A GPU device-ID validation flaw in the flow
Description
A GPU device-ID validation flaw in the flow
Remediation
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Search and filter 17282 vulnerabilities with AI analyst insights
A GPU device-ID validation flaw in the flow
A GPU device-ID validation flaw in the flow
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Insecure default credentials in the Telnet service of UTT HiPER routers allow remote attackers to gain root access via automated scripts.
Insecure default credentials in the Telnet service of UTT HiPER routers allow remote attackers to gain root access via automated scripts.
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
An issue in Aranda Service Desk Web Edition (ASDK API 8
An issue in Aranda Service Desk Web Edition (ASDK API 8
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system
Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Incorrect access control in the selectDept function of RuoYi v4
Incorrect access control in the selectDept function of RuoYi v4
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Incorrect access control in the update function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily modify data outside of their scope.
Incorrect access control in the update function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily modify data outside of their scope.
---METADATA---
VENDOR: RuoYi
PRODUCT: RuoYi
AFFECTED_VERSIONS: v4.8.2
CONFIDENCE: high
MISSING: patch
---END_METADATA---
Description Summary:
An incorrect access control vulnerability in the RuoYi update function allows unauthorized attackers to modify data outside of their intended scope.
Executive Summary:
A critical access control vulnerability in RuoYi v4.8.2 enables unauthorized users to perform arbitrary data modification, threatening the integrity of the application.
Vulnerability Details
CVE-ID: CVE-2025-70985
Affected Software: RuoYi
Affected Versions: v4.8.2
Vulnerability: The vulnerability stems from improper access control logic within the application's update function. This flaw allows an attacker to bypass intended security boundaries and perform unauthorized data modification.
Business Impact
The CVSS score of 9.1 highlights the severity of this flaw, as it permits unauthorized manipulation of sensitive data. Exploitation could lead to significant data corruption, loss of business logic integrity, and unauthorized state changes within the application, severely impacting operational reliability.
Remediation Plan
Immediate Action: Update RuoYi to the latest available version provided by the vendor to remediate the access control flaw.
Proactive Monitoring: Review application audit logs for unauthorized update attempts or modifications to records that should be restricted to administrative users.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to intercept and block suspicious POST or PUT requests targeting the identified update functions.
Exploitation Status
Public Exploit Available: False
Analyst Notes: As of Jan 23, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
This vulnerability presents a high risk to data integrity. Administrators must prioritize updating affected RuoYi installations to the latest version to prevent unauthorized data manipulation by malicious actors.
Update Incorrect access control in the update function of RuoYi Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Incorrect access control in the authRoutes function of SpringBlade v4.5.0 allows attackers with low-level privileges to escalate privileges.
Incorrect access control in the authRoutes function of SpringBlade v4.5.0 allows attackers with low-level privileges to escalate privileges.
---METADATA---
VENDOR: SpringBlade
PRODUCT: SpringBlade
AFFECTED_VERSIONS: v4.5.0
CONFIDENCE: high
MISSING: patch
---END_METADATA---
Description Summary:
An incorrect access control vulnerability in the SpringBlade authRoutes function allows low-privileged users to escalate their privileges.
Executive Summary:
A critical privilege escalation vulnerability in SpringBlade v4.5.0 allows low-level users to gain unauthorized administrative access, posing a severe threat to system security.
Vulnerability Details
CVE-ID: CVE-2025-70983
Affected Software: SpringBlade
Affected Versions: v4.5.0
Vulnerability: The flaw resides in the authRoutes function, which fails to properly enforce capability checks. This allows an attacker with low-level privileges to escalate their access level to that of an administrator.
Business Impact
With a CVSS score of 9.9, this is a critical vulnerability that facilitates full system compromise via privilege escalation. Unauthorized administrative access can lead to total loss of confidentiality, integrity, and availability, as the attacker can perform any action available to a legitimate administrator.
Remediation Plan
Immediate Action: Apply the latest vendor patch or update to SpringBlade v4.5.0 to enforce correct access control checks.
Proactive Monitoring: Monitor system logs for unusual administrative activities or unexpected privilege changes assigned to standard user accounts.
Compensating Controls: Implement strict role-based access control (RBAC) and restrict access to sensitive routing functions at the application gateway level.
Exploitation Status
Public Exploit Available: False
Analyst Notes: As of Jan 23, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Given the critical nature of this privilege escalation flaw, immediate remediation is essential. Organizations should update their SpringBlade deployment immediately to prevent unauthorized users from gaining elevated administrative control.
Update Incorrect access control in the authRoutes function of SpringBlade Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Incorrect access control in the importUser function of SpringBlade v4.5.0 allows attackers with low-level privileges to arbitrarily import sensitive u...
Incorrect access control in the importUser function of SpringBlade v4.5.0 allows attackers with low-level privileges to arbitrarily import sensitive user data.
Executive Summary:
A critical vulnerability has been identified in the SpringBlade framework, which could impact multiple products within the organization. This flaw, designated CVE-2025-70982, allows a low-privileged user to improperly access a user import function, enabling them to create or modify user accounts, potentially granting themselves full administrative control. Successful exploitation could lead to a complete system compromise, resulting in significant data breaches and operational disruption.
Vulnerability Details
CVE-ID: CVE-2025-70982
Affected Software: SpringBlade Framework and dependent products
Affected Versions: Version 4.5.0. See vendor advisory for a complete list of affected versions and products.
Vulnerability: The importUser function within the SpringBlade framework fails to properly enforce access control checks. This allows any authenticated user, regardless of their privilege level, to invoke this function. An attacker with low-level user credentials can craft a malicious data file (e.g., CSV or Excel) and use the import feature to add new users with elevated privileges or overwrite the details of existing users, including administrators. This effectively provides a direct path for a low-privilege attacker to escalate their privileges to the highest level within the application.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.9. Exploitation of this flaw could have a severe and direct impact on the business. An attacker gaining administrative access could lead to a catastrophic data breach, involving the theft of sensitive customer information, intellectual property, and internal corporate data. This could result in significant financial losses from regulatory fines (e.g., GDPR, CCPA), loss of customer trust, and severe reputational damage. Furthermore, an attacker could disrupt business operations by maliciously altering or deleting data, causing service outages and impacting business continuity.
Remediation Plan
Immediate Action: The primary remediation is to immediately update all instances of SpringBlade and affected products to the latest version as recommended by the vendor. Before and after applying the patch, security teams must thoroughly review application and audit logs for any suspicious activity related to the importUser function, looking for unauthorized user creation or modification events.
Proactive Monitoring: Implement continuous monitoring of application logs, specifically focusing on API calls to the importUser endpoint. Create alerts for any user import events initiated by non-administrative accounts or from untrusted IP addresses. Monitor for the creation of new user accounts with high privileges and validate their legitimacy with system owners.
Compensating Controls: If immediate patching is not feasible, consider these temporary measures:
importUser function, allowing access only from a small whitelist of administrative IP addresses.Exploitation Status
Public Exploit Available: false
Analyst Notes: As of January 26, 2026, there are no known public proof-of-concept exploits or active exploitation campaigns targeting this vulnerability. However, due to the critical severity and the straightforward nature of an access control flaw, it is highly probable that exploit code will be developed and published in the near future. Organizations should assume that attackers will begin scanning for vulnerable systems imminently.
