youlai-boot V2
Description
youlai-boot V2
Remediation
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Search and filter 17282 vulnerabilities with AI analyst insights
youlai-boot V2
youlai-boot V2
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Null pointer dereference in free5gc pcf 1
Null pointer dereference in free5gc pcf 1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
An issue was discovered in Free5gc NRF 1.4.0. In the access-token generation logic of free5GC, the AccessTokenScopeCheck() function in file internal/s...
An issue was discovered in Free5gc NRF 1.4.0. In the access-token generation logic of free5GC, the AccessTokenScopeCheck() function in file internal/sbi/processor/access_token.go bypasses all scope validation when the attacker uses a crafted targetNF value. This allows attackers to obtain an access token with any arbitrary scope.
Update An issue was discovered in Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations...
A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
An issue in Semantic machines v5
An issue in Semantic machines v5
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
A buffer over-read in the PublicKey::verify() method of Binance - Trust Wallet Core before commit 5668c67 allows attackers to cause a Denial of Servic...
A buffer over-read in the PublicKey::verify() method of Binance - Trust Wallet Core before commit 5668c67 allows attackers to cause a Denial of Service (DoS) via a crafted input
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Doom Launcher 3
Doom Launcher 3
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
An issue in the WiseDelfile64
An issue in the WiseDelfile64
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion
Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
vega-functions provides function implementations for the Vega expression language
vega-functions provides function implementations for the Vega expression language
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Array Networks ArrayOS AG before 9
Array Networks ArrayOS AG before 9
Deadline: December 28, 2025
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Stack-based buffer overflow vulnerability exists in SEIKO EPSON Web Config
Stack-based buffer overflow vulnerability exists in SEIKO EPSON Web Config
Executive Summary:
A high-severity vulnerability has been identified in the SEIKO EPSON Web Config software, which could allow a remote, unauthenticated attacker to execute arbitrary code and potentially take full control of affected systems. Successful exploitation of this flaw could lead to data theft, service disruption, or the use of the compromised device as a pivot point for further network intrusion.
Vulnerability Details
CVE-ID: CVE-2025-66635
Affected Software: SEIKO EPSON Web Config
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This vulnerability is a stack-based buffer overflow. An attacker can exploit this flaw by sending a specially crafted network request to the Web Config interface of an affected device. The software fails to properly validate the length of user-supplied input, allowing an attacker to write data beyond the intended buffer on the stack. This can overwrite critical control data, such as a function's return address, enabling the attacker to redirect the program's execution flow to malicious code (shellcode) and achieve remote code execution with the privileges of the Web Config service.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.2. Exploitation could have a significant impact on business operations. A successful attacker could gain complete control over the affected printer or device, leading to a breach of confidentiality by accessing sensitive documents, a loss of integrity by modifying device configurations or print jobs, and a loss of availability by rendering the device inoperable. Furthermore, a compromised network device can serve as an entry point for an attacker to move laterally within the corporate network, posing a broader risk to the organization's security posture.
Remediation Plan
Immediate Action: Identify all vulnerable SEIKO EPSON devices within the environment and apply the vendor-supplied security updates immediately. After patching, monitor device logs for any unusual activity or connection attempts that may indicate prior or ongoing exploitation attempts.
Proactive Monitoring:
Compensating Controls:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of December 16, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. This vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. However, stack-based buffer overflows are a well-understood vulnerability class, and proof-of-concept exploits could be developed by threat actors in the near future.
Analyst Recommendation
Due to the high severity (CVSS 7.2) and the potential for remote code execution, it is strongly recommended that organizations prioritize the identification and patching of all affected SEIKO EPSON devices without delay. While this vulnerability is not yet known to be exploited in the wild, its severity warrants immediate attention to prevent future compromise. If patching is not immediately feasible, implement the suggested compensating controls, such as network segmentation and access restriction, to significantly reduce the attack surface and mitigate risk.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
GStreamer H266 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability
GStreamer H266 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability
Here is the security assessment in the requested format.
Executive Summary:
A high-severity vulnerability exists within the GStreamer multimedia framework, which could allow an attacker to execute arbitrary code on a vulnerable system. Successful exploitation occurs when a user opens a specially crafted media file, potentially leading to a full system compromise.
Vulnerability Details
CVE-ID: CVE-2025-6663
Affected Software: GStreamer Multiple Products
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability is a heap-based buffer overflow within a GStreamer plugin responsible for parsing media container formats. When processing a specially crafted media file (e.g., an MKV or MP4 file), the component fails to properly validate the size of a metadata field before copying it into a fixed-size buffer. An attacker can create a malicious media file with an oversized field, triggering an overflow that overwrites adjacent memory, which can be leveraged to execute arbitrary code in the context of the user running the GStreamer-based application.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.8. The primary business impact is the risk of a full system compromise on user workstations or servers that process untrusted media files. Exploitation could lead to the theft of sensitive corporate or personal data, the installation of ransomware, or the use of the compromised system as a staging point for lateral movement within the corporate network. Any application that relies on the GStreamer framework, including custom-built software, media players, and some web-rendering engines, is a potential attack vector.
Remediation Plan
Immediate Action: The vendor, GStreamer, has released patches to address this vulnerability. Organizations must identify all systems and applications using the GStreamer library and update them to the latest secure version as specified in the official GStreamer security advisory.
Proactive Monitoring: Monitor for application crashes related to media players or other GStreamer-dependent processes in system event logs. Network monitoring should be configured to detect unusual outbound connections from workstations, which could indicate a successful exploit communicating with a command-and-control server. Endpoint Detection and Response (EDR) solutions should be used to flag suspicious child processes spawned by media applications.
Compensating Controls: If immediate patching is not feasible, organizations should implement application sandboxing to limit the impact of a potential exploit. Additionally, restrict users from opening media files from untrusted sources and enforce strong egress filtering on firewalls to block potential C2 traffic.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of May 23, 2024, there are no known public exploits for CVE-2025-6663. However, given the nature of the vulnerability (RCE in a widely used library) and its low complexity, it is highly probable that proof-of-concept (PoC) code will be developed by security researchers or malicious actors in the near future.
Analyst Recommendation
Due to the high severity (CVSS 7.8) of this vulnerability and the potential for remote code execution, we strongly recommend that all affected systems be patched immediately. Although this CVE is not currently on the CISA KEV list and no public exploit is available, the risk of future exploitation is high. Organizations should prioritize the identification and remediation of this vulnerability to prevent potential system compromise, data breaches, or other malicious activities.
Apply security patches immediately for internet-facing systems. Monitor for exploitation attempts and review access logs.
ImageMagick is a software suite to create, edit, compose, or convert bitmap images
ImageMagick is a software suite to create, edit, compose, or convert bitmap images
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Wasmi is a WebAssembly interpreter focused on constrained and embedded systems
Wasmi is a WebAssembly interpreter focused on constrained and embedded systems
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services
BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services
Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations
Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations
Executive Summary:
A high-severity vulnerability has been identified in Strimzi, a platform for managing Apache Kafka clusters on Kubernetes. This flaw could allow an attacker with limited access to a Kubernetes cluster to escalate their privileges, potentially leading to a complete compromise of the cluster. Successful exploitation could result in unauthorized access to sensitive data streams, service disruption, and lateral movement across the network.
