
Latest Security Advisories
Alert date:
14 January 2026 at 21:03:18
tenable.com
CVE-2025-64155 is a critical command injection vulnerability affecting Fortinet FortiSIEM devices with a CVSS score of 9.4. The vulnerability allows remote, unauthenticated attackers to execute arbitrary code through specially crafted requests. Public exploit code has been released by Horizon3.ai researchers, significantly increasing the risk of exploitation. Fortinet has released fixes in versions 7.1.9, 7.2.7, 7.3.5, and 7.4.1 and later of the respective branches, while older branches require migration to a fixed release. The vulnerability affects multiple FortiSIEM versions from 6.7.0 through 7.4.0; FortiSIEM 7.5 and the Cloud versions are unaffected. Given Fortinet's history of being targeted by attackers (23 CVEs on the CISA KEV list), this vulnerability is expected to be actively exploited soon.
Alert date:
14 January 2026 at 21:03:18
nvd.nist.gov
Tenda AX-1806 router version v1.0.0.1 contains a stack overflow vulnerability in the serviceName parameter of the sub_65A28 function. This vulnerability can be exploited by attackers through crafted requests to cause a Denial of Service (DoS) condition. The flaw represents a buffer overflow issue that could potentially allow attackers to disrupt router operations and network connectivity. The vulnerability has been assigned CVE-2025-70747 and affects the specific firmware version mentioned. Proof of concept details are available through security research documentation.
Alert date:
14 January 2026 at 21:03:18
nvd.nist.gov
CVE-2025-71021 affects Tenda AX-1806 router firmware version 1.0.0.1. The vulnerability is a stack overflow in the serverName parameter of the sub_65A28 function. Attackers can exploit this flaw by sending a crafted request to the device. The successful exploitation results in a Denial of Service (DoS) condition. This is a buffer overflow vulnerability affecting network infrastructure equipment. The vulnerability allows remote attackers to disrupt router operations through malicious requests.
Alert date:
14 January 2026 at 20:01:57
nvd.nist.gov
Rocket.Chat versions up to 6.12.0 contain a vulnerability where the OAuth apps API endpoint is exposed to any authenticated user regardless of permissions. The GET /api/v1/oauth-apps.get endpoint returns OAuth application details including sensitive client_id and client_secret fields when users know the application ID. This represents an authorization bypass that could lead to OAuth credential exposure. The vulnerability is fixed in version 6.12.0.
Alert date:
14 January 2026 at 20:01:57
nvd.nist.gov
Shopware open commerce platform contains a vulnerability from version 6.7.0.0 to before 6.7.6.1 that represents a regression of CVE-2023-2017. The vulnerability involves crafted PHP Closures not being properly checked against an allow list for the map() override function. This security flaw allows potential code execution through improper validation of PHP closures. The issue has been addressed in version 6.7.6.1 with proper fixes implemented.
Alert date:
14 January 2026 at 20:01:57
nvd.nist.gov
Pimcore, an Open Source Data & Experience Management Platform, contains a SQL injection vulnerability in the Admin Search Find API that affects versions prior to 12.3.1 and 11.5.14. The vulnerability stems from an incomplete patch for CVE-2023-30848, which attempted to mitigate SQL injection by removing SQL comments and catching syntax errors but was insufficient. Authenticated attackers can exploit this flaw to perform blind SQL injection attacks without relying on comments, potentially leading to database information disclosure through the admin interface. The vulnerability has been fixed in versions 12.3.1 and 11.5.14.
Alert date:
14 January 2026 at 20:01:57
thehackernews.com
Black Lotus Labs at Lumen Technologies has null-routed traffic to over 550 command-and-control nodes associated with the AISURU/Kimwolf botnet since October 2025. AISURU and its Android counterpart Kimwolf have emerged as some of the largest botnets in recent times, capable of directing infected devices to participate in distributed denial-of-service attacks. According to the article's title, the botnet has infected over 2 million devices. This represents a significant takedown operation against a major botnet that was actively compromising millions of devices globally.
Alert date:
14 January 2026 at 19:01:05
socket.dev
Node.js patched a critical bug where AsyncLocalStorage could cause stack overflows to bypass error handlers and terminate production servers with exit code 7. The issue affected virtually every production Node.js app using async context tracking, including React Server Components, Next.js, and APM tools. Stack overflow errors would crash the entire server process instead of surfacing as catchable RangeErrors. The fix was included in security releases for Node.js versions 20.20.0, 22.22.0, 24.13.0, and 25.3.0; Node.js 24 and later were less affected because AsyncLocalStorage had been reimplemented there.
Alert date:
14 January 2026 at 19:01:04
bleepingcomputer.com
A critical command injection vulnerability has been discovered in Fortinet's FortiSIEM solution that allows remote, unauthenticated attackers to execute arbitrary commands or code. Technical details and public exploit code have been published for this vulnerability, significantly increasing the risk of exploitation. The flaw affects Fortinet's Security Information and Event Management platform, which is widely used in enterprise environments for security monitoring and analysis. Organizations using FortiSIEM should prioritize patching this vulnerability due to its critical severity and the availability of public exploit code.
Alert date:
14 January 2026 at 18:00:46
nvd.nist.gov
FreeImage version 3.18.0 contains a Use After Free vulnerability in the PluginTARGA.cpp file, specifically in the loadRLE() function. This memory corruption vulnerability could potentially allow attackers to execute arbitrary code or cause application crashes when processing malicious TARGA image files. The vulnerability has been documented with proof-of-concept code available on GitHub. Use After Free vulnerabilities are particularly dangerous because they can lead to remote code execution in applications that process untrusted image files. Organizations using the FreeImage library should assess their exposure and consider updating or implementing mitigations.
Alert date:
14 January 2026 at 17:02:19
nvd.nist.gov
Critical sandbox escape vulnerability in enclave-vm (versions prior to 2.7.0) allows untrusted JavaScript code to execute arbitrary code in the host Node.js runtime. The vulnerability occurs when tool invocation fails and exposes a host-side Error object to sandboxed code. Attackers can traverse the Error object's prototype chain to reach the host Function constructor, enabling arbitrary JavaScript compilation and execution in the host context. This completely bypasses the sandbox security model and grants access to sensitive resources including process environment, filesystem, and network. The vulnerability has been fixed in version 2.7.0.
