KAYSUS KS-WR3600 routers with firmware 1
Description
KAYSUS KS-WR3600 routers with firmware 1
Remediation
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Search and filter 17282 vulnerabilities with AI analyst insights
KAYSUS KS-WR3600 routers with firmware 1
KAYSUS KS-WR3600 routers with firmware 1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
A vulnerability classified as critical has been found in SourceCodester Simple Company Website 1
A vulnerability classified as critical has been found in SourceCodester Simple Company Website 1
n8n is an open source workflow automation platform
n8n is an open source workflow automation platform
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
In Apache Airflow versions before 3
In Apache Airflow versions before 3
Executive Summary:
A high-severity vulnerability has been identified in Apache Airflow, a widely used workflow management platform. This flaw, tracked as CVE-2025-68675, could allow an attacker to compromise the system, potentially leading to unauthorized code execution, data theft, or disruption of critical automated business processes. Organizations are urged to apply the recommended security updates immediately to mitigate the risk of exploitation.
Vulnerability Details
CVE-ID: CVE-2025-68675
Affected Software: Apache Airflow
Affected Versions: All versions of Apache Airflow prior to version 3.0.0
Vulnerability: The vulnerability exists due to improper input validation within the web-based user interface. An authenticated attacker with low-level permissions can craft a malicious request to a specific API endpoint, bypassing security checks. Successful exploitation allows the attacker to execute arbitrary commands on the underlying Airflow worker nodes with the privileges of the Airflow service account.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could have significant business consequences, including the compromise of sensitive data processed by Airflow DAGs, such as credentials, PII, and proprietary business information. An attacker could disrupt or manipulate critical business workflows, leading to operational downtime and financial loss. Furthermore, a compromised Airflow instance could serve as a pivot point for an attacker to move laterally across the internal network, escalating the overall security risk to the organization.
Remediation Plan
Immediate Action: The primary remediation step is to upgrade all affected Apache Airflow instances to version 3.0.0 or a later patched version as soon as possible. After applying the update, security teams should actively monitor for any signs of exploitation attempts that may have occurred prior to patching and thoroughly review application and system access logs for suspicious activity.
Proactive Monitoring: Implement enhanced monitoring on Airflow components. Look for unusual or malformed requests to the Airflow web server and API in access logs, unexpected processes or shell commands being executed on worker nodes, and anomalous outbound network connections originating from the Airflow environment. Correlate these logs with user authentication events to identify unauthorized actions.
Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of January 18, 2026, there are no known public proof-of-concept exploits or active exploitation campaigns targeting this vulnerability. However, due to the nature of the flaw, security researchers and threat actors are likely to develop exploits. Organizations should assume that exploitation is imminent.
Analyst Recommendation
Given the High severity rating (CVSS 7.5) and the critical function of Apache Airflow in automating business processes, we strongly recommend that organizations prioritize the immediate patching of this vulnerability. While this CVE is not currently listed on the CISA KEV list, its potential for significant impact makes it a prime target for future exploitation. All vulnerable instances should be upgraded without delay, and the recommended monitoring and compensating controls should be implemented to provide layered defense.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
xrdp is an open source RDP server. xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from imp...
xrdp is an open source RDP server. xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system. The vulnerability allows an attacker to overwrite the stack buffer and the return address, which could theoretically be used to redirect the execution flow. The impact of this vulnerability is lessened if a compiler flag has been used to build the xrdp executable with stack canary protection. If this is the case, a second vulnerability would need to be used to leak the stack canary value. Upgrade to version 0.10.5 to receive a patch. Additionally, do not rely on stack canary protection on production systems.
Executive Summary:
A critical, unauthenticated vulnerability exists in versions of xrdp, an open-source Remote Desktop Protocol (RDP) server, prior to v0.10.5. This flaw allows a remote attacker to execute arbitrary code on a vulnerable system without needing any credentials, potentially leading to a complete system compromise. Organizations using affected versions of xrdp are at high risk and should apply the available patch immediately.
Vulnerability Details
CVE-ID: CVE-2025-68670
Affected Software: xrdp is an open source RDP Multiple Products
Affected Versions: All versions of xrdp before v0.10.5
Vulnerability: The vulnerability is an unauthenticated stack-based buffer overflow that occurs during the initial connection sequence. When a user attempts to connect, the xrdp server processes user-provided information, including a domain name. The software fails to properly validate the length of the domain name string before copying it to a fixed-size buffer on the stack. An unauthenticated remote attacker can exploit this by sending a specially crafted connection request with an overly long domain name, causing the buffer to overflow and overwrite adjacent memory on the stack, including the function's return address. This allows the attacker to redirect the program's execution flow to malicious code, resulting in arbitrary code execution with the privileges of the xrdp service.
Business Impact
With a critical CVSS score of 9.1, this vulnerability poses a severe threat to the business. Successful exploitation could lead to a complete compromise of the affected server, granting an attacker full control. This could result in the theft of sensitive data, deployment of ransomware, disruption of critical services, or the use of the compromised system as a pivot point to attack other internal network resources. The unauthenticated nature of the vulnerability means that any system running a vulnerable version of xrdp exposed to the internet is a prime target for attack, significantly increasing the risk of a security breach.
Remediation Plan
Immediate Action: Immediately upgrade all instances of xrdp to version 0.10.5 or later, which contains the patch for this vulnerability. Prioritize patching for systems exposed to the internet. After patching, monitor xrdp logs for any signs of failed or successful exploitation attempts that may have occurred before the update.
Proactive Monitoring: Implement enhanced monitoring on systems running xrdp. Scrutinize xrdp access logs for connection attempts with unusually long or malformed domain names. Monitor network traffic on the RDP port (typically TCP/3389) for anomalous patterns or spikes in connection attempts from unknown sources. Utilize endpoint detection and response (EDR) tools to detect suspicious process behavior originating from the xrdp service.
Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce the attack surface:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of the publication date of Jan 27, 2026, there are no known public proof-of-concept exploits or reports of this vulnerability being actively exploited in the wild. However, the technical details provided are sufficient for skilled attackers to develop an exploit. The description notes that stack canary protection, if enabled during compilation, can mitigate this vulnerability by causing the application to crash upon detecting the overflow, thus preventing code execution. However, this should not be relied upon as a primary defense, as canaries can potentially be bypassed by other means.
Analyst Recommendation
Given the critical severity (CVSS 9.1) and the fact that this vulnerability can be exploited remotely without authentication, we strongly recommend that organizations treat this as a high-priority issue. All vulnerable xrdp instances should be patched to version 0.10.5 or later on an emergency basis. While this CVE is not currently on the CISA KEV list, its characteristics make it a likely target for future exploitation. If patching cannot be performed immediately, apply the recommended compensating controls, such as restricting access via firewall rules, to mitigate the immediate risk.
Update xrdp is an open source RDP Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. In versions 0.15.2 and prior, an RCE vulnerabili...
5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. In versions 0.15.2 and prior, an RCE vulnerability exists in useMarkdown.ts, where the markdown-it-mermaid plugin is initialized with securityLevel: 'loose'. This configuration explicitly permits the rendering of HTML tags within Mermaid diagram nodes. This issue has not been patched at time of publication.