Analyst Recommendation
This vulnerability presents a critical and immediate threat to the organization. Given the CVSS score of 9.9, the risk of a full system compromise is extremely high. All system owners must prioritize the immediate application of the vendor-supplied security patches across all affected assets. Although this vulnerability is not yet listed on the CISA KEV catalog, its severity makes it a prime candidate for future inclusion. We strongly recommend treating this with the highest urgency to prevent potential data breaches and system takeovers.
Update Incorrect access control in the importUser function of SpringBlade Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
CordysCRM 1.4.1 contains an SQL Injection vulnerability in the employee list query interface (/user/list) via the 'departmentIds' parameter.
CordysCRM 1.4.1 contains an SQL Injection vulnerability in the employee list query interface (/user/list) via the 'departmentIds' parameter.
---METADATA---
VENDOR: CordysCRM
PRODUCT: CordysCRM
AFFECTED_VERSIONS: 1.4.1
---END_METADATA---
Description Summary:
CordysCRM 1.4.1 contains an SQL Injection vulnerability in the employee list query interface (/user/list) via the 'departmentIds' parameter.
Executive Summary:
CordysCRM 1.4.1 is affected by a critical SQL Injection vulnerability that allows attackers to manipulate database queries and gain unauthorized access to sensitive employee information.
Vulnerability Details
CVE-ID: CVE-2025-70981
Affected Software: CordysCRM
Affected Versions: 1.4.1
Vulnerability: The vulnerability exists in the /user/list endpoint where the departmentIds parameter is not properly sanitized before being used in an SQL query. This allows an attacker to inject malicious SQL commands to bypass authentication or extract data from the CRM database.
Business Impact
The exposure of employee data and CRM records poses a significant privacy risk and potential compliance violation (e.g., GDPR). With a CVSS score of 9.8, this critical flaw could allow an attacker to gain administrative access to the CRM, leading to the total compromise of corporate human resources and client relationship data.
Remediation Plan
Immediate Action: Update CordysCRM to the latest version immediately to address the insecure handling of the departmentIds parameter.
Proactive Monitoring: Review web server and database logs for suspicious activity targeting the /user/list path, specifically looking for SQL keywords in URL parameters.
Compensating Controls: Implement strict input validation and use a Web Application Firewall (WAF) to detect and block SQL injection patterns in incoming HTTP requests.
Exploitation Status
Public Exploit Available: No
Analyst Notes: As of Feb 12, 2026, there is no public information indicating active exploitation of this vulnerability. Because CRM systems house highly sensitive internal data, they are high-value targets for corporate espionage and data theft.
Analyst Recommendation
Immediate remediation is required to protect sensitive corporate data. Administrators should prioritize patching CordysCRM and conduct a thorough audit of database access logs to ensure that no unauthorized data extraction has occurred prior to the update.
Update CordysCRM Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, th...
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
Executive Summary:
A critical remote code execution vulnerability, identified as CVE-2025-70974, exists in older versions of the Fastjson library. This flaw allows an unauthenticated attacker to take complete control of an affected server by sending a specially crafted data request, potentially leading to data theft, service disruption, and further network compromise. Due to its critical severity and history of active exploitation, immediate remediation is strongly advised.
Vulnerability Details
CVE-ID: CVE-2025-70974
Affected Software: Multiple products using the Fastjson library
Affected Versions: All versions of Fastjson prior to 1.2.48
Vulnerability:
This vulnerability is an insecure deserialization flaw rooted in Fastjson's "autoType" feature. When autoType is enabled, an attacker can submit a malicious JSON payload containing an @type key. This key specifies the name of a Java class on the server's classpath that Fastjson will then instantiate.
An attacker can leverage "gadget chains" by pointing the @type key to a class with specific public methods (e.g., setters or constructors) that are automatically invoked during deserialization. By providing an attacker-controlled value elsewhere in the JSON, such as a JNDI lookup URL (e.g., ldap://attacker.com/a), the gadget class can be tricked into connecting to an attacker's server. This server then responds with a malicious serialized Java object, which is executed on the victim's machine, resulting in unauthenticated Remote Code Execution (RCE).
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 10.0, reflecting the highest possible risk. Successful exploitation allows an unauthenticated attacker to execute arbitrary code with the permissions of the application server. This can lead to a complete system compromise, enabling the attacker to steal sensitive corporate or customer data, install ransomware, deploy cryptocurrency miners, or use the compromised server as a pivot point to attack other systems within the internal network. The potential consequences include severe financial loss, significant reputational damage, and potential regulatory fines.
Remediation Plan
Immediate Action:
The primary remediation is to upgrade the Fastjson library in all affected applications to version 1.2.48 or a later, secure version. After patching, administrators must monitor for any ongoing exploitation attempts by reviewing application, web server, and system access logs for suspicious JSON payloads or unusual outbound network activity.
Proactive Monitoring:
@type keyword followed by suspicious class names (e.g., com.sun.rowset.JdbcRowSetImpl, org.apache.xbean.propertyeditor.JndiConverter).sh, bash, cmd.exe, powershell.exe).Compensating Controls:
If immediate patching is not feasible, the following controls can help mitigate risk:
Exploitation Status
Public Exploit Available: true
Analyst Notes:
As of January 9, 2026, this vulnerability has a documented history of being actively exploited in the wild from 2023 through 2025, prior to its official public disclosure. This indicates that threat actors have been leveraging this flaw for an extended period, and many systems may already be compromised. The exploit is a bypass of a previous patch (CVE-2017-18349), and threat actors are highly proficient at weaponizing Fastjson vulnerabilities due to their prevalence and impact.
Analyst Recommendation
Given the critical CVSS score of 10.0 and confirmed long-term exploitation by threat actors, this vulnerability represents an extreme and immediate threat. All organizations must prioritize identifying and patching affected applications by upgrading the Fastjson library to version 1.2.48 or later without delay. While this CVE is not yet on the CISA KEV list as of its publication, its exploit history makes it a prime candidate for future inclusion. Due to the pre-disclosure exploitation, organizations should assume compromise and initiate incident response procedures, including hunting for indicators of compromise described in the Proactive Monitoring section.
Update Fastjson before Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
FreeImage 3.18.0 contains a Use After Free in PluginTARGA.cpp;loadRLE().
FreeImage 3.18.0 contains a Use After Free in PluginTARGA.cpp;loadRLE().
Executive Summary:
A critical Use-After-Free vulnerability has been identified in the FreeImage library, a widely used open-source component for image processing. An attacker can exploit this flaw by tricking a user or an automated process into opening a specially crafted TARGA (TGA) image file, which could lead to arbitrary code execution and a complete compromise of the affected system.
Vulnerability Details
CVE-ID: CVE-2025-70968
Affected Software: FreeImage Multiple Products
Affected Versions: Version 3.18.0 is confirmed vulnerable. See vendor advisory for a complete list of affected products and versions.
Vulnerability: The vulnerability is a Use-After-Free error within the loadRLE() function of the PluginTARGA.cpp component. This function is responsible for parsing Run-Length Encoded (RLE) data in TARGA image files. An attacker can create a malicious TGA image that, when processed by the vulnerable library, causes the application to deallocate a memory region and then attempt to use (read from or write to) that same freed memory. This memory corruption can be leveraged by the attacker to hijack the application's control flow, leading to arbitrary code execution in the security context of the user or service running the application.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could have a severe impact on the business, leading to a full system compromise. An attacker could execute malicious code to steal sensitive data, install ransomware or other malware, disrupt operations, or use the compromised system as a pivot point to move laterally within the network. Given that the FreeImage library is embedded in numerous third-party applications (e.g., content management systems, graphic design tools, server-side image processors), the attack surface could be extensive and difficult to identify, posing a significant risk to confidentiality, integrity, and availability.
Remediation Plan
Immediate Action: Immediately identify all applications and systems utilizing the vulnerable FreeImage library and update them to the latest patched version as recommended by the vendor. After patching, monitor for any signs of exploitation attempts by reviewing application and system access logs for unusual activity related to image file processing.
Proactive Monitoring: Implement enhanced monitoring for applications that process image files, particularly TGA files from untrusted sources. Look for signs of compromise such as unexpected application crashes, suspicious child processes being spawned by image-processing applications, or unauthorized outbound network connections from affected systems. Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) systems should be configured with rules to detect anomalies associated with this type of exploit.
Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of the publication date (Jan 14, 2026), there are no known public proof-of-concept exploits or active exploitation campaigns targeting this vulnerability. However, due to the critical severity and the common nature of this vulnerability class in image parsing libraries, it is highly probable that threat actors will develop exploits in the near future.
Analyst Recommendation
Given the critical CVSS score of 9.8, this vulnerability poses a severe and immediate threat. We strongly recommend that organizations prioritize the patching of this vulnerability across all affected systems. A comprehensive inventory should be conducted to identify all instances of the FreeImage library, including those embedded within third-party software. Although this CVE is not currently listed on the CISA KEV list, its high impact score makes it a prime candidate for future inclusion and a high-value target for attackers. Remediate immediately to prevent potential system compromise.
Update FreeImage Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Gophish <=0
Gophish <=0
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
An issue in gohttp commit 34ea51 allows attackers to execute a directory traversal via supplying a crafted request
An issue in gohttp commit 34ea51 allows attackers to execute a directory traversal via supplying a crafted request
---METADATA---
VENDOR: gohttp
PRODUCT: gohttp
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
CONFIDENCE: medium
MISSING: patch, technical_details
---END_METADATA---
Description Summary:
A directory traversal vulnerability in gohttp allows unauthenticated attackers to access unauthorized files via crafted requests.
Executive Summary:
A directory traversal vulnerability in the gohttp library could allow remote attackers to read arbitrary files from the host filesystem.
Vulnerability Details
CVE-ID: CVE-2025-70950
Affected Software: gohttp gohttp
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability exists due to improper input validation in the gohttp library (specifically noted in commit 34ea51), allowing an unauthenticated attacker to supply a crafted request that escapes the intended directory structure.
Business Impact
Successful exploitation allows unauthorized access to sensitive configuration files, source code, or system data, leading to information disclosure and potential further compromise of the application environment. With a CVSS score of 7.3, this flaw poses a serious threat to confidentiality and should be treated as a high-priority remediation item.
Remediation Plan
Immediate Action: Update the gohttp dependency to the latest patched version provided by the maintainer or the vendor of the software incorporating this library.
Proactive Monitoring: Review web server and application access logs for directory traversal patterns, such as sequences like "../" or null-byte injections, targeting application endpoints.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules specifically configured to block directory traversal attempts and normalize URI requests.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of May 20, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Directory traversal vulnerabilities are frequently targeted for automated reconnaissance and data exfiltration. Organizations utilizing the gohttp library must audit their dependencies and apply updates immediately to prevent unauthorized file access.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
An observable timing discrepancy in @perfood/couch-auth v0
An observable timing discrepancy in @perfood/couch-auth v0
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
A time-based blind SQL Injection vulnerability exists in PHPGurukul Cyber Cafe Management System v1
A time-based blind SQL Injection vulnerability exists in PHPGurukul Cyber Cafe Management System v1
Executive Summary:
A high-severity vulnerability has been identified in the PHPGurukul Cyber Cafe Management System, which could allow an unauthenticated attacker to steal sensitive information from the underlying database. Successful exploitation of this flaw could lead to a complete data breach, exposing customer records, credentials, and other confidential data. Organizations are urged to apply the vendor-supplied patch immediately to mitigate this critical risk.
Vulnerability Details
CVE-ID: CVE-2025-70893
Affected Software: PHPGurukul Cyber Cafe Management System
Affected Versions: v1
Vulnerability: The vulnerability is a time-based blind SQL Injection. An attacker can exploit this by sending specially crafted input to the application, which is then passed to a database query without proper sanitization. The crafted input includes SQL commands that instruct the database to pause or delay its response for a specific amount of time if a certain condition is true. By measuring the server's response time, the attacker can infer the result of the condition, allowing them to exfiltrate data from the database one character at a time, bypass authentication, or potentially gain control over the database server.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 8.8. A successful attack could have significant business consequences, including unauthorized access to and exfiltration of sensitive data such as customer personal information, user credentials, and transaction history. This could lead to a major data breach, resulting in severe reputational damage, financial loss, and potential regulatory fines for non-compliance with data protection standards. If the database service account has excessive privileges, the attacker could also modify or delete data, or even escalate their privileges to compromise the underlying server.
Remediation Plan
Immediate Action: The primary and most effective remediation is to apply the security patches provided by the vendor immediately. In addition, conduct a thorough review of all database user accounts and access controls to ensure the application is operating with the principle of least privilege. It is also recommended to enable detailed database query logging to create an audit trail for detecting and investigating potential exploitation attempts.
Proactive Monitoring: Monitor web application and database logs for suspicious queries, particularly those containing SQL keywords like SLEEP, BENCHMARK, or other time-delay functions. Network traffic should be monitored for unusually long response times from the web server, which is a key indicator of time-based blind SQL injection exploitation.
Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with a strict ruleset designed to detect and block common SQL injection patterns. This can serve as a temporary mitigation by filtering malicious requests before they reach the vulnerable application. However, a WAF should be considered a temporary measure and not a substitute for patching the underlying vulnerability.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of January 16, 2026, there are no known public proof-of-concept exploits or reports of this vulnerability being actively exploited in the wild. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
Analyst Recommendation
Given the high CVSS score of 8.8, this vulnerability presents a critical risk to the organization. We strongly recommend that the vendor-provided patch for CVE-2025-70893 be applied as a top priority across all affected systems. While there is no current evidence of active exploitation, the nature of SQL injection vulnerabilities makes them a prime target for attackers. In addition to patching, the recommended actions for reviewing access controls and enabling logging should be implemented to strengthen the overall security posture and improve detection capabilities.
Apply vendor patches immediately. Review database access controls and enable query logging.
Phpgurukul Cyber Cafe Management System v1.0 contains a SQL Injection vulnerability in the user management module. The application fails to properly v...
Phpgurukul Cyber Cafe Management System v1.0 contains a SQL Injection vulnerability in the user management module. The application fails to properly validate user-supplied input in the username parameter of the add-users.php endpoint.
Executive Summary:
A critical SQL Injection vulnerability, identified as CVE-2025-70892, has been discovered in Phpgurukul Cyber Cafe Management System v1.0. This flaw allows an unauthenticated attacker to execute arbitrary commands on the backend database by sending malicious input to the user management module. Successful exploitation could lead to a complete compromise of the system, resulting in data theft, data corruption, and unauthorized system access.
Vulnerability Details
CVE-ID: CVE-2025-70892
Affected Software: Phpgurukul Cyber Cafe Management System Multiple Products
Affected Versions: Version 1.0 is confirmed to be vulnerable. See vendor advisory for a complete list of affected products and versions.
Vulnerability: The vulnerability is a classic SQL Injection that exists within the user management module, specifically in the add-users.php endpoint. The application fails to properly sanitize or validate the username parameter before incorporating it into a database query. An attacker can craft a malicious username value containing SQL syntax, which will then be executed by the database, allowing them to bypass security controls, exfiltrate sensitive data, modify database records, or potentially gain remote code execution on the server.
Business Impact
This vulnerability presents a critical risk to the organization, reflected by its CVSS score of 9.8. Successful exploitation could lead to a severe data breach, exposing sensitive user information, administrative credentials, and financial records managed by the cyber cafe system. An attacker could gain full control over the application and its underlying database, leading to service disruption, reputational damage, financial loss, and potential legal or regulatory penalties. The ability for an unauthenticated attacker to achieve this level of compromise makes it a high-priority threat.
Remediation Plan
Immediate Action: Organizations must immediately update all instances of Phpgurukul Cyber Cafe Management System to the latest patched version as recommended by the vendor. After patching, review system and database access logs for any signs of compromise or suspicious activity related to the add-users.php endpoint.
Proactive Monitoring: Implement enhanced monitoring on web server and database logs. Specifically, look for requests to add-users.php containing SQL keywords (e.g., SELECT, UNION, DROP, SLEEP) or special characters (', --, ;) within the username parameter. Monitor for unusual database queries, unauthorized user account creation, or unexpected system behavior.
Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL Injection attacks. Enforce the principle of least privilege for the database user account connected to the application to limit the potential impact of an exploit.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of the publication date, January 15, 2026, there are no known public exploits or active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. However, due to the ease of exploitation and high impact, it is highly likely that threat actors will develop exploits in the near future.
Analyst Recommendation
Given the critical severity (CVSS 9.8) and the potential for complete system compromise, it is strongly recommended that organizations prioritize the immediate application of the vendor-supplied patch. Although this vulnerability is not currently listed in the CISA KEV catalog, its high score indicates a significant risk. If patching is delayed, the implementation of compensating controls like a WAF is essential to mitigate the immediate threat. All internet-facing instances of this software should be considered at extreme risk and must be addressed without delay.
Update Phpgurukul Cyber Cafe Management System Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
An issue in halo v
An issue in halo v
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Dokans SaaS platform allows unauthenticated attackers to download the `.env` file, exposing encryption keys, database credentials, and API keys, leadi...
Dokans SaaS platform allows unauthenticated attackers to download the `.env` file, exposing encryption keys, database credentials, and API keys, leading to total multi-tenant system compromise.
---METADATA---
VENDOR: Dokans
PRODUCT: Multi-Tenancy Based eCommerce Platform SaaS
AFFECTED_VERSIONS: 3.9.2
---END_METADATA---
Description Summary:
Dokans SaaS platform allows unauthenticated attackers to download the .env file, exposing encryption keys, database credentials, and API keys, leading to total multi-tenant system compromise.
Executive Summary:
A critical information disclosure vulnerability in Dokans eCommerce SaaS allows unauthenticated attackers to steal sensitive configuration files, resulting in full compromise of all tenant data.
Vulnerability Details
CVE-ID: CVE-2025-70841
Affected Software: Dokans Multi-Tenancy Based eCommerce Platform SaaS
Affected Versions: 3.9.2
Vulnerability: The application permits unauthenticated remote attackers to access the /script/.env file directly. This file contains the Laravel APP_KEY, database credentials, and SMTP/SendGrid API keys.
Business Impact
The CVSS score of 10.0 reflects the absolute severity of this leak. Exposure of the APP_KEY allows for session token forgery and authentication bypass, while database credentials grant direct access to sensitive tenant information. Furthermore, the theft of API keys allows attackers to hijack email infrastructure, causing massive financial and reputational harm across the entire SaaS ecosystem.
Remediation Plan
Immediate Action: Update the platform to the latest version and immediately rotate all secrets, including the APP_KEY, database passwords, and API keys.
Proactive Monitoring: Inspect web server logs for any GET requests to the /script/.env path and monitor for unauthorized database logins.
Compensating Controls: Configure the web server (Nginx/Apache) to explicitly deny access to all hidden files and files starting with a dot (.) globally.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Feb 3, 2026, there is no public information indicating active exploitation. However, .env file exposure is a well-known and highly sought-after vulnerability by automated exploit scripts.
Analyst Recommendation
This is a "scorched earth" scenario; simply patching is insufficient. Administrators must rotate every single credential found in the .env file immediately after updating the software to prevent attackers who may have already harvested the data from maintaining access.
Update Arch Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Datart v1.0.0-rc.3 is vulnerable to Server-Side Template Injection (SSTI) in its Freemarker engine, allowing authenticated attackers to execute arbitr...
Datart v1.0.0-rc.3 is vulnerable to Server-Side Template Injection (SSTI) in its Freemarker engine, allowing authenticated attackers to execute arbitrary code.
---METADATA---
VENDOR: Datart
PRODUCT: Datart (using Freemarker engine)
AFFECTED_VERSIONS: v1.0.0-rc.3
---END_METADATA---
Description Summary:
Datart v1.0.0-rc.3 is vulnerable to Server-Side Template Injection (SSTI) in its Freemarker engine, allowing authenticated attackers to execute arbitrary code.
Executive Summary:
Datart is susceptible to a critical Server-Side Template Injection vulnerability that allows authenticated users to execute remote code through the SQL script field.
Vulnerability Details
CVE-ID: CVE-2025-70830
Affected Software: Datart
Affected Versions: v1.0.0-rc.3
Vulnerability: An authenticated attacker can inject malicious Freemarker template syntax into the SQL script field of the application. Because the engine does not properly sanitize this input, it executes the injected code on the server hosting the Datart application.
Business Impact
A successful SSTI attack allows an attacker to execute arbitrary code with the permissions of the application server. With a CVSS score of 9.9, this vulnerability poses a catastrophic risk to data confidentiality and system integrity, potentially leading to a full database or server breach.
Remediation Plan
Immediate Action: Update Datart to the latest available version that includes patches for Freemarker template injection.
Proactive Monitoring: Inspect SQL script logs for unusual template syntax (e.g., ${...}) and monitor the server for unauthorized outbound network connections or shell activity.
Compensating Controls: Implement strict input validation and use a security manager to restrict the capabilities of the Freemarker template engine.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Feb 17, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
The high CVSS score and the potential for remote code execution make this a top-priority fix. Organizations using Datart must apply the necessary updates immediately to protect their data visualization environments from compromise.
Update the Freemarker Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
An issue in Datart v1
An issue in Datart v1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
A vulnerability classified as critical has been found in Shenzhen Libituo Technology LBT-T300-T310 up to 2
A vulnerability classified as critical has been found in Shenzhen Libituo Technology LBT-T300-T310 up to 2
Tenda AX-1806 v1
Tenda AX-1806 v1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Tenda AX-1806 v1
Tenda AX-1806 v1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Tenda AX-1806 v1
Tenda AX-1806 v1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Tenda AX-1806 v1
Tenda AX-1806 v1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Tenda AX-1803 v1
Tenda AX-1803 v1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Tenda AX-1806 v1
Tenda AX-1806 v1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Tenda AX1803 v1
Tenda AX1803 v1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Tenda AX1803 v1
Tenda AX1803 v1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Tenda AX-1806 v1
Tenda AX-1806 v1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Tenda AX-1806 v1
Tenda AX-1806 v1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
A stack buffer overflow vulnerability exists in the Wincor Nixdorf wnBios64
A stack buffer overflow vulnerability exists in the Wincor Nixdorf wnBios64
---METADATA---
VENDOR: Diebold Nixdorf
PRODUCT: wnBios64
AFFECTED_VERSIONS: See vendor advisory for affected versions
---END_METADATA---
Description Summary:
A stack buffer overflow vulnerability in the Diebold Nixdorf (Wincor Nixdorf) wnBios64 component could allow for arbitrary code execution at the firmware level.
Executive Summary:
Diebold Nixdorf wnBios64 contains a high-severity stack buffer overflow that could allow an attacker to execute malicious code with high privileges, potentially compromising the entire system.
Vulnerability Details
CVE-ID: CVE-2025-70616
Affected Software: Diebold Nixdorf wnBios64
Affected Versions: See vendor advisory for affected versions
Vulnerability: A stack buffer overflow exists in the wnBios64 BIOS component. This type of vulnerability typically requires local or administrative access to the operating system to trigger the overflow in the firmware interface, allowing for code execution in a highly privileged environment.
Business Impact
A successful exploit at the BIOS level is catastrophic, as it allows attackers to bypass operating system security controls and establish persistence that survives OS reinstallation. The CVSS score of 7.8 reflects the severity of this hardware-level risk, which could lead to the total compromise of ATMs or point-of-sale systems, resulting in significant financial fraud and system downtime.
Remediation Plan
Immediate Action: Deploy the latest BIOS/firmware updates provided by Diebold Nixdorf to all affected hardware assets immediately.
Proactive Monitoring: Monitor for unauthorized firmware modification attempts or unusual system behavior during the boot process.
Compensating Controls: Ensure Secure Boot is enabled and implement strict physical security and OS-level hardening to prevent unauthorized users from accessing BIOS-related utilities.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of March 7, 2026, there is no public information indicating active exploitation. Firmware vulnerabilities are difficult to patch at scale but are highly prized by sophisticated attackers for their stealth and persistence.
Analyst Recommendation
This vulnerability represents a significant threat to the underlying trust of the hardware platform. It is imperative that organizations using Diebold Nixdorf systems identify affected hardware and apply firmware patches immediately to prevent deep-level system compromise.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
OpenCode Systems OC Messaging / USSD Gateway OC Release 6
OpenCode Systems OC Messaging / USSD Gateway OC Release 6
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Boltz 2
Boltz 2
---METADATA---
VENDOR: Molecule
PRODUCT: Boltz
AFFECTED_VERSIONS: 2; See vendor advisory for affected versions
---END_METADATA---
Description Summary:
A high-severity vulnerability has been identified in Molecule Boltz 2, potentially allowing for unauthorized system access or data manipulation.
Executive Summary:
Molecule Boltz 2 is affected by a high-severity vulnerability that could lead to a complete compromise of the application environment.
Vulnerability Details
CVE-ID: CVE-2025-70560
Affected Software: Molecule Boltz
Affected Versions: 2
Vulnerability: While the technical specifics are limited in the summary, the CVSS score of 8.4 indicates a critical flaw, likely involving an unauthenticated attacker. The vulnerability exists within the core logic of the Boltz 2 application.
Business Impact
The business impact of this vulnerability is high, as reflected by its CVSS score. Potential consequences include unauthorized access to proprietary data, loss of system integrity, and significant downtime. Organizations relying on Boltz 2 for critical operations face a high risk of service disruption.
Remediation Plan
Immediate Action: Apply the security updates for Boltz 2 provided by Molecule immediately to close the security gap.
Proactive Monitoring: Enable detailed application logging and monitor for anomalous behavior, such as unexpected file modifications or unauthorized user creations.
Compensating Controls: Restrict network access to the Boltz 2 application using firewalls and ensure that the principle of least privilege is applied to all service accounts.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of February 5, 2026, there is no public information indicating active exploitation of this vulnerability. The high severity suggests a high likelihood of exploitation if the software remains unpatched.
Analyst Recommendation
Immediate remediation is required. Administrators should prioritize the deployment of the vendor's patch to Boltz 2 instances to mitigate the risk of unauthorized access and maintain the security posture of their application stack.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5
The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5
Executive Summary:
A high-severity Cross-Site Request Forgery (CSRF) vulnerability has been identified in the LatePoint plugin for WordPress. This flaw could allow an unauthenticated attacker to trick a logged-in administrator into unknowingly executing malicious actions, potentially leading to a full compromise of the affected website's settings, user data, or functionality.
Vulnerability Details
CVE-ID: CVE-2025-7052
Affected Software: WordPress Multiple Products
Affected Versions: All versions of the LatePoint plugin up to, and including, version 5.
Vulnerability: The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF). This is due to a lack of sufficient security nonces or other token-based validation on state-changing requests. An attacker can craft a malicious link, form, or script and trick an authenticated administrator into clicking it or visiting a malicious page. The administrator's browser would then automatically submit the forged request to the vulnerable website, executing actions with the administrator's privileges without their consent or knowledge.
Business Impact
This is a High severity vulnerability with a CVSS score of 8.8. Successful exploitation could have a significant negative impact on the business. An attacker could perform unauthorized actions such as modifying the plugin's configuration, deleting appointments and customer data, or potentially escalating privileges by creating a new rogue administrator account. This could lead to operational disruption, data breaches, reputational damage, and financial loss associated with remediation and customer notification.
Remediation Plan
Immediate Action: Immediately update the LatePoint WordPress plugin to the latest version provided by the vendor, which contains the necessary security patch. After updating, review all WordPress security settings to ensure they are correctly configured. If the plugin is no longer needed, it should be deactivated and uninstalled to reduce the overall attack surface.