Alert date:
14 January 2026 at 17:02:19
microsoft.com
Microsoft's Digital Crimes Unit investigated and disrupted RedVDS, a virtual desktop service provider that was facilitating worldwide cybercriminal operations. The investigation revealed a global network of disparate cybercriminals who were purchasing and using RedVDS services to target multiple sectors. Microsoft collaborated with law enforcement agencies worldwide to disrupt the RedVDS infrastructure and related criminal operations. This represents a significant takedown of cybercriminal infrastructure that was enabling attacks across various industries globally.
Alert date:
14 January 2026 at 17:02:19
nvd.nist.gov
CVE-2026-23550 is an Incorrect Privilege Assignment vulnerability in Modular DS that allows privilege escalation attacks. The vulnerability affects all versions of Modular DS from the initial release through version 2.5.1. This security flaw enables attackers to escalate their privileges within the system, potentially gaining unauthorized access to sensitive functions or data. The vulnerability has been assigned a high criticality rating. Patches and security updates are available through Modular DS version 2.5.2 to address this privilege escalation issue.
Alert date:
14 January 2026 at 17:02:19
nvd.nist.gov
The Integration Opvius AI for WooCommerce WordPress plugin versions up to 1.3.0 contains a critical path traversal vulnerability. The process_table_bulk_actions() function lacks authentication checks, nonce verification, and path validation when processing user-supplied file paths. Unauthenticated attackers can exploit this via the wsaw-log[] POST parameter to delete or download arbitrary server files. This vulnerability can be leveraged to delete critical files like wp-config.php or access sensitive configuration data, posing a significant security risk to affected WordPress installations.
Alert date:
14 January 2026 at 17:02:19
nvd.nist.gov
The News and Blog Designer Bundle plugin for WordPress contains a Local File Inclusion vulnerability in versions up to 1.1. The vulnerability exists in the template parameter and allows unauthenticated attackers to include and execute arbitrary PHP files on the server. This can lead to code execution, bypassing access controls, and obtaining sensitive data. The vulnerability affects all versions up to and including 1.1 of the plugin.
Alert date:
14 January 2026 at 16:00:46
bleepingcomputer.com
ConsentFix is a new OAuth phishing technique that abuses browser-based authorization flows to hijack Microsoft accounts. Push Security provides insights from continued tracking and community research into this evolving attack method. The technique represents a sophisticated approach to account takeover through OAuth abuse. Attackers are continuing to evolve their techniques as the campaign progresses. The attack specifically targets Microsoft account credentials through authorization flow manipulation.
Alert date:
14 January 2026 at 15:01:03
thehackernews.com
Security researchers have identified an active malware campaign exploiting a DLL side-loading vulnerability in the c-ares library. Attackers are pairing a malicious libcares-2.dll with legitimate signed ahost.exe binaries to bypass security controls. The campaign is being used to deploy various commodity trojans and stealers while evading detection through the abuse of legitimate software components.
Alert date:
14 January 2026 at 15:01:03
bleepingcomputer.com
Researchers discovered a new attack method called 'Reprompt' that enables attackers to infiltrate Microsoft Copilot sessions and execute commands to exfiltrate sensitive data. This attack technique poses a significant threat to organizations using Microsoft Copilot as it can compromise AI assistant sessions and potentially lead to data breaches. The vulnerability allows unauthorized access to user sessions through manipulation of AI prompts. The attack method represents a new class of AI-specific security threats targeting popular enterprise AI tools.
Alert date:
14 January 2026 at 13:07:04
thehackernews.com
Fortinet has released updates to fix a critical security flaw in FortiSIEM that could allow unauthenticated attackers to achieve remote code execution. The vulnerability, tracked as CVE-2025-64155, is an OS command injection flaw with a CVSS score of 9.4 out of 10.0. The flaw is caused by improper neutralization of special elements used in OS commands, allowing attackers to execute arbitrary code on vulnerable FortiSIEM instances without authentication. This represents a significant security risk for organizations using FortiSIEM for security information and event management.
Alert date:
14 January 2026 at 11:36:08
nvd.nist.gov
The Integration Opvius AI for WooCommerce plugin for WordPress contains a critical path traversal vulnerability affecting all versions up to 1.3.0. The vulnerability exists in the process_table_bulk_actions() function which processes user-supplied file paths without proper authentication checks, nonce verification, or path validation. Unauthenticated attackers can exploit this via the wsaw-log[] POST parameter to delete or download arbitrary files on the server. This can lead to deletion of critical files like wp-config.php or unauthorized access to sensitive configuration files, making it a high-severity security risk for WordPress sites using this plugin.
Alert date:
14 January 2026 at 11:36:08
nvd.nist.gov
CVE-2026-23550 is an Incorrect Privilege Assignment vulnerability affecting Modular DS versions through 2.5.1. The vulnerability allows privilege escalation, potentially enabling attackers to gain elevated access rights within the affected system. This appears to be related to a WordPress plugin called Modular DS Monitor that handles website updates and backups. The vulnerability has been assigned a high criticality rating, indicating significant potential impact. Organizations using Modular DS versions up to and including 2.5.1 should prioritize patching to prevent potential privilege escalation attacks.
Alert date:
14 January 2026 at 11:36:08
thehackernews.com
Microsoft released its first security update for 2026, addressing 114 security flaws in Windows. One vulnerability has been actively exploited in the wild. Of the 114 flaws, 8 are rated Critical and 106 are rated Important in severity. The vulnerabilities include 58 privilege escalation flaws, 22 information disclosure issues, and 21 remote code execution vulnerabilities. This represents a significant monthly patch release with active exploitation occurring.
Alert date:
14 January 2026 at 11:36:08
nvd.nist.gov
The News and Blog Designer Bundle plugin for WordPress contains a Local File Inclusion vulnerability in all versions up to 1.1. The vulnerability exists in the template parameter and allows unauthenticated attackers to include and execute arbitrary PHP files on the server. This can lead to execution of malicious PHP code, bypassing access controls, obtaining sensitive data, or achieving code execution when PHP files can be uploaded and included. The vulnerability affects the plugin's AJAX functionality and poses a high security risk.
Alert date:
14 January 2026 at 09:00:58
thehackernews.com
Node.js released critical security updates to fix a vulnerability affecting virtually every production Node.js application. The issue involves the async_hooks feature causing stack overflow conditions that can trigger denial-of-service attacks. The vulnerability exploits Node.js/V8's stack space exhaustion recovery mechanism that frameworks rely on for service availability. This represents a critical threat to Node.js-based production environments due to its widespread impact potential.