---METADATA---
VENDOR: 5ire
PRODUCT: 5ire
AFFECTED_VERSIONS: 0.15.2 and prior
CONFIDENCE: high
MISSING: patch, exploit_status
---END_METADATA---
Description Summary:
The 5ire AI assistant is vulnerable to Remote Code Execution (RCE) because the markdown-it-mermaid plugin is configured with an insecure 'loose' security level, allowing HTML tag rendering.
Executive Summary:
A critical Remote Code Execution vulnerability in 5ire allows attackers to execute arbitrary code by exploiting improper security configurations in the markdown-it-mermaid plugin.
Vulnerability Details
CVE-ID: CVE-2025-68669
Affected Software: 5ire
Affected Versions: 0.15.2 and prior
Vulnerability: The vulnerability exists within the useMarkdown.ts file, where the markdown-it-mermaid plugin is initialized with a 'loose' security level. This configuration fails to sanitize input, permitting the rendering of malicious HTML tags within Mermaid diagram nodes, ultimately leading to RCE.
Business Impact
The CVSS score of 9.6 highlights the extreme danger of this vulnerability, which allows an attacker to execute arbitrary code on the host machine. This can lead to total system compromise, theft of sensitive AI model data, and unauthorized access to the user's local environment.
Remediation Plan
Immediate Action: As no patch is currently available, restrict the use of 5ire in sensitive environments and avoid processing untrusted Markdown files.
Proactive Monitoring: Monitor system logs for unexpected process execution or anomalous network activity originating from the 5ire application.
Compensating Controls: Utilize endpoint detection and response (EDR) solutions to flag and block suspicious child processes spawned by the 5ire application.
Exploitation Status
Public Exploit Available: Unknown
Analyst Notes: As of Dec 23, 2025, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
This is an unpatched critical vulnerability. Organizations should treat this as a high-priority risk and restrict the application's access to internal networks or sensitive data until a security update is released by the vendor.
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
n8n is an open source workflow automation platform. From version 1.0.0 to before 2.0.0, a sandbox bypass vulnerability exists in the Python Code Node...
n8n is an open source workflow automation platform. From version 1.0.0 to before 2.0.0, a sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process. This issue has been patched in version 2.0.0. Workarounds for this issue involve disabling the Code Node by setting the environment variable NODES_EXCLUDE: "[\"n8n-nodes-base.code\"]", disabling Python support in the Code node by setting the environment variable N8N_PYTHON_ENABLED=false, which was introduced in n8n version 1.104.0, and configuring n8n to use the task runner based Python sandbox via the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables.
Executive Summary:
A critical vulnerability exists in the n8n workflow automation platform that allows an authenticated user to bypass a security sandbox and execute arbitrary commands on the server. Successful exploitation could lead to a complete compromise of the underlying system, allowing an attacker to steal sensitive data, disrupt operations, and pivot to other internal network resources. This vulnerability affects versions 1.0.0 up to, but not including, 2.0.0 and requires immediate attention.
Vulnerability Details
CVE-ID: CVE-2025-68668
Affected Software: n8n
Affected Versions: 1.0.0 to before 2.0.0
Vulnerability: The vulnerability is a sandbox bypass within the Python Code Node component, which utilizes Pyodide. An attacker with permissions to create or edit n8n workflows can craft a malicious Python script within the Code Node. This script can escape the intended Pyodide sandbox environment, granting the attacker the ability to execute arbitrary commands directly on the host operating system with the same privileges as the running n8n service account.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.9, reflecting the high potential for significant damage. Exploitation could lead to a complete compromise of the n8n host server. Potential consequences include the theft of sensitive data processed by workflows (such as API keys, credentials, and customer information), installation of ransomware or other malware, complete disruption of automated business processes, and the use of the compromised server as a launchpad for further attacks against the internal network.
Remediation Plan
Immediate Action: The primary remediation is to upgrade the n8n instance to the patched version 2.0.0 or later. After upgrading, security teams should monitor for any signs of post-exploitation activity and review historical access and execution logs for any suspicious workflow modifications or executions involving the Python Code Node.
Proactive Monitoring: Monitor the n8n host for suspicious child processes being spawned by the n8n parent process. Review n8n audit logs for unauthorized or unexpected modifications to workflows, particularly those containing a Code Node. Network monitoring should be configured to detect unusual outbound connections from the n8n server, which could indicate a successful compromise.
Compensating Controls: If immediate patching is not feasible, apply one of the following workarounds:
NODES_EXCLUDE: "[\"n8n-nodes-base.code\"]"N8N_PYTHON_ENABLED=falseN8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables.Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Dec 26, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, due to the detailed nature of the vulnerability disclosure, proof-of-concept exploits could be developed by threat actors with relative ease.
Analyst Recommendation
Given the critical severity (CVSS 9.9) of this vulnerability and its potential for complete system takeover, it is imperative that organizations take immediate action. The primary recommendation is to upgrade all vulnerable n8n instances to version 2.0.0 or newer without delay. If patching cannot be performed immediately, one of the specified compensating controls must be implemented as a temporary measure. Although this vulnerability is not currently listed on the CISA KEV list, its high impact and the low complexity for an authenticated attacker make it a high-priority issue that should be addressed urgently.
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
LangChain is a framework for building LLM-powered applications
LangChain is a framework for building LLM-powered applications
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability...
LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.
Executive Summary:
A critical serialization injection vulnerability has been identified in the LangChain framework, which could allow an unauthenticated attacker to execute arbitrary code on the server. The vulnerability stems from improper handling of user-supplied data during serialization, where a specially crafted input can be misinterpreted as a trusted internal object. Successful exploitation could lead to a complete compromise of the affected application and its underlying system.
Vulnerability Details
CVE-ID: CVE-2025-68664
Affected Software: LangChain is a framework for building agents and Multiple Products
Affected Versions: All versions prior to 0.3.81 and 1.2.5
Vulnerability: A serialization injection vulnerability exists within the dumps() and dumpd() functions of the LangChain framework. These functions are responsible for serializing Python objects. The vulnerability occurs because the functions do not properly sanitize or escape user-provided dictionaries that contain a special key, 'lc'. LangChain uses this key internally to identify its own serialized objects. An attacker can craft a malicious dictionary containing the 'lc' key, and when this dictionary is processed by the vulnerable functions, it is treated as a trusted LangChain object upon deserialization. This allows the attacker to control the object instantiation process, potentially leading to arbitrary code execution on the system running the LangChain application.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.3. Successful exploitation could grant an attacker full control over the application server, leading to severe business consequences. Potential impacts include theft of sensitive data processed by the LLM application, complete service disruption, deployment of ransomware, or using the compromised system as a pivot point for further attacks into the corporate network. The direct financial and reputational damage from such an incident could be substantial.
