Critical vulnerabilities, curated daily for security professionals
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality.
Archived Security Brief
Monday's disclosure activity shows 1 critical vulnerability, down 75% from Sunday's 4 critical CVEs. High-priority vulnerabilities also decreased significantly to 12 (down 65% from 34). Three actively exploited vulnerabilities require attention, including CVE-2025-14847 affecting MongoDB, a resurfaced CVE-2009-0556 targeting Microsoft Office, and CVE-2025-37164 impacting HPE OneView. The critical vulnerability CVE-2025-52694 (CVSS 10) is an unauthenticated SQL injection flaw affecting multiple products that could allow remote attackers to execute arbitrary SQL commands. Patch availability stands at 0%, requiring organizations to implement compensating controls until vendor fixes are released.
1 critical vulnerability disclosed (down 75% from prior day)
12 high-priority CVEs identified (down 65% from 34)
3 actively exploited vulnerabilities affecting MongoDB, Microsoft Office, and HPE OneView
0% patch availability for disclosed vulnerabilities
CVE-2025-52694 presents maximum severity SQL injection risk to exposed services
Immediate action: Organizations using MongoDB, Microsoft Office, or HPE OneView should prioritize reviewing exposure to the three actively exploited vulnerabilities. With no patches currently available, implement network segmentation and monitoring for the critical SQL injection vulnerability CVE-2025-52694 until vendor fixes are released.
CISA Known Exploited Vulnerabilities
CISA KEV URGENT
CVE-2025-14847
9.5
MongoDB: MongoDB and MongoDB Server
Federal Deadline: January 18, 2026 (7 days remaining)
MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability - Active in CISA KEV catalog.
CVSS Base: 9.5
CISA KEV
CVE-2009-0556 (reserved 2009, disclosed 2026)
9.5
Microsoft: Office
Federal Deadline: January 27, 2026 (16 days remaining)
Microsoft Office PowerPoint Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base: 9.5
CISA KEV
CVE-2025-37164 (reserved 2025, disclosed 2026)
9.5
Hewlett Packard Enterprise (HPE): OneView
Federal Deadline: January 27, 2026 (16 days remaining)
Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base: 9.5
Critical Vulnerabilities
CVE-2025-52694 (reserved 2025, disclosed 2026)
10
Multiple Products
Successful exploitation of the SQL injection vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the vulnerable service when it is exposed to the Internet.
CVSS Base: 10
High Priority Updates
CVE-2026-0854
8.8
Multiple Products
Certain DVR/NVR models developed by Merit LILIN have an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device.
CVSS Base: 8.8
CVE-2026-0855
8.8
Multiple Products
Certain IP Camera models developed by Merit LILIN have an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device.
CVSS Base: 8.8
CVE-2026-0836
8.8
Multiple Products
A vulnerability was determined in UTT 进取 520W 1
CVSS Base: 8.8
CVE-2026-0837
8.8
Multiple Products
A vulnerability was identified in UTT 进取 520W 1
CVSS Base: 8.8
CVE-2026-0838
8.8
Multiple Products
A security flaw has been discovered in UTT 进取 520W 1
CVSS Base: 8.8
CVE-2026-0839
8.8
Multiple Products
A weakness has been identified in UTT 进取 520W 1
CVSS Base: 8.8
CVE-2026-0840
8.8
Multiple Products
A security vulnerability has been detected in UTT 进取 520W 1
CVSS Base: 8.8
CVE-2026-0841
8.8
Multiple Products
A vulnerability was detected in UTT 进取 520W 1
CVSS Base: 8.8
CVE-2025-14279 (reserved 2025, disclosed 2026)
8.1
Multiple Products
MLFlow versions up to and including 3
CVSS Base: 8.1
CVE-2026-0821
7.3
Multiple Products
A vulnerability was determined in quickjs-ng quickjs up to 0
CVSS Base: 7.3
CVE-2026-0851
7.3
Multiple Products
A vulnerability was identified in code-projects Online Music Site 1
CVSS Base: 7.3
CVE-2026-0852
7.3
Multiple Products
A security flaw has been discovered in code-projects Online Music Site 1