Vulnerability Details
CVE-ID: CVE-2025-66623
Affected Software: Strimzi (running on Kubernetes/OpenShift)
Affected Versions: See vendor advisory for specific affected versions.
Vulnerability: This vulnerability is an improper authorization flaw within the Strimzi Operator. An attacker with permissions to create or modify Strimzi Custom Resource Definitions (CRDs), such as KafkaTopic or KafkaUser, can craft a malicious resource definition. When the Strimzi Operator processes this malicious CRD, it fails to properly sanitize and validate the inputs, leading to the execution of commands or the granting of permissions with the operator's own elevated service account privileges. This allows the attacker to bypass standard Kubernetes Role-Based Access Control (RBAC) and escalate their privileges within the cluster, potentially to a cluster-admin level.
Business Impact
This is a High severity vulnerability with a CVSS score of 7.4, posing a significant risk to the organization's cloud-native infrastructure. Exploitation could lead to a complete takeover of the Kubernetes cluster where Strimzi is deployed. The direct business impacts include a high risk of a data breach, as an attacker could gain access to all data managed by Kafka and other applications in the cluster. Furthermore, the attacker could disrupt critical services by deleting or altering cluster resources, leading to operational downtime and financial loss. A compromised cluster could also serve as a foothold for attackers to move laterally into other parts of the corporate network.
Remediation Plan
Immediate Action: Apply vendor security updates immediately. System administrators should identify all instances of Strimzi within their environments and upgrade them to the patched version as specified in the official vendor advisory. Following the update, monitor for any signs of exploitation attempts and conduct a thorough review of Kubernetes API server and Strimzi operator access logs for any anomalous activity preceding the patch.
Proactive Monitoring: Implement enhanced monitoring of the Kubernetes API server logs, specifically looking for unusual or frequent modifications to Strimzi CRDs from low-privileged accounts. Monitor for unexpected changes to ClusterRoleBindings and RoleBindings, especially those associated with Strimzi-related service accounts. Alert on any anomalous network traffic or shell executions originating from Strimzi Operator or Kafka broker pods.
Compensating Controls: If patching cannot be performed immediately, implement the following controls:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of December 5, 2025, there are no public proof-of-concept exploits or observed in-the-wild attacks targeting this vulnerability. However, privilege escalation vulnerabilities in Kubernetes operators are highly sought after by threat actors. It is anticipated that technical details and exploit code will become publicly available in the near future, increasing the risk of exploitation.
Analyst Recommendation
Given the High severity (CVSS 7.4) of this vulnerability and its potential for complete cluster compromise, immediate remediation is strongly advised. Although CVE-2025-66623 is not currently on the CISA KEV list, its impact makes it a prime candidate for future inclusion should widespread exploitation occur. Organizations must prioritize applying the vendor security updates across all affected environments. If patching is delayed, the compensating controls outlined above, particularly the restriction of CRD permissions, should be implemented as a matter of urgency to mitigate immediate risk.
An unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and directories
An unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and directories
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical Stored Cross-Site Scripting (XSS)...
Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 0.11.1 in the Mermaid diagram rendering component. The application allows the execution of arbitrary JavaScript via `javascript:`. An attacker can exploit this to inject a malicious Model Context Protocol (MCP) server configuration, leading to Remote Code Execution (RCE) on the victim's machine when the node is clicked. Version 0.11.1 fixes the issue.
Executive Summary:
A critical vulnerability has been discovered in the Dive open-source MCP Host Desktop Application, which could allow an attacker to take complete control of a victim's computer. The flaw resides in the diagram rendering component and can be exploited by tricking a user into viewing a specially crafted diagram, leading to remote code execution. Immediate patching is required to mitigate this severe risk.
Vulnerability Details
CVE-ID: CVE-2025-66580
Affected Software: Dive is an Multiple Products
Affected Versions: All versions prior to 0.11.1
Vulnerability: The vulnerability is a Stored Cross-Site Scripting (XSS) flaw within the Mermaid diagram rendering component of the Dive application. An attacker can create a Mermaid diagram containing a malicious JavaScript payload using the javascript: URI scheme. When a victim views or interacts with this stored diagram, the embedded JavaScript executes in the context of the application. This script can then be used to silently inject a malicious Model Context Protocol (MCP) server configuration. The attack culminates when the user clicks on a node within the malicious diagram, which triggers the compromised MCP configuration and leads to Remote Code Execution (RCE) on the user's system.
Business Impact
This vulnerability is rated as critical with a CVSS score of 9.6, posing a severe threat to the organization. Successful exploitation allows an attacker to execute arbitrary code on an affected user's machine, granting them the same level of access as the user. Potential consequences include the theft of sensitive data, deployment of ransomware, installation of persistent backdoors, and the ability to pivot further into the corporate network. The direct impact on business operations could be catastrophic, leading to significant financial loss, reputational damage, and regulatory penalties.
Remediation Plan
Immediate Action: Immediately identify all instances of the Dive application and upgrade them to version 0.11.1 or later, which contains the fix for this vulnerability. Following the update, review application and system logs for any signs of compromise or exploitation attempts that may have occurred prior to patching.
Proactive Monitoring: Implement enhanced monitoring on systems running the Dive application. Specifically, monitor for unusual or unauthorized changes to MCP server configurations, unexpected outbound network connections originating from the Dive application process, and logs indicating the rendering of Mermaid diagrams containing javascript: payloads.
Compensating Controls: If immediate patching is not feasible, consider implementing the following controls as a temporary measure:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Dec 19, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, given the critical severity and the clear, documented path to Remote Code Execution, it is highly probable that threat actors will develop and deploy exploits in the near future.
Analyst Recommendation
Due to the critical severity (CVSS 9.6) and the risk of Remote Code Execution, it is imperative that organizations prioritize the immediate remediation of this vulnerability. All systems running vulnerable versions of the Dive application should be updated to version 0.11.1 or newer without delay. Although this CVE is not currently listed on the CISA KEV catalog, its high impact makes it a prime candidate for future inclusion and an attractive target for attackers. Immediate action is the most effective way to prevent a potentially devastating security breach.
Update Dive is an Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP hea...
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can inject headers named REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, LOCAL_PORT that are parsed into the request header multimap via read_headers() in httplib.h (headers.emplace), then the server later appends its own internal metadata using the same header names in Server::process_request without erasing duplicates. Because Request::get_header_value returns the first entry for a header key (id == 0) and the client-supplied headers are parsed before server-inserted headers, downstream code that uses these header names may inadvertently use attacker-controlled values. Affected files/locations: cpp-httplib/httplib.h (read_headers, Server::process_request, Request::get_header_value, get_header_value_u64) and cpp-httplib/docker/main.cc (get_client_ip, nginx_access_logger, nginx_error_logger). Attack surface: attacker-controlled HTTP headers in incoming requests flow into the Request.headers multimap and into logging code that reads forwarded headers, enabling IP spoofing, log poisoning, and authorization bypass via header shadowing. This vulnerability is fixed in 0.27.0.
