In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between November 29-30, 2025.
During this period, the National Vulnerability Database published 27 new Common Vulnerabilities and Exposures (CVEs), classified by severity as follows:
Critical: 1
High: 2
Medium: 9
Low: 1
Severity Not Assigned: 14
Identifying and understanding these vulnerabilities are pivotal steps towards strengthening security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2025-65112
Base Score: 9.4
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.5
Description: PubNet is a self-hosted Dart & Flutter package service. Prior to version 1.1.3, the /api/storage/upload endpoint in PubNet allows unauthenticated users to upload packages as any user by providing arbitrary author-id values. This enables identity spoofing, privilege escalation, and supply chain attacks. This issue has been patched in version 1.1.3.
References: https://github.com/ricardoboss/PubNet/security/advisories/GHSA-pg82-fqrg-q6j5
CWE-ID: CWE-306 CWE-862
Common Platform Enumerations (CPE): Not Found
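The PubNet issue above is a combination of a missing authentication check (CWE-306) and missing authorization (CWE-862): the server accepted whatever author-id the client sent. The following is an added illustration, not PubNet's code, of a generic package upload handler in the vulnerable shape beside the hardened shape, where the author is derived from the authenticated session and any client-supplied author-id is only accepted if it matches. The request/session objects and the in-memory stores are constructed for the example.

```python
"""Added example: trusting a client-supplied author id versus deriving it
from the authenticated session. Not PubNet's code; all names are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed session store: opaque session token -> authenticated user id.
SESSIONS: Dict[str, str] = {"tok-alice": "alice"}

# Constructed "published packages" table: (author, package name).
PUBLISHED: List[Tuple[str, str]] = []


@dataclass
class UploadRequest:
    form: Dict[str, str] = field(default_factory=dict)
    session_token: Optional[str] = None


def vulnerable_upload(req: UploadRequest) -> Tuple[int, Optional[str]]:
    """Vulnerable shape: no authentication, author taken from the form.

    Returns (http_status, recorded_author). Any caller can publish as any
    author simply by choosing the author-id value."""
    author = req.form["author-id"]
    PUBLISHED.append((author, req.form["package"]))
    return 200, author


def hardened_upload(req: UploadRequest) -> Tuple[int, Optional[str]]:
    """Hardened shape: identity comes from the session, never from the form.

    401 when there is no valid session (CWE-306 fix), 403 when the client
    asks to publish as someone else (CWE-862 fix)."""
    user = SESSIONS.get(req.session_token or "")
    if user is None:
        return 401, None
    requested = req.form.get("author-id")
    if requested is not None and requested != user:
        # Log this server-side: a mismatch is a strong signal of spoofing attempts.
        return 403, None
    PUBLISHED.append((user, req.form["package"]))
    return 200, user


if __name__ == "__main__":
    spoof = UploadRequest(form={"author-id": "alice", "package": "evil_pkg"})
    print("vulnerable:", vulnerable_upload(spoof))          # (200, 'alice')
    print("hardened, no session:", hardened_upload(spoof))  # (401, None)
    spoof.session_token = "tok-mallory"                     # unknown token
    print("hardened, bad session:", hardened_upload(spoof)) # (401, None)
```

The detection angle is the 403 branch: a client that is authenticated as one user but supplies a different author-id should be logged and counted, because in a package registry that pattern is the precursor to exactly the supply-chain outcome the advisory describes.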
2. CVE-2025-53896
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.2
Description: Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, a bug in Kiteworks MFT could cause under certain circumstances that a user's active session would not properly time out due to inactivity. This issue has been patched in version 9.1.0.
References: https://github.com/kiteworks/security-advisories/security/advisories/GHSA-23h2-3jj8-58hm
CWE-ID: CWE-613
Common Platform Enumerations (CPE): Not Found
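CWE-613 (insufficient session expiration) is the weakness class behind the Kiteworks MFT entry above. As an added example that is not Kiteworks code, the session store below enforces both an inactivity (idle) timeout and an absolute lifetime, with an injectable clock so the expiry logic can be exercised without waiting. The timeout values and the token format are assumptions chosen for the example.

```python
"""Added example: a session store that enforces idle and absolute timeouts
(CWE-613 mitigation). Not Kiteworks code; all names are assumed."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: str
    created_at: float   # monotonic seconds
    last_seen: float    # monotonic seconds, updated on each valid use


class SessionStore:
    def __init__(self, idle_timeout: float = 15 * 60,
                 absolute_timeout: float = 8 * 3600,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        """Issue a fresh, unguessable token for an authenticated user."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[token] = Session(user=user, created_at=now, last_seen=now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user for a live session, or None if absent or expired.

        An expired session is deleted on the spot so it cannot be revived by
        a later request; a live one has its last_seen slid forward."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self.clock()
        if (now - sess.last_seen > self.idle_timeout
                or now - sess.created_at > self.absolute_timeout):
            del self._sessions[token]
            return None
        sess.last_seen = now
        return sess.user

    def revoke(self, token: str) -> None:
        """Explicit logout: remove the session server-side."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    # Fake clock so the demo runs instantly.
    t = [0.0]
    store = SessionStore(idle_timeout=900, absolute_timeout=3600, clock=lambda: t[0])
    tok = store.create("alice")
    t[0] = 800;  print(store.validate(tok))   # alice (within idle window)
    t[0] = 1700; print(store.validate(tok))   # alice (idle window slid)
    t[0] = 2700; print(store.validate(tok))   # None  (idle for 1000 s > 900 s)
```

The check that matters for this CVE is the idle comparison: without it, a session stays valid for its full absolute lifetime regardless of user activity, which is the behaviour the advisory describes. Enforcing the check server-side (rather than relying on a client-side timer) is what makes it a control.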
3. CVE-2025-53899
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, the back-end of Kiteworks MFT is vulnerable to an incorrectly specified destination in a communication channel which allows an attacker with administrative privileges on the system under certain circumstances to intercept upstream communication which could lead to an escalation of privileges. This issue has been patched in version 9.1.0.
References: https://github.com/kiteworks/security-advisories/security/advisories/GHSA-5gx5-vcpp-8cr5
CWE-ID: CWE-941
Common Platform Enumerations (CPE): Not Found