Tag: cvss
-
Gemini MCP Tool 0-Day Vulnerability Exposes Systems to Remote Code Execution
A critical zero-day vulnerability has been disclosed in the Gemini MCP Tool, enabling unauthenticated remote attackers to execute arbitrary code on vulnerable installations without requiring user interaction or authentication. The vulnerability, tracked as CVE-2026-0755 with a CVSS score of 9.8, represents a severe risk to systems utilizing this tool in production environments. Vulnerability Overview The…
-
Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution
A critical sandbox escape vulnerability has been disclosed in the popular vm2 Node.js library that, if successfully exploited, could allow attackers to run arbitrary code on the underlying operating system.The vulnerability, tracked as CVE-2026-22709, carries a CVSS score of 9.8 out of 10.0 on the CVSS scoring system.”In vm2 for version 3.10.0, Promise.prototype.then Promise.prototype.catch First…
-
20,000 WordPress Sites Compromised by Backdoor Vulnerability Enabling Malicious Admin Access
A critical backdoor vulnerability discovered in the LA-Studio Element Kit for the Elementor plugin poses an immediate threat to more than 20,000 WordPress installations. The vulnerability, tracked as CVE-2026-0920 with a CVSS severity rating of 9.8 (Critical), enables unauthenticated attackers to create administrator accounts and achieve complete site compromise. The function fails to properly restrict…
-
Critical GNU InetUtils telnetd Flaw Lets Attackers Bypass Login and Gain Root Access
A critical security flaw has been disclosed in the GNU InetUtils telnet daemon (telnetd) that went unnoticed for nearly 11 years.The vulnerability, tracked as CVE-2026-24061, is rated 9.8 out of 10.0 on the CVSS scoring system. It affects all versions of GNU InetUtils from version 1.9.3 up to and including version 2.7.”Telnetd in GNU Inetutils…
-
Active Exploitation Of Fortinet SSO Flaw Targets Firewalls For Admin Takeover
Tags: access, authentication, cisa, cve, cvss, cyber, data-breach, exploit, firewall, flaw, fortinet, Internet, malicious, threat, vulnerabilityThreat actors actively exploit critical Fortinet vulnerabilities CVE-2025-59718 and CVE-2025-59719 to bypass FortiCloud SSO authentication on firewalls and proxies. These flaws allow unauthenticated attackers to craft malicious SAML messages, gaining admin access on internet-exposed devices. Fortinet disclosed them on December 9, 2025, with CVSS scores of 9.8, and CISA added CVE-2025-59718 to its Known Exploited…
-
Vulnerability prioritization beyond the CVSS number
Tags: automation, container, credentials, cve, cvss, data, docker, endpoint, flaw, github, identity, network, open-source, risk, service, update, vulnerability, vulnerability-managementA different way to look at vulnerabilities: This is where the unified linkage model (ULM) comes in. Instead of asking, “How bad is this vulnerability on its own?” ULM asks, “What can this vulnerability affect once it starts moving?”It focuses on three kinds of relationships:Adjacency: Systems that sit side by side and can influence each…
-
Critical WordPress Plugin Vulnerability Exposes 100,000+ Websites to Privilege Escalation Attacks
A critical privilege escalation vulnerability discovered in the Advanced Custom Fields: Extended WordPress plugin threatens over 100,000 active installations. The vulnerability, identified as CVE-2025-14533 with a CVSS score of 9.8, allows unauthenticated attackers to elevate their privileges to administrative by exploiting a misconfigured user registration form. The Advanced Custom Fields: Extended plugin, an addon for…
-
CVSS 10.0 und Exploit – HPE-OneView-Sicherheitslücke wird sehr wahrscheinlich ausgenutzt
First seen on security-insider.de Jump to article: www.security-insider.de/kritische-sicherheitsluecke-hpe-oneview-risiko-schutzmassnahmen-a-dbc1e7af45919fb3264171fd7cd64eb9/
-
January 2026 Microsoft Patch Tuesday: Actively exploited zero day needs attention
More priorities: Executives should also prioritize rapid patching and risk reduction efforts this month around the Windows Local Security Authority Subsystem Service Remote Code Execution, Windows Graphics Component Elevation of Privilege, and Windows Virtualization Based Security Enclave Elevation of Privilege flaws, Bicer said, as these vulnerabilities directly enable full system or trust boundary compromise.Strategic focus…
-
Fortinet Fixes Critical FortiSIEM Flaw Allowing Unauthenticated Remote Code Execution
Fortinet has released updates to fix a critical security flaw impacting FortiSIEM that could allow an unauthenticated attacker to achieve code execution on susceptible instances.The operating system (OS) injection vulnerability, tracked as CVE-2025-64155, is rated 9.4 out of 10.0 on the CVSS scoring system.”An improper neutralization of special elements used in an OS command (‘OS…
-
ServiceNow Patches Critical AI Platform Flaw Allowing Unauthenticated User Impersonation
ServiceNow has disclosed details of a now-patched critical security flaw impacting its ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform arbitrary actions as that user.The vulnerability, tracked as CVE-2025-12420, carries a CVSS score of 9.3 out of 10.0″This issue […] could enable an unauthenticated user to impersonate another…
-
New Angular Vulnerability Allows Attackers to Execute Malicious Payloads
A high Cross-Site Scripting (XSS) vulnerability has been discovered in Angular’s Template Compiler, potentially exposing millions of web applications to malicious JavaScript execution. The flaw, tracked as CVE-2026-22610, affects multiple versions of Angular’s core packages and carries a High severity rating with a CVSS score of 7.3/10. Attribute Details CVE ID CVE-2026-22610 Severity High (CVSS 4.0: 7.3/10) Vulnerability…
-
Critical jsPDF Vulnerability Enables Arbitrary File Read in Node.js (CVE-2025-68428)
In January 2026, a critical security vulnerability was disclosed in jsPDF, a popular JavaScript library used to generate PDF documents. The issue, tracked as CVE-2025-68428, affects server-side Node.js deployments of jsPDF prior to version 4.0.0 and has been assigned a CVSS score of 9.2. The vulnerability is a path traversal issue that can be abused”¦…
-
Critical React Router Flaws Could Let Attackers Access or Modify Server Files
A critical vulnerability has been discovered in React Router and Remix that could allow attackers to access or modify sensitive files on web servers. The flaw affects multiple packages and has received a severity rating of Critical with a CVSS score of 8.8/10. Field Details CVE ID CVE-2025-61686 Severity Critical CVSS Score 8.8/10 Vulnerability Overview The security issue stems from…
-
Ni8mare: Kritische n8n-Lücke bedroht 100.000 Server
Tags: access, api, bug, cloud, cve, cvss, cyberattack, google, open-source, rce, remote-code-execution, update, vulnerabilityn8n-Anwender sollten ihre Systeme dringend patchen. Forscher warnen vor einer schwerwiegenden Sicherheitslücke. Forscher des Security-Anbieters Cyera haben eine schwerwiegende Schwachstelle in der Workflow-Automatisierungsplattform n8n entdeckt. Sie ermöglicht es Angreifern, beliebigen Code auszuführen. Auf diese Weise könnten sie die vollständige Kontrolle über die betroffene Umgebung übernehmen, so die Experten. Laut Forschungsbericht sind davon 100.000 Server betroffen.…
-
Trend Micro Apex Central RCE Flaw Scores 9.8 CVSS in On-Prem Windows Versions
Trend Micro has released security updates to address multiple security vulnerabilities impacting on-premise versions of Apex Central for Windows, including a critical bug that could result in arbitrary code execution.The vulnerability, tracked as CVE-2025-69258, carries a CVSS score of 9.8 out of a maximum of 10.0. The vulnerability has been described as a case of…
-
Cisco identifies vulnerability in ISE network access control devices
rotate ISE credentials for those with existing and approved access;ensure only those who need access have credentials;reduce the number of devices that can access the ISE server;patch as soon as it’s possible to take the server offline.In its notice to customers, Cisco says a vulnerability [CVE-2026-20029] in the licensing features of ISE and Cisco ISE…
-
n8n Users Urged to Patch CVSS 10.0 Full System Takeover Vulnerability
A critical vulnerability (CVE-2026-21877) found by Upwind affects n8n automation tools. Learn why researchers are urging users to update to version 1.121.3 immediately to prevent remote code execution. First seen on hackread.com Jump to article: hackread.com/n8n-users-patch-full-system-takeover-vulnerability/
-
Cisco ISE Vulnerability Enables Access to Sensitive Data
Cisco has disclosed a new XML External Entity (XXE) vulnerability in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that could allow authenticated attackers with administrative access to read sensitive data from the underlying operating system. The vulnerability is tracked as CVE-2026-20029 and is rated CVSS 4.9 (medium severity), but its…
-
New n8n Vulnerability (CVE-2026-21858) Allows Unauthenticated File Access and RCE