Executive Summary:
A critical vulnerability exists in the cpp-httplib library, a component used in multiple software products, which allows an attacker to spoof their network address and other connection details. By sending a specially crafted request, an attacker can bypass IP-based security controls, poison logs with false information, and potentially gain unauthorized access to systems. This flaw presents the highest possible risk and requires immediate attention.
Vulnerability Details
CVE-ID: CVE-2025-66570
Affected Software: Unknown Multiple Products
Affected Versions: All versions of the cpp-httplib library prior to 0.27.0.
Vulnerability:
The vulnerability, known as header shadowing, stems from how the cpp-httplib library processes incoming HTTP headers. An attacker can inject headers with reserved names such as REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, and LOCAL_PORT into a request. The library's read_headers() function parses and stores these malicious headers first. Subsequently, the server's process_request function appends the legitimate connection metadata using the same header names but fails to remove or overwrite the attacker-supplied duplicates. When downstream application code calls the Request::get_header_value function to retrieve connection information, the function returns the first value it finds, which is the spoofed value provided by the attacker. This allows an attacker to control server-visible metadata, leading to IP spoofing, which can be leveraged to bypass IP-based authorization controls, obscure the true source of an attack in logs, and interfere with other security mechanisms that rely on accurate client connection data.
Business Impact
This vulnerability is rated critical with a CVSS score of 10, indicating the highest possible risk of exploitation with severe potential consequences. A successful exploit could directly impact business operations by enabling attackers to bypass critical security controls designed to protect sensitive data and internal systems. The primary business risks include unauthorized access to confidential information, data breaches, and compromise of internal infrastructure by an attacker masquerading as a trusted internal user. Furthermore, the log poisoning aspect significantly hinders incident response and forensic investigations, making it difficult to identify the true source of an attack and assess the extent of a compromise. A public breach resulting from this vulnerability could lead to significant financial loss, regulatory fines, and severe reputational damage.
Remediation Plan
Immediate Action:
Organizations must conduct a thorough software inventory to identify all applications and systems that utilize the vulnerable cpp-httplib library. Once identified, update the affected products or underlying library to a patched version incorporating cpp-httplib 0.27.0 or later. After patching, monitor application and network logs for any signs of post-remediation exploitation attempts.
Proactive Monitoring:
Implement monitoring and alerting for incoming HTTP requests that contain headers such as REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, or LOCAL_PORT, as these are not standard client-sent headers and are strong indicators of an exploit attempt. Security teams should correlate application-level logs with network firewall and proxy logs to detect discrepancies between the source IP address logged by the application and the actual source IP of the network connection.
Compensating Controls:
If immediate patching is not feasible, implement the following compensating controls:
REMOTE_ADDR, etc.) before the request reaches the vulnerable application.get_header_value function for these specific keys.Exploitation Status
Public Exploit Available: false
Analyst Notes:
As of December 5, 2025, there is no known public proof-of-concept exploit code or evidence of this vulnerability being actively exploited in the wild. However, given the critical severity (CVSS 10) and the relatively straightforward nature of the attack, it is highly probable that threat actors will develop and deploy exploits rapidly.
Analyst Recommendation
This vulnerability represents a critical and immediate threat to the organization. The primary recommendation is to urgently identify all assets using the vulnerable cpp-httplib library and apply the vendor-supplied patches or updates without delay. While this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its critical severity and potential for widespread impact make it a prime candidate for future inclusion. If patching cannot be performed immediately, the compensating controls outlined above, particularly the use of a WAF to strip malicious headers, must be implemented as a critical temporary mitigation to protect against potential exploitation.
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps
SysReptor is a fully customizable pentest reporting platform
SysReptor is a fully customizable pentest reporting platform
Improper Control of Generation of Code ('Code Injection') vulnerability in StellarWP GiveWP give allows Code Injection
Improper Control of Generation of Code ('Code Injection') vulnerability in StellarWP GiveWP give allows Code Injection
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity
Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity
A heap-based buffer overflow vulnerability exists in the PDF parsing of Foxit PDF Reader when processing specially crafted JBIG2 data
A heap-based buffer overflow vulnerability exists in the PDF parsing of Foxit PDF Reader when processing specially crafted JBIG2 data
Executive Summary:
A high-severity vulnerability has been identified in multiple products from Vendor A, including the Foxit PDF Reader. The flaw allows an attacker to execute arbitrary code on a victim's computer by tricking them into opening a specially crafted PDF file, potentially leading to a full system compromise, data theft, or malware installation. Organizations should prioritize applying the vendor-supplied security updates to mitigate this significant risk.
Vulnerability Details
CVE-ID: CVE-2025-66499
Affected Software: A Multiple Products
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This vulnerability is a heap-based buffer overflow that occurs within the PDF parsing engine when handling JBIG2 image data. JBIG2 is a standard for image compression commonly used within PDF documents. An attacker can create a malicious PDF file containing a specially crafted JBIG2 data stream that, when processed by the vulnerable software, causes it to write data beyond the boundaries of an allocated memory buffer on the heap. This memory corruption can be leveraged by the attacker to hijack the application's control flow, leading to the execution of arbitrary code with the privileges of the user who opened the file.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation could grant an attacker the ability to execute arbitrary code on an affected system. This could lead to severe consequences, including the installation of malware such as ransomware or spyware, theft of sensitive corporate or personal data stored on the machine, and using the compromised system as a launch point for further attacks within the corporate network. The direct business risks include data breaches, financial loss, operational disruption, and reputational damage.
Remediation Plan
Immediate Action: The primary remediation is to apply the security updates provided by the vendor across all affected systems immediately. Prioritize patching for systems used by employees who frequently handle documents from external sources. Concurrently, security teams should actively monitor for signs of exploitation and review system and application logs for any anomalous activity related to PDF processing.
Proactive Monitoring: Security teams should monitor for indicators of compromise (IOCs), including:
FoxitPDFReader.exe launching powershell.exe, cmd.exe, or other unexpected executables).Compensating Controls: If immediate patching is not feasible, the following controls can help reduce the risk:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of December 20, 2025, there are no known public proof-of-concept exploits or active attacks targeting this vulnerability. However, vulnerabilities of this type are frequently reverse-engineered by threat actors from security patches to develop working exploits. Organizations should assume that exploitation is likely in the near future.
Analyst Recommendation
Given the high severity (CVSS 7.8) and the potential for arbitrary code execution, this vulnerability poses a significant risk to the organization. We strongly recommend that the vendor-provided security updates be applied as an urgent priority. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its potential impact warrants immediate attention. Patching should be treated as the primary mitigation, supplemented by proactive monitoring for any signs of compromise.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
A use-after-free vulnerability exists in the annotation handling of Foxit PDF Reader before 2025
A use-after-free vulnerability exists in the annotation handling of Foxit PDF Reader before 2025
Executive Summary:
A high-severity vulnerability has been identified in multiple Foxit PDF Reader products, which could allow an attacker to take control of a user's computer. By tricking a user into opening a specially crafted PDF file, an attacker could execute malicious code, potentially leading to data theft, malware installation, or a full system compromise. Immediate patching is required to mitigate this significant risk.