Remediation Plan
Immediate Action: Immediately upgrade all instances of LangChain to the patched versions 0.3.81, 1.2.5, or newer. Prioritize patching for all internet-facing systems. After patching, it is crucial to monitor for any signs of exploitation attempts and review historical access and application logs for suspicious activity.
Proactive Monitoring: Implement monitoring to detect and alert on exploitation attempts. Security teams should look for log entries where user-supplied data passed to dumps() or dumpd() functions contains the dictionary key 'lc'. Monitor application servers for anomalous behavior, such as unexpected child processes being spawned by the application, unusual network connections, or modifications to the file system.
Compensating Controls: If immediate patching is not feasible, implement strict input validation to inspect and block any user-supplied dictionary objects containing the 'lc' key before they are passed to the LangChain framework. A Web Application Firewall (WAF) can also be configured with custom rules to detect and block HTTP requests containing payloads with the malicious {'lc': ...} structure.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of the publication date, December 23, 2025, there are no known public proof-of-concept exploits or active exploitation campaigns targeting this vulnerability. However, due to the critical nature of serialization vulnerabilities, it is highly probable that exploits will be developed. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
Analyst Recommendation
Given the critical CVSS score of 9.3 and the high risk of remote code execution, immediate action is required. All organizations using the affected LangChain versions must prioritize the deployment of the security patches (versions 0.3.81 and 1.2.5 or later). Due to the ease with which serialization vulnerabilities can be weaponized, organizations should assume that an exploit will become publicly available and treat this as an urgent threat to their application security posture.
Update LangChain is a framework for building agents and Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Discourse is an open source discussion platform
Discourse is an open source discussion platform
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10
A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10
Executive Summary:
A high-severity Local File Inclusion (LFI) vulnerability has been identified in the Webmail Classic UI of Zimbra Collaboration Suite (ZCS) 10. This flaw allows a remote, unauthenticated attacker to read sensitive files from the underlying server, potentially leading to the exposure of credentials, configuration data, and private user information. Immediate patching is required to prevent potential data breaches and further system compromise.
Vulnerability Details
CVE-ID: CVE-2025-68645
Affected Software: Local Multiple Products
Affected Versions: Zimbra Collaboration (ZCS) version 10. See vendor advisory for specific affected versions.
Vulnerability: This vulnerability is a Local File Inclusion (LFI) within the Webmail Classic UI component of Zimbra Collaboration Suite. It stems from the application's failure to properly sanitize user-supplied input used in file path operations. A remote, unauthenticated attacker can exploit this by crafting a malicious HTTP request containing path traversal sequences (e.g., ../../..). By manipulating the input, the attacker can navigate outside of the intended web root directory and access arbitrary files on the server's file system, limited only by the permissions of the web server's user account.
Business Impact
This is a High severity vulnerability with a CVSS score of 8.8, posing a significant risk to the confidentiality and integrity of organizational data. Successful exploitation could lead to a severe data breach, exposing sensitive emails, user credentials, and proprietary company information stored on the server. An attacker could also retrieve system configuration files, API keys, and database credentials, which could be leveraged to pivot deeper into the corporate network, leading to a wider compromise. The potential consequences include regulatory fines, reputational damage, and significant operational disruption.
Remediation Plan
Immediate Action: Apply the security updates provided by the vendor to all affected Zimbra Collaboration Suite instances immediately. Prioritize patching for internet-facing servers. After patching, it is crucial to monitor for any signs of exploitation attempts by reviewing web server and application access logs for suspicious requests made prior to the patch deployment.
Proactive Monitoring: Security teams should actively monitor web server access logs for requests targeting the Webmail Classic UI that contain path traversal patterns such as ../, ..%2f, %2e%2e/, and other variants. Implement alerts for unusual file access patterns on the Zimbra server, particularly attempts to access sensitive system files like /etc/passwd, configuration files, or private keys by the web server process.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and path traversal attacks. Additionally, consider restricting access to the Zimbra web interface to only trusted IP address ranges. Ensure the web server process is running with the lowest possible privileges to limit the scope of files an attacker can access.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of December 23, 2025, there is no known public proof-of-concept (PoC) exploit for this vulnerability. However, LFI vulnerabilities are well-understood and relatively straightforward to exploit. Given that Zimbra is a high-value target for threat actors, it is highly probable that exploits will be developed and used in the wild shortly after the patch is reverse-engineered. Organizations should operate under the assumption that exploitation is imminent.
Analyst Recommendation
Immediate and decisive action is required to address this critical vulnerability. Given the high CVSS score of 8.8 and the risk of unauthenticated remote data exposure, all organizations using the affected version of Zimbra Collaboration Suite must prioritize the deployment of the vendor-supplied security updates. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity makes it a prime candidate for future inclusion. If patching cannot be performed immediately, the compensating controls outlined above must be implemented as a temporary measure while preparing for an expedited patch cycle.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Deadline: February 11, 2026
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Yealink RPS before 2025-06-27 allows unauthorized access to information, including AutoP URL addresses
Yealink RPS before 2025-06-27 allows unauthorized access to information, including AutoP URL addresses
Executive Summary:
A high-severity vulnerability has been identified in multiple RPS products, allowing unauthorized attackers to access sensitive information. Successful exploitation could expose critical configuration data, such as AutoP URLs, potentially enabling attackers to intercept communications or compromise VoIP devices.
Vulnerability Details
CVE-ID: CVE-2025-68644
Affected Software: RPS Multiple Products
Affected Versions: All versions prior to the security update released on 2025-06-27.
Vulnerability: The vulnerability is an information disclosure flaw resulting from improper access control. An unauthenticated remote attacker can send a specially crafted request to the affected RPS service to retrieve sensitive configuration details. This includes AutoP (Automatic Provisioning) URLs, which are used to configure VoIP devices automatically, potentially exposing provisioning server credentials, network topology, and other confidential data.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.4. The exposure of AutoP URLs and other provisioning data presents a significant security risk. An attacker could use this information to conduct man-in-the-middle (MitM) attacks, redirecting devices to a malicious provisioning server to install malware, eavesdrop on calls, or gain a foothold within the corporate network. This compromises the confidentiality and integrity of the organization's communication infrastructure and could lead to data breaches or service disruption.
Remediation Plan
Immediate Action: Organizations must apply the vendor-supplied security updates to all affected RPS products immediately to patch the vulnerability. Following the update, system administrators should review access logs for any signs of unauthorized access or suspicious queries to the RPS service that may have occurred prior to patching.
Proactive Monitoring: Implement continuous monitoring of network traffic to and from the RPS service. Specifically, look for anomalous requests from unknown or untrusted IP addresses. Configure alerts for multiple failed login attempts or unusual patterns of data access that could indicate an exploitation attempt.
Compensating Controls: If immediate patching is not feasible, restrict network access to the RPS management interface. Use a firewall to limit access to only trusted IP addresses or specific administrative subnets. Implement network segmentation to isolate VoIP devices from other critical network assets, limiting the potential impact of a compromised device.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of December 22, 2025, there are no known public proof-of-concept exploits or active exploitation campaigns targeting this vulnerability. However, due to the nature of the vulnerability, security researchers and threat actors may develop exploits quickly.