Alert date:
14 January 2026 at 09:00:58
bleepingcomputer.com
Monroe University disclosed a cyberattack in December 2024 that resulted in a significant data breach affecting over 320,000 individuals. Threat actors successfully breached the university's systems and stole personal, financial, and health information belonging to students, faculty, staff, and other associated individuals. The breach represents a major security incident for the educational institution, exposing sensitive data that could be used for identity theft and other malicious purposes. The university has likely begun notification processes for affected individuals and is working to secure their systems and prevent future incidents.
Alert date:
14 January 2026 at 08:00:41
thehackernews.com
CERT-UA disclosed cyber attacks targeting Ukrainian defense forces using PLUGGYAPE malware between October and December 2025. The attacks are attributed with medium confidence to the Russian hacking group Void Blizzard (aka Laundry Bear or UAC-0190). The malware leverages the Signal and WhatsApp messaging platforms in its attack methodology. This represents ongoing cyber warfare activity against Ukrainian military infrastructure. The threat actor has been active since at least the timeframes covered in earlier reporting.
Alert date:
14 January 2026 at 01:01:17
nvd.nist.gov
A critical sandbox escape vulnerability in enclave-vm prior to version 2.7.0 allows untrusted JavaScript code to execute arbitrary code in the host Node.js runtime. The vulnerability occurs when tool invocations fail and enclave-vm exposes a host-side Error object to sandboxed code. Attackers can traverse the prototype chain to reach the host Function constructor, enabling arbitrary JavaScript execution in the host context. This bypasses the sandbox entirely, granting access to sensitive resources including process.env, filesystem, and network. The vulnerability breaks enclave-vm's core security guarantee of isolating untrusted code and has been fixed in version 2.7.0.
Alert date:
14 January 2026 at 00:01:19
bleepingcomputer.com
Ukraine's Defense Forces officials were targeted in a charity-themed malware campaign between October and December 2025. The campaign delivered backdoor malware called PluggyApe through deceptive charity-related communications. This represents a targeted attack against military personnel using social engineering tactics focused on charitable activities. The timing and targeting suggest this may be part of ongoing cyber warfare activities against Ukrainian military infrastructure.
Alert date:
13 January 2026 at 23:01:20
bleepingcomputer.com
A newly discovered advanced cloud-native Linux malware framework named VoidLink has been identified targeting cloud environments. The sophisticated framework provides attackers with custom loaders, implants, rootkits, and plugins specifically designed for modern cloud infrastructures. VoidLink represents a significant threat to Linux-based cloud servers and demonstrates the evolution of malware targeting cloud-native environments. The framework's modular design allows for flexible deployment and persistence in compromised cloud systems.
Alert date:
13 January 2026 at 22:01:39
nvd.nist.gov
A heap-based buffer overflow vulnerability (CVE-2026-22861) exists in the iccDEV library prior to version 2.3.1.2. The vulnerability is located in the SIccCalcOp::Describe() function at IccProfLib/IccMpeCalc.cpp and affects users who process ICC color management profiles. iccDEV provides libraries and tools for interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. The vulnerability has been fixed in version 2.3.1.2. This buffer overflow could potentially allow attackers to execute arbitrary code or cause denial of service when processing malicious ICC profiles.
Alert date:
13 January 2026 at 22:01:39
unit42.paloaltonetworks.com
MongoDB disclosed CVE-2025-14847, nicknamed MongoBleed, which is an unauthenticated memory disclosure vulnerability. The vulnerability has a high CVSS score of 8.7, indicating significant security impact. This is a memory disclosure issue that affects the MongoDB database platform. The vulnerability allows unauthenticated attackers to potentially access sensitive information from memory. Given the high CVSS score and the nature of the vulnerability affecting a widely-used database platform, this represents a significant security concern for organizations using MongoDB.
Alert date:
13 January 2026 at 21:04:42
discuss.elastic.co
An Information Disclosure vulnerability (CVE-2025-66566) exists in the yawkat LZ4 Java library used by Elasticsearch that allows attackers to read previous buffer contents through specially crafted compressed input sent via the transport layer. The vulnerability affects Elasticsearch versions 7.14.0 through 7.17.29, 8.0.0 through 8.19.9, and multiple 9.x versions. Users should upgrade to versions 8.19.10, 9.1.10, or 9.2.4. Workarounds include switching to deflate compression or disabling compression entirely. The vulnerability has a high CVSS score of 8.4.
Alert date:
13 January 2026 at 21:04:42
discuss.elastic.co
A high severity vulnerability (CVE-2026-0532) affects Kibana's Google Gemini connector, combining external control of file name/path (CWE-73) with Server-Side Request Forgery (CWE-918). Attackers with connector modification privileges can exploit this through specially crafted credentials JSON payloads to achieve arbitrary file disclosure and network requests. The vulnerability affects Kibana versions 8.15.0-8.19.9, 9.0.0-9.1.9, and 9.2.0-9.2.3. Users should upgrade to versions 8.19.10, 9.1.10, or 9.2.4, or disable the connector type as a temporary mitigation. The CVSS score is 8.6 (High), indicating significant risk to confidentiality.
Alert date:
13 January 2026 at 21:04:42
nvd.nist.gov
CVE-2026-22817 affects Hono Web application framework versions prior to 4.11.4. The vulnerability exists in the JWK/JWKS JWT verification middleware where the JWT header's algorithm value could influence signature verification when the selected JWK did not specify an algorithm. This flaw enables JWT algorithm confusion attacks, potentially allowing forged tokens to be accepted in certain configurations. The fix requires explicit specification of the algorithm option in JWT middleware to prevent algorithm confusion by ensuring verification algorithms are not derived from untrusted JWT header values.
Alert date:
13 January 2026 at 21:04:42
nvd.nist.gov
CVE-2026-22818 affects Hono Web application framework versions prior to 4.11.4. The vulnerability exists in the JWK/JWKS JWT verification middleware, which allowed JWT header algorithm specifications to influence signature verification when the selected JWK didn't explicitly define an algorithm. This flaw could enable JWT algorithm confusion attacks and allow forged tokens to be accepted in certain configurations. The issue has been fixed in version 4.11.4 by requiring an explicit allowlist of asymmetric algorithms and preventing the middleware from deriving verification algorithms from untrusted JWT header values.
Alert date:
13 January 2026 at 21:04:42
discuss.elastic.co
A security vulnerability (CVE-2026-0543) in Kibana's Email Connector allows authenticated attackers with view-level privileges to cause service unavailability through improper input validation. The vulnerability affects all Kibana 7.x versions, 8.x versions up to 8.19.9, and specific 9.x versions up to 9.1.9 and 9.2.3. Attackers can exploit specially crafted email address parameters to cause excessive allocation, resulting in complete service unavailability requiring manual restart. The issue has been patched in versions 8.19.10, 9.1.10, and 9.2.4. CVSS score is 6.5 (Medium severity) with high availability impact.
