Full Disclosure Mailing List
A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
List Archives
| Year | Jan | Feb | Mar | Apr | May | Jun | Jul | Aug | Sep | Oct | Nov | Dec |
|------|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| 2026 | 20 | – | – | – | – | – | – | – | – | – | – | – |
| 2025 | 24 | 20 | 9 | 32 | 24 | 28 | 40 | 19 | 80 | 33 | 22 | 37 |
| 2024 | 75 | 25 | 44 | 29 | 37 | 13 | 24 | 41 | 60 | 21 | 20 | 22 |
| 2023 | 29 | 17 | 27 | 14 | 28 | 10 | 52 | 33 | 21 | 32 | 15 | 30 |
| 2022 | 91 | 57 | 63 | 54 | 48 | 57 | 27 | 17 | 30 | 52 | 26 | 32 |
| 2021 | 84 | 93 | 81 | 77 | 81 | 60 | 72 | 39 | 59 | 79 | 56 | 50 |
| 2020 | 52 | 36 | 57 | 63 | 60 | 35 | 37 | 24 | 55 | 34 | 45 | 60 |
| 2019 | 71 | 54 | 64 | 41 | 52 | 49 | 40 | 37 | 45 | 59 | 34 | 37 |
| 2018 | 102 | 84 | 79 | 61 | 73 | 46 | 95 | 53 | 57 | 54 | 69 | 56 |
| 2017 | 99 | 103 | 91 | 113 | 108 | 52 | 95 | 58 | 98 | 71 | 51 | 89 |
| 2016 | 100 | 128 | 97 | 93 | 75 | 79 | 89 | 139 | 85 | 103 | 162 | 88 |
| 2015 | 134 | 101 | 165 | 115 | 133 | 112 | 126 | 86 | 121 | 115 | 111 | 129 |
| 2014 | 194 | 273 | 434 | 325 | 213 | 173 | 167 | 89 | 115 | 135 | 103 | 138 |
| 2013 | 282 | 162 | 290 | 263 | 227 | 259 | 277 | 303 | 187 | 294 | 222 | 224 |
| 2012 | 611 | 477 | 390 | 382 | 323 | 428 | 394 | 393 | 210 | 277 | 236 | 280 |
| 2011 | 580 | 687 | 439 | 561 | 572 | 565 | 367 | 393 | 370 | 995 | 466 | 511 |
| 2010 | 637 | 502 | 564 | 452 | 408 | 631 | 417 | 445 | 414 | 523 | 342 | 696 |
| 2009 | 979 | 380 | 465 | 318 | 282 | 291 | 550 | 455 | 421 | 339 | 386 | 502 |
| 2008 | 615 | 496 | 600 | 821 | 681 | 403 | 591 | 557 | 639 | 531 | 739 | 634 |
| 2007 | 593 | 629 | 573 | 744 | 555 | 661 | 662 | 530 | 709 | 935 | 582 | 641 |
| 2006 | 992 | 740 | 1865 | 865 | 789 | 1058 | 770 | 771 | 578 | 678 | 545 | 493 |
| 2005 | 927 | 676 | 950 | 654 | 678 | 437 | 766 | 1078 | 890 | 677 | 1065 | 1531 |
| 2004 | 1358 | 1534 | 1499 | 1153 | 1451 | 1031 | 1370 | 1314 | 1091 | 1174 | 1424 | 731 |
| 2003 | 505 | 405 | 296 | 500 | 421 | 890 | 1251 | 1942 | 1763 | 1806 | 1123 | 782 |
| 2002 | – | – | – | – | – | – | 314 | 835 | 684 | 381 | 454 | 313 |
Latest Posts
[REVIVE-SA-2026-001] Revive Adserver Vulnerabilities
Matteo Beccati (Jan 14)
========================================================================
Revive Adserver Security Advisory REVIVE-SA-2026-001
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2026-001
------------------------------------------------------------------------
Date: 2026-01-14
Risk Level: High
Applications affected: Revive...
Defense in depth -- the Microsoft way (part 95): the (shared) "Start Menu" is dispensable
Stefan Kanthak via Fulldisclosure (Jan 10)
Hi @ll,
the following is a condensed form of
<https://skanthak.hier-im-netz.de/whispers.html#whisper3> and
<https://skanthak.hier-im-netz.de/whispers.html#whisper4>.
Windows Vista moved the shared start menu from "%ALLUSERSPROFILE%\Start Menu\"
to "%ProgramData%\Microsoft\Windows\Start Menu\", with some shortcuts (*.lnk)
"reflected" from the (immutable) component store below %SystemRoot%\WinSxS\
JFTR:...
Re: Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)
Art Manion via Fulldisclosure (Jan 10)
Hi,
CVE IDs *can* be assigned for SaaS or similarly "cloud only" software. For a period of time, there was a restriction
that only the provider could make or request such an assignment. But the current CVE rules remove this restriction:
4.2.3 CNAs MUST NOT consider the type of technology (e.g., cloud, on-premises, artificial intelligence, machine
learning) as the sole basis for determining assignment.
It would have been...
RIOT OS 2026.01-devel-317 Stack-Based Buffer Overflow in RIOT ethos Serial Frame Parser
Ron E (Jan 10)
A stack-based buffer overflow vulnerability exists in the RIOT OS ethos
utility due to missing bounds checking when processing incoming serial
frame data. The vulnerability occurs in the _handle_char() function, where
incoming frame bytes are appended to a fixed-size stack buffer
(serial->frame) without verifying that the current write index
(serial->framebytes) remains within bounds. An attacker capable of sending
crafted serial or...