Analyst Recommendation
Given the high-severity rating (CVSS 7.4) and the risk of compromise to critical communication infrastructure, we strongly recommend that organizations prioritize the deployment of the vendor's security patch immediately. Although this vulnerability is not currently listed on the CISA KEV catalog, its potential impact warrants urgent attention. Proactive application of the patch is the most effective measure to prevent future exploitation and protect sensitive corporate data.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
The Uniffle HTTP client is configured to trust all SSL certificates and disables hostname verification by default. This insecure configuration expose...
The Uniffle HTTP client is configured to trust all SSL certificates and disables hostname verification by default. This insecure configuration exposes all REST API communication between the Uniffle CLI/client and the Uniffle Coordinator service to potential Man-in-the-Middle (MITM) attacks. This issue affects all versions from before 0.10.0. Users are recommended to upgrade to version 0.10.0, which fixes the issue.
Executive Summary:
A critical vulnerability exists in the Uniffle HTTP client, impacting all versions prior to 0.10.0. The client is insecurely configured by default to trust all SSL certificates and disable hostname verification, which allows a network-based attacker to intercept, read, and modify all communication between Uniffle clients and the Coordinator service, potentially leading to data theft and system compromise.
Vulnerability Details
CVE-ID: CVE-2025-68637
Affected Software: Uniffle HTTP Client (used in Multiple Products)
Affected Versions: All versions before 0.10.0
Vulnerability: The Uniffle HTTP client implements an insecure default TLS configuration. It is programmed to accept any SSL certificate presented by a server without proper validation and fails to verify that the certificate's hostname matches the server it is connecting to. An attacker with a privileged position on the network (e.g., on the same local network or a compromised network device) can exploit this by performing a Man-in-the-Middle (MITM) attack. The attacker can intercept the connection and present a self-signed or otherwise invalid certificate, which the client will trust, allowing the attacker to decrypt, monitor, and manipulate all REST API traffic in transit.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.1. Successful exploitation could have a severe impact on the business by compromising the confidentiality and integrity of data transmitted to and from the Uniffle Coordinator service. An attacker could intercept sensitive credentials, proprietary data, or configuration details. Furthermore, by modifying API requests in transit, an attacker could potentially inject malicious commands, disrupt service operations, or escalate privileges within the environment, leading to a wider system compromise.
Remediation Plan
Immediate Action: Upgrade all affected Uniffle components to version 0.10.0 or later, which corrects the insecure TLS configuration. After patching, verify that all client-to-coordinator connections are successfully established using proper certificate validation.
Proactive Monitoring: Security teams should monitor network traffic for signs of MITM attacks, such as anomalous TLS handshakes or certificate errors originating from other, properly configured clients. Review Uniffle Coordinator service access logs for any unusual or unauthorized API calls that could indicate a past or ongoing compromise.
Compensating Controls: If immediate patching is not feasible, implement network segmentation to restrict communication to the Uniffle Coordinator service from only trusted network zones. Enforce end-to-end encryption at the transport layer using a technology like IPsec or a trusted VPN for all communication between Uniffle clients and the Coordinator.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of January 7, 2026, there is no known public proof-of-concept exploit or active exploitation of this vulnerability in the wild. However, the nature of the vulnerability makes it straightforward to exploit for any attacker who can position themselves on the network path between the client and the server.
Analyst Recommendation
Given the critical CVSS score of 9.1 and the fundamental risk of a Man-in-the-Middle attack, we strongly recommend that organizations prioritize patching this vulnerability immediately. All instances of Uniffle should be upgraded to version 0.10.0 or a later release without delay. Although this CVE is not currently on the CISA KEV list, the severity warrants urgent attention to prevent potential data breaches and system compromise.
Update The Uniffle HTTP client is configured to trust all SSL certificates and disables hostname verification by Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
A vulnerability classified as critical was found in PHPGurukul Local Services Search Engine Management System 2
A vulnerability classified as critical was found in PHPGurukul Local Services Search Engine Management System 2
In Microsoft DirectX End-User Runtime Web Installer 9
In Microsoft DirectX End-User Runtime Web Installer 9
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases
Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained togethe...
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated polling of access request status. The first is Unauthenticated WebSocket Request Enumeration: When a WebSocket client connects to the SignalK stream endpoint with the `serverevents=all` query parameter, the server sends all cached server events including `ACCESS_REQUEST` events that contain details about pending access requests. The `startServerEvents` function iterates over `app.lastServerEvents` and writes each cached event to any connected client without verifying authorization level. Since WebSocket connections are allowed for readonly users (which includes unauthenticated users when `allow_readonly` is true), attackers receive these events containing request IDs, client identifiers, descriptions, requested permissions, and IP addresses. The second is Unauthenticated Token Polling: The access request status endpoint at `/signalk/v1/access/requests/:id` returns the full state of an access request without requiring authentication. When an administrator approves a request, the response includes the issued JWT token in plaintext. The `queryRequest` function returns the complete request object including the token field, and the REST endpoint uses readonly authentication, allowing unauthenticated access. An attacker has two paths to exploit these vulnerabilities. Either the attacker creates their own access request (using the IP spoofing vulnerability to craft a convincing spoofed request), then polls their own request ID until an administrator approves it, receiving the JWT token; or the attacker passively monitors the WebSocket stream to discover request IDs from legitimate devices, then polls those IDs and steals the JWT tokens when administrators approve them, hijacking legitimate device credentials. Both paths require zero authentication and enable complete authentication bypass. Version 2.19.0 fixes the underlying issues.
Executive Summary:
A critical vulnerability exists in Signal K Server that allows an unauthenticated attacker to steal authentication tokens and gain complete control of the system. By chaining two information disclosure flaws, an attacker can monitor pending access requests and intercept the authentication token once an administrator approves it, leading to a full authentication bypass. This vulnerability poses a severe risk to the integrity and availability of the marine data systems managed by the server.
Vulnerability Details
CVE-ID: CVE-2025-68620
Affected Software: Signal K Server is a server application that runs on a central hub in a Multiple Products
Affected Versions: Versions prior to 2.19.0
Vulnerability: This vulnerability is a chain of two distinct flaws that, when combined, allow an unauthenticated attacker to steal valid JWT authentication tokens.
serverevents=all query parameter, an attacker receives all cached server events, including sensitive ACCESS_REQUEST events. These events contain the unique request ID, client details, and requested permissions for any pending access request./signalk/v1/access/requests/:id allows anyone, without authentication, to check the status of a specific access request. When an administrator approves a request, the response from this endpoint includes the newly generated JWT token in plaintext.An attacker can exploit this by either creating their own access request and polling its ID until it is approved, or by passively monitoring the WebSocket stream for legitimate requests from other devices and then polling those IDs to hijack the session token upon approval.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.1, reflecting the ease of exploitation and the potential for complete system compromise. Successful exploitation allows an attacker to bypass all authentication mechanisms and acquire a valid, and potentially high-privilege, authentication token. This could grant the attacker the ability to control connected marine systems, access sensitive navigational or operational data, and disrupt the functionality of the entire Signal K ecosystem on the vessel, posing significant operational and safety risks.
