CVE-2025-49113
RoundCube Webmail Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
Thursday's vulnerability disclosures include 24 critical and 100 high-priority CVEs across major enterprise platforms, with two maximum-severity (CVSS 10.0) flaws in Microsoft Azure Entra (CVE-2026-31957) and Apple App Store (CVE-2026-31852) requiring immediate attention. Critical CVE volume decreased slightly from 25 to 24 (-4%), while high-priority disclosures held steady at 100. Additional critical vulnerabilities affect Zoom Workplace (CVE-2026-30903, CVSS 9.6), Kubernetes Argo Workflows (CVE-2026-28229, CVSS 9.8), and HP products (CVE-2026-27591, CVSS 9.9). Attack patterns span remote code execution, authentication bypass, and privilege escalation across cloud infrastructure, mobile platforms, and enterprise management tools. No patches are currently available for these disclosures; organizations should implement compensating controls and monitor vendor advisories closely.
Immediate action: Prioritize assessment of Microsoft Azure Entra, Apple App Store, Zoom Workplace, and Kubernetes Argo Workflows environments for exposure to the maximum-severity flaws disclosed this cycle. With no patches currently available, apply network segmentation, restrict access to affected services, and enable enhanced logging while monitoring vendor channels for remediation guidance.
RoundCube Webmail Cross-site Scripting Vulnerability - Active in CISA KEV catalog.
FileZen is affected by a high-severity OS command injection vulnerability that allows a threat actor to execute arbitrary commands on the underlying operating system.
Omnissa Workspace ONE Server-Side Request Forgery - Active in CISA KEV catalog.
Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability - Active in CISA KEV catalog.
VMware Aria Operations contains a command injection vulnerability that could allow an attacker to execute arbitrary commands on the affected system.
A memory corruption vulnerability exists in memory allocation processes when handling specific alignments, potentially leading to arbitrary code execution or system instability.
n8n Improper Control of Dynamically-Managed Code Resources Vulnerability - Active in CISA KEV catalog.
Hikvision Multiple Products Improper Authentication Vulnerability - Active in CISA KEV catalog.
Rockwell Multiple Products Insufficient Protected Credentials Vulnerability - Active in CISA KEV catalog.
Apple Multiple products Use-After-Free Vulnerability - Active in CISA KEV catalog.
Apple Multiple Products Integer Overflow or Wraparound Vulnerability - Active in CISA KEV catalog.
Apple iOS and iPadOS Use-After-Free Vulnerability - Active in CISA KEV catalog.
WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, a critical SQL injection vulnerability exists in the WeGIA application. The remover_produto_ocultar.php script uses extract($_REQUEST) to populate local variables and then directly concatenates these variables into a SQL query executed via PDO::query. This allows an authenticated (or auth-bypassed) attacker to execute arbitrary SQL commands. This can be used to exfiltrate sensitive data from the database or, as demonstrated in this PoC, cause a time-based delay (denial of service). This vulnerability is fixed in 3.6.6.
Himmelblau allows unauthenticated remote attackers to bypass tenant-scoped authentication when no tenant domain is configured, enabling unauthorized access via dynamic provider registration.
Unity Catalog 0.4.0 and earlier contains a critical authentication bypass in the token exchange endpoint due to improper validation of the issuer claim in incoming JSON Web Tokens (JWTs).
The jellyfin-ios GitHub Actions workflow is vulnerable to arbitrary code execution via pull requests, potentially leading to full repository takeover and App Store supply chain attacks.
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their account's level of access to the system by modifying the roles / permissions assigned to their account through specially crafted requests to the backend while logged in. To actively exploit this security issue, an attacker would need access to the Backend with a user account with any level of access. This vulnerability is fixed in 1.0.477, 1.1.12, and 1.2.12.
A path traversal vulnerability in the Mail feature of Zoom Workplace for Windows allows unauthenticated users to conduct an escalation of privilege via network access.
The Datalogics Ecommerce Delivery plugin for WordPress before 2.6.60 contains an unauthenticated REST endpoint vulnerability allowing remote attackers to modify site options and gain admin access.