Cybersecurity researchers have disclosed a new critical flaw in the popular workflow automation platform n8n that could allow unauthenticated attackers to fully compromise vulnerable systems. The issue, tracked as CVE-2026-21858 and assigned a maximum CVSS score of 10.0, is being described as one of the most severe n8n vulnerabilities reported to date. First seen on thecyberexpress.com Jump to article: thecyberexpress.com/cve-2026-21858-n8n-webhook-vulnerability/
-
Holes in Veeam Backup suite allow remote code execution, creation of malicious backup config files
Tags: access, backup, credentials, cve, cvss, cybersecurity, data, exploit, jobs, malicious, monitoring, password, ransomware, remote-code-execution, risk, risk-management, sans, threat, update, veeam, vulnerabilityCVE-2025-59470 (with a CVSS score of 9) allows a Backup or Tape Operator to perform remote code execution (RCE) as the Postgres user by sending a malicious interval or order parameter;CVE-2025-59469 (with a severity score of 7.2) allows a Backup or Tape Operator to write files as root;CVE-2025-55125 (with a severity score of 7.2) allows a Backup…
-
Ni8mare flaw gives unauthenticated control of n8n instances
A critical n8n flaw (CVE-2026-21858, CVSS 10.0), dubbed Ni8mare, allows unauthenticated attackers to fully take over vulnerable instances. Researchers uncovered a maximum severity n8n vulnerability, tracked as CVE-2026-21858 (CVSS score of 10.0). The flaw, dubbed Ni8mare by Cyera researchers who discovered the vulnerability, lets unauthenticated attackers fully compromise affected instances. n8n is a workflow automation…
-
Veeam resolves CVSS 9.0 RCE flaw and other security issues
Veeam patched a critical RCE flaw in Backup & Replication, CVE-2025-59470, rated CVSS 9.0, along with other vulnerabilities. Veeam released patches for multiple Backup & Replication flaws, including a critical RCE vulnerability tracked as CVE-2025-59470 (CVSS score of 9.0). A Backup or Tape Operator can achieve remote code execution as the postgres user by abusing…
-
Veeam resolves CVSS 9.0 RCE flaw and other security issues
Veeam patched a critical RCE flaw in Backup & Replication, CVE-2025-59470, rated CVSS 9.0, along with other vulnerabilities. Veeam released patches for multiple Backup & Replication flaws, including a critical RCE vulnerability tracked as CVE-2025-59470 (CVSS score of 9.0). A Backup or Tape Operator can achieve remote code execution as the postgres user by abusing…
-
Veeam resolves CVSS 9.0 RCE flaw and other security issues
Veeam patched a critical RCE flaw in Backup & Replication, CVE-2025-59470, rated CVSS 9.0, along with other vulnerabilities. Veeam released patches for multiple Backup & Replication flaws, including a critical RCE vulnerability tracked as CVE-2025-59470 (CVSS score of 9.0). A Backup or Tape Operator can achieve remote code execution as the postgres user by abusing…
-
Veeam Patches Critical RCE Vulnerability with CVSS 9.0 in Backup & Replication
Veeam has released security updates to address multiple flaws in its Backup & Replication software, including a “critical” issue that could result in remote code execution (RCE).The vulnerability, tracked as CVE-2025-59470, carries a CVSS score of 9.0.”This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as the postgres user by…
-
n8n Warns of CVSS 10.0 RCE Vulnerability Affecting Self-Hosted and Cloud Versions
Tags: automation, cloud, cve, cvss, exploit, flaw, open-source, rce, remote-code-execution, vulnerabilityOpen-source workflow automation platform n8n has warned of a maximum-severity security flaw that, if successfully exploited, could result in authenticated remote code execution (RCE).The vulnerability, which has been assigned the CVE identifier CVE-2026-21877, is rated 10.0 on the CVSS scoring system.”Under certain conditions, an authenticated user may be able to cause untrusted code to be…
-
New n8n Vulnerability Allows Attackers to Execute Arbitrary Commands
A critical vulnerability has been discovered in n8n, an open-source automation and workflow platform, that could allow authenticated users to execute arbitrary commands on vulnerable systems. The flaw, tracked as CVE-2025-68668, affects all n8n versions from 1.0.0 to 1.999.999 and has a CVSS score of 9.1, indicating severe risk. Attribute Details CVE ID CVE-2025-68668 Vulnerability…
-
Critical n8n Vulnerability Allows Arbitrary Command Execution (CVE-2025-68668)
A newly disclosed n8n vulnerability has been confirmed to allow authenticated users to execute arbitrary system commands on affected servers. The issue, tracked as CVE-2025-68668, has been assigned a CVSS score of 9.9, placing it firmly in the critical severity range. The flaw impacts the open-source workflow automation platform n8n and affects a broad range of deployed versions. First…