Alert date:
13 January 2026 at 21:04:42
bleepingcomputer.com
Belgian hospital AZ Monica was targeted in a cyberattack that forced administrators to shut down all servers as a precautionary measure. The attack disrupted hospital operations significantly, requiring the cancellation of scheduled medical procedures and the transfer of critical patients to other facilities. The hospital took immediate action to contain the incident by isolating their IT infrastructure. This represents a serious attack on healthcare infrastructure that directly impacted patient care and safety. The incident highlights the growing threat to healthcare organizations and critical infrastructure from cybercriminals.
Alert date:
13 January 2026 at 21:04:42
nvd.nist.gov
A critical OS command injection vulnerability (CVE-2025-64155) affects multiple versions of Fortinet FortiSIEM, including versions 6.7.0 through 7.4.0. The vulnerability stems from improper neutralization of special elements used in OS commands. Attackers can exploit this flaw by sending crafted TCP requests to execute unauthorized code or commands on affected systems. The vulnerability impacts a wide range of FortiSIEM versions across major release branches. This represents a significant security risk for organizations using FortiSIEM for security information and event management.
Alert date:
13 January 2026 at 20:04:16
nvd.nist.gov
OpenC3 COSMOS versions 5.0.0 to 6.10.1 contain a critical remote code execution vulnerability in the JSON-RPC API. The vulnerability occurs when attacker-controlled parameter text is parsed using String#convert_to_value, which executes eval() for array-like inputs. Unauthenticated attackers can trigger Ruby code execution through the cmd code path before authorization checks occur. The vulnerability affects embedded systems command and control functionality. Fixed in version 6.10.2.
Alert date:
13 January 2026 at 20:04:16
ncsc.nl
Microsoft patched numerous vulnerabilities in Windows affecting various components, including a Secure Boot bypass, an exploited zero-day, and privilege escalation flaws. CVE-2026-21265 allows Secure Boot bypass and is publicly discussed. CVE-2026-20805 was exploited as a zero-day and requires local access. CVE-2023-31096 affects older Broadcom modem drivers and has known PoC code. The update addresses critical vulnerabilities in Windows Management Services, RRAS, and other core components with CVSS scores up to 8.8. Multiple privilege escalation and arbitrary code execution vulnerabilities were resolved across kernel, graphics, and system services.
Alert date:
13 January 2026 at 20:04:16
thehackernews.com
Cybersecurity researchers discovered a major web skimming campaign active since January 2022. The campaign targets multiple major payment networks including American Express, Diners Club, Discover, JCB Co., Ltd., Mastercard, and UnionPay. Enterprise organizations that are clients of these payment providers are most likely to be impacted. The campaign involves stealing credit card information from online checkout pages through web skimming techniques. Silent Push published a report detailing the long-running nature of this threat.
Alert date:
13 January 2026 at 20:04:16
cisa.gov
Microsoft Windows contains an information disclosure vulnerability identified as CVE-2026-20805. The vulnerability allows an authorized attacker to disclose information locally on affected Windows systems. This represents a security flaw in Microsoft Windows that could potentially expose sensitive information to attackers who have local access to the system. The vulnerability has been assigned a high criticality rating, indicating significant security implications for Windows environments.
Alert date:
13 January 2026 at 20:04:16
nvd.nist.gov
CVE-2025-71023 affects Tenda AX-3 router firmware version 16.03.12.10_CN with a stack overflow vulnerability in the fromAdvSetMacMtuWan function. The vulnerability is located in the mac2 parameter and allows attackers to cause a Denial of Service (DoS) through crafted requests. This is a buffer overflow vulnerability that could potentially be exploited remotely. The vulnerability affects network infrastructure equipment, making it particularly concerning for network security. The issue has been documented with proof-of-concept details available on GitHub.
Alert date:
13 January 2026 at 20:04:16
bleepingcomputer.com
Multiple current and former Target employees have confirmed that source code samples leaked by a threat actor are authentic and match real internal systems. The leak prompted Target to implement an accelerated lockdown of its Git server, now requiring VPN access for all connections. The confirmation came after BleepingComputer contacted the company about the leaked code. This represents a significant security incident for the major retailer, as source code exposure can lead to discovery of vulnerabilities and potential system compromises. The incident highlights the risks of inadequate source code repository security and the potential for insider threats or compromised developer access.
Alert date:
13 January 2026 at 19:02:07
cisa.gov
Multiple critical vulnerabilities have been discovered in the YoSmart YoLink Smart Hub ecosystem that allow remote control of other users' smart home devices, session hijacking, and data interception. Four CVEs affect different components: CVE-2025-59449 enables cross-account attacks due to insufficient authorization controls, CVE-2025-59452 uses predictable endpoint URLs derived from MAC addresses, CVE-2025-59448 transmits sensitive data over unencrypted MQTT, and CVE-2025-59451 involves session tokens with excessively long lifetimes. The vulnerabilities could allow attackers to gain full control over any YoLink user's devices worldwide. YoSmart has released patches and automatic updates to address these issues.
Alert date:
13 January 2026 at 19:02:07
cisa.gov
A denial-of-service vulnerability (CVE-2025-9368) affects Rockwell Automation 432ES-IG3 Series A GuardLink EtherNet/IP Interface. The vulnerability involves allocation of resources without limits or throttling, with CVSS score 7.5 (HIGH). Exploitation results in denial-of-service requiring manual power cycle to recover. Affected version V1.001 should be upgraded to V2.001.9 or later. The vulnerability impacts critical manufacturing infrastructure worldwide and was reported by Rockwell Automation to CISA.
Alert date:
13 January 2026 at 19:02:07
cisa.gov
CISA published an advisory for CVE-2025-12807, a high-severity SQL injection vulnerability in Rockwell Automation FactoryTalk DataMosaix Private Cloud versions 7.11, 8.00, and 8.01. The vulnerability allows low-privilege users to perform unauthorized sensitive database operations through exposed API endpoints. With a CVSS score of 8.8, successful exploitation could lead to unauthorized database access. Rockwell Automation has released version 8.01.02 as a fix for affected systems. The vulnerability affects critical manufacturing infrastructure worldwide.
Alert date:
13 January 2026 at 18:02:00
nvd.nist.gov
A security vulnerability in Semantic machines version 5.4.8 allows attackers to bypass authentication mechanisms by sending specially crafted HTTP requests to various API endpoints. This authentication bypass vulnerability could allow unauthorized access to protected resources and API functionality. The vulnerability has been assigned CVE-2025-66698 and affects the specific version 5.4.8 of the Semantic machines software. Proof of concept code appears to be available on GitHub, indicating potential for exploitation.