FileThingie 2.5.7 is vulnerable to arbitrary file upload via the ft2.php endpoint, allowing attackers to execute remote commands by uploading and unzipping malicious PHP shells.
Argo Workflows template endpoints allow unauthenticated clients to leak sensitive WorkflowTemplates and Secret manifests by providing a malformed "Bearer nothing" authorization token.
NetGain EM Plus 10.1.68 contains an unauthenticated remote code execution vulnerability in the script_test.jsp endpoint via the 'content' parameter.
Vociferous prior to 4.4.2 contains an unauthenticated directory traversal vulnerability in the export_file route, enabling arbitrary file writes to any location accessible by the application.
Asseco SEE Live 2.0 contains insecure access control in its communication components, allowing remote attackers to access and execute attachments via computable URLs.
An unauthenticated remote attacker can bypass authentication controls on AOS-CX switches, potentially allowing them to reset the administrative password and gain full control.
A Local File Inclusion (LFI) vulnerability in WellChoose IFTOP allows unauthenticated remote attackers to execute arbitrary code on the server.
Sapido RB-1732 V2.0.43 is vulnerable to unauthenticated remote command execution via the formSysCmd endpoint, allowing attackers to execute arbitrary shell commands with router privileges.
AdGuard Home is vulnerable to an unauthenticated authentication bypass via HTTP/2 cleartext (h2c) upgrades, allowing attackers to process requests as fully authenticated.
Plunk contains an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in its SNS webhook handler, allowing attackers to make arbitrary outbound GET requests.
Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackers to execute arbitrary OS commands. This vulnerability is fixed in 1.24.0.
An authentication bypass issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to bypass authentication and change the device configuration.
The use of hard-coded credentials in Mitsubishi Electric MR-GM series routers allows attackers to gain unauthorized administrative access to the device.
The Lantronix EDS3000PS Filesystem Browser page contains a command injection vulnerability in the TFTP client host parameter, allowing root-level arbitrary command execution.
An issue in Lantronix EDS3000PS v.3.1.0.0R2 allows an attacker to execute arbitrary code and obtain sensitive information via the ltrx_evo component
Epross AVCON6 systems management platform contains an object-graph navigation language (OGNL) injection vulnerability that allows unauthenticated attackers to execute arbitrary commands by injecting malicious OGNL expressions. Attackers can send crafted requests to the login.action endpoint with OGNL payloads in the redirect parameter to instantiate ProcessBuilder objects and execute system commands with root privileges.
Taskosaur 1.0.0 allows unauthenticated attackers to register accounts with SUPER_ADMIN privileges by manually modifying the role parameter during the registration process.
A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device
A vulnerability in task group assignment for a specific CLI command in Cisco IOS XR Software could allow an authenticated, local attacker to elevate privileges and gain full administrative control of an affected device
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network
Heap-based buffer overflow in Azure Linux Virtual Machines allows an authorized attacker to elevate privileges locally
Improper input validation in Microsoft Office SharePoint allows an authorized attacker to execute code over a network
Server-side request forgery (ssrf) in Azure MCP Server allows an authorized attacker to elevate privileges over a network
The Royal Addons for Elementor plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1
In Microsoft DirectX End-User Runtime Web Installer 9
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune
Adobe Commerce versions 2
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally
Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally
Untrusted pointer dereference in Microsoft Office allows an unauthorized attacker to execute code locally
Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network
Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network
External initialization of trusted variables or data stores in Azure Entra ID allows an unauthorized attacker to elevate privileges locally
Adobe Commerce versions 2
Adobe Commerce versions 2
Adobe Commerce versions 2
Improper access control in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally
Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network
Use after free in Windows Print Spooler Components allows an authorized attacker to execute code over a network
Heap-based buffer overflow in Windows File Server allows an authorized attacker to elevate privileges locally
Heap-based buffer overflow in Windows Telephony Service allows an unauthorized attacker to elevate privileges over an adjacent network
Heap buffer overflow in the Audio/Video: Playback component in Firefox for Android
A buffer copy without checking size of input ('classic buffer overflow') vulnerability in Fortinet FortiSwitchAXFixed 1
Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally
Deserialization of untrusted data in Windows System Image Manager allows an authorized attacker to execute code locally
Memory safety bugs present in Firefox 148
The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8
The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7
A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiManager 7
The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4
The divi-booster WordPress plugin before 5
Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability
Out-of-bounds read in Windows Resilient File System (ReFS) allows an authorized attacker to elevate privileges locally
External control of file name or path in Windows Kernel allows an authorized attacker to elevate privileges locally
Improper access control in Windows Projected File System allows an authorized attacker to elevate privileges locally
Incorrect permission assignment for critical resource in Windows Accessibility Infrastructure (ATBroker
Null pointer dereference in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally
Improper authentication in Windows SMB Server allows an authorized attacker to elevate privileges locally
Null pointer dereference in Windows Performance Counters allows an authorized attacker to elevate privileges locally
Out-of-bounds read in Windows Extensible File Allocation allows an authorized attacker to elevate privileges locally
MCP Atlassian is a Model Context Protocol (MCP) server for Atlassian products (Confluence and Jira)
An improper control of interaction frequency vulnerability [CWE-799] in Fortinet FortiWeb 8
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing
A UNIX symbolic link (Symlink) following vulnerability in Fortinet FortiClientLinux 7
WeGIA is a web manager for charitable institutions
Dependency on vulnerable third-party component in GitHub Repo: zero-shot-scfoundation allows an unauthorized attacker to execute code over a network
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node
A flaw has been found in Tenda i3 1
A vulnerability has been found in Tenda i3 1
A vulnerability was found in Tenda W3 1
A vulnerability was determined in Tenda W3 1
A vulnerability was identified in Tenda W3 1
A security flaw has been discovered in Tenda W3 1
A weakness has been identified in Tenda W3 1
A vulnerability was detected in D-Link DIR-513 1
A vulnerability was detected in Tenda W3 1
A flaw has been found in Tenda W3 1
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10
OneUptime is a solution for monitoring and managing online services
Illustrator versions 29
A vulnerability in the command parameters of a certain AOS-CX CLI command could allow a low-privilege authenticated remote attacker to inject malicious commands resulting in unwanted behavior
Easy File Sharing Web Server 7
Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network
An authenticated SQL Injection vulnerability (CWE-89) exists in the Koha staff interface in the /cgi-bin/koha/suggestion/suggestion
Use after free in Connected Devices Platform Service (Cdpsvc) allows an authorized attacker to elevate privileges locally
FileBrowser Quantum is a free, self-hosted, web-based file manager
Shopware is an open commerce platform
Improper input validation in System Center Operations Manager allows an authorized attacker to elevate privileges over a network
Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network
Improper restriction of names for files and other resources in Active Directory Domain Services allows an authorized attacker to elevate privileges over a network
Improper validation of specified type of input in SQL Server allows an authorized attacker to elevate privileges over a network
StudioCMS is a server-side-rendered, Astro native, headless content management system
Craft Commerce is an ecommerce platform for Craft CMS
Craft Commerce is an ecommerce platform for Craft CMS
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node
OpenClaw version 2026
OpenClaw versions prior to 2026
OpenEMR is a free and open source electronic health records and medical practice management application
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services
OliveTin gives access to predefined shell commands from a web interface
In hyp_alloc of arch/arm64/kvm/hyp/nvhe/alloc
In gmc_ddr_handle_mba_mr_req of gmc_mba_ddr
In mfc_dec_dqbuf of mfc_dec_v4l2
In oobconfig, there is a possible bypass of carrier restrictions due to a logic error
In multiple places, there is a possible out of bounds write due to memory corruption
In EfwApTransport::ProcessRxRing of efw_ap_transport
Verypdf docPrint Pro 8
Comtrend AR-5310 GE31-412SSG-C01_R10
SiYuan is a personal knowledge management system
Sylius is an Open Source eCommerce Framework on Symfony
Striae is a firearms examiner's comparison companion
Varient 1
PX4 Autopilot versions 1
PX4 Autopilot versions 1
An issue in ClasroomIO before v