Vulnerability Details
CVE-ID: CVE-2025-66495
Affected Software: Foxit PDF Reader
Affected Versions: Versions of Foxit PDF Reader prior to the 2025 release. See vendor advisory for specific affected versions.
Vulnerability: This is a use-after-free (UAF) memory corruption vulnerability. The flaw exists within the component responsible for handling annotations in PDF documents. An attacker can exploit this by creating a malicious PDF file with a specially crafted annotation that, when processed, causes the application to incorrectly manage memory. Specifically, the application attempts to access a memory location after it has been deallocated (freed), which an attacker can leverage to corrupt memory and execute arbitrary code with the same privileges as the user running the software.
Business Impact
This is a high-severity vulnerability with a CVSS score of 7.8. Successful exploitation could lead to a complete compromise of the affected user's workstation. An attacker could execute arbitrary code to install malware such as ransomware or spyware, exfiltrate sensitive corporate or personal data, or use the compromised machine as a pivot point to move laterally within the organization's network. Given the ubiquitous use of PDF documents in business operations, the attack surface is large, and a successful exploit could result in significant financial loss, reputational damage, and operational disruption.
Remediation Plan
Immediate Action: Immediately apply the security updates released by Foxit for all affected products to patch this vulnerability. After patching, it is crucial to monitor systems for any signs of exploitation that may have occurred prior to the update and to review relevant application and system access logs for anomalous activity.
Proactive Monitoring: Implement enhanced monitoring on endpoints. Look for unusual child processes spawning from the Foxit PDF Reader executable (e.g., powershell.exe, cmd.exe). Monitor for unexpected network connections originating from the PDF reader process to external IP addresses. Endpoint Detection and Response (EDR) solutions should be configured to detect and alert on memory corruption exploit techniques and suspicious process behavior.
Compensating Controls: If patching cannot be immediately deployed, consider the following temporary controls:
Exploitation Status
Public Exploit Available: False
Analyst Notes: As of December 20, 2025, there are no known public exploits or active attacks targeting this vulnerability. However, use-after-free vulnerabilities in popular client-side applications like PDF readers are highly sought after by threat actors. It is highly probable that a functional proof-of-concept (PoC) exploit will be developed, which would significantly increase the likelihood of widespread attacks.
Analyst Recommendation
This vulnerability represents a critical risk to the organization due to its high severity (CVSS 7.8) and the widespread use of the affected software. The attack vector, a malicious document, is a common and effective method for initial access. Although this CVE is not currently listed on the CISA KEV (Known Exploited Vulnerabilities) catalog, its characteristics make it a prime candidate for future exploitation. We strongly recommend that organizations treat this as a critical priority and expedite the deployment of the vendor-supplied patches across all affected systems without delay to prevent potential system compromise.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
A use-after-free vulnerability exists in the PDF file parsing of Foxit PDF Reader before 2025
A use-after-free vulnerability exists in the PDF file parsing of Foxit PDF Reader before 2025
Executive Summary:
A high-severity use-after-free vulnerability has been identified in Foxit PDF Reader, which could allow an attacker to execute arbitrary code on a user's system. Successful exploitation occurs when a user opens a specially crafted, malicious PDF file, potentially leading to a full system compromise. Organizations should prioritize applying the vendor-provided security updates to mitigate this significant risk.
Vulnerability Details
CVE-ID: CVE-2025-66494
Affected Software: Foxit PDF Reader
Affected Versions: See vendor advisory for specific affected versions
Vulnerability:
This is a use-after-free (UAF) memory corruption vulnerability. The vulnerability is triggered when the software's PDF parsing engine processes a specially crafted PDF file. The application incorrectly continues to use a pointer to a memory location after that memory has been freed (deallocated). An attacker can exploit this by crafting a PDF file that causes the application to free a specific memory object and then reallocates that same memory space with malicious shellcode. When the application later attempts to use the original, now-invalid pointer, it will instead access the attacker's malicious code, leading to arbitrary code execution in the context of the current user.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation could have a significant negative impact on the organization. An attacker who convinces a user to open a malicious PDF file could execute arbitrary code with the same privileges as that user. This could lead to the installation of malware such as ransomware or spyware, the theft of sensitive corporate or personal data, loss of system integrity, and could allow the attacker to establish a persistent foothold in the network, leading to further lateral movement and compromise.
Remediation Plan
Immediate Action:
Apply vendor security updates immediately to all systems running vulnerable versions of Foxit PDF Reader. The vendor has released patches to address this vulnerability. After patching, monitor for any signs of exploitation attempts by reviewing application and security logs for unusual activity related to the PDF reader process.
Proactive Monitoring:
Implement enhanced monitoring for systems where Foxit PDF Reader is installed. Security teams should look for signs of compromise, including:
FoxitPDFReader.exe) spawning child processes such as cmd.exe, powershell.exe, or other unexpected executables.Compensating Controls:
If immediate patching is not feasible, the following compensating controls can help reduce the risk:
Exploitation Status
Public Exploit Available: false
Analyst Notes:
As of December 20, 2025, there are no known public proof-of-concept exploits or active exploitation campaigns targeting this vulnerability. However, use-after-free vulnerabilities in widely-used client-side software like PDF readers are attractive targets for threat actors. The likelihood of exploitation is expected to increase as security researchers and malicious actors analyze the patch.
Analyst Recommendation
Given the high severity (CVSS 7.8) of this vulnerability and its potential for arbitrary code execution via a common file type, we strongly recommend that organizations prioritize the immediate deployment of the vendor-supplied security updates. Although this CVE is not currently listed on the CISA KEV catalog, its client-side nature makes it a prime candidate for phishing campaigns. All workstations with Foxit PDF Reader installed should be considered at risk and patched without delay to prevent potential system compromise and data breaches.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
A use-after-free vulnerability exists in the AcroForm handling of Foxit PDF Reader and Foxit PDF Editor before 2025
A use-after-free vulnerability exists in the AcroForm handling of Foxit PDF Reader and Foxit PDF Editor before 2025
Executive Summary:
A high-severity vulnerability has been identified in multiple Foxit PDF products, which could allow an attacker to execute malicious code on a user's system. Exploitation occurs when a user opens a specially crafted PDF file, potentially leading to a full system compromise, data theft, or a denial-of-service condition. Immediate patching is required to mitigate the significant risk posed by this flaw.
Vulnerability Details
CVE-ID: CVE-2025-66493
Affected Software: Foxit PDF Reader and Foxit PDF Editor
Affected Versions: All versions prior to the 2025 release. See vendor advisory for specific affected versions.
Vulnerability: The vulnerability is a use-after-free error within the software's component for handling AcroForms (interactive PDF forms). An attacker can craft a malicious PDF document with a specially designed AcroForm that, when processed by a vulnerable version of the software, causes the application to reference a portion of memory that has already been deallocated. This memory corruption can be leveraged by the attacker to hijack the application's control flow, leading to arbitrary code execution with the same permissions as the logged-in user. A failed exploitation attempt will likely result in the application crashing, causing a denial-of-service.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.8, posing a significant risk to the organization. Successful exploitation could allow an attacker to gain initial access to a corporate workstation, which can be used as a beachhead for further lateral movement within the network. Potential consequences include the deployment of ransomware, installation of spyware to steal sensitive corporate or personal data, and complete compromise of the affected user's system. Such an incident could lead to operational disruption, financial loss, reputational damage, and regulatory penalties related to a data breach.
