A weakness has been identified in Portabilis i-Educar up to 2.10. This affects an unknown function of the file /intranet/educar_funcao_cad.php of the component Editar Função Page. This manipulation of the argument abreviatura/tipoacao causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited.

CVE Database V5

Detailed information about CVE-2025-10591: Cross Site Scripting in Portabilis i-Educar affecting Portabilis i-Educar. Get real-time updates, technical details, 

CVE-2025-10591: Cross Site Scripting in Portabilis i-Educar - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-10591: Cross Site Scripting in Portabilis i-Educar

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner to halt and fail to analyze the contents for malicious pickle files. When the file incorrectly considered safe is loaded, it can lead to the execution of malicious code.

CVE-2025-10156 is a critical vulnerability identified in the ZIP archive scanning component of the mmaitre314 picklescan tool, which is used to detect malicious Python pickle files. The vulnerability arises from improper handling of exceptional conditions, specifically when the scanner encounters a ZIP archive containing a file with a deliberately corrupted Cyclic Redundancy Check (CRC). When such a malformed ZIP file is processed, the scanner prematurely halts its analysis, erroneously considering the archive safe without fully inspecting its contents. This bypass allows an attacker to embed malicious pickle files within the ZIP archive that evade detection. If the compromised pickle file is subsequently loaded by an application relying on picklescan for security scanning, it can lead to arbitrary code execution. The vulnerability is notable because it requires no authentication or user interaction, can be exploited remotely by delivering a crafted ZIP archive, and impacts the confidentiality, integrity, and availability of affected systems. The CVSS 4.0 base score of 9.3 reflects its critical severity, with network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. No patches are currently available, and no known exploits have been reported in the wild as of the publication date.

Detailed information about CVE-2025-10156: CWE-755: Improper Handling of Exceptional Conditions in mmaitre314 picklescan affecting mmaitre314 picklescan. Get re

CVE-2025-10156: CWE-755: Improper Handling of Exceptional Conditions in mmaitre314 picklescan - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-10156: CWE-755: Improper Handling of Exceptional Conditions in mmaitre314 picklescan

Hosting a website on a disposable vape

Source: https://bogdanthegeek.github.io/blog/projects/vapeserver/

The reported security news titled "Hosting a website on a disposable vape" describes a novel and unconventional use of hardware typically not associated with web hosting. The source references a project hosted on bogdanthegeek.github.io, which demonstrates the feasibility of running a web server on a disposable vape device. This concept leverages the embedded microcontroller and wireless capabilities within certain disposable vaping devices to serve web content. While this is an intriguing technical demonstration, it does not represent a traditional security vulnerability or threat vector by itself. There are no affected software versions, no known exploits in the wild, and no patches or mitigations issued. The discussion on Reddit's NetSec subreddit is minimal, with a low engagement score, indicating limited immediate security concern or community impact. The project appears to be more of a proof-of-concept or experimental demonstration rather than a direct cybersecurity threat. However, from a security perspective, the ability to host a website on such an unconventional device could raise concerns about unauthorized or covert web servers operating on networks, potentially bypassing traditional monitoring tools if such devices are connected to enterprise environments. This could theoretically be abused for data exfiltration or command and control in highly targeted attacks, but no evidence currently supports such use. Overall, this is an interesting technical novelty rather than a direct threat or vulnerability.

Reddit NetSec

Detailed information about Hosting a website on a disposable vape. Get real-time updates, technical details, and mitigation strategies.

Hosting a website on a disposable vape - Live Threat Intelligence - Threat Radar | OffSeq.com

Hosting a website on a disposable vape

Reddit Discussion: Hosting a website on a disposable vape

The N-Reporter, N-Cloud, and N-Probe developed by N-Partner has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server.

CVE-2025-9972 is a critical OS Command Injection vulnerability (CWE-78) identified in the Planet Technology ICG-2510WG-LTE device, specifically impacting the N-Reporter, N-Cloud, and N-Probe components developed by N-Partner. This vulnerability allows an authenticated remote attacker to inject arbitrary operating system commands and execute them on the affected server. The vulnerability is notable for its high CVSS 4.0 base score of 9.3, indicating a critical severity level. The CVSS vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) suggests that the attack can be performed remotely over the network without any privileges or user interaction, and it results in high impact on confidentiality, integrity, and availability. The vulnerability arises from improper neutralization of special elements used in OS commands, allowing malicious input to be interpreted as executable commands by the underlying operating system. Although no known exploits are currently reported in the wild, the lack of patches or mitigation links indicates that the vulnerability remains unpatched and exploitable. The affected product, ICG-2510WG-LTE, is deployed in both EU and US markets, which implies a broad geographical footprint. Given the nature of the device (likely a network communication or IoT gateway device with LTE capabilities), exploitation could lead to full system compromise, data exfiltration, disruption of network services, or pivoting attacks within the victim’s network environment.

Detailed information about CVE-2025-9972: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Planet Technology

CVE-2025-9972: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Planet Technology ICG-2510WG-LTE (EU/US) - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-9972: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Planet Technology ICG-2510WG-LTE (EU/US)

A security flaw has been discovered in Portabilis i-Educar up to 2.10. The impacted element is an unknown function of the file /intranet/educar_usuario_det.php. The manipulation of the argument ref_pessoa results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be exploited.

Detailed information about CVE-2025-10590: Cross Site Scripting in Portabilis i-Educar affecting Portabilis i-Educar. Get real-time updates, technical details, 

CVE-2025-10590: Cross Site Scripting in Portabilis i-Educar

CVE-2025-10590: Cross Site Scripting in Portabilis i-Educar

Description

Technical Details

Related Threats

CVE-2025-10591: Cross Site Scripting in Portabilis i-Educar

CVE-2025-10156: CWE-755: Improper Handling of Exceptional Conditions in mmaitre314 picklescan

CVE-2025-9972: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Planet Technology ICG-2510WG-LTE (EU/US)

CVE-2025-10155: CWE-20 Improper Input Validation in mmaitre314 picklescan

CVE-2025-0420: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Paraşüt Software Paraşüt

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility