🔴 CVE-2026-0963 - Critical (9.9)

An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-0963/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🔴 CVE-2026-0963 - Critical (9.9)

An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-0963/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-0805 - High (8.2)

An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-0805/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-0805 - High (8.2)

An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-0805/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-24714 - High (7.5)

Some end of service NETGEAR products provide "TelnetEnable" functionality, which allows a magic packet to activate telnet service on the box.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24714/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-24714 - High (7.5)

Some end of service NETGEAR products provide "TelnetEnable" functionality, which allows a magic packet to activate telnet service on the box.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24714/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🔴 CVE-2025-69517 - Critical (9.8)

An issue in Amidaware Inc Tactical RMM v1.3.1 and before allows a remote attacker to execute arbitrary code via the /api/tacticalrmm/apiv3/views.py component

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-69517/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🔴 CVE-2025-69517 - Critical (9.8)

An issue in Amidaware Inc Tactical RMM v1.3.1 and before allows a remote attacker to execute arbitrary code via the /api/tacticalrmm/apiv3/views.py component

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-69517/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-1637 - High (8.8)

A vulnerability was identified in Tenda AC21 16.03.08.16. The affected element is the function fromAdvSetMacMtuWan of the file /goform/AdvSetMacMtuWan. The manipulation leads to stack-based buffer overflow. Remote exploitation of the attack is pos...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1637/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-1637 - High (8.8)

A vulnerability was identified in Tenda AC21 16.03.08.16. The affected element is the function fromAdvSetMacMtuWan of the file /goform/AdvSetMacMtuWan. The manipulation leads to stack-based buffer overflow. Remote exploitation of the attack is pos...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1637/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-25116 - High (7.6)

Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25116/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-25116 - High (7.6)

Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25116/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🚨 [CISA-2026:0129] CISA Adds One Known Exploited Vulnerability to Catalog (https://secdb.nttzen.cloud/security-advisory/detail/CISA-2026:0129)

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.

⚠️ CVE-2026-1281 (https://secdb.nttzen.cloud/cve/detail/CVE-2026-1281)
- Name: Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: Ivanti
- Product: Endpoint Manager Mobile (EPMM)
- Notes: Please adhere to Ivanti's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Ivanti products affected by this vulnerability. Apply any final mitigations provided by the vendor as soon as possible. For more information please: see: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340 ; https://support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0S-5.noarch.rpm ; https://support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0L-5.noarch.rpm ; https://nvd.nist.gov/vuln/detail/CVE-2026-1281

#SecDB #InfoSec #CVE #CISA_KEV #cisa_20260129 #cisa20260129 #cve_2026_1281 #cve20261281

🔴 CVE-2026-1340 - Critical (9.8)

A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1340/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Ivanti warns of two EPMM flaws exploited in zero-day attacks

Ivanti has disclosed two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340, that were...

🔗️ [Bleepingcomputer] https://link.is.it/teik2H

🔴 CVE-2026-1340 - Critical (9.8)

A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1340/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Ivanti warns of two EPMM flaws exploited in zero-day attacks

Ivanti has disclosed two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340, that were...

🔗️ [Bleepingcomputer] https://link.is.it/teik2H

📢 Ivanti alerte sur deux failles critiques EPMM exploitées en zero‑day (CVE‑2026‑1281/1340)
📝 Source: BleepingComputer — Ivanti a divulgué deux failles critiques dans En...
📖 cyberveille : https://cyberveille.ch/posts/2026-01-30-ivanti-alerte-sur-deux-failles-critiques-epmm-exploitees-en-zero-day-cve-2026-1281-1340/
🌐 source : https://www.bleepingcomputer.com/news/security/ivanti-warns-of-two-epmm-flaws-exploited-in-zero-day-attacks/
#CVE_2026_1281 #CVE_2026_1340 #Cyberveille

🚨 [CISA-2026:0129] CISA Adds One Known Exploited Vulnerability to Catalog (https://secdb.nttzen.cloud/security-advisory/detail/CISA-2026:0129)

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.

⚠️ CVE-2026-1281 (https://secdb.nttzen.cloud/cve/detail/CVE-2026-1281)
- Name: Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: Ivanti
- Product: Endpoint Manager Mobile (EPMM)
- Notes: Please adhere to Ivanti's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Ivanti products affected by this vulnerability. Apply any final mitigations provided by the vendor as soon as possible. For more information please: see: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340 ; https://support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0S-5.noarch.rpm ; https://support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0L-5.noarch.rpm ; https://nvd.nist.gov/vuln/detail/CVE-2026-1281

#SecDB #InfoSec #CVE #CISA_KEV #cisa_20260129 #cisa20260129 #cve_2026_1281 #cve20261281

🔴 CVE-2026-1281 - Critical (9.8)

A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1281/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Ivanti warns of two EPMM flaws exploited in zero-day attacks

Ivanti has disclosed two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340, that were...

🔗️ [Bleepingcomputer] https://link.is.it/teik2H

🔴 CVE-2026-1281 - Critical (9.8)

A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1281/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Ivanti warns of two EPMM flaws exploited in zero-day attacks

Ivanti has disclosed two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340, that were...

🔗️ [Bleepingcomputer] https://link.is.it/teik2H

🟠 CVE-2025-69516 - High (8.8)

A Server-Side Template Injection (SSTI) vulnerability in the /reporting/templates/preview/ endpoint of Amidaware Tactical RMM, affecting versions equal to or earlier than v1.3.1, allows low-privileged users with Report Viewer or Report Manager per...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-69516/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-69516 - High (8.8)

A Server-Side Template Injection (SSTI) vulnerability in the /reporting/templates/preview/ endpoint of Amidaware Tactical RMM, affecting versions equal to or earlier than v1.3.1, allows low-privileged users with Report Viewer or Report Manager per...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-69516/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Critical Remote Code Execution Vulnerability Reported in Python PLY Library

A critical remote code execution vulnerability (CVE-2025-56005) was reported in the Python PLY library version 3.11 due to an undocumented and unsafe use of the pickle module. Attackers can exploit this flaw to run arbitrary code during parser initialization by providing a malicious pickle file.

**If you use Python PLY library, search and remove any use of the picklefile parameter - it's vulnerable with no fix available. Regenerate parser tables at startup instead and lock down write access to prevent attackers from planting malicious files.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/critical-remote-code-execution-vulnerability-reported-in-python-ply-library-r-2-p-b-b/gD2P6Ple2L

🟠 CVE-2025-71003 - High (7.5)

An input validation vulnerability in the flow.arange() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-71003/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-71003 - High (7.5)

An input validation vulnerability in the flow.arange() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-71003/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-22260 - High (7.5)

Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, Suricata can crash with a stack overflow. Version 8.0.3 patches the issue. As a workaround, use default values for `request-body-limit` and `respo...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-22260/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

New Episode: SANS Stormcast Thursday, January 29th, 2026: WebLogic AI Slop; Fortinet Patches; WebLogic AI Slop; Fortinet Patches

Shownotes:

Odd WebLogic Request. Possible CVE-2026-21962 Exploit Attempt or AI Slop?
We are seeing attempts to attack CVE-2026-21962, a recent weblog vulnerability, using a non-working AI slop exploit
https://isc.sans.edu/diary/Odd%20WebLogic%20Reques

Transcript

AntennaPod | Anytime Player | Apple Podcasts | Castamatic | CurioCaster | Fountain | gPodder | Overcast | Pocket Casts | Podcast Addict | Podcast Guru | Podnews | Podverse | Truefans

Or Listen right here.

Odd WebLogic Request. Possible CVE-2026-21962 Exploit Attempt or AI Slop? https://isc.sans.edu/diary/32662

EUVD has listed critical CVE-2026-21962 Oracle HTTP Server vulnerability https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-3550

Oracle Critical Patch Update Advisory - January 2026 https://www.oracle.com/security-alerts/cpujan2026.html #infosec #vulnerability #Oracle

🔴 CVE-2026-22806 - Critical (9.1)

vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10, when an access key is created with a limited scope, the scope can be bypassed to...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-22806/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🔴 CVE-2026-22806 - Critical (9.1)

vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10, when an access key is created with a limited scope, the scope can be bypassed to...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-22806/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🔴 CVE-2025-69602 - Critical (9.1)

A session fixation vulnerability exists in 66biolinks v62.0.0 by AltumCode, where the application does not regenerate the session identifier after successful authentication. As a result, the same session cookie value is reused for users logging in...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-69602/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🔴 CVE-2025-69602 - Critical (9.1)

A session fixation vulnerability exists in 66biolinks v62.0.0 by AltumCode, where the application does not regenerate the session identifier after successful authentication. As a result, the same session cookie value is reused for users logging in...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-69602/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Un accès root en une seule commande : cette faille dans GNU InetUtils menace les accès Telnet https://www.it-connect.fr/faille-cve-2026-24061-inetutils-telnet/ #ActuCybersécurité #Cybersécurité #Vulnérabilité

Un accès root en une seule commande : cette faille dans GNU InetUtils menace les accès Telnet https://www.it-connect.fr/faille-cve-2026-24061-inetutils-telnet/ #ActuCybersécurité #Cybersécurité #Vulnérabilité

⚪ 800,000 Telnet servers are vulnerable to remote attacks

🗨️ Shadowserver Foundation analysts are tracking nearly 800,000 IP addresses amid the active exploitation of a critical vulnerability, CVE-2026-24061, in the GNU InetUtils telnetd server component.

🔗 https://hackmag.com/news/telnetd?utm_source=mastodon&utm_medium=social&utm_campaign=repost_hackmag_to_socials

#news

Nearly 800,000 #Telnet servers exposed to remote attacks

The security flaw (CVE-2026-24061) already has a proof-of-concept exploit, impacts GNU InetUtils versions 1.9.3 (released in 2015) through 2.7, and was patched in version 2.8 (released on January 20).

https://www.bleepingcomputer.com/news/security/nearly-800-000-telnet-servers-exposed-to-remote-attacks/

‼️AISLE Goes 12-for-12 on OpenSSL Vulnerability Detection

CVEs Published: January 27th, 2026

High and Moderate Severity Flaws:

▪️CVE-2025-15467: Stack Buffer Overflow in CMS AuthEnvelopedData Parsing (High): A vulnerability with the potential to enable remote code execution under specific conditions

▪️CVE-2025-11187: PBMAC1 Parameter Validation in PKCS#12 (Moderate): Missing validation that could trigger a stack-based buffer overflow

Low Severity Flaws:

▪️CVE-2025-15468: Crash in QUIC protocol cipher handling
▪️CVE-2025-15469: Silent truncation bug affecting post-quantum signature algorithms (ML-DSA)
▪️CVE-2025-66199: Memory exhaustion via TLS 1.3 certificate compression
▪️CVE-2025-68160: Memory corruption in line-buffering (affects code back to OpenSSL 1.0.2)
▪️CVE-2025-69418: Encryption flaw in OCB mode on hardware-accelerated paths
▪️CVE-2025-69419: Memory corruption in PKCS#12 character encoding
▪️CVE-2025-69420: Crash in TimeStamp Response verification
▪️CVE-2025-69421: Crash in PKCS#12 decryption
▪️CVE-2026-22795: Crash in PKCS#12 parsing
▪️CVE-2026-22796: Crash in PKCS#7 signature verification (affects code back to OpenSSL 1.0.2)

"When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.

Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk."

Writeup: https://aisle.com/blog/aisle-discovered-12-out-of-12-openssl-vulnerabilities

🟠 CVE-2026-1610 - High (8.1)

A vulnerability was found in Tenda AX12 Pro V2 16.03.49.24_cn. Affected by this issue is some unknown functionality of the component Telnet Service. Performing a manipulation results in hard-coded credentials. The attack is possible to be carried ...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1610/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-1610 - High (8.1)

A vulnerability was found in Tenda AX12 Pro V2 16.03.49.24_cn. Affected by this issue is some unknown functionality of the component Telnet Service. Performing a manipulation results in hard-coded credentials. The attack is possible to be carried ...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1610/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

KiloView Encoder Account Takeover Vulnerability

KiloView video encoders contain a critical vulnerability (CVE-2026-1453) that allows unauthenticated attackers to create administrator accounts and take full control of the devices. The vendor has not yet released a public patch.

**Make sure all KiloView devices are isolated from the internet and accessible from trusted networks only. Then reach out to the vendor to get information of any upcoming patches. At the moment, there is no patch available.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/kiloview-encoder-account-takeover-vulnerability-g-t-5-9-l/gD2P6Ple2L

🔴 CVE-2026-1453 - Critical (9.8)

A missing authentication for critical function vulnerability in KiloView Encoder Series could allow an unauthenticated attacker to create or delete administrator accounts. This vulnerability can grant the attacker full administrative control over ...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1453/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

KiloView Encoder Account Takeover Vulnerability

KiloView video encoders contain a critical vulnerability (CVE-2026-1453) that allows unauthenticated attackers to create administrator accounts and take full control of the devices. The vendor has not yet released a public patch.

**Make sure all KiloView devices are isolated from the internet and accessible from trusted networks only. Then reach out to the vendor to get information of any upcoming patches. At the moment, there is no patch available.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/kiloview-encoder-account-takeover-vulnerability-g-t-5-9-l/gD2P6Ple2L

🔴 CVE-2026-1453 - Critical (9.8)

A missing authentication for critical function vulnerability in KiloView Encoder Series could allow an unauthenticated attacker to create or delete administrator accounts. This vulnerability can grant the attacker full administrative control over ...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1453/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-71007 - High (7.5)

An input validation vulnerability in the oneflow.index_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-71007/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-71007 - High (7.5)

An input validation vulnerability in the oneflow.index_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-71007/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-71007 - High (7.5)

An input validation vulnerability in the oneflow.index_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-71007/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-71007 - High (7.5)

An input validation vulnerability in the oneflow.index_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-71007/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-71007 - High (7.5)

An input validation vulnerability in the oneflow.index_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-71007/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-71007 - High (7.5)

An input validation vulnerability in the oneflow.index_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-71007/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-61726 - High (7.5)

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse larg...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-61726/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-61726 - High (7.5)

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse larg...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-61726/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-14472 - High (8.1)

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub allows Cross Site Request Forgery.This issue affects Acquia Content Hub: from 0.0.0 before 3.6.4, from 3.7.0 before 3.7.3.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-14472/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-14472 - High (8.1)

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub allows Cross Site Request Forgery.This issue affects Acquia Content Hub: from 0.0.0 before 3.6.4, from 3.7.0 before 3.7.3.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-14472/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-13986 - High (7.5)

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass.This issue affects Disable Login Page: from 0.0.0 before 1.1.3.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-13986/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-13986 - High (7.5)

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass.This issue affects Disable Login Page: from 0.0.0 before 1.1.3.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-13986/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-13982 - High (8.1)

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Login Time Restriction allows Cross Site Request Forgery.This issue affects Login Time Restriction: from 0.0.0 before 1.0.3.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-13982/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-13982 - High (8.1)

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Login Time Restriction allows Cross Site Request Forgery.This issue affects Login Time Restriction: from 0.0.0 before 1.0.3.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-13982/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🔴 CVE-2026-24897 - Critical (10)

Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user‑supplied paths when creating s...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24897/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-71000 - High (7.5)

An issue in the flow.cuda.BoolTensor component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-71000/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-71000 - High (7.5)

An issue in the flow.cuda.BoolTensor component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-71000/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-70999 - High (7.5)

A GPU device-ID validation flaw in the flow.cuda.get_device_capability() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted device ID.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-70999/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-70999 - High (7.5)

A GPU device-ID validation flaw in the flow.cuda.get_device_capability() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted device ID.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-70999/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-65891 - High (7.5)

A GPU device-ID validation flaw in OneFlow v0.9.0 allows attackers to trigger a Denial of Dervice (DoS) by invoking flow.cuda.get_device_properties() with an invalid or negative device index.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-65891/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-65891 - High (7.5)

A GPU device-ID validation flaw in OneFlow v0.9.0 allows attackers to trigger a Denial of Dervice (DoS) by invoking flow.cuda.get_device_properties() with an invalid or negative device index.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-65891/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-65890 - High (7.5)

A device-ID validation flaw in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) by calling flow.cuda.synchronize() with an invalid or out-of-range GPU device index.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-65890/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-65890 - High (7.5)

A device-ID validation flaw in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) by calling flow.cuda.synchronize() with an invalid or out-of-range GPU device index.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-65890/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-61731 - High (7.8)

Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pk...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-61731/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-61731 - High (7.8)

Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pk...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-61731/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-14975 - High (8.1)

The Custom Login Page Customizer WordPress plugin before 2.5.4 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and ther...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-14975/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-14975 - High (8.1)

The Custom Login Page Customizer WordPress plugin before 2.5.4 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and ther...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-14975/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-14840 - High (7.5)

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal HTTP Client Manager allows Forceful Browsing.This issue affects HTTP Client Manager: from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, from 11.0.0 before 11.0.1.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-14840/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-14840 - High (7.5)

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal HTTP Client Manager allows Forceful Browsing.This issue affects HTTP Client Manager: from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, from 11.0.0 before 11.0.1.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-14840/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🔴 CVE-2025-15467 - Critical (9.8)

Issue summary: Parsing CMS AuthEnvelopedData message with maliciously
crafted AEAD parameters can trigger a stack buffer overflow.

Impact summary: A stack buffer overflow may lead to a crash, causing Denial
of Service, or potentially remote code ...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-15467/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Blip blop, I'm a #mastobot.
Here is a summary (in beta) of the latest posts in #programmingAtKukei https://masto.kukei.eu/browse/programming category:
- OpenSSL vulnerabilities and patches (CVE-2025-15467; 12 advisories)
- AI agent tooling and Model Context Protocol (MCP) including Claude Code benchmarks and multi‑agent pipelines
- FOSDEM 2026 and Python community events (PyCascades 2026; PyTexasConference2026)
- 11tyCMS public beta (IndieWeb/11tyCMS)
- Rust in Android and GPU [1/2]

📦 That WinRAR "Free Trial" You Never Paid For? Hackers Are Exploiting It Right Now 🚨
A WinRAR vulnerability patched last July (CVE-2025-8088) is still being actively exploited by Russian APTs, Chinese threat actors, and cybercrime gangs six months later. The path traversal flaw lets attackers slip malicious files into your system when you extract seemingly innocent archives. If you're still using WinRAR, update immediately or switch to 7-Zip.

Sources:
- https://www.bleepingcomputer.com/news/security/winrar-path-traversal-flaw-still-exploited-by-numerous-hackers/
- https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2025-8088
- https://www.helpnetsecurity.com/2026/01/28/winrar-vulnerability-exploited-cve-2025-8088/

---

🔓 Critical OpenSSL Flaw Could Let Hackers Take Over Your Computer Via Email 💀

CVE-2025-15467 is a critical 9.8 CVSS remote code execution vulnerability in OpenSSL's CMS and S/MIME message processing. OpenSSL powers encrypted communications across the entire internet, and this flaw allows unauthenticated attackers to execute arbitrary code remotely without any credentials. A working proof-of-concept already exists in the wild, meaning both defenders and attackers have access to it.

Sources:
- https://nvd.nist.gov/vuln/detail/CVE-2025-15467
https://www.infosecurity-magazine.com/news/12-openssl-flaws/
- https://openssl-library.org/news/vulnerabilities/
- https://twitter.com/IntCyberDigest/status/2016288593547833778

---

🤦 SolarWinds Ships Critical Vulnerabilities In Their Own Software (Yes, THAT SolarWinds) 🤡

SolarWinds, the company that became the poster child for supply chain attacks after their 2020 breach, just disclosed four critical vulnerabilities in their Web Help Desk product. The flaws include unauthenticated remote code execution and authentication bypass that can be chained together to completely compromise systems without logging in. Five years after congressional hearings and intense security scrutiny, they still shipped this mess.

Sources:
- https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/
- https://www.helpnetsecurity.com/2026/01/29/solarwinds-web-help-desk-rce-vulnerabilities/
- https://www.rapid7.com/blog/post/etr-multiple-critical-solarwinds-web-help-desk-vulnerabilities-cve-2025-40551-40552-40553-40554/
- https://nvd.nist.gov/vuln/detail/CVE-2025-40552
- https://nvd.nist.gov/vuln/detail/CVE-2025-40553
- https://nvd.nist.gov/vuln/detail/CVE-2025-40554
- https://nvd.nist.gov/vuln/detail/CVE-2025-40551

🔴 CVE-2025-15467 - Critical (9.8)

Issue summary: Parsing CMS AuthEnvelopedData message with maliciously
crafted AEAD parameters can trigger a stack buffer overflow.

Impact summary: A stack buffer overflow may lead to a crash, causing Denial
of Service, or potentially remote code ...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-15467/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

📦 That WinRAR "Free Trial" You Never Paid For? Hackers Are Exploiting It Right Now 🚨
A WinRAR vulnerability patched last July (CVE-2025-8088) is still being actively exploited by Russian APTs, Chinese threat actors, and cybercrime gangs six months later. The path traversal flaw lets attackers slip malicious files into your system when you extract seemingly innocent archives. If you're still using WinRAR, update immediately or switch to 7-Zip.

Sources:
- https://www.bleepingcomputer.com/news/security/winrar-path-traversal-flaw-still-exploited-by-numerous-hackers/
- https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2025-8088
- https://www.helpnetsecurity.com/2026/01/28/winrar-vulnerability-exploited-cve-2025-8088/

---

🔓 Critical OpenSSL Flaw Could Let Hackers Take Over Your Computer Via Email 💀

CVE-2025-15467 is a critical 9.8 CVSS remote code execution vulnerability in OpenSSL's CMS and S/MIME message processing. OpenSSL powers encrypted communications across the entire internet, and this flaw allows unauthenticated attackers to execute arbitrary code remotely without any credentials. A working proof-of-concept already exists in the wild, meaning both defenders and attackers have access to it.

Sources:
- https://nvd.nist.gov/vuln/detail/CVE-2025-15467
https://www.infosecurity-magazine.com/news/12-openssl-flaws/
- https://openssl-library.org/news/vulnerabilities/
- https://twitter.com/IntCyberDigest/status/2016288593547833778

---

🤦 SolarWinds Ships Critical Vulnerabilities In Their Own Software (Yes, THAT SolarWinds) 🤡

SolarWinds, the company that became the poster child for supply chain attacks after their 2020 breach, just disclosed four critical vulnerabilities in their Web Help Desk product. The flaws include unauthenticated remote code execution and authentication bypass that can be chained together to completely compromise systems without logging in. Five years after congressional hearings and intense security scrutiny, they still shipped this mess.

Sources:
- https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/
- https://www.helpnetsecurity.com/2026/01/29/solarwinds-web-help-desk-rce-vulnerabilities/
- https://www.rapid7.com/blog/post/etr-multiple-critical-solarwinds-web-help-desk-vulnerabilities-cve-2025-40551-40552-40553-40554/
- https://nvd.nist.gov/vuln/detail/CVE-2025-40552
- https://nvd.nist.gov/vuln/detail/CVE-2025-40553
- https://nvd.nist.gov/vuln/detail/CVE-2025-40554
- https://nvd.nist.gov/vuln/detail/CVE-2025-40551

‼️AISLE Goes 12-for-12 on OpenSSL Vulnerability Detection

CVEs Published: January 27th, 2026

High and Moderate Severity Flaws:

▪️CVE-2025-15467: Stack Buffer Overflow in CMS AuthEnvelopedData Parsing (High): A vulnerability with the potential to enable remote code execution under specific conditions

▪️CVE-2025-11187: PBMAC1 Parameter Validation in PKCS#12 (Moderate): Missing validation that could trigger a stack-based buffer overflow

Low Severity Flaws:

▪️CVE-2025-15468: Crash in QUIC protocol cipher handling
▪️CVE-2025-15469: Silent truncation bug affecting post-quantum signature algorithms (ML-DSA)
▪️CVE-2025-66199: Memory exhaustion via TLS 1.3 certificate compression
▪️CVE-2025-68160: Memory corruption in line-buffering (affects code back to OpenSSL 1.0.2)
▪️CVE-2025-69418: Encryption flaw in OCB mode on hardware-accelerated paths
▪️CVE-2025-69419: Memory corruption in PKCS#12 character encoding
▪️CVE-2025-69420: Crash in TimeStamp Response verification
▪️CVE-2025-69421: Crash in PKCS#12 decryption
▪️CVE-2026-22795: Crash in PKCS#12 parsing
▪️CVE-2026-22796: Crash in PKCS#7 signature verification (affects code back to OpenSSL 1.0.2)

"When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.

Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk."

Writeup: https://aisle.com/blog/aisle-discovered-12-out-of-12-openssl-vulnerabilities

Yes, there's RCE in #OpenSSL 3.x, but thankfully it isn't in the HTTPS side of things:

"Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk."

https://openssl-library.org/news/vulnerabilities/#CVE-2025-15467

OpenSSL: Stack buffer overflow in CMS AuthEnvelopedData parsing

Link: https://openssl-library.org/news/vulnerabilities/#CVE-2025-15467
Discussion: https://news.ycombinator.com/item?id=46782662

OpenSSL Security Advisory

https://openssl-library.org/news/secadv/20260127.txt

One high, one medium, and 9 low severity issues.

The high severity is a stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467): attacker provides an oversized IV, leading to buffer overflow prior to authentication, possibly leading to remote code execution if you're parsing untrusted CMS or PKCS#7 content with AEAD (e.g., AES-GCM).

OpenSSL: Stack buffer overflow in CMS AuthEnvelopedData parsing
Link: https://openssl-library.org/news/vulnerabilities/#CVE-2025-15467
Comments: https://news.ycombinator.com/item?id=46782662

OpenSSL: Stack buffer overflow in CMS AuthEnvelopedData parsing
https://openssl-library.org/news/vulnerabilities/#CVE-2025-15467
#ycombinator

OpenSSL: Stack buffer overflow in CMS AuthEnvelopedData parsing

https://openssl-library.org/news/vulnerabilities/#CVE-2025-15467

OpenSSL: Stack buffer overflow in CMS AuthEnvelopedData parsing

https://openssl-library.org/news/vulnerabilities/#CVE-2025-15467

#HackerNews

⚠️ Critical Solarwinds Web Vulnerability Allows Remote Code Execution and Security Bypass

｢ Multiple critical vulnerabilities in SolarWinds Web Help Desk (WHD), culminating in unauthenticated remote code execution (RCE) via Java deserialization in CVE-2025-40551, were uncovered by https://Horizon3.ai researchers.
These flaws chain static credentials, security bypasses, and deserialization weaknesses, affecting versions prior to 2026.1 ｣

‼️ SolarWinds Web Help Desk RCE Hit by Multiple Critical Security Flaws; CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, CVE-2025-40554

CVSS: All 9.8
CVEs Published: January 28th, 2026

CVE-2025-40551: SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

CVE-2025-40552: SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.

CVE-2025-40553: SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

CVE-2025-40554: SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.

Advisories:

https://nvd.nist.gov/vuln/detail/CVE-2025-40551
https://nvd.nist.gov/vuln/detail/CVE-2025-40552
https://nvd.nist.gov/vuln/detail/CVE-2025-40553
https://nvd.nist.gov/vuln/detail/CVE-2025-40554

📦 That WinRAR "Free Trial" You Never Paid For? Hackers Are Exploiting It Right Now 🚨
A WinRAR vulnerability patched last July (CVE-2025-8088) is still being actively exploited by Russian APTs, Chinese threat actors, and cybercrime gangs six months later. The path traversal flaw lets attackers slip malicious files into your system when you extract seemingly innocent archives. If you're still using WinRAR, update immediately or switch to 7-Zip.

Sources:
- https://www.bleepingcomputer.com/news/security/winrar-path-traversal-flaw-still-exploited-by-numerous-hackers/
- https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2025-8088
- https://www.helpnetsecurity.com/2026/01/28/winrar-vulnerability-exploited-cve-2025-8088/

---

🔓 Critical OpenSSL Flaw Could Let Hackers Take Over Your Computer Via Email 💀

CVE-2025-15467 is a critical 9.8 CVSS remote code execution vulnerability in OpenSSL's CMS and S/MIME message processing. OpenSSL powers encrypted communications across the entire internet, and this flaw allows unauthenticated attackers to execute arbitrary code remotely without any credentials. A working proof-of-concept already exists in the wild, meaning both defenders and attackers have access to it.

Sources:
- https://nvd.nist.gov/vuln/detail/CVE-2025-15467
https://www.infosecurity-magazine.com/news/12-openssl-flaws/
- https://openssl-library.org/news/vulnerabilities/
- https://twitter.com/IntCyberDigest/status/2016288593547833778

---

🤦 SolarWinds Ships Critical Vulnerabilities In Their Own Software (Yes, THAT SolarWinds) 🤡

SolarWinds, the company that became the poster child for supply chain attacks after their 2020 breach, just disclosed four critical vulnerabilities in their Web Help Desk product. The flaws include unauthenticated remote code execution and authentication bypass that can be chained together to completely compromise systems without logging in. Five years after congressional hearings and intense security scrutiny, they still shipped this mess.

Sources:
- https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/
- https://www.helpnetsecurity.com/2026/01/29/solarwinds-web-help-desk-rce-vulnerabilities/
- https://www.rapid7.com/blog/post/etr-multiple-critical-solarwinds-web-help-desk-vulnerabilities-cve-2025-40551-40552-40553-40554/
- https://nvd.nist.gov/vuln/detail/CVE-2025-40552
- https://nvd.nist.gov/vuln/detail/CVE-2025-40553
- https://nvd.nist.gov/vuln/detail/CVE-2025-40554
- https://nvd.nist.gov/vuln/detail/CVE-2025-40551

⚠️ Critical Solarwinds Web Vulnerability Allows Remote Code Execution and Security Bypass

｢ Multiple critical vulnerabilities in SolarWinds Web Help Desk (WHD), culminating in unauthenticated remote code execution (RCE) via Java deserialization in CVE-2025-40551, were uncovered by https://Horizon3.ai researchers.
These flaws chain static credentials, security bypasses, and deserialization weaknesses, affecting versions prior to 2026.1 ｣

‼️ SolarWinds Web Help Desk RCE Hit by Multiple Critical Security Flaws; CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, CVE-2025-40554

CVSS: All 9.8
CVEs Published: January 28th, 2026

CVE-2025-40551: SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

CVE-2025-40552: SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.

CVE-2025-40553: SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

CVE-2025-40554: SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.

Advisories:

https://nvd.nist.gov/vuln/detail/CVE-2025-40551
https://nvd.nist.gov/vuln/detail/CVE-2025-40552
https://nvd.nist.gov/vuln/detail/CVE-2025-40553
https://nvd.nist.gov/vuln/detail/CVE-2025-40554

📦 That WinRAR "Free Trial" You Never Paid For? Hackers Are Exploiting It Right Now 🚨
A WinRAR vulnerability patched last July (CVE-2025-8088) is still being actively exploited by Russian APTs, Chinese threat actors, and cybercrime gangs six months later. The path traversal flaw lets attackers slip malicious files into your system when you extract seemingly innocent archives. If you're still using WinRAR, update immediately or switch to 7-Zip.

Sources:
- https://www.bleepingcomputer.com/news/security/winrar-path-traversal-flaw-still-exploited-by-numerous-hackers/
- https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2025-8088
- https://www.helpnetsecurity.com/2026/01/28/winrar-vulnerability-exploited-cve-2025-8088/

---

🔓 Critical OpenSSL Flaw Could Let Hackers Take Over Your Computer Via Email 💀

CVE-2025-15467 is a critical 9.8 CVSS remote code execution vulnerability in OpenSSL's CMS and S/MIME message processing. OpenSSL powers encrypted communications across the entire internet, and this flaw allows unauthenticated attackers to execute arbitrary code remotely without any credentials. A working proof-of-concept already exists in the wild, meaning both defenders and attackers have access to it.

Sources:
- https://nvd.nist.gov/vuln/detail/CVE-2025-15467
https://www.infosecurity-magazine.com/news/12-openssl-flaws/
- https://openssl-library.org/news/vulnerabilities/
- https://twitter.com/IntCyberDigest/status/2016288593547833778

---

🤦 SolarWinds Ships Critical Vulnerabilities In Their Own Software (Yes, THAT SolarWinds) 🤡

SolarWinds, the company that became the poster child for supply chain attacks after their 2020 breach, just disclosed four critical vulnerabilities in their Web Help Desk product. The flaws include unauthenticated remote code execution and authentication bypass that can be chained together to completely compromise systems without logging in. Five years after congressional hearings and intense security scrutiny, they still shipped this mess.

Sources:
- https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/
- https://www.helpnetsecurity.com/2026/01/29/solarwinds-web-help-desk-rce-vulnerabilities/
- https://www.rapid7.com/blog/post/etr-multiple-critical-solarwinds-web-help-desk-vulnerabilities-cve-2025-40551-40552-40553-40554/
- https://nvd.nist.gov/vuln/detail/CVE-2025-40552
- https://nvd.nist.gov/vuln/detail/CVE-2025-40553
- https://nvd.nist.gov/vuln/detail/CVE-2025-40554
- https://nvd.nist.gov/vuln/detail/CVE-2025-40551

SolarWinds has just announced four high-severity vulnerabilities in its Web Help Desk (WHD) software that could lead to full system takeover.

These flaws include unauthenticated Remote Code Execution (RCE) via insecure deserialization and multiple Authentication Bypasses, allowing attackers to execute protected methods without any credentials.

CVE-2025-40551 & CVE-2025-40553 (Unauthenticated RCE)
CVE-2025-40552 & CVE-2025-40554 (Auth Bypass)

https://www.thehackerwire.com/solarwinds-patches-critical-rce-and-auth-bypass-flaws-in-web-help-desk/

CVE-2025-40551: SolarWinds WebHelpDesk RCE Deep-Dive and Indicators of Compromise https://horizon3.ai/attack-research/cve-2025-40551-another-solarwinds-web-help-desk-deserialization-issue/

🔴 CVE-2025-40551 - Critical (9.8)

SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without au...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-40551/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

‼️ SolarWinds Web Help Desk RCE Hit by Multiple Critical Security Flaws; CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, CVE-2025-40554

CVSS: All 9.8
CVEs Published: January 28th, 2026

CVE-2025-40551: SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

CVE-2025-40552: SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.

CVE-2025-40553: SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

CVE-2025-40554: SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.

Advisories:

https://nvd.nist.gov/vuln/detail/CVE-2025-40551
https://nvd.nist.gov/vuln/detail/CVE-2025-40552
https://nvd.nist.gov/vuln/detail/CVE-2025-40553
https://nvd.nist.gov/vuln/detail/CVE-2025-40554

📦 That WinRAR "Free Trial" You Never Paid For? Hackers Are Exploiting It Right Now 🚨
A WinRAR vulnerability patched last July (CVE-2025-8088) is still being actively exploited by Russian APTs, Chinese threat actors, and cybercrime gangs six months later. The path traversal flaw lets attackers slip malicious files into your system when you extract seemingly innocent archives. If you're still using WinRAR, update immediately or switch to 7-Zip.

Sources:
- https://www.bleepingcomputer.com/news/security/winrar-path-traversal-flaw-still-exploited-by-numerous-hackers/
- https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2025-8088
- https://www.helpnetsecurity.com/2026/01/28/winrar-vulnerability-exploited-cve-2025-8088/

---

🔓 Critical OpenSSL Flaw Could Let Hackers Take Over Your Computer Via Email 💀

CVE-2025-15467 is a critical 9.8 CVSS remote code execution vulnerability in OpenSSL's CMS and S/MIME message processing. OpenSSL powers encrypted communications across the entire internet, and this flaw allows unauthenticated attackers to execute arbitrary code remotely without any credentials. A working proof-of-concept already exists in the wild, meaning both defenders and attackers have access to it.

Sources:
- https://nvd.nist.gov/vuln/detail/CVE-2025-15467
https://www.infosecurity-magazine.com/news/12-openssl-flaws/
- https://openssl-library.org/news/vulnerabilities/
- https://twitter.com/IntCyberDigest/status/2016288593547833778

---

🤦 SolarWinds Ships Critical Vulnerabilities In Their Own Software (Yes, THAT SolarWinds) 🤡

SolarWinds, the company that became the poster child for supply chain attacks after their 2020 breach, just disclosed four critical vulnerabilities in their Web Help Desk product. The flaws include unauthenticated remote code execution and authentication bypass that can be chained together to completely compromise systems without logging in. Five years after congressional hearings and intense security scrutiny, they still shipped this mess.

Sources:
- https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/
- https://www.helpnetsecurity.com/2026/01/29/solarwinds-web-help-desk-rce-vulnerabilities/
- https://www.rapid7.com/blog/post/etr-multiple-critical-solarwinds-web-help-desk-vulnerabilities-cve-2025-40551-40552-40553-40554/
- https://nvd.nist.gov/vuln/detail/CVE-2025-40552
- https://nvd.nist.gov/vuln/detail/CVE-2025-40553
- https://nvd.nist.gov/vuln/detail/CVE-2025-40554
- https://nvd.nist.gov/vuln/detail/CVE-2025-40551

‼️ SolarWinds Web Help Desk RCE Hit by Multiple Critical Security Flaws; CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, CVE-2025-40554

CVSS: All 9.8
CVEs Published: January 28th, 2026

CVE-2025-40551: SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

CVE-2025-40552: SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.

CVE-2025-40553: SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

CVE-2025-40554: SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.

Advisories:

https://nvd.nist.gov/vuln/detail/CVE-2025-40551
https://nvd.nist.gov/vuln/detail/CVE-2025-40552
https://nvd.nist.gov/vuln/detail/CVE-2025-40553
https://nvd.nist.gov/vuln/detail/CVE-2025-40554

📦 That WinRAR "Free Trial" You Never Paid For? Hackers Are Exploiting It Right Now 🚨
A WinRAR vulnerability patched last July (CVE-2025-8088) is still being actively exploited by Russian APTs, Chinese threat actors, and cybercrime gangs six months later. The path traversal flaw lets attackers slip malicious files into your system when you extract seemingly innocent archives. If you're still using WinRAR, update immediately or switch to 7-Zip.

Sources:
- https://www.bleepingcomputer.com/news/security/winrar-path-traversal-flaw-still-exploited-by-numerous-hackers/
- https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2025-8088
- https://www.helpnetsecurity.com/2026/01/28/winrar-vulnerability-exploited-cve-2025-8088/

---

🔓 Critical OpenSSL Flaw Could Let Hackers Take Over Your Computer Via Email 💀

CVE-2025-15467 is a critical 9.8 CVSS remote code execution vulnerability in OpenSSL's CMS and S/MIME message processing. OpenSSL powers encrypted communications across the entire internet, and this flaw allows unauthenticated attackers to execute arbitrary code remotely without any credentials. A working proof-of-concept already exists in the wild, meaning both defenders and attackers have access to it.

Sources:
- https://nvd.nist.gov/vuln/detail/CVE-2025-15467
https://www.infosecurity-magazine.com/news/12-openssl-flaws/
- https://openssl-library.org/news/vulnerabilities/
- https://twitter.com/IntCyberDigest/status/2016288593547833778

---

🤦 SolarWinds Ships Critical Vulnerabilities In Their Own Software (Yes, THAT SolarWinds) 🤡

SolarWinds, the company that became the poster child for supply chain attacks after their 2020 breach, just disclosed four critical vulnerabilities in their Web Help Desk product. The flaws include unauthenticated remote code execution and authentication bypass that can be chained together to completely compromise systems without logging in. Five years after congressional hearings and intense security scrutiny, they still shipped this mess.

Sources:
- https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/
- https://www.helpnetsecurity.com/2026/01/29/solarwinds-web-help-desk-rce-vulnerabilities/
- https://www.rapid7.com/blog/post/etr-multiple-critical-solarwinds-web-help-desk-vulnerabilities-cve-2025-40551-40552-40553-40554/
- https://nvd.nist.gov/vuln/detail/CVE-2025-40552
- https://nvd.nist.gov/vuln/detail/CVE-2025-40553
- https://nvd.nist.gov/vuln/detail/CVE-2025-40554
- https://nvd.nist.gov/vuln/detail/CVE-2025-40551

SolarWinds has just announced four high-severity vulnerabilities in its Web Help Desk (WHD) software that could lead to full system takeover.

These flaws include unauthenticated Remote Code Execution (RCE) via insecure deserialization and multiple Authentication Bypasses, allowing attackers to execute protected methods without any credentials.

CVE-2025-40551 & CVE-2025-40553 (Unauthenticated RCE)
CVE-2025-40552 & CVE-2025-40554 (Auth Bypass)

https://www.thehackerwire.com/solarwinds-patches-critical-rce-and-auth-bypass-flaws-in-web-help-desk/

🔴 CVE-2025-40554 - Critical (9.8)

SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-40554/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

‼️ SolarWinds Web Help Desk RCE Hit by Multiple Critical Security Flaws; CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, CVE-2025-40554

CVSS: All 9.8
CVEs Published: January 28th, 2026

CVE-2025-40551: SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

CVE-2025-40552: SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.

CVE-2025-40553: SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

CVE-2025-40554: SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.

Advisories:

https://nvd.nist.gov/vuln/detail/CVE-2025-40551
https://nvd.nist.gov/vuln/detail/CVE-2025-40552
https://nvd.nist.gov/vuln/detail/CVE-2025-40553
https://nvd.nist.gov/vuln/detail/CVE-2025-40554

📦 That WinRAR "Free Trial" You Never Paid For? Hackers Are Exploiting It Right Now 🚨
A WinRAR vulnerability patched last July (CVE-2025-8088) is still being actively exploited by Russian APTs, Chinese threat actors, and cybercrime gangs six months later. The path traversal flaw lets attackers slip malicious files into your system when you extract seemingly innocent archives. If you're still using WinRAR, update immediately or switch to 7-Zip.

Sources:
- https://www.bleepingcomputer.com/news/security/winrar-path-traversal-flaw-still-exploited-by-numerous-hackers/
- https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2025-8088
- https://www.helpnetsecurity.com/2026/01/28/winrar-vulnerability-exploited-cve-2025-8088/

---

🔓 Critical OpenSSL Flaw Could Let Hackers Take Over Your Computer Via Email 💀

CVE-2025-15467 is a critical 9.8 CVSS remote code execution vulnerability in OpenSSL's CMS and S/MIME message processing. OpenSSL powers encrypted communications across the entire internet, and this flaw allows unauthenticated attackers to execute arbitrary code remotely without any credentials. A working proof-of-concept already exists in the wild, meaning both defenders and attackers have access to it.

Sources:
- https://nvd.nist.gov/vuln/detail/CVE-2025-15467
https://www.infosecurity-magazine.com/news/12-openssl-flaws/
- https://openssl-library.org/news/vulnerabilities/
- https://twitter.com/IntCyberDigest/status/2016288593547833778

---

🤦 SolarWinds Ships Critical Vulnerabilities In Their Own Software (Yes, THAT SolarWinds) 🤡

SolarWinds, the company that became the poster child for supply chain attacks after their 2020 breach, just disclosed four critical vulnerabilities in their Web Help Desk product. The flaws include unauthenticated remote code execution and authentication bypass that can be chained together to completely compromise systems without logging in. Five years after congressional hearings and intense security scrutiny, they still shipped this mess.

Sources:
- https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/
- https://www.helpnetsecurity.com/2026/01/29/solarwinds-web-help-desk-rce-vulnerabilities/
- https://www.rapid7.com/blog/post/etr-multiple-critical-solarwinds-web-help-desk-vulnerabilities-cve-2025-40551-40552-40553-40554/
- https://nvd.nist.gov/vuln/detail/CVE-2025-40552
- https://nvd.nist.gov/vuln/detail/CVE-2025-40553
- https://nvd.nist.gov/vuln/detail/CVE-2025-40554
- https://nvd.nist.gov/vuln/detail/CVE-2025-40551

‼️ SolarWinds Web Help Desk RCE Hit by Multiple Critical Security Flaws; CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, CVE-2025-40554

CVSS: All 9.8
CVEs Published: January 28th, 2026

CVE-2025-40551: SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

CVE-2025-40552: SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.

CVE-2025-40553: SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

CVE-2025-40554: SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.

Advisories:

https://nvd.nist.gov/vuln/detail/CVE-2025-40551
https://nvd.nist.gov/vuln/detail/CVE-2025-40552
https://nvd.nist.gov/vuln/detail/CVE-2025-40553
https://nvd.nist.gov/vuln/detail/CVE-2025-40554

📦 That WinRAR "Free Trial" You Never Paid For? Hackers Are Exploiting It Right Now 🚨
A WinRAR vulnerability patched last July (CVE-2025-8088) is still being actively exploited by Russian APTs, Chinese threat actors, and cybercrime gangs six months later. The path traversal flaw lets attackers slip malicious files into your system when you extract seemingly innocent archives. If you're still using WinRAR, update immediately or switch to 7-Zip.

Sources:
- https://www.bleepingcomputer.com/news/security/winrar-path-traversal-flaw-still-exploited-by-numerous-hackers/
- https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2025-8088
- https://www.helpnetsecurity.com/2026/01/28/winrar-vulnerability-exploited-cve-2025-8088/

---

🔓 Critical OpenSSL Flaw Could Let Hackers Take Over Your Computer Via Email 💀

CVE-2025-15467 is a critical 9.8 CVSS remote code execution vulnerability in OpenSSL's CMS and S/MIME message processing. OpenSSL powers encrypted communications across the entire internet, and this flaw allows unauthenticated attackers to execute arbitrary code remotely without any credentials. A working proof-of-concept already exists in the wild, meaning both defenders and attackers have access to it.

Sources:
- https://nvd.nist.gov/vuln/detail/CVE-2025-15467
https://www.infosecurity-magazine.com/news/12-openssl-flaws/
- https://openssl-library.org/news/vulnerabilities/
- https://twitter.com/IntCyberDigest/status/2016288593547833778

---

🤦 SolarWinds Ships Critical Vulnerabilities In Their Own Software (Yes, THAT SolarWinds) 🤡

SolarWinds, the company that became the poster child for supply chain attacks after their 2020 breach, just disclosed four critical vulnerabilities in their Web Help Desk product. The flaws include unauthenticated remote code execution and authentication bypass that can be chained together to completely compromise systems without logging in. Five years after congressional hearings and intense security scrutiny, they still shipped this mess.

Sources:
- https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/
- https://www.helpnetsecurity.com/2026/01/29/solarwinds-web-help-desk-rce-vulnerabilities/
- https://www.rapid7.com/blog/post/etr-multiple-critical-solarwinds-web-help-desk-vulnerabilities-cve-2025-40551-40552-40553-40554/
- https://nvd.nist.gov/vuln/detail/CVE-2025-40552
- https://nvd.nist.gov/vuln/detail/CVE-2025-40553
- https://nvd.nist.gov/vuln/detail/CVE-2025-40554
- https://nvd.nist.gov/vuln/detail/CVE-2025-40551

SolarWinds has just announced four high-severity vulnerabilities in its Web Help Desk (WHD) software that could lead to full system takeover.

These flaws include unauthenticated Remote Code Execution (RCE) via insecure deserialization and multiple Authentication Bypasses, allowing attackers to execute protected methods without any credentials.

CVE-2025-40551 & CVE-2025-40553 (Unauthenticated RCE)
CVE-2025-40552 & CVE-2025-40554 (Auth Bypass)

https://www.thehackerwire.com/solarwinds-patches-critical-rce-and-auth-bypass-flaws-in-web-help-desk/

🔴 CVE-2025-40553 - Critical (9.8)

SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without au...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-40553/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

‼️ SolarWinds Web Help Desk RCE Hit by Multiple Critical Security Flaws; CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, CVE-2025-40554

CVSS: All 9.8
CVEs Published: January 28th, 2026

CVE-2025-40551: SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

CVE-2025-40552: SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.

CVE-2025-40553: SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

CVE-2025-40554: SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.

Advisories:

https://nvd.nist.gov/vuln/detail/CVE-2025-40551
https://nvd.nist.gov/vuln/detail/CVE-2025-40552
https://nvd.nist.gov/vuln/detail/CVE-2025-40553
https://nvd.nist.gov/vuln/detail/CVE-2025-40554

📦 That WinRAR "Free Trial" You Never Paid For? Hackers Are Exploiting It Right Now 🚨
A WinRAR vulnerability patched last July (CVE-2025-8088) is still being actively exploited by Russian APTs, Chinese threat actors, and cybercrime gangs six months later. The path traversal flaw lets attackers slip malicious files into your system when you extract seemingly innocent archives. If you're still using WinRAR, update immediately or switch to 7-Zip.

Sources:
- https://www.bleepingcomputer.com/news/security/winrar-path-traversal-flaw-still-exploited-by-numerous-hackers/
- https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2025-8088
- https://www.helpnetsecurity.com/2026/01/28/winrar-vulnerability-exploited-cve-2025-8088/

---

🔓 Critical OpenSSL Flaw Could Let Hackers Take Over Your Computer Via Email 💀

CVE-2025-15467 is a critical 9.8 CVSS remote code execution vulnerability in OpenSSL's CMS and S/MIME message processing. OpenSSL powers encrypted communications across the entire internet, and this flaw allows unauthenticated attackers to execute arbitrary code remotely without any credentials. A working proof-of-concept already exists in the wild, meaning both defenders and attackers have access to it.

Sources:
- https://nvd.nist.gov/vuln/detail/CVE-2025-15467
https://www.infosecurity-magazine.com/news/12-openssl-flaws/
- https://openssl-library.org/news/vulnerabilities/
- https://twitter.com/IntCyberDigest/status/2016288593547833778

---

🤦 SolarWinds Ships Critical Vulnerabilities In Their Own Software (Yes, THAT SolarWinds) 🤡

SolarWinds, the company that became the poster child for supply chain attacks after their 2020 breach, just disclosed four critical vulnerabilities in their Web Help Desk product. The flaws include unauthenticated remote code execution and authentication bypass that can be chained together to completely compromise systems without logging in. Five years after congressional hearings and intense security scrutiny, they still shipped this mess.

Sources:
- https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/
- https://www.helpnetsecurity.com/2026/01/29/solarwinds-web-help-desk-rce-vulnerabilities/
- https://www.rapid7.com/blog/post/etr-multiple-critical-solarwinds-web-help-desk-vulnerabilities-cve-2025-40551-40552-40553-40554/
- https://nvd.nist.gov/vuln/detail/CVE-2025-40552
- https://nvd.nist.gov/vuln/detail/CVE-2025-40553
- https://nvd.nist.gov/vuln/detail/CVE-2025-40554
- https://nvd.nist.gov/vuln/detail/CVE-2025-40551

‼️ SolarWinds Web Help Desk RCE Hit by Multiple Critical Security Flaws; CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, CVE-2025-40554

CVSS: All 9.8
CVEs Published: January 28th, 2026

CVE-2025-40551: SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

CVE-2025-40552: SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.

CVE-2025-40553: SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

CVE-2025-40554: SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.

Advisories:

https://nvd.nist.gov/vuln/detail/CVE-2025-40551
https://nvd.nist.gov/vuln/detail/CVE-2025-40552
https://nvd.nist.gov/vuln/detail/CVE-2025-40553
https://nvd.nist.gov/vuln/detail/CVE-2025-40554

📦 That WinRAR "Free Trial" You Never Paid For? Hackers Are Exploiting It Right Now 🚨
A WinRAR vulnerability patched last July (CVE-2025-8088) is still being actively exploited by Russian APTs, Chinese threat actors, and cybercrime gangs six months later. The path traversal flaw lets attackers slip malicious files into your system when you extract seemingly innocent archives. If you're still using WinRAR, update immediately or switch to 7-Zip.

Sources:
- https://www.bleepingcomputer.com/news/security/winrar-path-traversal-flaw-still-exploited-by-numerous-hackers/
- https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2025-8088
- https://www.helpnetsecurity.com/2026/01/28/winrar-vulnerability-exploited-cve-2025-8088/

---

🔓 Critical OpenSSL Flaw Could Let Hackers Take Over Your Computer Via Email 💀

CVE-2025-15467 is a critical 9.8 CVSS remote code execution vulnerability in OpenSSL's CMS and S/MIME message processing. OpenSSL powers encrypted communications across the entire internet, and this flaw allows unauthenticated attackers to execute arbitrary code remotely without any credentials. A working proof-of-concept already exists in the wild, meaning both defenders and attackers have access to it.

Sources:
- https://nvd.nist.gov/vuln/detail/CVE-2025-15467
https://www.infosecurity-magazine.com/news/12-openssl-flaws/
- https://openssl-library.org/news/vulnerabilities/
- https://twitter.com/IntCyberDigest/status/2016288593547833778

---

🤦 SolarWinds Ships Critical Vulnerabilities In Their Own Software (Yes, THAT SolarWinds) 🤡

SolarWinds, the company that became the poster child for supply chain attacks after their 2020 breach, just disclosed four critical vulnerabilities in their Web Help Desk product. The flaws include unauthenticated remote code execution and authentication bypass that can be chained together to completely compromise systems without logging in. Five years after congressional hearings and intense security scrutiny, they still shipped this mess.

Sources:
- https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/
- https://www.helpnetsecurity.com/2026/01/29/solarwinds-web-help-desk-rce-vulnerabilities/
- https://www.rapid7.com/blog/post/etr-multiple-critical-solarwinds-web-help-desk-vulnerabilities-cve-2025-40551-40552-40553-40554/
- https://nvd.nist.gov/vuln/detail/CVE-2025-40552
- https://nvd.nist.gov/vuln/detail/CVE-2025-40553
- https://nvd.nist.gov/vuln/detail/CVE-2025-40554
- https://nvd.nist.gov/vuln/detail/CVE-2025-40551

SolarWinds has just announced four high-severity vulnerabilities in its Web Help Desk (WHD) software that could lead to full system takeover.

These flaws include unauthenticated Remote Code Execution (RCE) via insecure deserialization and multiple Authentication Bypasses, allowing attackers to execute protected methods without any credentials.

CVE-2025-40551 & CVE-2025-40553 (Unauthenticated RCE)
CVE-2025-40552 & CVE-2025-40554 (Auth Bypass)

https://www.thehackerwire.com/solarwinds-patches-critical-rce-and-auth-bypass-flaws-in-web-help-desk/

🔴 CVE-2025-40552 - Critical (9.8)

SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-40552/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-69420 - High (7.5)

Issue summary: A type confusion vulnerability exists in the TimeStamp Response
verification code where an ASN1_TYPE union member is accessed without first
validating the type, causing an invalid or NULL pointer dereference when
processing a malfor...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-69420/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

‼️AISLE Goes 12-for-12 on OpenSSL Vulnerability Detection

CVEs Published: January 27th, 2026

High and Moderate Severity Flaws:

▪️CVE-2025-15467: Stack Buffer Overflow in CMS AuthEnvelopedData Parsing (High): A vulnerability with the potential to enable remote code execution under specific conditions

▪️CVE-2025-11187: PBMAC1 Parameter Validation in PKCS#12 (Moderate): Missing validation that could trigger a stack-based buffer overflow

Low Severity Flaws:

▪️CVE-2025-15468: Crash in QUIC protocol cipher handling
▪️CVE-2025-15469: Silent truncation bug affecting post-quantum signature algorithms (ML-DSA)
▪️CVE-2025-66199: Memory exhaustion via TLS 1.3 certificate compression
▪️CVE-2025-68160: Memory corruption in line-buffering (affects code back to OpenSSL 1.0.2)
▪️CVE-2025-69418: Encryption flaw in OCB mode on hardware-accelerated paths
▪️CVE-2025-69419: Memory corruption in PKCS#12 character encoding
▪️CVE-2025-69420: Crash in TimeStamp Response verification
▪️CVE-2025-69421: Crash in PKCS#12 decryption
▪️CVE-2026-22795: Crash in PKCS#12 parsing
▪️CVE-2026-22796: Crash in PKCS#7 signature verification (affects code back to OpenSSL 1.0.2)

"When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.

Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk."

Writeup: https://aisle.com/blog/aisle-discovered-12-out-of-12-openssl-vulnerabilities

🟠 CVE-2026-24868 - High (7.5)

Mitigation bypass in the Privacy: Anti-Tracking component. This vulnerability affects Firefox < 147.0.2.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24868/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

‼️AISLE Goes 12-for-12 on OpenSSL Vulnerability Detection

CVEs Published: January 27th, 2026

High and Moderate Severity Flaws:

▪️CVE-2025-15467: Stack Buffer Overflow in CMS AuthEnvelopedData Parsing (High): A vulnerability with the potential to enable remote code execution under specific conditions

▪️CVE-2025-11187: PBMAC1 Parameter Validation in PKCS#12 (Moderate): Missing validation that could trigger a stack-based buffer overflow

Low Severity Flaws:

▪️CVE-2025-15468: Crash in QUIC protocol cipher handling
▪️CVE-2025-15469: Silent truncation bug affecting post-quantum signature algorithms (ML-DSA)
▪️CVE-2025-66199: Memory exhaustion via TLS 1.3 certificate compression
▪️CVE-2025-68160: Memory corruption in line-buffering (affects code back to OpenSSL 1.0.2)
▪️CVE-2025-69418: Encryption flaw in OCB mode on hardware-accelerated paths
▪️CVE-2025-69419: Memory corruption in PKCS#12 character encoding
▪️CVE-2025-69420: Crash in TimeStamp Response verification
▪️CVE-2025-69421: Crash in PKCS#12 decryption
▪️CVE-2026-22795: Crash in PKCS#12 parsing
▪️CVE-2026-22796: Crash in PKCS#7 signature verification (affects code back to OpenSSL 1.0.2)

"When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.

Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk."