Proactive Monitoring: Monitor web server access logs for unusual or unauthorized POST requests to the LatePoint plugin's administrative functions, especially those originating from unexpected referrers. Security teams should also set up alerts for the creation of new administrative user accounts or unexpected configuration changes within the WordPress dashboard.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block CSRF attacks. Enforce strict referrer policies and ensure administrators log out of their sessions when not in use. Restricting access to the WordPress administrative area (/wp-admin/) to trusted IP addresses can also reduce the risk of exploitation.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of September 30, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, CSRF vulnerabilities are often straightforward to exploit once the weakness is identified. Organizations should assume that threat actors may develop and deploy exploits rapidly.
Analyst Recommendation
Given the high CVSS score of 8.8, this vulnerability poses a significant risk to affected WordPress sites. We strongly recommend that all organizations using the LatePoint plugin prioritize the immediate installation of the patched version. Although this vulnerability is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its high potential for impact warrants urgent attention. Proactive patching is the most effective defense against potential exploitation.
Update WordPress plugin/theme to the latest version. Review WordPress security settings and remove if no longer needed.
On N-central, it is possible for any authenticated user to read, write and modify syslog configuration across customers on an N-central server
On N-central, it is possible for any authenticated user to read, write and modify syslog configuration across customers on an N-central server
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
The Use-your-Drive | Google Drive plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in...
The Use-your-Drive | Google Drive plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in file metadata in all versions up to, and including, 3
Executive Summary:
A high-severity vulnerability has been identified in the "Use-your-Drive | Google Drive plugin for WordPress," which could allow an attacker to inject malicious code into a website. If exploited, this could lead to the compromise of user and administrator accounts, theft of sensitive data, or a complete takeover of the affected website. Organizations using this plugin are urged to apply security updates immediately to mitigate the significant risk to their web presence and data security.
Vulnerability Details
CVE-ID: CVE-2025-7050
Affected Software: Google Multiple Products (Specifically: Use-your-Drive | Google Drive plugin for WordPress)
Affected Versions: All versions up to, and including, version 3.
Vulnerability: The vulnerability is a Stored Cross-Site Scripting (XSS) flaw. An attacker with permissions to upload or manage files in the Google Drive account connected to the WordPress plugin can craft a malicious file title containing executable JavaScript code. When the plugin renders this file's metadata on the WordPress site, it fails to properly sanitize the 'title' parameter, causing the malicious script to be stored on the server and executed in the browser of any user who views the page displaying the file. This allows for session hijacking, credential theft, website defacement, or redirecting users to malicious websites.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.2. Exploitation could have a significant business impact, including reputational damage resulting from a defaced website or compromised user data. An attacker could steal session cookies to impersonate logged-in users, including administrators, potentially leading to a full compromise of the WordPress site. This could result in the theft of sensitive business or customer information, unauthorized content changes, and the use of the compromised website to launch further attacks against its visitors.
Remediation Plan
Immediate Action: Immediately update the "Use-your-Drive | Google Drive plugin for WordPress" to a patched version (greater than 3) as recommended by the vendor. After patching, review web server and application logs for any signs of past exploitation attempts, such as suspicious script tags in requests or logs related to the plugin's file display functions.
Proactive Monitoring: Implement continuous monitoring of web application logs, specifically looking for patterns indicative of XSS attacks. This includes searching for HTML tags like <script>, <img>, or <iframe> and JavaScript event handlers like onerror or onload within data fields associated with the plugin. A properly configured Web Application Firewall (WAF) can be instrumental in detecting and blocking such malicious injection attempts in real-time.
Compensating Controls: If immediate patching is not feasible, consider implementing the following controls:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of August 5, 2025, there are no known public proof-of-concept exploits or active malicious campaigns targeting this vulnerability. However, Stored XSS vulnerabilities in popular WordPress plugins are common targets for threat actors, and exploits can be developed with relative ease. Organizations should assume that this vulnerability will be targeted in the near future.
Analyst Recommendation
Given the high severity (CVSS 7.2) and the nature of the Stored XSS vulnerability, we strongly recommend that organizations identify all WordPress instances using the "Use-your-Drive | Google Drive" plugin and prioritize applying the vendor-supplied patch immediately. Although this CVE is not currently on the CISA KEV list, its potential impact on website integrity and data confidentiality is severe. Proactive patching is the most effective defense and should be completed urgently to prevent potential exploitation.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 67
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 67
Executive Summary:
A high-severity privilege escalation vulnerability has been identified in the WPGYM - Wordpress Gym Management System plugin. This flaw could allow a low-privileged attacker, such as a subscriber, to gain unauthorized administrative access to the WordPress website. Successful exploitation would result in a complete compromise of the site, enabling the attacker to steal data, deface the site, or install malware.
Vulnerability Details
CVE-ID: CVE-2025-7049
Affected Software: WPGYM - Wordpress Gym Management System plugin for WordPress
Affected Versions: All versions up to, and including, 67
Vulnerability: The vulnerability allows for privilege escalation within the affected WordPress plugin. An authenticated attacker with low-level permissions (e.g., a subscriber account) can exploit a flaw in the plugin to elevate their privileges to that of an administrator. This typically occurs due to missing or improper authorization checks, allowing a user to access and execute administrative functions that should be restricted.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 8.8, posing a significant risk to the organization. A successful exploit would grant an attacker full administrative control over the affected website. This could lead to severe business consequences, including the theft of sensitive customer data, website defacement causing reputational damage, distribution of malware to visitors, and potential financial losses. A compromised website could also be used as a pivot point to launch further attacks against the organization's internal network.
Remediation Plan
Immediate Action: Immediately update the WPGYM - Wordpress Gym Management System plugin to the latest version (greater than version 67). After patching, review all user accounts, especially those with administrative privileges, to ensure no unauthorized accounts have been created. If the plugin is no longer required for business operations, it should be deactivated and completely removed from the WordPress installation.
Proactive Monitoring: Monitor WordPress audit logs for any unexpected changes in user roles, particularly any escalation to an administrator role. Scrutinize logs for unusual activity from low-privileged accounts attempting to access administrative functions. System administrators should also monitor for the creation of suspicious files on the web server or unauthorized modifications to core WordPress files.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to block privilege escalation attempts. Restrict access to the WordPress administrative dashboard (/wp-admin/) to trusted IP addresses only. Enforce the principle of least privilege for all user accounts and conduct regular security reviews of all installed plugins and themes.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of September 10, 2025, there is no known public proof-of-concept exploit code or evidence of this vulnerability being actively exploited in the wild. However, vulnerabilities of this nature in popular WordPress plugins are often quickly weaponized by threat actors once details become public. The high CVSS score indicates that the vulnerability is relatively easy to exploit.
Analyst Recommendation
Given the high severity (CVSS 8.8) of this vulnerability, we strongly recommend that all instances of the WPGYM plugin be patched immediately. The potential for a complete website compromise presents a critical risk that must be addressed with urgency. Although this CVE is not currently on the CISA KEV list, its impact warrants immediate attention. After remediation, a thorough security audit should be performed to search for any indicators of compromise, such as newly created admin accounts or suspicious files.
Update Wordpress plugin/theme to the latest version. Review WordPress security settings and remove if no longer needed.