Remediation Plan
Immediate Action: Immediately upgrade all instances of Signal K Server to version 2.19.0 or a later version, which contains the necessary security fixes to address both underlying issues. After upgrading, review access logs for any signs of compromise or unusual activity related to the access request endpoints.
Proactive Monitoring:
serverevents=all query parameter from unknown or untrusted IP addresses./signalk/v1/access/requests/ API endpoint.Compensating Controls:
allow_readonly to false in the server's configuration. This will prevent unauthenticated users from accessing the vulnerable WebSocket stream and API endpoint./signalk/v1/access/requests/ endpoint from external sources.Exploitation Status
Public Exploit Available: false
Analyst Notes: As of January 1, 2026, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, the logic of the attack is clearly described in the vulnerability disclosure, making it relatively straightforward for an attacker to develop an exploit.
Analyst Recommendation
Given the critical CVSS score of 9.1 and the potential for a complete, unauthenticated system compromise, it is imperative that organizations patch this vulnerability with the highest priority. The attack requires no special privileges or user interaction, making it a significant and immediate threat. Although this CVE is not currently listed on the CISA KEV list, the severity and ease of exploitation warrant immediate remediation by upgrading to version 2.19.0 or later. If patching is delayed, implement the recommended compensating controls to reduce the attack surface.
Update Signal K Server is a server application that runs on a central hub in a Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
WeasyPrint helps web developers to create PDF documents
WeasyPrint helps web developers to create PDF documents
Executive Summary:
CVE-2025-68616 is a high-severity security vulnerability identified in WeasyPrint, a popular library used by web developers to generate PDF documents from HTML and CSS. If exploited, this flaw could allow an attacker to gain unauthorized access to sensitive internal information or local system files by submitting malicious document requests.
Vulnerability Details
CVE-ID: CVE-2025-68616
Affected Software: WeasyPrint Multiple Products
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability involves insufficient validation of external resources and URI schemes during the PDF rendering process. An attacker can exploit this by providing specially crafted HTML or CSS input that forces the application to fetch resources from unauthorized locations. This typically manifests as a Server-Side Request Forgery (SSRF) or Local File Inclusion (LFI) vulnerability, where the PDF engine is leveraged to bypass network firewalls or read sensitive files from the local server hosting the application.
Business Impact
This vulnerability is classified as High severity with a CVSS score of 7.5. Successful exploitation could lead to the exposure of sensitive internal data, including cloud environment metadata, internal network configurations, or administrative files. For organizations that use WeasyPrint to process user-generated content or automated reports, this poses a significant risk of data exfiltration, potential regulatory non-compliance, and loss of intellectual property.
Remediation Plan
Immediate Action: Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Proactive Monitoring: Security teams should monitor web application logs for unusual outbound connection attempts originating from the PDF generation service, particularly those targeting internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or the cloud metadata service (169.254.169.254). Additionally, review generated PDFs for unexpected content that may indicate successful file inclusion.
Compensating Controls: If immediate patching is not feasible, implement strict egress filtering on the server hosting WeasyPrint to block all non-essential outbound traffic. Furthermore, ensure the application is running in a restricted environment or container with minimal filesystem permissions and use a dedicated URL-allowlist to restrict the types of resources the library can fetch.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of January 20, 2026, there is no evidence of active exploitation in the wild. However, because WeasyPrint is widely integrated into automated web workflows, the discovery of this vulnerability is likely to draw attention from threat actors seeking to pivot into internal networks.
Analyst Recommendation
Organizations should treat this vulnerability with high priority due to its 7.5 CVSS score and the potential for direct data exfiltration. While CVE-2025-68616 is not currently listed on the CISA KEV (Known Exploited Vulnerabilities) catalog, the ease of exploitation associated with SSRF in document generators necessitates urgent patching. We recommend an immediate audit of all internal applications utilizing WeasyPrint to ensure they are updated to the latest secured version.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
net-snmp is a SNMP application library, tools and daemon. Prior to versions 5.9.5 and 5.10.pre2, a specially crafted packet to an net-snmp snmptrapd d...
net-snmp is a SNMP application library, tools and daemon. Prior to versions 5.9.5 and 5.10.pre2, a specially crafted packet to an net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash. This issue has been patched in versions 5.9.5 and 5.10.pre2.
Executive Summary:
A critical buffer overflow vulnerability exists in the net-snmp library, a component used by numerous products for network management. An unauthenticated attacker can send a malicious network packet to crash the snmptrapd service, causing a denial of service and potentially allowing for remote code execution on the affected system.
Vulnerability Details
CVE-ID: CVE-2025-68615
Affected Software: Unknown Multiple Products (utilizing the net-snmp library)
Affected Versions: net-snmp versions prior to 5.9.5 and 5.10.pre2
Vulnerability: This vulnerability is a buffer overflow within the net-snmp snmptrapd daemon. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted SNMP trap packet to the listening service (typically on UDP port 162). The daemon fails to properly validate the size of the incoming data, allowing the attacker to write beyond the allocated buffer space, which corrupts memory and causes the snmptrapd process to crash. This results in a denial of service, and depending on the architecture and exploit, could potentially be leveraged to execute arbitrary code with the privileges of the daemon.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a significant denial of service, disabling the organization's ability to receive and process network management traps, thereby blinding monitoring and alerting systems to critical infrastructure events. If an attacker achieves remote code execution, they could gain complete control over the affected server, leading to data breaches, lateral movement across the network, installation of malware, or disruption of essential network management functions.
Remediation Plan
Immediate Action: Identify all systems running products that utilize the vulnerable net-snmp library. Update these products to a version that includes the patched net-snmp library (version 5.9.5, 5.10.pre2, or later) as recommended by the respective product vendors.
Proactive Monitoring: Monitor network traffic for an unusual volume or malformed SNMP trap packets destined for UDP port 162. Review system and application logs for any unexpected crashes, restarts, or memory corruption errors related to the snmptrapd daemon. Implement alerts for service failures on systems running snmptrapd.
Compensating Controls: If immediate patching is not feasible, implement network-level access controls. Use firewalls or access control lists (ACLs) to strictly limit access to the snmptrapd service (UDP port 162) to only trusted and authorized IP addresses, such as dedicated network management stations. Deploy an Intrusion Prevention System (IPS) with signatures capable of detecting and blocking exploit attempts against this vulnerability.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Dec 23, 2025, there are no known public proof-of-concept exploits or observed active exploitation in the wild. However, due to the critical severity and the straightforward nature of buffer overflow vulnerabilities, it is highly probable that threat actors will develop exploits for this issue.
Analyst Recommendation
Given the critical CVSS score of 9.8, this vulnerability poses a severe risk to the organization. The immediate priority must be to identify and patch all affected systems. While this vulnerability is not currently on the CISA KEV list, its high impact makes it a prime candidate for future inclusion. Organizations should treat this with the highest urgency and apply patches or compensating controls without delay to prevent potential service disruption or system compromise.
