LiveActive security incident?Get immediate response
CVE archive

December 2025

Browse CVE records published in December 2025, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 4378 matching CVEs · Page 1 of 88.

Medium · CVSS 4.2

CVE-2025-67780: SpaceX Starlink Dish devices with firmware 2024.12.04.mr46620 (e.g., on Mini1_prod2) allow administrative a...

SpaceX Starlink Dish devices with firmware 2024.12.04.mr46620 (e.g., on Mini1_prod2) allow administrative actions via unauthenticated LAN gRPC requests, aka MARMALADE 2. The cross-origin policy can be bypassed by omitting a Referer header. In some cases, an attacker's ability to read tilt, rotation, and elevation data via gRPC can make it easier to infer the geographical location of the dish. NOTE: this is disputed by the Supplier because unauthenticated LAN gRPC is intended behavior for certain mobile app integration, and because the cross-origin policy is correctly enforced for gRPC-Web (port 9201), i.e., it is not a valid vulnerability report.

Published Dec 11, 2025 · Updated Jul 9, 2026

Critical · CVSS 10

CVE-2025-67288: An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by...

An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsibility for file validation (as shown in the documentation) belongs to the system administrator who is implementing Umbraco CMS in their environment, not to Umbraco CMS itself. The Supplier also states that PDF JavaScript runs in a completely isolated sandbox, not the browser's DOM context, which means that privilege boundaries would not be crossed, a related issue to CVE-2023-49279.

Published Dec 22, 2025 · Updated Jul 8, 2026

Critical · CVSS 9.8

CVE-2025-65856: Authentication bypass vulnerability in Xiongmai XM530 IP cameras on Firmware V5.00.R02.000807D8.10010.34662...

Authentication bypass vulnerability in Xiongmai XM530 IP cameras on Firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 allows unauthenticated remote attackers to access sensitive device information and live video streams. The ONVIF implementation fails to enforce authentication on 31 critical endpoints, enabling direct unauthorized video stream access.

Published Dec 22, 2025 · Updated Jul 5, 2026

High · CVSS 7.5

CVE-2025-65568: A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-p...

A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. After PFCP association, a PFCP Session Establishment Request that includes a CreateFAR with an empty or truncated IPv4 address field is not properly validated. During parsing, parseFAR() calls ip2int(), which performs an out-of-bounds read on the IPv4 address buffer and triggers an index-out-of-range panic. An attacker who can send PFCP Session Establishment Request messages to the UPF's N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF and disrupt user-plane services.

Published Dec 18, 2025 · Updated Jul 5, 2026

Medium · CVSS 6.2

CVE-2025-65841: Aquarius Desktop 3.0.069 for macOS stores user authentication credentials in the local file ~/Library/Appli...

Aquarius Desktop 3.0.069 for macOS stores user authentication credentials in the local file ~/Library/Application Support/Aquarius/aquarius.settings using a weak obfuscation scheme. The password is "encrypted" through predictable byte-substitution that can be trivially reversed, allowing immediate recovery of the plaintext value. Any attacker who can read this settings file can fully compromise the victim's Aquarius account by importing the stolen configuration into their own client or login through the vendor website. This results in complete account takeover, unauthorized access to cloud-synchronized data, and the ability to perform authenticated actions as the user.

Published Dec 3, 2025 · Updated Jul 5, 2026

Critical · CVSS 9.8

CVE-2025-56157: Default credentials in Dify thru 1.5.1.

Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file included in its source code. NOTE: the Supplier reports that the Docker configuration does not make PostgreSQL (on TCP port 5432) exposed by default in version 1.0.1 or later.

Published Dec 18, 2025 · Updated Jul 5, 2026

Critical · CVSS 9.8

CVE-2025-67418: ClipBucket 5.5.2 is affected by an improper access control issue where the product is shipped or deployed w...

ClipBucket 5.5.2 is affected by an improper access control issue where the product is shipped or deployed with hardcoded default administrative credentials. An unauthenticated remote attacker can log in to the administrative panel using these default credentials, resulting in full administrative control of the application.

Published Dec 22, 2025 · Updated Jul 5, 2026

Medium · CVSS 6.5

CVE-2025-65828: An unauthenticated attacker within proximity of the Meatmeet device can issue several commands over Bluetoo...

An unauthenticated attacker within proximity of the Meatmeet device can issue several commands over Bluetooth Low Energy (BLE) to these devices which would result in a Denial of Service. These commands include: shutdown, restart, clear config. Clear config would disassociate the current device from its user and would require re-configuration to re-enable the device. As a result, the end user would be unable to receive updates from the Meatmeet base station which communicates with the cloud services until the device had been fixed or turned back on.

Published Dec 10, 2025 · Updated Jul 5, 2026