Tag: cve
-
Google Warns of High-Risk WebView Vulnerability That Breaks Security Controls
Google released Chrome versions 143.0.7499.192/.193 on January 6, 2026, to patch a high-severity vulnerability in WebView that could allow attackers to bypass important security policies. The flaw, tracked as CVE-2026-0628, represents a significant threat to users whose browsers rely on WebView’s policy enforcement framework to block malicious content. Attribute Details CVE ID CVE-2026-0628 Severity High…
-
Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers
A newly discovered critical security flaw in legacy D-Link DSL gateway routers has come under active exploitation in the wild.The vulnerability, tracked as CVE-2026-0625 (CVSS score: 9.3), concerns a case of command injection in the “dnscfg.cgi” endpoint that arises as a result of improper sanitization of user-supplied DNS configuration parameters.”An unauthenticated remote attacker can inject…
-
HackerOne ‘ghosted’ me for months over $8,500 bug bounty, says researcher
Long after CVEs issued and open source flaws fixed First seen on theregister.com Jump to article: www.theregister.com/2026/01/07/hackerone_ghosted_researcher/
-
CERT/CC warns of critical, unfixed vulnerability in TOTOLINK EX200
CERT/CC disclosed an unpatched flaw in the TOTOLINK EX200 that allows a remote authenticated attacker to fully compromise the device. CERT/CC warns of an unpatched vulnerability, tracked as CVE-2025-65606, in the TOTOLINK EX200 range extender that lets a remote authenticated attacker fully take over the device. The TOTOLINK EX200 is a compact Wi-Fi range extender…
-
Google fixes critical Dolby Decoder bug in Android January update
Android’s January 2026 update fixes CVE-2025-54957, a critical Dolby audio decoder flaw discovered by Google researchers in October 2025. A critical Dolby audio decoder vulnerability, tracked as CVE-2025-54957, was addressed in the January 2026 Android security update. Google fixed the flaw in December 2025 for Pixel phones and has now rolled out the fix to…
-
Unpatched Firmware Flaw Exposes TOTOLINK EX200 to Full Remote Device Takeover
The CERT Coordination Center (CERT/CC) has disclosed details of an unpatched security flaw impacting TOTOLINK EX200 wireless range extender that could allow a remote authenticated attacker to gain full control of the device.The flaw, CVE-2025-65606 (CVSS score: N/A), has been characterized as a flaw in the firmware-upload error-handling logic, which could cause the device to…
-
New n8n Vulnerability Allows Attackers to Execute Arbitrary Commands
A critical vulnerability has been discovered in n8n, an open-source automation and workflow platform, that could allow authenticated users to execute arbitrary commands on vulnerable systems. The flaw, tracked as CVE-2025-68668, affects all n8n versions from 1.0.0 to 1.999.999 and has a CVSS score of 9.1, indicating severe risk. Attribute Details CVE ID CVE-2025-68668 Vulnerability…
-
Critical AdonisJS Vulnerability Allows Remote Attackers to Write Files on Server
A critical path traversal vulnerability has been discovered in AdonisJS’s multipart file handling, potentially allowing remote attackers to write arbitrary files to server locations outside the intended upload directory. The vulnerability, tracked as CVE-2026-21440, affects @adonisjs/bodyparser versions through 10.1.1 and all 11.x prerelease versions prior to 11.0.0-next.6, with patches now available in versions 10.1.2 and…
-
Critical n8n Vulnerability Allows Arbitrary Command Execution (CVE-2025-68668)
A newly disclosed n8n vulnerability has been confirmed to allow authenticated users to execute arbitrary system commands on affected servers. The issue, tracked as CVE-2025-68668, has been assigned a CVSS score of 9.9, placing it firmly in the critical severity range. The flaw impacts the open-source workflow automation platform n8n and affects a broad range of deployed versions. First…
-
Critical AdonisJS Bodyparser Flaw (CVSS 9.2) Enables Arbitrary File Write on Servers