Alert date:
13 January 2026 at 18:02:00
thehackernews.com
Cybersecurity researchers discovered a malicious Google Chrome extension named MEXC API Automator that steals API keys from MEXC cryptocurrency exchange users. The extension masquerades as a legitimate trading automation tool while secretly harvesting sensitive API credentials. Despite having only 29 downloads, the extension remains available on the Chrome Web Store. The malware targets users of MEXC, a centralized cryptocurrency exchange operating in over 170 countries. This represents a significant threat to cryptocurrency traders who use browser extensions for trading automation.
Alert date:
13 January 2026 at 16:02:17
nvd.nist.gov
Memory safety vulnerabilities were discovered in Firefox 146 and Thunderbird 146 that could potentially allow arbitrary code execution. The bugs showed evidence of memory corruption, and Mozilla presumes they could be exploited with sufficient effort. The vulnerability affects Firefox versions prior to 147. Mozilla has released security advisories and bug reports documenting these issues. Users should update to Firefox 147 or later to mitigate the risk.
Alert date:
13 January 2026 at 16:02:17
nvd.nist.gov
A privilege escalation vulnerability has been identified in the Nessus Agent Tray App on Windows systems. The vulnerability occurs during the installation and uninstallation process of the application. This security flaw could allow attackers to escalate their privileges on affected Windows hosts. The vulnerability affects the Tenable Nessus Agent, a widely used vulnerability scanner component. Organizations using Nessus Agent on Windows should prioritize patching this vulnerability.
Alert date:
13 January 2026 at 14:00:40
bleepingcomputer.com
Multiple current and former Target employees confirmed that leaked source code samples posted by a threat actor are authentic and match real internal systems. Following contact from BleepingComputer, Target implemented an accelerated lockdown of its Git server infrastructure, now requiring VPN access for all connections. This represents a significant security incident involving the exposure of proprietary retail system source code. The rapid response suggests the leak poses substantial operational and security risks to Target's infrastructure. The incident highlights vulnerabilities in code repository security at major retail organizations.
Alert date:
13 January 2026 at 13:00:57
thehackernews.com
Cybersecurity researchers have discovered VoidLink, a previously undocumented and sophisticated malware framework specifically designed to target Linux-based cloud and container environments. The malware is engineered for long-term, stealthy access and persistence in cloud infrastructure. VoidLink is described as a feature-rich, cloud-native framework that comprises custom loaders, implants, rootkits, and modular components. The malware represents an advanced threat to cloud security, particularly targeting containerized environments. Check Point Research published details about this new threat, highlighting its advanced capabilities and cloud-focused design.
Alert date:
13 January 2026 at 12:01:15
unit42.paloaltonetworks.com
Unit 42 researchers identified remote code execution vulnerabilities in open-source AI/ML libraries published by major technology companies including Apple, Salesforce, and NVIDIA. These vulnerabilities affect modern AI/ML formats and libraries, potentially allowing attackers to execute arbitrary code remotely. The discovery highlights security risks in the rapidly expanding AI/ML ecosystem where libraries are widely used across various applications and platforms. Given the popularity and widespread adoption of AI/ML technologies, these vulnerabilities could have significant impact on organizations using affected libraries. The vulnerabilities were found in Python-based AI/ML libraries commonly used in machine learning workflows and applications.
Alert date:
13 January 2026 at 12:01:15
thehackernews.com
ServiceNow patched a critical security vulnerability (CVE-2025-12420) in its AI Platform with a CVSS score of 9.3. The flaw allows unauthenticated attackers to impersonate other users and perform arbitrary actions as that user. This represents a severe authentication bypass vulnerability in ServiceNow's enterprise platform that could lead to unauthorized access and privilege escalation. The high CVSS score indicates significant potential impact on confidentiality, integrity, and availability of affected systems.
Alert date:
13 January 2026 at 11:00:38
thehackernews.com
A new malware campaign called SHADOW#REACTOR uses a multi-stage attack chain to deliver Remcos RAT, a commercially available remote administration tool. The campaign employs an evasive infection process that starts with an obfuscated VBS launcher executed through wscript.exe. The attack is designed to establish persistent, covert remote access to compromised Windows systems through a tightly orchestrated execution path.
Alert date:
13 January 2026 at 09:00:37
thehackernews.com
CISA has warned of active exploitation of a high-severity vulnerability in Gogs, tracked as CVE-2025-8110 with a CVSS score of 8.7. The vulnerability relates to path traversal in the repository file editor that enables code execution. The flaw has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog due to confirmed active exploitation in the wild.
Alert date:
12 January 2026 at 23:02:09
nvd.nist.gov
WebErpMesv2, a resource management and manufacturing execution system for industry, contains a critical vulnerability in versions prior to 1.19. The application exposes multiple sensitive API endpoints without authentication middleware, allowing unauthenticated remote attackers to access business-critical data including companies, quotes, orders, tasks, and whiteboards. Attackers also have limited write access to create company records and manipulate collaboration whiteboards. This represents a significant security risk for manufacturing and industrial organizations using this system. The vulnerability has been addressed in version 1.19.
Alert date:
12 January 2026 at 23:02:09
nvd.nist.gov
Multiple SQL injection vulnerabilities were discovered in amansuryawanshi Gym-Management-System-PHP version 1.0. Vulnerabilities exist in three PHP files: submit_contact.php (name, email, comment parameters), secure_login.php (username, pass_key parameters), and change_s_pwd.php (login_id, pwfield, login_key parameters). Both unauthenticated and authenticated attackers can exploit these flaws to bypass authentication, execute arbitrary SQL commands, modify database records, delete data, or escalate privileges to administrator level. The vulnerabilities affect critical functions including contact submission, login authentication, and password change functionality.
Alert date:
12 January 2026 at 23:02:09
nvd.nist.gov
A vulnerability in the Appsmith platform allows attackers to manipulate Origin header values to redirect password reset and email verification links to attacker-controlled domains. The server fails to validate the Origin header before using it as the email link baseUrl. This leads to authentication token exposure and potential account takeover attacks. The vulnerability affects versions prior to 1.93 and has been patched in version 1.93. The attack vector exploits the email-based authentication flow by intercepting tokens meant for legitimate users.