Remediation Plan
Immediate Action:
Proactive Monitoring:
FoxitPDFReader.exe or FoxitPDFEditor.exe processes spawning child processes such as cmd.exe, powershell.exe, or other unexpected executables.Compensating Controls:
Exploitation Status
Public Exploit Available: false
Analyst Notes:
As of December 20, 2025, there are no known public proof-of-concept exploits or reports of this vulnerability being actively exploited in the wild. However, vulnerabilities in widely-used PDF software are a common target for threat actors, who often incorporate them into phishing campaigns for initial access. Organizations should assume that a functional exploit will be developed and weaponized in the near future.
Analyst Recommendation
Immediate patching is the most critical and effective mitigation for this vulnerability. Given the high CVSS score of 7.8 and the prevalence of Foxit software in enterprise environments, this vulnerability presents a significant and immediate risk. Although it is not currently on the CISA KEV list, its potential for enabling remote code execution makes it a prime candidate for future exploitation. We strongly recommend that all organizations prioritize the deployment of vendor-supplied updates to all affected systems without delay to prevent potential system compromise.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Masa CMS is an open source Enterprise Content Management platform
Masa CMS is an open source Enterprise Content Management platform
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
DeepChat is an open-source AI chat platform that supports cloud models and LLMs. Versions 0.5.1 and below are vulnerable to XSS attacks through improp...
DeepChat is an open-source AI chat platform that supports cloud models and LLMs. Versions 0.5.1 and below are vulnerable to XSS attacks through improperly sanitized Mermaid content. The recent security patch for MermaidArtifact.vue is insufficient and can be bypassed using unquoted HTML attributes combined with HTML entity encoding. Remote Code Execution is possible on the victim's machine via the electron.ipcRenderer interface, bypassing the regex filter intended to strip dangerous attributes. There is no fix at time of publication.
Executive Summary:
A critical vulnerability has been identified in the DeepChat AI chat platform, rated with a CVSS score of 9.6. This flaw allows a remote attacker to bypass existing security filters and execute arbitrary code on a user's computer by sending a specially crafted message. Successful exploitation could lead to a complete system compromise, enabling data theft, malware installation, and further network intrusion.
Vulnerability Details
CVE-ID: CVE-2025-66481
Affected Software: DeepChat is an Multiple Products
Affected Versions: Versions 0.5.1 and below
Vulnerability: The vulnerability is a Cross-Site Scripting (XSS) flaw originating from the improper sanitization of Mermaid diagram content within the MermaidArtifact.vue component. A previous security patch is insufficient and can be bypassed. An attacker can craft a malicious payload using unquoted HTML attributes combined with HTML entity encoding to evade the regex filter designed to strip dangerous code. When a victim views the malicious Mermaid content, the XSS payload executes and can leverage the electron.ipcRenderer interface, which allows the web-based chat client to interact with the underlying operating system, resulting in Remote Code Execution (RCE) on the victim's machine.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.6. Successful exploitation allows an unauthenticated, remote attacker to gain full control over an affected user's computer. The potential business impact includes the theft of sensitive data such as intellectual property, user credentials, and private chat logs; the installation of ransomware or spyware; lateral movement into the broader corporate network from a compromised endpoint; and significant reputational damage. The ability to achieve RCE from a chat message poses a direct and severe threat to organizational security.
Remediation Plan
Immediate Action: The vendor advisory indicates there is no fix at the time of publication, despite a general recommendation to update. Organizations should prepare to apply a patch for DeepChat products to a version higher than 0.5.1 immediately upon its release. In the interim, and after patching, it is crucial to monitor for exploitation attempts and review access logs for any indicators of compromise.
Proactive Monitoring:
&#x...;), and strings related to electron.ipcRenderer.Compensating Controls:
Exploitation Status
Public Exploit Available: False
Analyst Notes: As of December 9, 2025, there is no official patch available from the vendor. The detailed public description of the bypass technique (unquoted attributes and HTML entity encoding) makes the development of a functional exploit trivial for a skilled attacker. The escalation path from XSS to RCE via the Electron framework makes this a particularly potent vulnerability for any organization using the desktop version of the DeepChat client.
Analyst Recommendation
This vulnerability represents a critical risk to the organization and requires immediate attention. Due to the lack of an available patch, organizations must prioritize the implementation of compensating controls, such as disabling Mermaid rendering where possible and enhancing monitoring for the specific indicators of compromise outlined above. A plan should be in place to test and deploy the vendor's security patch as soon as it is released. Although not currently listed on the CISA KEV list, its high severity and potential for RCE make it a likely candidate for future inclusion, and it should be treated with the highest priority.
Update DeepChat is an Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Wildfire IM is an instant messaging and real-time audio/video solution. Prior to 1.4.3, a critical vulnerability exists in the im-server component rel...
Wildfire IM is an instant messaging and real-time audio/video solution. Prior to 1.4.3, a critical vulnerability exists in the im-server component related to the file upload functionality found in com.xiaoleilu.loServer.action.UploadFileAction. The application exposes an endpoint (/fs) that handles multipart file uploads but fails to properly sanitize the filename provided by the user. Specifically, the writeFileUploadData method directly concatenates the configured storage directory with the filename extracted from the upload request without stripping directory traversal sequences (e.g., ../../). This vulnerability allows an attacker to write arbitrary files to any location on the server's filesystem where the application process has write permissions. By uploading malicious files (such as scripts, executables, or overwriting configuration files like authorized_keys or cron jobs), an attacker can achieve Remote Code Execution (RCE) and completely compromise the server. This vulnerability is fixed in 1.4.3.
Executive Summary:
A critical vulnerability has been identified in the Wildfire IM instant messaging solution, which could allow an unauthenticated attacker to take complete control of the server. The flaw resides in the file upload functionality, enabling an attacker to write malicious files to any location on the server's filesystem. Successful exploitation could lead to full system compromise, data theft, and severe disruption of services.
Vulnerability Details
CVE-ID: CVE-2025-66480
Affected Software: Wildfire IM is an instant messaging and Multiple Products
Affected Versions: All versions prior to 1.4.3
Vulnerability: A path traversal vulnerability exists in the im-server component, specifically within the writeFileUploadData method of the com.xiaoleilu.loServer.action.UploadFileAction class. The application exposes a file upload endpoint at /fs that accepts multipart file uploads. The method responsible for saving the uploaded file fails to sanitize or validate the filename provided by the user, directly concatenating it with the server's base storage path. An unauthenticated attacker can craft a malicious request containing directory traversal sequences (e.g., ../../) in the filename to write an arbitrary file to any location on the filesystem where the application's user account has write permissions. This can be leveraged to achieve Remote Code Execution (RCE) by uploading a web shell, an SSH authorized key, a system executable, or by overwriting a system configuration file.