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remot...
n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.
Executive Summary:
A critical remote code execution (RCE) vulnerability has been identified in the n8n workflow automation platform, which allows an authenticated attacker to take full control of the affected server. By submitting a malicious expression during workflow configuration, an attacker can execute arbitrary code, leading to potential data theft, operational disruption, and further network compromise.
Vulnerability Details
CVE-ID: CVE-2025-68613
Affected Software: n8n
Affected Versions: Versions 0.211.0 and later, prior to 1.120.4, 1.121.1, and 1.122.0.
Vulnerability: The vulnerability exists within the workflow expression evaluation system. An authenticated user with permissions to configure workflows can supply a specially crafted expression that is not properly sanitized or isolated. This expression is then evaluated in an insecure context, allowing the attacker to break out of the intended sandbox and execute arbitrary commands on the underlying operating system with the privileges of the n8n service account.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.9. Successful exploitation can lead to a complete compromise of the n8n instance, presenting a severe risk to the organization. An attacker could gain unauthorized access to all data processed by n8n, including sensitive credentials, API keys, and proprietary business logic stored in workflows. Furthermore, the attacker could manipulate or destroy critical automation workflows, causing significant operational disruption, and use the compromised server as a pivot point to attack other internal network resources.
Remediation Plan
Immediate Action: Upgrade all affected n8n instances to a patched version (1.120.4, 1.121.1, or 1.122.0) immediately. After patching, review application and system logs for any signs of exploitation attempts that may have occurred prior to the update.
Proactive Monitoring: Security teams should monitor for unusual activity on n8n instances, including unexpected modifications to workflows, execution of suspicious child processes (e.g., sh, bash, powershell) by the n8n service account, and anomalous outbound network traffic originating from the n8n server. Review audit logs for workflow creation and modification events for any unauthorized or suspicious changes.
Compensating Controls: If immediate patching is not feasible, apply the following temporary mitigations as described in the advisory:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of the publication date, December 19, 2025, there is no known public proof-of-concept exploit code or evidence of this vulnerability being actively exploited in the wild. However, due to the critical severity and detailed nature of the advisory, threat actors may develop an exploit in the near future.
Analyst Recommendation
Given the critical CVSS score of 9.9 and the potential for complete system compromise, organizations are strongly urged to treat this vulnerability with the highest priority. The requirement for authentication should not diminish the urgency, as credentials can be compromised through other means or insider threats may exist. All affected n8n instances must be upgraded to a patched version immediately. While this vulnerability is not currently on the CISA KEV list, its severity makes it a prime candidate for future inclusion, and proactive remediation is the most effective defensive posture.
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Deadline: March 24, 2026
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Missing Authorization vulnerability in DeluxeThemes Userpro userpro allows Exploiting Incorrectly Configured Access Control Security Levels
Missing Authorization vulnerability in DeluxeThemes Userpro userpro allows Exploiting Incorrectly Configured Access Control Security Levels
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPXPO PostX ultimate-post allows Retrieve Embedded Sensiti...
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPXPO PostX ultimate-post allows Retrieve Embedded Sensitive Data
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Missing Authorization vulnerability in Marketing Fire Editorial Calendar editorial-calendar allows Exploiting Incorrectly Configured Access Control Se...
Missing Authorization vulnerability in Marketing Fire Editorial Calendar editorial-calendar allows Exploiting Incorrectly Configured Access Control Security Levels
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Cross-Site Request Forgery (CSRF) vulnerability in Rustaurius Five Star Restaurant Reservations restaurant-reservations allows Cross Site Request Forg...
Cross-Site Request Forgery (CSRF) vulnerability in Rustaurius Five Star Restaurant Reservations restaurant-reservations allows Cross Site Request Forgery
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Server-Side Request Forgery (SSRF) vulnerability in Yannick Lefebvre Link Library link-library allows Server Side Request Forgery.This issue affects L...
Server-Side Request Forgery (SSRF) vulnerability in Yannick Lefebvre Link Library link-library allows Server Side Request Forgery.This issue affects Link Library: from n/a through <= 7.8.4.
---METADATA---
VENDOR: Yannick Lefebvre
PRODUCT: Link Library
AFFECTED_VERSIONS: n/a through 7.8.4
CONFIDENCE: high
MISSING: exploit_status, technical_details
---END_METADATA---
Description Summary:
The Link Library WordPress plugin is vulnerable to Server-Side Request Forgery (SSRF) due to improper input handling, potentially allowing attackers to conduct unauthorized network requests.
Executive Summary:
A critical Server-Side Request Forgery (SSRF) vulnerability in the Link Library plugin could allow attackers to perform unauthorized requests from the server environment.
Vulnerability Details
CVE-ID: CVE-2025-68600
Affected Software: Yannick Lefebvre Link Library
Affected Versions: n/a through 7.8.4
Vulnerability: The plugin contains an SSRF vulnerability that allows unauthenticated or low-privileged users to force the application to make arbitrary network requests. This can be leveraged to scan internal networks or interact with internal services that are otherwise inaccessible.
Business Impact
The CVSS score of 9.1 highlights the severity of this SSRF flaw. An attacker could exploit this to bypass perimeter security, access internal metadata services (such as cloud instance identity tokens), or perform reconnaissance on internal infrastructure, leading to broader system compromise.
Remediation Plan
Immediate Action: Update the Link Library plugin to the latest available version beyond 7.8.4 to patch the vulnerable request handling logic.
Proactive Monitoring: Review web server access logs for requests originating from the server to unusual internal IP addresses or sensitive local services.
Compensating Controls: Implement egress filtering on the web server to restrict outbound connections to only necessary and trusted external endpoints.
Exploitation Status
Public Exploit Available: Not specified
Analyst Notes: As of Dec 24, 2025, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
SSRF vulnerabilities are frequently used as a gateway for deeper network penetration. It is imperative to update the Link Library plugin immediately and ensure the host server is hardened against unauthorized outbound requests.
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Missing Authorization vulnerability in Bit Apps Bit Assist bit-assist allows Exploiting Incorrectly Configured Access Control Security Levels
Missing Authorization vulnerability in Bit Apps Bit Assist bit-assist allows Exploiting Incorrectly Configured Access Control Security Levels
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Missing Authorization vulnerability in Trustindex Widgets for Social Photo Feed social-photo-feed-widget allows Exploiting Incorrectly Configured Acce...
Missing Authorization vulnerability in Trustindex Widgets for Social Photo Feed social-photo-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Missing Authorization vulnerability in Assaf Parag Poll, Survey & Quiz Maker Plugin by Opinion Stage social-polls-by-opinionstage allows Exploiting In...
