.gvip-project.org/

b) 31 Jan 2026: Funding the FOSS Ecosystem Devroom
https://fosdem.org/2026/schedule/track/funding-the-foss-ecosystem/

Looking forward to seeing you there!

Hey #Javascript folks, why does no one talking about the recent #React #CVE mentions defensive mechanisms like node's --disallow-code-generation-from-strings which from what I've seen would have prevented the RCE (there may be ways to exploit the prototype pollution but would make the attacker's job much harder).

There is also --disable-proto=delete but I don't know if it's practical.

Using Content Security Policies in the frontend is table stakes, why not also on the server?

#NodeJS #NextJS

Hey #Javascript folks, why does no one talking about the recent #React #CVE mentions defensive mechanisms like node's --disallow-code-generation-from-strings which from what I've seen would have prevented the RCE (there may be ways to exploit the prototype pollution but would make the attacker's job much harder).

There is also --disable-proto=delete but I don't know if it's practical.

Using Content Security Policies in the frontend is table stakes, why not also on the server?

#NodeJS #NextJS

A public service announcement regarding CVEs: one identified vulnerability gets one #CVE.

Each vendor doesn't get their own CVE that corresponds to their security bulletin.

CVE-2025-66478 is REJECTED as duplicate of CVE-2025-55182

#CVE_2025_66478 #CVE_2025_55182 #React #RCE #InfoSec

https://www.cve.org/CVERecord?id=CVE-2025-66478

Critical RCE Vulnerabilities in React and Next.js

https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182

#HackerNews #CriticalRCE #Vulnerabilities #React #Nextjs #Cybersecurity #Vulnerabilities #CVE-2025-55182

Moving Beyond the NPM elliptic Package

If you're in a hurry, head on over to soatok/elliptic-to-noble and follow the instructions in the README in order to remove the elliptic package from your project and all dependencies in node_modules. Art: CMYKat Why replace the elliptic package? Yesterday, the Trail of Bits blog published a post about finding cryptographic bugs in the elliptic library (a Javascript package on NPM) by using the Wycheproof.

http://soatok.blog/2025/11/19/moving-beyond-the-npm-elliptic-package/

#npm #crypto #cryptography #elliptic #security #infosec #cve #mitigation #appsec #javascript #js #npm #npmsecurity #npmpackages

Moving Beyond the NPM elliptic Package

If you're in a hurry, head on over to soatok/elliptic-to-noble and follow the instructions in the README in order to remove the elliptic package from your project and all dependencies in node_modules. Art: CMYKat Why replace the elliptic package? Yesterday, the Trail of Bits blog published a post about finding cryptographic bugs in the elliptic library (a Javascript package on NPM) by using the Wycheproof.

http://soatok.blog/2025/11/19/moving-beyond-the-npm-elliptic-package/

#npm #crypto #cryptography #elliptic #security #infosec #cve #mitigation #appsec #javascript #js #npm #npmsecurity #npmpackages

Django Software Foundation is now a CVE Numbering Authority (CNA) assigning CVE IDs for only supported and end-of-life Django versions available at https://www.djangoproject.com/download/ and projects listed at https://github.com/django (such as Django, channels, and daphne), excluding distributions maintained by third-party redistributors.

cve.org/Media/News/item/news/2025/10/28/Django-Added-as-CNA

#CVE #CNA #Vulnerability #VulnerabilityManagement #Cybersecurity

Django Software Foundation is now a CVE Numbering Authority (CNA) assigning CVE IDs for only supported and end-of-life Django versions available at https://www.djangoproject.com/download/ and projects listed at https://github.com/django (such as Django, channels, and daphne), excluding distributions maintained by third-party redistributors.

cve.org/Media/News/item/news/2025/10/28/Django-Added-as-CNA

#CVE #CNA #Vulnerability #VulnerabilityManagement #Cybersecurity

Understanding the Worst .NET Vulnerability

https://andrewlock.net/understanding-the-worst-dotnet-vulnerability-request-smuggling-and-cve-2025-55315/

#HackerNews #Understanding #.NET #Vulnerability #Request #Smuggling #CVE-2025-55315 #Cybersecurity

Are these real CVEs? VulDB entries for dnsmasq rely on replacing config files

https://seclists.org/oss-sec/2025/q4/79

#HackerNews #CVE #Vulnerabilities #dnsmasq #VulDB #SecurityIssues #ConfigFiles

Just a thought as I work through some bugs reported to NodeBB... would there be interest in ActivityPub.space hosting a "security" category for discussion around vulnerabilities, CVEs, and such that are related to ActivityPub?

For example, if NodeBB were to receive a bug bounty report and responsibly disclose the details, it would be ideal to have it archived in a place where it won't just disappear off the feed in a matter of minutes.

Just a thought as I work through some bugs reported to NodeBB... would there be interest in ActivityPub.space hosting a "security" category for discussion around vulnerabilities, CVEs, and such that are related to ActivityPub?

For example, if NodeBB were to receive a bug bounty report and responsibly disclose the details, it would be ideal to have it archived in a place where it won't just disappear off the feed in a matter of minutes.