Business Impact
This vulnerability is rated as critical with a CVSS score of 9.8, reflecting the highest possible level of risk. Exploitation can lead to a complete compromise of the affected server, granting an attacker full administrative control. The potential consequences for the business include theft of sensitive data, intellectual property, and user credentials; significant service downtime and operational disruption; and reputational damage. The compromised server could also be used as a pivot point to launch further attacks against the internal network, compounding the overall risk.
Remediation Plan
Immediate Action: Organizations must immediately upgrade the affected Wildfire IM components to version 1.4.3 or later, as this version contains the necessary fix. After patching, review server access logs and filesystem for any signs of compromise, such as unexpected files in sensitive directories or suspicious POST requests to the /fs endpoint.
Proactive Monitoring: Security teams should implement enhanced monitoring to detect exploitation attempts. Specifically, monitor web server and application logs for POST requests to the /fs endpoint where the filename in the multipart data contains path traversal sequences like ../, ..\/, or their URL-encoded equivalents. Monitor for unexpected file creation or modification events in critical system directories (e.g., /etc/, /var/spool/cron/, ~/.ssh/).
Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:
/fs endpoint containing directory traversal patterns in the filename parameter.Exploitation Status
Public Exploit Available: false
Analyst Notes: As of the publication date, February 2, 2026, there are no known public proof-of-concept exploits or active exploitation campaigns targeting this vulnerability. However, due to the simplicity of exploitation and the critical impact, it is highly likely that threat actors will develop exploits rapidly. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
Analyst Recommendation
Given the critical severity (CVSS 9.8) and the direct path to Remote Code Execution, this vulnerability represents an extreme risk to the organization. We strongly recommend that all vulnerable Wildfire IM instances be patched to version 1.4.3 or later on an emergency basis. This vulnerability should be treated as the highest priority for remediation. Even without current evidence of active exploitation, its severity makes it a prime target for opportunistic and sophisticated attackers.
Update Wildfire IM is an instant messaging and Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Vim is an open source, command line text editor
Vim is an open source, command line text editor
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components
The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned
Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
ConvertXis a self-hosted online file converter
ConvertXis a self-hosted online file converter
Executive Summary:
A high-severity vulnerability has been discovered in multiple ConvertXis products, which could allow an unauthenticated remote attacker to execute arbitrary code on the server. Successful exploitation of this vulnerability could lead to a complete system compromise, resulting in data theft, service disruption, and unauthorized access to the underlying infrastructure.
Vulnerability Details
CVE-ID: CVE-2025-66449
Affected Software: ConvertXis Multiple Products
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability is a command injection flaw within the file processing engine of the ConvertXis software. An unauthenticated attacker can upload a specially crafted file containing malicious commands embedded within its filename or metadata. The application fails to properly sanitize this input before passing it to a system shell for processing, allowing the embedded commands to be executed with the privileges of the web server user account.
Business Impact
This vulnerability presents a significant risk to the organization, classified as High severity with a CVSS score of 8.8. A successful exploit could allow an attacker to take full control of the affected server, leading to severe consequences such as the exfiltration of sensitive data processed by the converter, deployment of ransomware, or using the compromised server as a pivot point to attack other systems within the internal network. The potential business impact includes data breach, operational downtime, financial loss, and reputational damage.
Remediation Plan
Immediate Action: The primary remediation is to apply the security updates provided by ConvertXis to all affected systems immediately, prioritizing internet-facing servers. After patching, it is crucial to review web server and application logs for any signs of compromise that may have occurred prior to the update, such as unusual file uploads or suspicious process execution.
Proactive Monitoring: Security teams should monitor for indicators of compromise, including unexpected child processes spawned by the web server process (e.g., sh, bash, powershell.exe), unusual outbound network connections from the ConvertXis server, and access log entries showing file uploads with suspicious or abnormally long filenames.
Compensating Controls: If immediate patching is not feasible, consider the following compensating controls:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of December 16, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, due to the high severity and the relative simplicity of exploiting command injection flaws, it is highly probable that threat actors will develop and deploy exploits in the near future.
Analyst Recommendation
Given the high CVSS score of 8.8 and the risk of unauthenticated remote code execution, this vulnerability requires immediate attention. We strongly recommend that all affected ConvertXis instances be patched without delay, beginning with systems exposed to the public internet. While this vulnerability is not currently listed on the CISA KEV catalog, its severity makes it a prime candidate for future inclusion and a high-value target for attackers. Organizations should assume it will be exploited and apply both the recommended remediation and proactive monitoring controls to mitigate the risk.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
vLLM is an inference and serving engine for large language models (LLMs)
vLLM is an inference and serving engine for large language models (LLMs)
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
MaxKB is an open-source AI assistant for enterprise
MaxKB is an open-source AI assistant for enterprise
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Cross-site Scripting vulnerability in Hitachi Infrastructure Analytics Advisor (Data Center Analytics component) and Hitachi Ops Center Analyzer (Hita...
Cross-site Scripting vulnerability in Hitachi Infrastructure Analytics Advisor (Data Center Analytics component) and Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component)
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Pexip Infinity 35
Pexip Infinity 35
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method of Frappe ERPNext through 15
An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method of Frappe ERPNext through 15
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
WebPros Plesk before 18
WebPros Plesk before 18
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Plesk 18.0 has Incorrect Access Control.
Plesk 18.0 has Incorrect Access Control.
Executive Summary:
A critical vulnerability, identified as CVE-2025-66430, has been discovered in multiple Plesk products, rated with a CVSS score of 9.1. This flaw stems from an Incorrect Access Control issue, which could allow an unauthenticated remote attacker to bypass security measures and gain administrative-level control over the hosting platform. Successful exploitation could lead to complete system compromise, data breaches, and service disruption for all hosted websites.
Vulnerability Details
CVE-ID: CVE-2025-66430
Affected Software: Plesk Multiple Products
Affected Versions: Plesk versions up to and including 18.0. See vendor advisory for a complete list of affected products and specific versions.
Vulnerability: The vulnerability is an Incorrect Access Control flaw within the Plesk web management interface. A remote attacker can exploit this by sending a specially crafted HTTP request to a specific API endpoint that fails to properly validate the user's permissions. This allows an unauthenticated or low-privileged user to access and execute functions that should be restricted to high-privileged administrators, potentially leading to arbitrary command execution on the underlying server.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.1. Exploitation could have a severe and direct impact on business operations. An attacker could gain complete control of the Plesk server, leading to a full-scale data breach of all hosted customer websites, databases, and sensitive information. Potential consequences include unauthorized modification or deletion of data, website defacement, service outages, and the use of the compromised server to launch further attacks. This poses a significant risk of reputational damage, loss of customer trust, and potential financial liabilities from regulatory fines and incident response costs.
Remediation Plan
Immediate Action: The primary remediation is to immediately apply the security updates provided by the vendor. Administrators must update all affected Plesk instances to the latest patched version. Refer to the official Plesk security advisory for specific patch details and installation instructions. After patching, it is crucial to review access logs and audit logs for any signs of compromise that may have occurred before the update was applied.
Proactive Monitoring: Implement enhanced monitoring to detect potential exploitation attempts.