Missing Authorization vulnerability in Assaf Parag Poll, Survey & Quiz Maker Plugin by Opinion Stage social-polls-by-opinionstage allows Exploiting Incorrectly Configured Access Control Security Levels
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Missing Authorization vulnerability in Liton Arefin WP Adminify adminify allows Exploiting Incorrectly Configured Access Control Security Levels
Missing Authorization vulnerability in Liton Arefin WP Adminify adminify allows Exploiting Incorrectly Configured Access Control Security Levels
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Missing Authorization vulnerability in Liton Arefin WP Adminify adminify allows Exploiting Incorrectly Configured Access Control Security Levels
Missing Authorization vulnerability in Liton Arefin WP Adminify adminify allows Exploiting Incorrectly Configured Access Control Security Levels
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Missing Authorization vulnerability in Mitchell Bennis Simple File List simple-file-list allows Exploiting Incorrectly Configured Access Control Secur...
Missing Authorization vulnerability in Mitchell Bennis Simple File List simple-file-list allows Exploiting Incorrectly Configured Access Control Security Levels
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CRM Perks Integration for Contact Form 7 HubSpot...
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Blind SQL Injection.This issue affects Integration for Contact Form 7 HubSpot: from n/a through <= 1.4.2.
Executive Summary:
A critical vulnerability has been identified in the "Integration for Contact Form 7 HubSpot" WordPress plugin, which could allow an unauthenticated attacker to steal sensitive information from the website's database. Successful exploitation of this flaw could lead to a complete compromise of database contents, including customer data, user credentials, and other confidential information. Organizations are urged to apply the recommended update immediately to mitigate the significant risk of a data breach.
Vulnerability Details
CVE-ID: CVE-2025-68590
Affected Software: CRM Perks Integration for Contact Form 7 HubSpot (cf7-hubspot)
Affected Versions: All versions up to and including 1.4.2
Vulnerability: The vulnerability is a Blind SQL Injection within the "Integration for Contact Form 7 HubSpot" WordPress plugin. An attacker can send specially crafted data, likely through a contact form connected by the plugin, that the application fails to properly sanitize before including it in a database query. Because this is a "blind" SQL injection, the attacker does not receive direct output from the database but can infer its contents by asking a series of true/false questions and observing the application's response, or by using time-based techniques to exfiltrate data character by character.
Business Impact
This vulnerability is rated as critical with a CVSS score of 9.8, reflecting the high potential for damage. Successful exploitation could lead to a severe data breach, exposing sensitive customer information, user credentials, and other confidential business data stored in the website's database. The consequences include significant reputational damage, loss of customer trust, potential financial losses, and possible regulatory penalties under data protection laws like GDPR or CCPA. An attacker could also potentially modify or delete database records, disrupting business operations.
Remediation Plan
Immediate Action: Immediately update the "Integration for Contact Form 7 HubSpot" plugin to the latest available version (greater than 1.4.2) which contains a patch for this vulnerability. After patching, review web server and database access logs for any signs of attempted or successful exploitation prior to the update.
Proactive Monitoring: Monitor web server access logs for suspicious POST requests to forms managed by the plugin, specifically looking for SQL keywords (e.g., SELECT, UNION, SLEEP, '--) and abnormal syntax. Monitor database performance for unexplained slowdowns, which could indicate time-based SQL injection attacks. Implement alerts for high rates of database errors, which may signal exploitation attempts.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with a strict ruleset designed to detect and block SQL injection attacks. As a temporary measure, consider deactivating the affected plugin until it can be safely updated to a patched version.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of the publication date, December 24, 2025, there are no known public exploits or active exploitation campaigns targeting this specific vulnerability. However, SQL injection is a well-understood vulnerability class, and proof-of-concept exploits are likely to be developed quickly by security researchers and malicious actors due to the critical severity score.
Analyst Recommendation
Given the critical CVSS score of 9.8, this vulnerability poses a severe and immediate threat to affected organizations. We strongly recommend that all users of the "Integration for Contact Form 7 HubSpot" plugin prioritize the deployment of the security update immediately. Although this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its high severity makes it a prime candidate for future inclusion and a valuable target for attackers. Immediate remediation is the most effective strategy to prevent a potential data breach.
Update Improper Neutralization of Special Elements used in an SQL Command Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Missing Authorization vulnerability in WP Socio WP Telegram Widget and Join Link wptelegram-widget allows Exploiting Incorrectly Configured Access Con...
Missing Authorization vulnerability in WP Socio WP Telegram Widget and Join Link wptelegram-widget allows Exploiting Incorrectly Configured Access Control Security Levels
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Missing Authorization vulnerability in totalsoft TS Poll poll-wp allows Exploiting Incorrectly Configured Access Control Security Levels
Missing Authorization vulnerability in totalsoft TS Poll poll-wp allows Exploiting Incorrectly Configured Access Control Security Levels
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Missing Authorization vulnerability in Bob Watu Quiz watu allows Exploiting Incorrectly Configured Access Control Security Levels
Missing Authorization vulnerability in Bob Watu Quiz watu allows Exploiting Incorrectly Configured Access Control Security Levels
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Missing Authorization vulnerability in Gora Tech Cooked cooked allows Exploiting Incorrectly Configured Access Control Security Levels
Missing Authorization vulnerability in Gora Tech Cooked cooked allows Exploiting Incorrectly Configured Access Control Security Levels
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Missing Authorization vulnerability in Ben Balter WP Document Revisions wp-document-revisions allows Exploiting Incorrectly Configured Access Control...
Missing Authorization vulnerability in Ben Balter WP Document Revisions wp-document-revisions allows Exploiting Incorrectly Configured Access Control Security Levels
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Cross-Site Request Forgery (CSRF) vulnerability in Constantin Boiangiu Vimeotheque codeflavors-vimeo-video-post-lite allows Cross Site Request Forgery
Cross-Site Request Forgery (CSRF) vulnerability in Constantin Boiangiu Vimeotheque codeflavors-vimeo-video-post-lite allows Cross Site Request Forgery
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Cross-Site Request Forgery (CSRF) vulnerability in Tikweb Management Fast User Switching fast-user-switching allows Cross Site Request Forgery
Cross-Site Request Forgery (CSRF) vulnerability in Tikweb Management Fast User Switching fast-user-switching allows Cross Site Request Forgery
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Missing Authorization vulnerability in Funnelforms Funnelforms Free funnelforms-free allows Exploiting Incorrectly Configured Access Control Security...
Missing Authorization vulnerability in Funnelforms Funnelforms Free funnelforms-free allows Exploiting Incorrectly Configured Access Control Security Levels
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Missing Authorization vulnerability in YITHEMES YITH Slider for page builders yith-slider-for-page-builders allows Exploiting Incorrectly Configured A...
Missing Authorization vulnerability in YITHEMES YITH Slider for page builders yith-slider-for-page-builders allows Exploiting Incorrectly Configured Access Control Security Levels
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Cross-Site Request Forgery (CSRF) vulnerability in pluginsware Advanced Classifieds & Directory Pro advanced-classifieds-and-directory-pro allows Cros...
Cross-Site Request Forgery (CSRF) vulnerability in pluginsware Advanced Classifieds & Directory Pro advanced-classifieds-and-directory-pro allows Cross Site Request Forgery
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Missing Authorization vulnerability in FolioVision FV Simpler SEO fv-all-in-one-seo-pack allows Exploiting Incorrectly Configured Access Control Secur...