Alert date:
12 January 2026 at 23:02:09
socket.dev
Socket's Threat Research Team identified a malicious Chrome extension called 'MEXC API Automator' that steals API keys from the MEXC cryptocurrency exchange. The extension, published by threat actor 'jorjortan142', automates API key creation while secretly enabling withdrawal permissions and hiding this from users. It exfiltrates stolen API keys and secrets to a hardcoded Telegram bot, giving attackers full account control including trading and withdrawal capabilities. The extension remains active on Chrome Web Store and targets multiple languages to reach a global victim base.
Alert date:
12 January 2026 at 23:02:09
nvd.nist.gov
Multiple SQL injection vulnerabilities were discovered in AbhishekMali21 GYM-MANAGEMENT-SYSTEM version 1.0. Four separate vulnerabilities affect search functionality through the 'name' parameter in the member_search.php, trainer_search.php, and gym_search.php files, and the 'id' parameter in payment_search.php. These vulnerabilities allow unauthenticated remote attackers to inject malicious SQL commands. Successful exploitation can lead to unauthorized data extraction, authentication bypass, and modification of database contents. The vulnerabilities pose a significant risk as they require no authentication to exploit.
Alert date:
12 January 2026 at 22:01:09
nvd.nist.gov
A SQL injection vulnerability has been discovered in the Kashipara Online Exam System V1.0, specifically in the /exam/user/profile.php page. The vulnerability allows remote attackers to execute arbitrary SQL commands and gain unauthorized database access. The attack vector involves manipulating multiple parameters (rname, rcollage, rnumber, rgender, rpassword) through POST HTTP requests. This vulnerability affects the user profile update functionality and could lead to complete database compromise. The issue has been assigned CVE-2025-51567 and represents a critical security flaw in the educational software platform.
Alert date:
12 January 2026 at 22:01:09
nvd.nist.gov
CVE-2023-36331 affects xmall v1.1, an e-commerce application. The vulnerability exists in the /member/orderList API endpoint due to incorrect access control implementation. Attackers can manipulate the userId query parameter to access other users' order details without proper authorization. This represents a classic Insecure Direct Object Reference (IDOR) vulnerability that allows horizontal privilege escalation. The flaw enables unauthorized access to sensitive customer order information, potentially exposing personal and financial data. The vulnerability has been reported on GitHub and assigned a high criticality rating.
Alert date:
12 January 2026 at 21:02:40
nvd.nist.gov
LibreChat, a ChatGPT clone application, contains a critical vulnerability in versions prior to v0.8.2-rc2. The vulnerability exists in the MCP stdio transport component which accepts arbitrary commands without proper validation. Any authenticated user can exploit this flaw to execute shell commands with root privileges inside the container through a single API request. This represents a severe privilege escalation vulnerability that allows complete compromise of the containerized application. The issue has been patched in version v0.8.2-rc2.
Alert date:
12 January 2026 at 21:02:40
nvd.nist.gov
Envoy Gateway versions prior to 1.5.7 and 1.6.2 contain a vulnerability where EnvoyExtensionPolicy Lua scripts can leak proxy credentials. These leaked credentials enable unauthorized communication with the control plane and access to all Envoy proxy secrets including TLS private keys and communication credentials. The vulnerability affects both standalone and Kubernetes-based Envoy Gateway deployments. Fixed versions 1.5.7 and 1.6.2 are available to address this security issue.
Alert date:
12 January 2026 at 21:02:40
nvd.nist.gov
CVE-2026-22783 affects DFIR-IRIS (Iris web collaborative platform) versions prior to 2.4.24. The vulnerability involves mass assignment of the file_local_name field combined with path trust issues in the delete operation, allowing authenticated users to delete arbitrary filesystem paths. The attack chain involves uploading a file, modifying the file_local_name field to point to arbitrary paths, and triggering deletion without proper path validation. This vulnerability has been patched in version 2.4.24.
Alert date:
12 January 2026 at 21:02:40
bleepingcomputer.com
CISA has ordered federal agencies to patch a high-severity remote code execution (RCE) vulnerability in Gogs that has been actively exploited in zero-day attacks. The vulnerability allows attackers to execute arbitrary code on affected systems. Government agencies are required to secure their systems against this actively exploited flaw. The exploitation in the wild makes this a critical security issue requiring immediate attention from organizations using Gogs software.
Alert date:
12 January 2026 at 21:02:40
nvd.nist.gov
Sourcecodester Covid-19 Contact Tracing System version 1.0 contains a critical Remote Code Execution (RCE) vulnerability. The vulnerability allows attackers to upload malicious PHP files through the user image upload functionality, enabling them to execute arbitrary code on the server. This can be exploited to establish reverse shells and gain unauthorized access to the system. The flaw appears to be related to insufficient input validation and file upload restrictions in the application's image handling component.
Alert date:
12 January 2026 at 21:02:40
nvd.nist.gov
A critical vulnerability in DDSN Interactive Acora CMS v10.7.1 allows attackers to perform full account takeover through a static password reset token flaw. The vulnerability enables arbitrary password resets via replay attacks due to the use of static tokens in the password reset function. This security flaw permits complete compromise of user accounts without requiring initial authentication or user interaction.
Alert date:
12 January 2026 at 19:01:33
thehackernews.com
Threat actors uploaded eight malicious packages on the npm registry masquerading as n8n workflow automation platform integrations. The packages, including one named 'n8n-nodes-hfgjf-irtuinvcm-lasdqewriit', mimic legitimate integrations like Google Ads to steal developers' OAuth credentials. The attack targets the n8n community by abusing the trust in community-developed nodes. Users are prompted to link their accounts through seemingly legitimate forms that actually harvest authentication tokens. This represents a sophisticated supply chain attack targeting the automation platform's ecosystem.
Alert date:
12 January 2026 at 19:01:33
cisa.gov
CVE-2025-8110 is a path traversal vulnerability in Gogs caused by improper symbolic link handling in the PutContents API. This vulnerability could potentially allow attackers to achieve code execution by exploiting the path traversal flaw. The issue has been addressed with a fix available in the Gogs repository. Given the potential for code execution, this vulnerability represents a significant security risk for organizations using affected versions of Gogs.
Alert date:
12 January 2026 at 19:01:33
bleepingcomputer.com
The University of Hawaii Cancer Center was hit by a ransomware attack in August 2025. The breach resulted in the theft of data belonging to study participants, including sensitive documents from the 1990s that contained Social Security numbers. This represents a significant data breach affecting healthcare research data and personal information of cancer research participants spanning multiple decades.