Compensating Controls: If immediate patching is not feasible, apply these temporary risk mitigation measures:
Exploitation Status
Public Exploit Available: False
Analyst Notes: As of Dec 12, 2025, there are no known public exploit codes or active exploitation campaigns targeting this vulnerability. However, due to the critical severity and the widespread use of Plesk, it is highly probable that threat actors will reverse-engineer the patch and develop a functional exploit within a short period. Organizations should operate under the assumption that exploitation is imminent.
Analyst Recommendation
Given the critical CVSS score of 9.1, this vulnerability presents a clear and present danger to affected organizations. The risk of complete system compromise by a remote, unauthenticated attacker necessitates immediate action. We strongly recommend that all organizations using affected Plesk products treat the application of the vendor-supplied patch as their highest security priority. Although this CVE is not currently on the CISA KEV list, its severity makes it a prime candidate for future inclusion. Patch immediately and hunt for evidence of compromise.
Update Plesk Multiple Products to the latest version. Check vendor security advisory for specific patch details. Monitor for exploitation attempts and review access logs.
An issue was discovered in cPanel 110 through 132
An issue was discovered in cPanel 110 through 132
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
An issue with WordPress directory names in WebPros WordPress Toolkit before 6
An issue with WordPress directory names in WebPros WordPress Toolkit before 6
Executive Summary:
A high-severity vulnerability, identified as CVE-2025-66428, has been discovered in the WebPros WordPress Toolkit, affecting versions prior to 6.0. This flaw allows a potential attacker to manipulate directory paths, which could lead to unauthorized access to sensitive files, website defacement, or a complete compromise of the web server. Due to the high CVSS score of 8.8, immediate remediation is strongly recommended to prevent potential exploitation.
Vulnerability Details
CVE-ID: CVE-2025-66428
Affected Software: WebPros WordPress Toolkit
Affected Versions: All versions prior to 6.0
Vulnerability: The vulnerability is a path traversal weakness within the WebPros WordPress Toolkit. The software fails to properly sanitize user-supplied input for directory names, allowing an attacker to use special characters (e.g., ../) to navigate outside of the intended, restricted directory. A remote attacker could exploit this flaw by crafting a malicious request to read sensitive configuration files (like wp-config.php), write arbitrary files to the server leading to remote code execution, or delete critical system files, causing a denial of service.
Business Impact
This vulnerability presents a significant risk to the organization, classified as High severity with a CVSS score of 8.8. Successful exploitation could lead to a complete compromise of the affected web server and its hosted websites. Potential consequences include theft of sensitive data such as customer personal identifiable information (PII) and credentials, significant business disruption from website downtime, reputational damage from a public breach, and potential financial losses associated with incident response and regulatory fines. The compromised server could also be used as a launchpad for further attacks against the internal network.
Remediation Plan
Immediate Action:
Proactive Monitoring:
../, ..%2f, or ..\\.www-data, apache).Compensating Controls:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of January 24, 2026, there are no known public proof-of-concept exploits or active attacks targeting this vulnerability. However, given the high-severity rating and the widespread use of the WordPress Toolkit in hosting environments, security researchers and malicious actors are highly likely to develop exploits in the near future.
Analyst Recommendation
Given the high CVSS score of 8.8 and the potential for complete system compromise, this vulnerability requires immediate attention. We recommend that administrators prioritize the deployment of the patch for the WebPros WordPress Toolkit on all affected systems. Although this CVE is not currently listed on the CISA KEV catalog, its severity warrants treating it with the same level of urgency as a known exploited vulnerability. A failure to act promptly could expose the organization to significant data loss, operational disruption, and reputational harm.
Update WordPress plugin/theme to the latest version. Review WordPress security settings and remove if no longer needed.
Tryton trytond 6
Tryton trytond 6
Executive Summary:
A high-severity vulnerability has been identified in multiple Tryton products, specifically affecting the trytond 6 server component. This flaw could allow an authenticated attacker with low-level privileges to access and exfiltrate sensitive information from the underlying database. Successful exploitation could lead to a significant data breach, compromising confidential business, customer, or financial data.
Vulnerability Details
CVE-ID: CVE-2025-66423
Affected Software: Tryton Multiple Products
Affected Versions: See vendor advisory for specific affected versions of the Tryton trytond 6 series.
Vulnerability: The vulnerability is an authenticated SQL injection flaw within the trytond server's data processing module. An attacker with valid, low-privilege user credentials can send a specially crafted request to a specific API endpoint. Due to improper input sanitization, this malicious request can inject and execute arbitrary SQL commands, allowing the attacker to bypass access controls and directly query the application's database, leading to unauthorized disclosure of sensitive information.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.1. Exploitation could have a significant negative impact on the business by enabling unauthorized access to critical and confidential data stored within the ERP system. Potential consequences include the theft of customer personal identifiable information (PII), financial records, intellectual property, or other proprietary business data. Such a data breach could result in severe reputational damage, regulatory fines (e.g., under GDPR), and financial loss.
Remediation Plan
Immediate Action: The primary remediation is to apply the security updates provided by the vendor across all affected systems immediately. Prioritize patching for internet-facing instances of Tryton. After patching, it is critical to monitor for any signs of post-patch exploitation attempts and review historical access and database logs for indicators of compromise.
Proactive Monitoring: Implement enhanced monitoring on Tryton application servers and backend databases. Security teams should look for unusual or malformed SQL queries in database logs, an increase in API errors, or access patterns from low-privileged users targeting sensitive data models. Monitor network traffic for any signs of large or unusual data exfiltration.
Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce the risk. Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL injection attacks. Additionally, review and enforce the principle of least privilege, restricting user access to only the data and functions essential for their roles, which may limit the scope of a potential compromise.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of November 30, 2025, there is no known public proof-of-concept (PoC) exploit code, and there are no reports of this vulnerability being actively exploited in the wild. However, given the low complexity of the attack, it is highly probable that threat actors will reverse-engineer the vendor patch to develop a functional exploit.
Analyst Recommendation
Given the high severity rating (CVSS 7.1) and the potential for a significant data breach, we strongly recommend that organizations apply the vendor-supplied security patches to all affected Tryton installations as an urgent priority. Although this vulnerability is not currently listed on the CISA KEV catalog, its characteristics make it an attractive target for attackers. If patching is delayed, the compensating controls outlined above should be implemented immediately to mitigate the risk of exploitation.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
MaxKB is an open-source AI assistant for enterprise
MaxKB is an open-source AI assistant for enterprise
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
GLPI is a free asset and IT management software package
GLPI is a free asset and IT management software package
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Coder allows organizations to provision remote development environments via Terraform
Coder allows organizations to provision remote development environments via Terraform
Executive Summary:
A high-severity vulnerability has been discovered in multiple Coder products, which could allow an attacker to execute arbitrary code within the remote development infrastructure. Successful exploitation could lead to the compromise of sensitive source code, credentials, and other intellectual property, potentially enabling further unauthorized access into the corporate network. Organizations are urged to apply the vendor-provided security updates immediately to mitigate this significant risk.