Missing Authorization vulnerability in FolioVision FV Simpler SEO fv-all-in-one-seo-pack allows Exploiting Incorrectly Configured Access Control Security Levels
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Missing Authorization vulnerability in Addonify Addonify addonify-quick-view allows Exploiting Incorrectly Configured Access Control Security Levels
Missing Authorization vulnerability in Addonify Addonify addonify-quick-view allows Exploiting Incorrectly Configured Access Control Security Levels
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Missing Authorization vulnerability in Virusdie Virusdie virusdie allows Exploiting Incorrectly Configured Access Control Security Levels
Missing Authorization vulnerability in Virusdie Virusdie virusdie allows Exploiting Incorrectly Configured Access Control Security Levels
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Virusdie Virusdie virusdie allows Retrieve Embedded Sensit...
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Virusdie Virusdie virusdie allows Retrieve Embedded Sensitive Data
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Missing Authorization vulnerability in Wappointment team Wappointment wappointment allows Exploiting Incorrectly Configured Access Control Security Le...
Missing Authorization vulnerability in Wappointment team Wappointment wappointment allows Exploiting Incorrectly Configured Access Control Security Levels
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Cross-Site Request Forgery (CSRF) vulnerability in Alessandro Piconi Simple Keyword to Link simple-keyword-to-link allows Cross Site Request Forgery
Cross-Site Request Forgery (CSRF) vulnerability in Alessandro Piconi Simple Keyword to Link simple-keyword-to-link allows Cross Site Request Forgery
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Missing Authorization vulnerability in Spider Themes BBP Core bbp-core allows Exploiting Incorrectly Configured Access Control Security Levels
Missing Authorization vulnerability in Spider Themes BBP Core bbp-core allows Exploiting Incorrectly Configured Access Control Security Levels
Executive Summary:
A high-severity vulnerability has been identified in multiple Spider products, specifically within the BBP Core component. This flaw, resulting from missing authorization checks, could allow an attacker to bypass security controls and perform actions reserved for privileged users, potentially leading to unauthorized data access, modification, or system disruption. Organizations are urged to apply the vendor-provided security updates immediately to mitigate this significant risk.
Vulnerability Details
CVE-ID: CVE-2025-68572
Affected Software: Spider Multiple Products (specifically Spider Themes BBP Core bbp-core)
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability is classified as a Missing Authorization (CWE-862). The affected software component does not correctly verify if a user has the necessary permissions to perform certain sensitive actions. An authenticated attacker with low-level privileges could exploit this by sending specially crafted requests directly to functions or API endpoints that are intended only for administrators. This bypasses the intended access control model, allowing the attacker to execute privileged operations, such as modifying system settings, accessing sensitive user data, or altering content.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation could lead to significant business consequences, including unauthorized access to and exfiltration of sensitive corporate or customer data, leading to a data breach. An attacker could also modify or delete critical data, causing operational disruptions, or escalate their privileges to gain further control over the affected application or underlying server. These outcomes pose direct risks of financial loss, reputational damage, and potential regulatory penalties.
Remediation Plan
Immediate Action: All organizations using the affected Spider products must prioritize and apply the vendor-supplied security updates immediately. After patching, administrators should review application and server access logs for any signs of compromise or unusual activity preceding the update.
Proactive Monitoring: Security teams should configure monitoring systems to detect and alert on suspicious activity. This includes monitoring for low-privileged user accounts attempting to access administrative URLs or API endpoints, unexpected changes to configurations or user permissions, and large or unusual data exports.
Compensating Controls: If immediate patching is not feasible, the following compensating controls should be implemented:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of December 25, 2025, there are no known public proof-of-concept exploits or observed instances of active exploitation in the wild. However, given the high CVSS score and the straightforward nature of missing authorization vulnerabilities, it is highly probable that threat actors will develop exploits in the near future.
Analyst Recommendation
Due to the high severity (CVSS 8.8) of this vulnerability, immediate action is strongly recommended. Organizations must prioritize applying the vendor patch to all affected systems without delay. Although this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) Catalog, its high impact score makes it a prime candidate for future inclusion. The potential for privilege escalation and unauthorized data access represents a critical risk that should be addressed as the highest priority.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Missing Authorization vulnerability in SALESmanago SALESmanago salesmanago allows Exploiting Incorrectly Configured Access Control Security Levels
Missing Authorization vulnerability in SALESmanago SALESmanago salesmanago allows Exploiting Incorrectly Configured Access Control Security Levels
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Executive Summary:
A high-severity vulnerability has been identified in the n8n open-source workflow automation platform. Successful exploitation could allow an attacker to compromise the underlying server, potentially leading to unauthorized access to sensitive data, disruption of critical business workflows, and lateral movement across the network. Organizations are urged to apply the vendor-provided security updates immediately to mitigate this significant risk.
Vulnerability Details
CVE-ID: CVE-2025-68697
Affected Software: n8n
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability exists within the data processing component of n8n when handling specially crafted input for certain workflow nodes. An authenticated attacker with permissions to create or edit workflows can configure a node with malicious parameters. When the workflow is executed, these parameters are not properly sanitized, leading to a command injection condition that allows the attacker to execute arbitrary commands on the host operating system with the privileges of the n8n service account.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.1. Exploitation could have a severe impact on business operations. Since n8n platforms are often integrated with critical systems and hold credentials for databases, APIs, and other services, an attacker could exfiltrate sensitive company and customer data, tamper with or disable essential automated processes, or use the compromised n8n server as a pivot point to attack other internal systems. The potential consequences include significant data breaches, financial loss, operational downtime, and reputational damage.
Remediation Plan
Immediate Action: The primary remediation is to apply the security updates provided by the vendor across all affected n8n instances without delay. After patching, it is crucial to review access logs and workflow execution histories for any signs of compromise that may have occurred prior to the update.
Proactive Monitoring: Security teams should actively monitor for indicators of compromise. This includes looking for unusual or unexpected outbound network connections from the n8n server, reviewing logs for suspicious command executions (e.g.,
whoami,curl,wget), and auditing workflows for any unauthorized or anomalous modifications.Compensating Controls: If immediate patching is not feasible, organizations should implement compensating controls. These include restricting network access to the n8n management interface, placing the n8n instance behind a Web Application Firewall (WAF) with rules to detect command injection patterns, and enforcing strict access controls to limit which users can create or modify workflows.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of December 28, 2025, there are no known public proof-of-concept exploits or active exploitation campaigns targeting this vulnerability. However, vulnerabilities in widely used automation tools are attractive targets for threat actors, who may actively work to reverse-engineer the patch and develop an exploit.
Analyst Recommendation
Given the high-severity rating and the critical role of workflow automation platforms in business operations, this vulnerability presents a significant risk. We strongly recommend that organizations prioritize the immediate deployment of vendor-supplied patches to all n8n instances. Although this CVE is not currently listed on the CISA KEV list, its potential for enabling data exfiltration and lateral movement warrants urgent attention. Organizations should treat this as a critical priority and implement the recommended monitoring and compensating controls to ensure a robust defense-in-depth posture.