Users of the “@adonisjs/bodyparser” npm package are being advised to update to the latest version following the disclosure of a critical security vulnerability that, if successfully exploited, could allow a remote attacker to write arbitrary files on the server.Tracked as CVE-2026-21440 (CVSS score: 9.2), the flaw has been described as a path traversal issue affecting…
-
New n8n Vulnerability (9.9 CVSS) Lets Authenticated Users Execute System Commands
A new critical security vulnerability has been disclosed in n8n, an open-source workflow automation platform, that could enable an authenticated attacker to execute arbitrary system commands on the underlying host.The vulnerability, tracked as CVE-2025-68668, is rated 9.9 on the CVSS scoring system. It has been described as a case of a protection mechanism failure.It affects…
-
MongoBleed: unauthenticated memory disclosure in MongoDB (CVE-2025-14847)
On December 12, 2025, the MongoDB Security Engineering team disclosed a high-severity vulnerability in MongoDB that allows unauthenticated memory disclosure. The issue is tracked as CVE-2025-14847 and has a CVSS score of 8.7 and was quickly nicknamed MongoBleed in the security community due to the way it exposes server memory. Technical Details MongoDB uses a”¦…
-
Kritische React2Shell-Schwachstelle wird aktiv ausgenutzt – CVE-2025-55182 öffnet React Server Components für Linux-Backdoors
First seen on security-insider.de Jump to article: www.security-insider.de/cve-2025-55182-react2shell-linux-backdoors-a-1bb71c2f73c8feceaaf077bb15fe17c9/
-
CISA Issues Warning on WHILL Model C2 Wheelchair Takeover Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a severe security flaw in WHILL Model C2 electric wheelchairs and Model F power chairs that could allow attackers to hijack the devices via Bluetooth. The vulnerability, tracked as CVE-2025-14346, carries a CVSS v3 score of 9.8, indicating critical severity. Security researchers…
-
Top CVEs of December 2025
December 2025 was a brutal reality check for security teams. While most were winding down for the holidays, threat actors weaponized a tectonic shift in the landscape, headlined by the… The post Top CVEs of December 2025 appeared first on Strobes Security. First seen on securityboulevard.com Jump to article: https://securityboulevard.com/2026/01/top-cves-of-december-2025/
-
IBM warns of critical API Connect bug enabling remote access
IBM disclosed a critical API Connect flaw (CVE-2025-13915, CVSS 9.8) that allows remote access via an authentication bypass. IBM addressed a critical API Connect vulnerability, tracked as CVE-2025-13915 (CVSS score of 9.8) that allows remote access via an authentication bypass. API Connect is IBM’s API management platform. It’s used by organizations to create, secure, manage,…
-
Best of 2025: CVE-2025-29927 Understanding the Next.js Middleware Vulnerability
When security vulnerabilities appear in popular frameworks, they can affect thousands of websites overnight. That’s exactly what’s happening with a newly discovered vulnerability in Next.js one of the most… First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/01/cve-2025-29927-understanding-the-next-js-middleware-vulnerability-2/
-
Critical CVSS 9.8 Flaw Found in IBM API Connect Authentication System
IBM has disclosed details of a critical security flaw in API Connect that could allow attackers to gain remote access to the application.The vulnerability, tracked as CVE-2025-13915, is rated 9.8 out of a maximum of 10.0 on the CVSS scoring system. It has been described as an authentication bypass flaw.”IBM API Connect could allow a…
-
Critical Apache StreamPipes Flaw Allows Attackers to Take Over Admin Accounts
Apache StreamPipes has released an urgent security advisory addressing CVE-2025-47411, a critical privilege escalation vulnerability affecting versions 0.69.0 through 0.97.0. The flaw allows attackers with legitimate non-administrator accounts to exploit the user ID creation mechanism and hijack administrator credentials, gaining full control over the streaming data platform. The Vulnerability The vulnerability stems from improper handling…
-
Singapore CSA warns of maximun severity SmarterMail RCE flaw