An Improper Input Validation vulnerability exists in the user websocket handler of MAAS
An Improper Input Validation vulnerability exists in the user websocket handler of MAAS
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
A SQL injection vulnerability exists in Genesys Latitude v25
A SQL injection vulnerability exists in Genesys Latitude v25
Apply vendor patches immediately. Review database access controls and enable query logging.
Use After Free vulnerability exists in the IPT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025
Use After Free vulnerability exists in the IPT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
The Cloud SAML SSO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'set_organization_...
The Cloud SAML SSO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'set_organization_settings' action of the csso_handle_actions() function in all versions up to, and including, 1
Executive Summary:
A high-severity vulnerability has been identified in the Cloud SAML SSO plugin for WordPress, which could allow an unauthorized user to modify critical organization settings. This flaw exists because the plugin fails to properly check user permissions before allowing changes, creating a risk of security misconfiguration, authentication bypass, or data manipulation. Organizations using this plugin should apply the recommended update immediately to prevent potential exploitation.
Vulnerability Details
CVE-ID: CVE-2025-7040
Affected Software: WordPress Cloud SAML SSO plugin
Affected Versions: All versions up to, and including, 1.
Vulnerability: The vulnerability is a missing capability check within the csso_handle_actions() function of the plugin. Specifically, when the function is called with the set_organization_settings action, it does not verify if the user initiating the request has the appropriate administrative privileges. A low-privileged authenticated attacker, such as a subscriber, can craft a malicious request to this function to modify the plugin's organizational settings, potentially altering SAML SSO configurations without authorization.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 8.2. Successful exploitation could lead to significant business disruption and security compromise. An attacker could modify Single Sign-On (SSO) settings to lock out legitimate administrators, redirect users to malicious identity providers to steal credentials, or disable security features, thereby weakening the overall security posture of the WordPress site. This poses a direct risk to the confidentiality, integrity, and availability of the application and its associated user data.
Remediation Plan
Immediate Action: Immediately update the Cloud SAML SSO plugin to the latest available version, which will be a version greater than 1. If the plugin is not essential for business operations, consider deactivating and removing it to eliminate the attack surface entirely.
Proactive Monitoring: Monitor web server access logs for POST requests targeting the WordPress AJAX handler (/wp-admin/admin-ajax.php) that contain the action=set_organization_settings parameter. Scrutinize any such requests originating from IP addresses or user accounts that do not have administrative privileges. A sudden change in the plugin's configuration files should also trigger an alert.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to block or flag requests containing the set_organization_settings action from non-administrative users. Additionally, enforce the principle of least privilege for all WordPress user accounts, ensuring users only have the permissions necessary for their roles.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of September 7, 2025, there are no known public proof-of-concept exploits or active exploitation campaigns targeting this vulnerability. However, given the ease of exploitation for authenticated users and the high-impact nature of the flaw, it is highly probable that threat actors will develop exploits in the near future.
Analyst Recommendation
Given the high CVSS score of 8.2, organizations are strongly advised to treat this vulnerability with high priority. The potential for an authenticated, low-privileged user to escalate privileges or compromise the site's authentication mechanism presents a significant risk. Although this CVE is not currently listed on the CISA KEV catalog, immediate patching is the most effective mitigation. All instances of the Cloud SAML SSO plugin should be identified and updated without delay.
Update WordPress plugin/theme to the latest version. Review WordPress security settings and remove if no longer needed.
jizhicms 2
jizhicms 2
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route...
The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint in all versions up to, and including, 5
Executive Summary:
A high-severity authentication bypass vulnerability has been identified in the LatePoint plugin for WordPress. This flaw allows an unauthenticated attacker to bypass security checks and gain unauthorized access to functions within the plugin, potentially leading to data exposure, modification of appointments, and further compromise of the affected website. Immediate patching is required to mitigate the significant risk to data confidentiality and integrity.
Vulnerability Details
CVE-ID: CVE-2025-7038
Affected Software: LatePoint plugin for WordPress
Affected Versions: All versions up to, and including, 5
Vulnerability: The vulnerability exists due to insufficient identity verification in the latepoint_route_call AJAX action, specifically when handling the steps__load_step route. An unauthenticated attacker can send a specially crafted request to this endpoint. Because the endpoint fails to properly validate the user's session or privileges, the attacker can bypass authentication controls and execute functions that should be restricted to authenticated, privileged users.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 8.2. Successful exploitation could lead to significant business disruption and data compromise. An attacker could potentially access and exfiltrate sensitive customer information and personally identifiable information (PII) stored by the booking plugin, modify or delete existing appointments, or create fraudulent ones. This poses a direct threat to data confidentiality and integrity, potentially resulting in reputational damage, customer distrust, and regulatory fines.
Remediation Plan
Immediate Action: Immediately update the LatePoint plugin to the latest version available (a version greater than 5) which contains the security patch for this vulnerability. After updating, review the WordPress site's security settings and user accounts for any signs of compromise. If the plugin is no longer required for business operations, it should be deactivated and removed completely.
Proactive Monitoring: Monitor web server and WAF (Web Application Firewall) logs for suspicious POST requests to the /wp-admin/admin-ajax.php endpoint. Specifically, look for requests containing action=latepoint_route_call and route_name=steps__load_step originating from untrusted or unusual IP addresses. Monitor for unauthorized changes to appointments or user data within the LatePoint system.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to block or flag requests to the vulnerable AJAX endpoint. Restrict access to the WordPress admin area (/wp-admin/) to trusted IP addresses only. Ensure the principle of least privilege is applied to all user accounts.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of September 30, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, authentication bypass vulnerabilities in popular WordPress plugins are highly sought after by threat actors, and it is likely that a proof-of-concept exploit will be developed and published. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
Analyst Recommendation
Given the high severity (CVSS 8.2) and the critical nature of an authentication bypass, it is strongly recommended that organizations prioritize the immediate update of the LatePoint plugin on all WordPress instances. Although there is no evidence of active exploitation at this time, the risk of compromise is significant. Proactive patching is the most effective defense to prevent potential unauthorized access and protect sensitive customer data.
Update WordPress plugin/theme to the latest version. Review WordPress security settings and remove if no longer needed.
The CleverReach® WP plugin for WordPress is vulnerable to time-based SQL Injection via the ‘title’ parameter in all versions up to, and including, 1
The CleverReach® WP plugin for WordPress is vulnerable to time-based SQL Injection via the ‘title’ parameter in all versions up to, and including, 1
Executive Summary:
A high-severity vulnerability has been identified in the CleverReach® WP WordPress plugin, which could allow an unauthenticated attacker to steal sensitive information from the website's database. This flaw, a time-based SQL Injection, can be exploited remotely to extract data such as user credentials, personal information, and confidential site content. Organizations using this plugin are at significant risk of a data breach and should take immediate action to mitigate the threat.
Vulnerability Details
CVE-ID: CVE-2025-7036
Affected Software: CleverReach® WP plugin for WordPress
Affected Versions: All versions up to, and including, 1
Vulnerability: The vulnerability is a time-based blind SQL Injection. An unauthenticated attacker can send specially crafted SQL queries through the 'title' parameter of the plugin. By injecting commands that cause a time delay in the database response (e.g., SLEEP()), the attacker can infer the contents of the database one character at a time based on how long the server takes to respond. This allows for the gradual exfiltration of sensitive data without directly seeing the query output.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to a complete compromise of the confidentiality of the website's database. The potential business impact includes the theft of sensitive customer data, user credentials, and proprietary business information, leading to significant reputational damage, financial loss, and potential regulatory penalties (e.g., under GDPR or CCPA). Furthermore, stolen administrator credentials could be used to gain full control over the affected WordPress site, enabling further malicious activities.