Vulnerability Details
CVE-ID: CVE-2025-66411
Affected Software: Coder Multiple Products
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability is an improper input validation flaw within the component that processes Terraform configurations for provisioning development environments. An authenticated attacker with permissions to define or modify environment templates can inject specially crafted commands into certain template parameters. When Coder parses and applies the Terraform configuration, these embedded commands are not properly sanitized and are executed with the privileges of the Coder service account on the underlying infrastructure, leading to remote code execution (RCE).
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.8. Exploitation could have a severe impact on the business by compromising the integrity and confidentiality of the software development lifecycle. An attacker could gain unauthorized access to sensitive source code, API keys, database credentials, and other proprietary information stored within the development environments. This could lead to intellectual property theft, disruption of development operations, and provide a pivot point for an attacker to move laterally across the network into production systems.
Remediation Plan
Immediate Action: Apply the security updates provided by Coder across all affected instances without delay. After patching, it is critical to review access logs for Coder environments, focusing on template and workspace modifications, for any unusual or unauthorized changes preceding the patch application. Monitor for any anomalous outbound network connections from provisioned development environments.
Proactive Monitoring: Security teams should actively monitor for indicators of compromise. This includes looking for unusual shell commands (e.g., curl, wget, nc) in process execution logs on Coder-managed infrastructure, unexpected network traffic originating from developer workspaces to unknown external IP addresses, and any modifications to environment startup scripts or Terraform templates by non-administrative users.
Compensating Controls: If immediate patching is not feasible, organizations should implement compensating controls. Restrict permissions for creating and editing workspace templates to a minimal set of highly trusted administrators. Implement strict network egress filtering on all development environments to block connections to non-essential external services, limiting an attacker's ability to exfiltrate data or establish a command-and-control channel.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of December 4, 2025, there are no known public exploits or reports of this vulnerability being actively exploited in the wild. However, due to the high-impact nature of remote code execution in a development platform, it is anticipated that security researchers and threat actors will analyze the patch to develop exploit code rapidly.
Analyst Recommendation
Given the high CVSS score of 7.8 and the critical role Coder plays in managing access to sensitive development assets, this vulnerability presents a significant risk to the organization. The primary and most effective mitigation is to apply the vendor-supplied patches immediately. While this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its potential for severe impact makes it a prime target for future exploitation. We strongly recommend prioritizing the remediation of this vulnerability across all affected systems.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
MCP Watch is a comprehensive security scanner for Model Context Protocol (MCP) servers. In 0.1.2 and earlier, the MCPScanner class contains a critical...
MCP Watch is a comprehensive security scanner for Model Context Protocol (MCP) servers. In 0.1.2 and earlier, the MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via execSync without sanitization. This allows an attacker to execute arbitrary commands on the host machine by appending shell metacharacters to the URL.
Executive Summary:
A critical command injection vulnerability has been identified in the MCP Watch security scanner. This flaw allows an unauthenticated attacker to execute arbitrary commands on the underlying server by sending a maliciously crafted URL. Successful exploitation could result in a complete system compromise, leading to data theft, service disruption, or further network intrusion.
Vulnerability Details
CVE-ID: CVE-2025-66401
Affected Software: MCP Watch is a comprehensive security scanner for Model Context Protocol Multiple Products
Affected Versions: 0.1.2 and earlier
Vulnerability: The vulnerability exists within the cloneRepo method of the MCPScanner class. The application accepts a user-provided URL, githubUrl, and passes it directly to a system shell command (execSync) without proper input sanitization or validation. An attacker can exploit this by appending shell metacharacters (e.g., ;, |, &&, $(command)) to the URL, which allows them to inject and execute arbitrary commands with the privileges of the running application.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the ease of exploitation and the potential for severe impact. A successful attack grants the adversary remote code execution (RCE) on the host machine, effectively giving them full control. This could lead to the theft of sensitive data, deployment of ransomware, complete disruption of services running on the server, or the use of the compromised system as a pivot point to attack other internal network resources.
Remediation Plan
Immediate Action: Update MCP Watch is a comprehensive security scanner for Model Context Protocol Multiple Products to the latest version. The vendor has released a patch that addresses this vulnerability by properly sanitizing the user-supplied URL before it is passed to the system shell. After patching, monitor for any signs of exploitation attempts and review historical access logs for indicators of compromise.
Proactive Monitoring: Security teams should monitor application and system logs for any requests to the cloneRepo method containing unusual URL formats or shell metacharacters (e.g., ;, |, &, $, (, )). Monitor for unexpected outbound network connections or processes being spawned by the MCP Watch application, such as sh, bash, curl, wget, or nc.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to block requests containing common shell metacharacters in the githubUrl parameter. Additionally, ensure the MCP Watch application is running with the lowest possible user privileges to limit the potential damage of a successful exploit.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Dec 1, 2025, there are no known public exploits or proof-of-concept code available for this vulnerability. However, given the straightforward nature of command injection flaws, it is highly likely that threat actors can independently develop an exploit with minimal effort.
Analyst Recommendation
Due to the critical CVSS score of 9.8 and the risk of unauthenticated remote code execution, this vulnerability poses a significant threat to the organization. Although it is not currently listed in the CISA KEV catalog, its severity demands immediate attention. We strongly recommend that all instances of the affected software be patched or taken offline immediately to prevent a potential compromise.
Update MCP Watch is a comprehensive security scanner for Model Context Protocol Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: free5GC
PRODUCT: NRF
AFFECTED_VERSIONS: 1.4.0
CONFIDENCE: high
MISSING: patch
---END_METADATA---
Description Summary:
The free5GC NRF 1.4.0 access-token generation logic contains a flaw in the AccessTokenScopeCheck() function, allowing unauthorized access token generation.
Executive Summary:
An authentication bypass vulnerability in free5GC NRF 1.4.0 allows attackers to generate arbitrary access tokens, potentially leading to unauthorized network access.
Vulnerability Details
CVE-ID: CVE-2025-66719
Affected Software: free5GC NRF
Affected Versions: 1.4.0
Vulnerability: The vulnerability resides in the
AccessTokenScopeCheck()function withininternal/sbi/processor/access_token.go. By providing a craftedtargetNFvalue, an attacker can bypass all scope validation checks during access token generation, granting them elevated privileges.Business Impact
With a CVSS score of 9.1 (Critical), this vulnerability presents a severe risk to 5G core network infrastructure. Exploitation allows an attacker to gain unauthorized access to network functions with arbitrary scopes, potentially leading to widespread service disruption, data exfiltration, and full compromise of the NRF (Network Repository Function) security model.
Remediation Plan
Immediate Action: Update the free5GC NRF component to the latest patched version that addresses the scope validation bypass in the
access_token.gofile.Proactive Monitoring: Audit access logs for unusual token generation requests and monitor for traffic originating from entities that should not possess specific network scopes.
Compensating Controls: Implement strict identity and access management (IAM) policies at the network layer to restrict communication between NRF components and untrusted entities.
Exploitation Status
Public Exploit Available: Unknown
Analyst Notes: As of Jan 23, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
This vulnerability is highly severe as it undermines the fundamental trust model of the 5G core network. Administrators must treat this as a high-priority update and ensure that the access-token generation logic is strictly enforced across all deployments to prevent unauthorized privilege escalation.