Singapore’s CSA warns of CVE-2025-52691, a critical SmarterMail flaw enabling unauthenticated remote code execution via arbitrary file upload. Singapore’s Cyber Security Agency of Singapore (CSA) warns of a maximum severity flaw, tracked as CVE-2025-52691 (CVSS score of 10.0), in SmarterMail. The vulnerability enables unauthenticated remote code execution via arbitrary file upload. >>Successful exploitation of the…
-
IBM Warns of Critical API Connect Bug Allowing Remote Authentication Bypass
IBM has disclosed details of a critical security flaw in API Connect that could allow attackers to gain remote access to the application.The vulnerability, tracked as CVE-2025-13915, is rated 9.8 out of a maximum of 10.0 on the CVSS scoring system. It has been described as an authentication bypass flaw.”IBM API Connect could allow a…
-
IBM Warns of Critical API Connect Bug Allowing Remote Authentication Bypass
IBM has disclosed details of a critical security flaw in API Connect that could allow attackers to gain remote access to the application.The vulnerability, tracked as CVE-2025-13915, is rated 9.8 out of a maximum of 10.0 on the CVSS scoring system. It has been described as an authentication bypass flaw.”IBM API Connect could allow a…
-
MongoBleed (CVE-2025-14847): the US, China, and the EU are among the top exploited GEOs
MongoBleed (CVE-2025-14847) lets attackers remotely leak memory from unpatched MongoDB servers using zlib compression, without authentication. A critical vulnerability, CVE-2025-14847 (MongoBleed), was disclosed right after Christmas, an unwelcome “gift” for the cybersecurity community, impacting MongoDB Server deployments that use zlib network compression. MongoDB is a popular open-source NoSQL database used to store and manage data…
-
Critical IBM API Connect Flaw Allows Attackers to Bypass Authentication
IBM has disclosed a critical authentication bypass vulnerability affecting its API Connect platform, assigning it a maximum CVSS severity score of 9.8. The flaw, tracked as CVE-2025-13915, represents a primary authentication weakness (CWE-305) that requires no user interaction or special privileges to exploit. The vulnerability impacts IBM API Connect versions 10.0.8.0 through 10.0.8.5 and version…
-
CISA Alerts on Active Exploitation of MongoDB Vulnerability CVE-2025-14847
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning about the active exploitation of CVE-2025-14847, a severe vulnerability affecting MongoDB and MongoDB Server. The flaw was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on December 29, 2025, signaling that threat actors are actively targeting this security weakness in real-world attacks.…
-
CSA Issues Alert on Critical SmarterMail Bug Allowing Remote Code Execution
The Cyber Security Agency of Singapore (CSA) has issued a bulletin warning of a maximum-severity security flaw in SmarterTools SmarterMail email software that could be exploited to achieve remote code execution.The vulnerability, tracked as CVE-2025-52691, carries a CVSS score of 10.0. It relates to a case of arbitrary file upload that could enable code execution…
-
CSA Issues Alert on Critical SmarterMail Bug Allowing Remote Code Execution
The Cyber Security Agency of Singapore (CSA) has issued a bulletin warning of a maximum-severity security flaw in SmarterTools SmarterMail email software that could be exploited to achieve remote code execution.The vulnerability, tracked as CVE-2025-52691, carries a CVSS score of 10.0. It relates to a case of arbitrary file upload that could enable code execution…
-
Critical 0day flaw Exposes 70k XSpeeder Devices as Vendor Ignores Alert
Researchers reveal CVE-2025-54322, a critical unpatched flaw in XSpeeder networking gear found by AI agents. 70,000 industrial and branch devices are exposed. First seen on hackread.com Jump to article: hackread.com/xspeeder-0day-flaw-devices-vendor-ignores-alert/
-
MongoDB Vulnerability CVE-2025-14847 Under Active Exploitation Worldwide
A recently disclosed security vulnerability in MongoDB has come under active exploitation in the wild, with over 87,000 potentially susceptible instances identified across the world.The vulnerability in question is CVE-2025-14847 (CVSS score: 8.7), which allows an unauthenticated attacker to remotely leak sensitive data from the MongoDB server memory. It has been codenamed MongoBleed.”A flaw First…