RIOT OS 2026.01-devel-317 Stack-Based Buffer Overflow in tapslip6 Utility via Unbounded Device Path Construction
Ron E (Jan 10)
A stack-based buffer overflow vulnerability exists in the tapslip6 utility
distributed with RIOT OS (and derived from the legacy uIP/Contiki
networking tools). The vulnerability is caused by unsafe string
concatenation in the devopen() function, which constructs a device path
using unbounded user-controlled input.
Specifically, tapslip6 uses strcpy() and strcat() to concatenate the fixed
prefix "/dev/" with a user-supplied device name...
TinyOS 2.1.2 Stack-Based Buffer Overflow in mcp2200gpio
Ron E (Jan 10)
A stack-based buffer overflow vulnerability exists in the mcp2200gpio
utility due to unsafe use of strcpy() and strcat() when constructing device
paths during automatic device discovery. A local attacker can trigger the
vulnerability by creating a specially crafted filename under /dev/usb/,
resulting in stack memory corruption and a process crash. In non-hardened
builds, this may lead to arbitrary code execution.
*Root Cause:*
The vulnerability...
TinyOS 2.1.2 printfUART Global Buffer Overflow via Unbounded Format Expansion
Ron E (Jan 10)
A global buffer overflow vulnerability exists in the TinyOS printfUART
implementation used within the ZigBee / IEEE 802.15.4 networking stack. The
issue arises from an unsafe custom sprintf() routine that performs
unbounded string concatenation using strcat() into a fixed-size global
buffer. The global buffer debugbuf, defined with a size of 256 bytes, is
used as the destination for formatted output. When a %s format specifier is
supplied with a...
KL-001-2026-01: yintibao Fun Print Mobile Unauthorized Access via Context Hijacking
KoreLogic Disclosures via Fulldisclosure (Jan 08)
KL-001-2026-01: yintibao Fun Print Mobile Unauthorized Access via Context Hijacking
Title: yintibao Fun Print Mobile Unauthorized Access via Context Hijacking
Advisory ID: KL-001-2026-001
Publication Date: 2026-01-08
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2026-001.txt
1. Vulnerability Details
Affected Vendor: yintibao
Affected Product: Fun Print Mobile
Affected Version: 6.05.15
...
Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)
Yuffie Kisaragi via Fulldisclosure (Jan 05)
UPDATE:
Following the publication of these vulnerabilities and the subsequent CVE
assignments, the CVE identifiers have now been revoked.
The vendor (EQS Group) contacted the CVE Program (via a CNA) and disputed the
records, stating that the affected product is an exclusively hosted SaaS
platform with no customer-managed deployment or versioning. Based on this
argument, the CVE Program concluded that CVE assignment is “not a suitable...
Panda3d v1.10.16 Uncontrolled Format String in Panda3D egg-mkfont Allows Stack Memory Disclosure
Ron E (Jan 05)
Panda3D’s egg-mkfont utility contains an uncontrolled format string
vulnerability that allows disclosure of stack-resident memory. The -gp
(glyph pattern) command-line option allows users to specify a formatting
pattern intended for generating glyph texture filenames. This pattern is
passed directly as the format string to sprintf() without validation or
sanitization. If the supplied pattern contains additional format specifiers
beyond the...
Panda3d v1.10.16 egg-mkfont Stack Buffer Overflow
Ron E (Jan 05)
A stack-based buffer overflow vulnerability exists in the Panda3D
egg-mkfont utility due to the use of an unbounded sprintf() call with
attacker-controlled input. By supplying an excessively long glyph pattern
string via the -gp command-line option, an attacker can trigger a stack
buffer overflow, resulting in a deterministic crash of the egg-mkfont
process.
*Technical Details:*
The vulnerability occurs when egg-mkfont constructs output glyph...
Panda3d v1.10.16 deploy-stub Unbounded Stack Allocation Leading to Uninitialized Memory
Ron E (Jan 05)
A memory safety vulnerability exists in the Panda3D deploy-stub executable
due to unbounded stack allocation using attacker-controlled input. The
issue allows a local attacker to trigger stack exhaustion and subsequent
use of uninitialized memory during Python interpreter initialization,
resulting in a reliable crash and undefined behavior. The vulnerability is
confirmed by MemorySanitizer (MSAN) as a use-of-uninitialized-value
originating from...
MongoDB v8.3.0 Integer Underflow in LMDB mdb_load
Ron E (Jan 05)
This integer underflow vulnerability enables heap metadata corruption and
information disclosure through carefully crafted LMDB dump files.
*Impact:*
- *Denial of Service*: Immediate crash (confirmed)
- *Information Disclosure*: Heap metadata leak via OOB read
Root Cause: The readline() function fails to validate that the input line
length is non-zero before performing decrement operations, causing integer
underflow. An attacker can craft...
Bioformats v8.3.0 Untrusted Deserialization of Bio-Formats Memoizer Cache Files
Ron E (Jan 05)
Bio-Formats performs unsafe Java deserialization of attacker-controlled
memoization cache files (.bfmemo) during image processing. The
loci.formats.Memoizer class automatically loads and deserializes memo files
associated with images without validation, integrity checks, or trust
enforcement.
An attacker can exploit this behavior by supplying a crafted or corrupted
.bfmemo file—either fully attacker-controlled or derived from a legitimate
memo...
Bioformats v8.3.0 Improper Restriction of XML External Entity Reference in Bio-Formats Leica Microsystems XML Parser
Ron E (Jan 05)
Bio-Formats contains an XML External Entity (XXE) vulnerability in the
Leica Microsystems metadata parsing component. The vulnerability is caused
by the use of an insecurely configured DocumentBuilderFactory when
processing Leica XML-based metadata files (e.g., XLEF). When a crafted XML
file is supplied, the parser allows external entity resolution and external
DTD loading, enabling attackers to trigger arbitrary outbound network
requests, access...
More Lists
Dozens of other network security lists are archived at SecLists.Org.