Remediation Plan
Immediate Action: The primary remediation is to update the CleverReach® WP plugin to the latest patched version (greater than version 1) as recommended by the vendor. If the plugin is not essential for business operations, the most secure course of action is to deactivate and completely remove it to eliminate the attack surface.
Proactive Monitoring: Monitor web server access logs for unusual or lengthy requests targeting the plugin's functionality, specifically looking for malicious payloads in the 'title' parameter. Implement and review Web Application Firewall (WAF) logs for alerts related to SQL Injection attempts. Database monitoring should be configured to flag abnormally long-running queries or those containing SLEEP or BENCHMARK commands.
Compensating Controls: If patching cannot be performed immediately, deploy a properly configured Web Application Firewall (WAF) with rules designed to detect and block SQL Injection attacks. This can serve as a virtual patch by inspecting incoming traffic and blocking malicious requests before they reach the vulnerable plugin. Additionally, ensure the database user associated with WordPress has the least privileges necessary, which can limit the scope of data an attacker can access if the exploit is successful.
Exploitation Status
Public Exploit Available: False
Analyst Notes: As of August 6, 2025, there are no known public exploits for this vulnerability. However, the CISA KEV status is "No", meaning it is not currently known to be actively exploited in the wild. Given the popularity of WordPress and the relative simplicity of exploiting SQL injection flaws, it is highly probable that threat actors will develop exploits and begin scanning for vulnerable systems in the near future.
Analyst Recommendation
Given the High severity rating (CVSS 7.5) and the risk of a complete database compromise, we strongly recommend that organizations immediately identify all WordPress instances running the vulnerable CleverReach® WP plugin. The plugin must be updated to the latest secure version without delay. If the plugin is no longer required, it should be removed entirely. The lack of a "Yes" on the CISA KEV list should not be a reason for inaction; proactive patching is critical to prevent exploitation by opportunistic attackers who actively target WordPress vulnerabilities.
Update WordPress plugin/theme to the latest version. Review WordPress security settings and remove if no longer needed.
Insecure permissions in App-Auto-Patch v3
Insecure permissions in App-Auto-Patch v3
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
TOTOLink X5000R v9
TOTOLink X5000R v9
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
webfsd 1.21 is vulnerable to a buffer overflow through the 'filename' variable in crafted requests, potentially allowing remote attackers to execute a...
webfsd 1.21 is vulnerable to a buffer overflow through the 'filename' variable in crafted requests, potentially allowing remote attackers to execute arbitrary code.
---METADATA---
VENDOR: webfsd
PRODUCT: webfsd
AFFECTED_VERSIONS: 1.21
---END_METADATA---
Description Summary:
webfsd 1.21 is vulnerable to a buffer overflow through the 'filename' variable in crafted requests, potentially allowing remote attackers to execute arbitrary code.
Executive Summary:
A critical buffer overflow in webfsd 1.21 allows remote attackers to execute arbitrary code and compromise the host system via specially crafted requests.
Vulnerability Details
CVE-ID: CVE-2025-70314
Affected Software: webfsd
Affected Versions: 1.21
Vulnerability: The vulnerability is caused by insufficient bounds checking on the filename variable within the webfsd service. By sending a crafted request with an excessively long filename, a remote attacker can trigger a buffer overflow, overwriting memory and hijacking the execution flow of the application.
Business Impact
A successful exploit of this buffer overflow allows for remote code execution (RCE) on the server hosting webfsd. Given its CVSS score of 9.8, this represents a critical threat to the availability and security of the server, as an attacker could gain full control, disrupt services, or use the system to launch further attacks.
Remediation Plan
Immediate Action: Update webfsd to the latest version immediately. Consult the vendor's security advisory for specific patch details and installation instructions.
Proactive Monitoring: Monitor for unusual service crashes or restarts of the webfsd process, as these can be indicators of failed or successful buffer overflow exploitation attempts.
Compensating Controls: Deploy memory protection mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), and use a firewall to limit access to the webfsd service to trusted IP addresses only.
Exploitation Status
Public Exploit Available: No
Analyst Notes: As of Feb 12, 2026, there is no public information indicating active exploitation of this vulnerability. However, buffer overflows in file-handling variables are classic targets for automated exploitation scripts.
Analyst Recommendation
The ability to achieve RCE through a simple crafted request makes this a high-priority vulnerability. It is strongly recommended to apply the vendor's patch immediately or transition to a more secure file-serving alternative if updates are not available.
Update webfsd Multiple Products to the latest version. Check vendor security advisory for specific patch details. Monitor for exploitation attempts and review access logs.
An out-of-bounds read in the GSF demuxer filter component of GPAC v2
An out-of-bounds read in the GSF demuxer filter component of GPAC v2
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
A stack overflow in the dump_ttxt_sample function of GPAC v2
A stack overflow in the dump_ttxt_sample function of GPAC v2
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: UTT
PRODUCT: HiPER 810 / nv810v4 router firmware
AFFECTED_VERSIONS: v1.5.0-140603
---END_METADATA---
Description Summary:
Insecure default credentials in the Telnet service of UTT HiPER routers allow remote attackers to gain root access via automated scripts.
Executive Summary:
The use of default credentials in UTT HiPER 810 and nv810v4 routers exposes the devices to full remote takeover by unauthenticated attackers.
Vulnerability Details
CVE-ID: CVE-2025-70998
Affected Software: UTT HiPER 810 / nv810v4 router firmware
Affected Versions: v1.5.0-140603
Vulnerability: The firmware contains hardcoded or insecure default credentials for the Telnet management service. An unauthenticated remote attacker can exploit this by using a crafted script to log in and gain root-level privileges.
Business Impact
Unauthorized root access to a core networking device allows attackers to intercept traffic, redirect data, or use the router as a foothold for lateral movement within the corporate network. The CVSS score of 9.8 reflects the ease of exploitation and the critical impact on network infrastructure security.
Remediation Plan
Immediate Action: Update the router firmware to the latest version and immediately change all default administrative passwords to strong, unique credentials.
Proactive Monitoring: Review Telnet access logs for successful logins from unrecognized IP addresses and monitor for unusual configuration changes on the router.
Compensating Controls: Disable Telnet entirely in favor of SSH and implement access control lists (ACLs) to restrict management interface access to trusted internal IP addresses only.
Exploitation Status
Public Exploit Available: No
Analyst Notes: As of Feb 18, 2026, there is no public information indicating active exploitation of this vulnerability. However, default credential vulnerabilities are frequently targeted by botnets and automated scanning tools.
Analyst Recommendation
Default credentials are a primary target for automated attacks. Administrators must treat this as a high-priority item, ensuring that firmware is updated and that management services are secured behind strong authentication and network-level restrictions.