Alert date:
12 January 2026 at 18:02:27
nvd.nist.gov
CVE-2025-46067 is a vulnerability in Automai Director version 25.2.0 that allows remote attackers to escalate privileges and obtain sensitive information through a crafted JavaScript file. This vulnerability poses a high risk as it enables both privilege escalation and sensitive information disclosure. The vulnerability affects Automai Director, which appears to be an automation or management platform. Additional research and proof-of-concept details are available through ZeroBreach GmbH's GitHub repository.
Alert date:
12 January 2026 at 18:02:27
nvd.nist.gov
CVE-2025-46068 is a vulnerability in Automai Director version 25.2.0 that allows remote attackers to execute arbitrary code through the application's update mechanism. This is a high-severity issue that could allow complete system compromise. The vulnerability affects the software's update functionality, potentially allowing attackers to inject malicious code during update processes. Remote code execution vulnerabilities are particularly dangerous as they can lead to full system takeover without requiring local access.
Alert date:
12 January 2026 at 18:02:27
nvd.nist.gov
CVE-2025-46066 is a privilege escalation vulnerability in Automai Director version 25.2.0 that allows remote attackers to escalate privileges. This vulnerability affects the Automai Director automation platform and poses a significant security risk due to its remote exploitability and privilege escalation capabilities. The issue has been assigned a high criticality rating and requires immediate attention for organizations using the affected version.
Alert date:
12 January 2026 at 18:02:27
nvd.nist.gov
CVE-2025-68472 is an unauthenticated path traversal vulnerability in MindsDB's file upload API that allows attackers to read arbitrary files from the server filesystem. The vulnerability exists in the PUT handler in file.py which directly joins user-controlled data into filesystem paths for JSON uploads without proper sanitization. Only multipart and URL-sourced uploads receive proper validation through clear_filename checks, while JSON uploads bypass these security measures entirely. This allows any unauthenticated caller to access sensitive data by moving arbitrary server files into MindsDB's storage. The vulnerability affects all versions prior to 25.11.1 and has been patched in the latest release.
Alert date:
12 January 2026 at 18:02:27
bleepingcomputer.com
Hackers are claiming to sell internal source code belonging to Target Corporation after publishing what appears to be stolen code repositories on a public software development platform. Following notification from BleepingComputer, the files were taken offline and Target's developer Git server became inaccessible. This represents a significant data breach involving proprietary source code that could expose internal systems and security mechanisms.
Alert date:
12 January 2026 at 18:02:27
nvd.nist.gov
CVE-2025-46070 is a vulnerability in Automai BotManager v.25.2.0 that allows remote attackers to execute arbitrary code via the BotManager.exe component. This represents a critical security flaw in the automation software that could enable complete system compromise. The vulnerability affects the core executable component of the BotManager application. Remote code execution vulnerabilities are considered high severity due to their potential for complete system takeover. The issue has been documented by security researchers at ZeroBreach GmbH.
Alert date:
12 January 2026 at 16:31:46
nvd.nist.gov
CVE-2025-71063 affects Errands application versions before 46.2.10, where the software fails to verify TLS certificates when connecting to CalDAV servers. This vulnerability allows potential man-in-the-middle attacks against calendar synchronization connections. The issue has been addressed in version 46.2.10 with proper TLS certificate verification implemented. Multiple GitHub references document the fix and related issues.
Alert date:
12 January 2026 at 15:00:33
bleepingcomputer.com
A maximum-severity vulnerability dubbed 'Ni8mare' affects nearly 60,000 n8n instances exposed online. The flaw remains unpatched across the majority of affected systems, posing significant security risks. n8n is a workflow automation tool that allows users to connect different services and APIs. The vulnerability's maximum severity rating indicates it could allow for complete system compromise. With tens of thousands of instances remaining vulnerable, this represents a widespread security threat requiring immediate attention from administrators.
Alert date:
12 January 2026 at 13:00:50
threats.wiz.io
Threat actors are actively exploiting CVE-2024-36401, a remote code execution vulnerability in GeoServer, to deploy cryptocurrency miners. The vulnerability allows unauthenticated attackers to execute arbitrary commands on vulnerable GeoServer instances. Multiple threat actors have been systematically scanning for exposed GeoServer installations since the vulnerability's disclosure in 2024. The exploitation involves deploying coinminer malware on compromised systems. This represents an active campaign targeting organizations running vulnerable GeoServer instances for cryptocurrency mining operations.
Alert date:
12 January 2026 at 13:00:50
thehackernews.com
A new wave of GoBruteforcer botnet attacks is targeting cryptocurrency and blockchain project databases. The botnet exploits weak credentials to compromise systems and recruit them for brute-force attacks against FTP, MySQL, PostgreSQL, and phpMyAdmin services on Linux servers. The current campaign is driven by mass reuse of AI-generated server deployment examples that contain common vulnerabilities. The attacks specifically focus on crypto projects to build a larger botnet infrastructure for credential brute-forcing operations.
Alert date:
12 January 2026 at 02:00:56
nvd.nist.gov
A SQL injection vulnerability has been discovered in code-projects Online Music Site version 1.0. The vulnerability affects the /Administrator/PHP/AdminUpdateUser.php file where manipulation of the ID argument leads to SQL injection. The attack can be executed remotely and exploits have been publicly released, making this an active threat. The vulnerability allows attackers to potentially access or manipulate database information through the compromised parameter.
Alert date:
12 January 2026 at 01:00:56
nvd.nist.gov
CVE-2026-0851 identifies a SQL injection vulnerability in code-projects Online Music Site 1.0. The vulnerability affects the AdminAddUser.php file where manipulation of the txtusername parameter leads to SQL injection. The attack can be exploited remotely and the exploit is publicly available, making it a significant security risk for affected installations.
Alert date:
11 January 2026 at 14:16:09
nvd.nist.gov
CVE-2026-0839 is a buffer overflow vulnerability in UTT 进取 520W version 1.7.7-180627. The vulnerability affects the strcpy function in the /goform/APSecurity file through manipulation of the wepkey1 argument. The attack can be performed remotely and a public exploit is available. The vendor was notified but did not respond to the disclosure.
Alert date:
11 January 2026 at 14:16:09
nvd.nist.gov
A buffer overflow vulnerability has been discovered in UTT 进取 520W version 1.7.7-180627 affecting the strcpy function in /goform/ConfigWirelessBase. The vulnerability can be exploited remotely by manipulating the ssid argument. A public exploit has been released. The vendor was contacted about the disclosure but did not respond. This represents a high-severity security flaw with active exploitation potential.
Alert date:
11 January 2026 at 14:16:09
nvd.nist.gov
A buffer overflow vulnerability (CVE-2026-0840) has been discovered in UTT 进取 520W router firmware version 1.7.7-180627. The vulnerability affects the strcpy function in the /goform/formConfigNoticeConfig file, where manipulation of the timestart argument leads to a buffer overflow. The attack can be initiated remotely and the exploit has been publicly disclosed. The vendor was contacted about the vulnerability but did not respond.
Alert date:
11 January 2026 at 14:16:09
nvd.nist.gov
A buffer overflow vulnerability (CVE-2026-0841) was discovered in UTT 进取 520W version 1.7.7-180627. The vulnerability affects the strcpy function in the /goform/formPictureUrl file through manipulation of the importpictureurl argument. The flaw can be exploited remotely and public exploits are available. The vendor was contacted but did not respond to disclosure attempts. This represents a high-risk security issue due to remote exploitability and public exploit availability.
Alert date:
11 January 2026 at 14:16:09
nvd.nist.gov
A buffer overflow vulnerability was identified in UTT 进取 520W router version 1.7.7-180627. The vulnerability affects the strcpy function in the /goform/formFireWall file and can be exploited remotely by manipulating the GroupName argument. A publicly available exploit exists for this vulnerability. The vendor was contacted about the disclosure but did not respond.
Alert date:
11 January 2026 at 14:16:08
nvd.nist.gov
A buffer overflow vulnerability (CVE-2026-0836) has been identified in UTT 进取 520W version 1.7.7-180627. The vulnerability exists in the strcpy function within the /goform/formConfigFastDirectionW file, where manipulation of the ssid argument causes a buffer overflow. The vulnerability can be exploited remotely and exploit code has been publicly disclosed. The vendor was contacted about this disclosure but did not respond. This represents a significant security risk for affected UTT router devices.
Alert date:
10 January 2026 at 13:10:58
nvd.nist.gov
CVE-2025-65091 affects XWiki Full Calendar Macro prior to version 2.4.5, allowing users with view rights to the Calendar.JSONService page (including guest users) to exploit a SQL injection vulnerability. The vulnerability enables attackers to access database information or launch denial of service attacks. This represents a significant security risk as guest users can potentially compromise the system without authentication. The issue has been patched in version 2.4.5.
Alert date:
10 January 2026 at 13:10:58
nvd.nist.gov
React Router's @remix-run/router package in versions prior to 1.23.2 and react-router 7.0.0 through 7.11.0 contain an open redirect vulnerability in SPA navigation. The vulnerability affects Framework Mode, Data Mode, and unstable RSC modes, allowing unsafe URLs to cause unintended JavaScript execution on the client. The issue only occurs when creating redirect paths from untrusted content or via open redirects. Declarative Mode using BrowserRouter is not affected. Patches are available in @remix-run/router version 1.23.2 and react-router version 7.12.0.
Alert date:
10 January 2026 at 13:10:58
nvd.nist.gov
CVE-2026-22687 affects WeKnora, an LLM-powered framework for document understanding and semantic retrieval. Prior to version 0.2.5, the Agent service allows attackers to use prompt-based bypass techniques to evade database query restrictions. This vulnerability enables unauthorized access to sensitive information from target servers and databases due to insufficient backend validation. The issue has been patched in version 0.2.5.
Alert date:
10 January 2026 at 13:10:58
nvd.nist.gov
A vulnerability in the Ghost Node.js content management system affects versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3. The flaw in Staff Token authentication handling allowed unauthorized access to endpoints that should only be accessible via Staff Session authentication. External systems authenticated with Staff Tokens for Admin/Owner-role users could access restricted endpoints. The issue has been patched in versions 5.130.6 and 6.11.0.
Alert date:
10 January 2026 at 13:10:58
nvd.nist.gov
CVE-2026-22700 affects RustCrypto: Elliptic Curves library versions 0.14.0-pre.0 and 0.14.0-rc.0. A denial-of-service vulnerability exists in the SM2 public-key encryption implementation where the decrypt() function performs unchecked slice::split_at operations on untrusted input buffers. Attackers can submit malformed ciphertext or crafted DER-encoded structures to trigger bounds-check panics that crash the calling thread or process. The vulnerability has been patched in commit e60e991. This affects the general purpose Elliptic Curve Cryptography support library used for representing elliptic curve forms, scalars, points, and cryptographic keys.
Alert date:
10 January 2026 at 13:10:58
nvd.nist.gov
HAX CMS, a platform for managing a universe of microsites with PHP or NodeJs backends, contains a stored XSS vulnerability in versions from 11.0.6 up to, but not including, 25.0.0. The vulnerability could lead to account takeover attacks. The issue affects both the PHP and NodeJs implementations of the content management system. A patch has been released in version 25.0.0 to address this security flaw. Organizations using affected versions should upgrade immediately to prevent potential exploitation.
Alert date:
10 January 2026 at 13:10:58
nvd.nist.gov
CVE-2026-21884 is a cross-site scripting (XSS) vulnerability in React Router's ScrollRestoration API. The vulnerability affects @remix-run/react versions prior to 2.17.3 and react-router versions 7.0.0 through 7.11.0. The issue occurs in Framework Mode during Server-Side Rendering when using getKey/storageKey props with untrusted content. This could allow arbitrary JavaScript execution during SSR. The vulnerability does not impact users with disabled server-side rendering in Framework Mode or those using Declarative Mode or Data Mode. Patches are available in @remix-run/react version 2.17.3 and react-router version 7.12.0.
Alert date:
10 January 2026 at 13:10:58
nvd.nist.gov
A path traversal vulnerability (CVE-2026-22685) exists in DevToys desktop app versions 2.0.0.0 to before 2.0.9.0. The vulnerability occurs in the extension installation mechanism when processing NUPKG archives. DevToys fails to properly validate file paths within extension packages, allowing malicious packages to include crafted file entries like ../../target-file. This enables attackers to write files outside the intended extensions directory and overwrite arbitrary files with DevToys process privileges. The flaw can lead to code execution, configuration tampering, or corruption of system files. The issue has been patched in version 2.0.9.0.
Alert date:
10 January 2026 at 13:10:58
nvd.nist.gov
CVE-2026-22699 affects RustCrypto Elliptic Curves library versions 0.14.0-pre.0 and 0.14.0-rc.0. A denial-of-service vulnerability exists in the SM2 PKE decryption path where invalid elliptic-curve points cause application panics. The vulnerability occurs when AffinePoint::from_encoded_point returns None for syntactically valid coordinates that don't lie on the SM2 curve, but the code uses unwrap() without proper checking. This results in panic conditions when malformed input is processed. The issue has been patched in commit 085b7be.