Writeup: https://aisle.com/blog/aisle-discovered-12-out-of-12-openssl-vulnerabilities

‼️AISLE Goes 12-for-12 on OpenSSL Vulnerability Detection

CVEs Published: January 27th, 2026

High and Moderate Severity Flaws:

▪️CVE-2025-15467: Stack Buffer Overflow in CMS AuthEnvelopedData Parsing (High): A vulnerability with the potential to enable remote code execution under specific conditions

▪️CVE-2025-11187: PBMAC1 Parameter Validation in PKCS#12 (Moderate): Missing validation that could trigger a stack-based buffer overflow

Low Severity Flaws:

▪️CVE-2025-15468: Crash in QUIC protocol cipher handling
▪️CVE-2025-15469: Silent truncation bug affecting post-quantum signature algorithms (ML-DSA)
▪️CVE-2025-66199: Memory exhaustion via TLS 1.3 certificate compression
▪️CVE-2025-68160: Memory corruption in line-buffering (affects code back to OpenSSL 1.0.2)
▪️CVE-2025-69418: Encryption flaw in OCB mode on hardware-accelerated paths
▪️CVE-2025-69419: Memory corruption in PKCS#12 character encoding
▪️CVE-2025-69420: Crash in TimeStamp Response verification
▪️CVE-2025-69421: Crash in PKCS#12 decryption
▪️CVE-2026-22795: Crash in PKCS#12 parsing
▪️CVE-2026-22796: Crash in PKCS#7 signature verification (affects code back to OpenSSL 1.0.2)

"When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.

Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk."

Writeup: https://aisle.com/blog/aisle-discovered-12-out-of-12-openssl-vulnerabilities

‼️AISLE Goes 12-for-12 on OpenSSL Vulnerability Detection

CVEs Published: January 27th, 2026

High and Moderate Severity Flaws:

▪️CVE-2025-15467: Stack Buffer Overflow in CMS AuthEnvelopedData Parsing (High): A vulnerability with the potential to enable remote code execution under specific conditions

▪️CVE-2025-11187: PBMAC1 Parameter Validation in PKCS#12 (Moderate): Missing validation that could trigger a stack-based buffer overflow

Low Severity Flaws:

▪️CVE-2025-15468: Crash in QUIC protocol cipher handling
▪️CVE-2025-15469: Silent truncation bug affecting post-quantum signature algorithms (ML-DSA)
▪️CVE-2025-66199: Memory exhaustion via TLS 1.3 certificate compression
▪️CVE-2025-68160: Memory corruption in line-buffering (affects code back to OpenSSL 1.0.2)
▪️CVE-2025-69418: Encryption flaw in OCB mode on hardware-accelerated paths
▪️CVE-2025-69419: Memory corruption in PKCS#12 character encoding
▪️CVE-2025-69420: Crash in TimeStamp Response verification
▪️CVE-2025-69421: Crash in PKCS#12 decryption
▪️CVE-2026-22795: Crash in PKCS#12 parsing
▪️CVE-2026-22796: Crash in PKCS#7 signature verification (affects code back to OpenSSL 1.0.2)

"When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.

Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk."

Writeup: https://aisle.com/blog/aisle-discovered-12-out-of-12-openssl-vulnerabilities

‼️AISLE Goes 12-for-12 on OpenSSL Vulnerability Detection

CVEs Published: January 27th, 2026

High and Moderate Severity Flaws:

▪️CVE-2025-15467: Stack Buffer Overflow in CMS AuthEnvelopedData Parsing (High): A vulnerability with the potential to enable remote code execution under specific conditions

▪️CVE-2025-11187: PBMAC1 Parameter Validation in PKCS#12 (Moderate): Missing validation that could trigger a stack-based buffer overflow

Low Severity Flaws:

▪️CVE-2025-15468: Crash in QUIC protocol cipher handling
▪️CVE-2025-15469: Silent truncation bug affecting post-quantum signature algorithms (ML-DSA)
▪️CVE-2025-66199: Memory exhaustion via TLS 1.3 certificate compression
▪️CVE-2025-68160: Memory corruption in line-buffering (affects code back to OpenSSL 1.0.2)
▪️CVE-2025-69418: Encryption flaw in OCB mode on hardware-accelerated paths
▪️CVE-2025-69419: Memory corruption in PKCS#12 character encoding
▪️CVE-2025-69420: Crash in TimeStamp Response verification
▪️CVE-2025-69421: Crash in PKCS#12 decryption
▪️CVE-2026-22795: Crash in PKCS#12 parsing
▪️CVE-2026-22796: Crash in PKCS#7 signature verification (affects code back to OpenSSL 1.0.2)

"When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.

Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk."

Writeup: https://aisle.com/blog/aisle-discovered-12-out-of-12-openssl-vulnerabilities

‼️AISLE Goes 12-for-12 on OpenSSL Vulnerability Detection

CVEs Published: January 27th, 2026

High and Moderate Severity Flaws:

▪️CVE-2025-15467: Stack Buffer Overflow in CMS AuthEnvelopedData Parsing (High): A vulnerability with the potential to enable remote code execution under specific conditions

▪️CVE-2025-11187: PBMAC1 Parameter Validation in PKCS#12 (Moderate): Missing validation that could trigger a stack-based buffer overflow

Low Severity Flaws:

▪️CVE-2025-15468: Crash in QUIC protocol cipher handling
▪️CVE-2025-15469: Silent truncation bug affecting post-quantum signature algorithms (ML-DSA)
▪️CVE-2025-66199: Memory exhaustion via TLS 1.3 certificate compression
▪️CVE-2025-68160: Memory corruption in line-buffering (affects code back to OpenSSL 1.0.2)
▪️CVE-2025-69418: Encryption flaw in OCB mode on hardware-accelerated paths
▪️CVE-2025-69419: Memory corruption in PKCS#12 character encoding
▪️CVE-2025-69420: Crash in TimeStamp Response verification
▪️CVE-2025-69421: Crash in PKCS#12 decryption
▪️CVE-2026-22795: Crash in PKCS#12 parsing
▪️CVE-2026-22796: Crash in PKCS#7 signature verification (affects code back to OpenSSL 1.0.2)

"When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.

Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk."

Writeup: https://aisle.com/blog/aisle-discovered-12-out-of-12-openssl-vulnerabilities

‼️AISLE Goes 12-for-12 on OpenSSL Vulnerability Detection

CVEs Published: January 27th, 2026

High and Moderate Severity Flaws:

▪️CVE-2025-15467: Stack Buffer Overflow in CMS AuthEnvelopedData Parsing (High): A vulnerability with the potential to enable remote code execution under specific conditions

▪️CVE-2025-11187: PBMAC1 Parameter Validation in PKCS#12 (Moderate): Missing validation that could trigger a stack-based buffer overflow

Low Severity Flaws:

▪️CVE-2025-15468: Crash in QUIC protocol cipher handling
▪️CVE-2025-15469: Silent truncation bug affecting post-quantum signature algorithms (ML-DSA)
▪️CVE-2025-66199: Memory exhaustion via TLS 1.3 certificate compression
▪️CVE-2025-68160: Memory corruption in line-buffering (affects code back to OpenSSL 1.0.2)
▪️CVE-2025-69418: Encryption flaw in OCB mode on hardware-accelerated paths
▪️CVE-2025-69419: Memory corruption in PKCS#12 character encoding
▪️CVE-2025-69420: Crash in TimeStamp Response verification
▪️CVE-2025-69421: Crash in PKCS#12 decryption
▪️CVE-2026-22795: Crash in PKCS#12 parsing
▪️CVE-2026-22796: Crash in PKCS#7 signature verification (affects code back to OpenSSL 1.0.2)

"When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.

Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk."

Writeup: https://aisle.com/blog/aisle-discovered-12-out-of-12-openssl-vulnerabilities

‼️AISLE Goes 12-for-12 on OpenSSL Vulnerability Detection

CVEs Published: January 27th, 2026

High and Moderate Severity Flaws:

▪️CVE-2025-15467: Stack Buffer Overflow in CMS AuthEnvelopedData Parsing (High): A vulnerability with the potential to enable remote code execution under specific conditions

▪️CVE-2025-11187: PBMAC1 Parameter Validation in PKCS#12 (Moderate): Missing validation that could trigger a stack-based buffer overflow

Low Severity Flaws:

▪️CVE-2025-15468: Crash in QUIC protocol cipher handling
▪️CVE-2025-15469: Silent truncation bug affecting post-quantum signature algorithms (ML-DSA)
▪️CVE-2025-66199: Memory exhaustion via TLS 1.3 certificate compression
▪️CVE-2025-68160: Memory corruption in line-buffering (affects code back to OpenSSL 1.0.2)
▪️CVE-2025-69418: Encryption flaw in OCB mode on hardware-accelerated paths
▪️CVE-2025-69419: Memory corruption in PKCS#12 character encoding
▪️CVE-2025-69420: Crash in TimeStamp Response verification
▪️CVE-2025-69421: Crash in PKCS#12 decryption
▪️CVE-2026-22795: Crash in PKCS#12 parsing
▪️CVE-2026-22796: Crash in PKCS#7 signature verification (affects code back to OpenSSL 1.0.2)

"When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.

Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk."

Writeup: https://aisle.com/blog/aisle-discovered-12-out-of-12-openssl-vulnerabilities

‼️AISLE Goes 12-for-12 on OpenSSL Vulnerability Detection

CVEs Published: January 27th, 2026

High and Moderate Severity Flaws:

▪️CVE-2025-15467: Stack Buffer Overflow in CMS AuthEnvelopedData Parsing (High): A vulnerability with the potential to enable remote code execution under specific conditions

▪️CVE-2025-11187: PBMAC1 Parameter Validation in PKCS#12 (Moderate): Missing validation that could trigger a stack-based buffer overflow

Low Severity Flaws:

▪️CVE-2025-15468: Crash in QUIC protocol cipher handling
▪️CVE-2025-15469: Silent truncation bug affecting post-quantum signature algorithms (ML-DSA)
▪️CVE-2025-66199: Memory exhaustion via TLS 1.3 certificate compression
▪️CVE-2025-68160: Memory corruption in line-buffering (affects code back to OpenSSL 1.0.2)
▪️CVE-2025-69418: Encryption flaw in OCB mode on hardware-accelerated paths
▪️CVE-2025-69419: Memory corruption in PKCS#12 character encoding
▪️CVE-2025-69420: Crash in TimeStamp Response verification
▪️CVE-2025-69421: Crash in PKCS#12 decryption
▪️CVE-2026-22795: Crash in PKCS#12 parsing
▪️CVE-2026-22796: Crash in PKCS#7 signature verification (affects code back to OpenSSL 1.0.2)

"When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.

Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk."

Writeup: https://aisle.com/blog/aisle-discovered-12-out-of-12-openssl-vulnerabilities

‼️AISLE Goes 12-for-12 on OpenSSL Vulnerability Detection

CVEs Published: January 27th, 2026

High and Moderate Severity Flaws:

▪️CVE-2025-15467: Stack Buffer Overflow in CMS AuthEnvelopedData Parsing (High): A vulnerability with the potential to enable remote code execution under specific conditions

▪️CVE-2025-11187: PBMAC1 Parameter Validation in PKCS#12 (Moderate): Missing validation that could trigger a stack-based buffer overflow

Low Severity Flaws:

▪️CVE-2025-15468: Crash in QUIC protocol cipher handling
▪️CVE-2025-15469: Silent truncation bug affecting post-quantum signature algorithms (ML-DSA)
▪️CVE-2025-66199: Memory exhaustion via TLS 1.3 certificate compression
▪️CVE-2025-68160: Memory corruption in line-buffering (affects code back to OpenSSL 1.0.2)
▪️CVE-2025-69418: Encryption flaw in OCB mode on hardware-accelerated paths
▪️CVE-2025-69419: Memory corruption in PKCS#12 character encoding
▪️CVE-2025-69420: Crash in TimeStamp Response verification
▪️CVE-2025-69421: Crash in PKCS#12 decryption
▪️CVE-2026-22795: Crash in PKCS#12 parsing
▪️CVE-2026-22796: Crash in PKCS#7 signature verification (affects code back to OpenSSL 1.0.2)

"When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.

Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk."

Writeup: https://aisle.com/blog/aisle-discovered-12-out-of-12-openssl-vulnerabilities

Critical File System Vulnerability Patched in iba Systems ibaPDA

iba Systems patched a critical file system vulnerability, CVE-2025-14988 in its ibaPDA software used in critical manufacturing. The flaw allows unauthorized attackers to manipulate files.

**Make sure all industrial devices are isolated from the internet and accessible from trusted networks only. Update ibaPDA to version 8.12.1 as soon as possible. In the meantime apply mitigating measures to limit impact.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/critical-file-system-vulnerability-patched-in-iba-systems-ibapda-k-x-s-9-3/gD2P6Ple2L

🟠 CVE-2026-24842 - High (8.2)

node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to cra...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24842/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-1280 - High (7.5)

The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthe...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1280/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-40536 - High (8.1)

SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-40536/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-40537 - High (7.5)

SolarWinds Web Help Desk was found to be susceptible to a hardcoded credentials vulnerability that, under certain situations, could allow access to administrative functions.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-40537/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-24840 - High (8)

Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a hardcoded credential in the provided installation script (located at https://dokploy.com/install.sh, line 154) uses a hardcoded password when creating th...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24840/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-67645 - High (8.8)

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. An authenticated normal user can modify the request paramet...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-67645/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-55292 - High (8.2)

Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-55292/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-24836 - High (7.6)

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, extensions could write richtext in log notes which can include script...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24836/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-24833 - High (7.6)

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, a module could install with richtext in its description field which could contain scripts that will...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24833/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🔴 CVE-2026-24770 - Critical (9.8)

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In version 0.23.1 and possibly earlier versions, the MinerU parser contains a "Zip Slip" vulnerability, allowing an attacker to overwrite arbitrary files on the server (leading...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24770/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-24783 - High (7.5)

soroban-fixed-point-math is a fixed-point math library for Soroban smart contacts. In versions 1.3.0 and 1.4.0, the `mulDiv(x, y, z)` function incorrectly handled cases where both the intermediate product $x * y$ and the divisor $z$ were negative....

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24783/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-24778 - High (8.8)

Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaSc...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24778/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🔴 CVE-2026-24736 - Critical (9.1)

Squidex is an open source headless content management system and content management hub. Versions of the application up to and including 7.21.0 allow users to define "Webhooks" as actions within the Rules engine. The url parameter in the webhook c...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24736/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🔴 CVE-2026-24736 - Critical (9.1)

Squidex is an open source headless content management system and content management hub. Versions of the application up to and including 7.21.0 allow users to define "Webhooks" as actions within the Rules engine. The url parameter in the webhook c...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24736/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-24882 - High (8.4)

In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24882/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-23593 - High (7.5)

A vulnerability in the web-based management interface of HPE Aruba Networking Fabric Composer could allow an unauthenticated remote attacker to view some system files. Successful exploitation could allow an attacker to read files within the affect...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-23593/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-23881 - High (7.7)

Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of ...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-23881/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-22258 - High (7.5)

Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, crafted DCERPC traffic can cause Suricata to expand a buffer w/o limits, leading to memory exhaustion and the process getting killed. While reported for DCERPC over...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-22258/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-24831 - High (7.5)

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ixray-team ixray-1.6-stcop.This issue affects ixray-1.6-stcop: before 1.3.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24831/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-24831 - High (7.5)

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ixray-team ixray-1.6-stcop.This issue affects ixray-1.6-stcop: before 1.3.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24831/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🔴 CVE-2026-24874 - Critical (9.1)

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in themrdemonized xray-monolith.This issue affects xray-monolith: before 2025.12.30.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24874/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🔴 CVE-2026-24874 - Critical (9.1)

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in themrdemonized xray-monolith.This issue affects xray-monolith: before 2025.12.30.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24874/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-0648 - High (7.8)

The vulnerability stems from an incorrect error-checking logic in the CreateCounter() function (in threadx/utility/rtos_compatibility_layers/OSEK/tx_osek.c) when handling the return value of osek_get_counter(). Specifically, the current code chec...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-0648/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-24873 - High (7.8)

Out-of-bounds Read vulnerability in Rinnegatamante lpp-vita.This issue affects lpp-vita: before lpp-vita r6.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24873/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🔴 CVE-2026-24872 - Critical (9.8)

improper pointer arithmetic

vulnerability in ProjectSkyfire SkyFire_548.This issue affects SkyFire_548: before 5.4.8-stable5.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24872/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🔴 CVE-2026-24832 - Critical (9.8)

Out-of-bounds Write vulnerability in ixray-team ixray-1.6-stcop.This issue affects ixray-1.6-stcop: before 1.3.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24832/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-65889 - High (7.5)

A type validation flaw in the flow.dstack() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-65889/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-65889 - High (7.5)

A type validation flaw in the flow.dstack() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-65889/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-65889 - High (7.5)

A type validation flaw in the flow.dstack() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-65889/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-65889 - High (7.5)

A type validation flaw in the flow.dstack() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-65889/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-65888 - High (7.5)

A dimension validation flaw in the flow.empty() component of OneFlow 0.9.0 allows attackers to cause a Denial of Service (DoS) via a negative or excessively large dimension value.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-65888/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-65888 - High (7.5)

A dimension validation flaw in the flow.empty() component of OneFlow 0.9.0 allows attackers to cause a Denial of Service (DoS) via a negative or excessively large dimension value.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-65888/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-65888 - High (7.5)

A dimension validation flaw in the flow.empty() component of OneFlow 0.9.0 allows attackers to cause a Denial of Service (DoS) via a negative or excessively large dimension value.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-65888/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-65888 - High (7.5)

A dimension validation flaw in the flow.empty() component of OneFlow 0.9.0 allows attackers to cause a Denial of Service (DoS) via a negative or excessively large dimension value.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-65888/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-65886 - High (7.5)

A shape mismatch vulnerability in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via supplying crafted tensor shapes.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-65886/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-65886 - High (7.5)

A shape mismatch vulnerability in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via supplying crafted tensor shapes.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-65886/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-65886 - High (7.5)

A shape mismatch vulnerability in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via supplying crafted tensor shapes.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-65886/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-65886 - High (7.5)

A shape mismatch vulnerability in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via supplying crafted tensor shapes.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-65886/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

‼️ CVE-2026-1056: Snow Monkey Forms <= 12.0.3 - Unauthenticated Arbitrary File Deletion via Path Traversal

PoC/Exploit: https://github.com/ch4r0nn/CVE-2026-1056-POC

CVSS: 9.8
CVE Published: January 28th, 2026

Advisory: https://github.com/advisories/GHSA-g5p3-f4cq-94v5

Details: The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generate_user_dirpath' function in all versions up to, and including, 12.0.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

‼️ CVE-2026-1056: Snow Monkey Forms <= 12.0.3 - Unauthenticated Arbitrary File Deletion via Path Traversal

PoC/Exploit: https://github.com/ch4r0nn/CVE-2026-1056-POC

CVSS: 9.8
CVE Published: January 28th, 2026

Advisory: https://github.com/advisories/GHSA-g5p3-f4cq-94v5

Details: The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generate_user_dirpath' function in all versions up to, and including, 12.0.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

🔴 CVE-2026-1056 - Critical (9.8)

The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generate_user_dirpath' function in all versions up to, and including, 12.0.3. This makes it possible for unauthent...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1056/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-57283 - High (7.8)

The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-57283/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-57283 - High (7.8)

The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-57283/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🔴 CVE-2025-61140 - Critical (9.8)

The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-61140/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🔴 CVE-2025-61140 - Critical (9.8)

The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-61140/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-62514 - High (8.3)

Parsec is a cloud-based application for cryptographically secure file sharing. In versions on the 3.x branch prior to 3.6.0, `libparsec_crypto`, a component of the Parsec application, does not check for weak order point of Curve25519 when compiled...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-62514/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-62514 - High (8.3)

Parsec is a cloud-based application for cryptographically secure file sharing. In versions on the 3.x branch prior to 3.6.0, `libparsec_crypto`, a component of the Parsec application, does not check for weak order point of Curve25519 when compiled...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-62514/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-7714 - High (7.5)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows Command Line Execution through SQL Injection.This issue affe...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-7714/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-7714 - High (7.5)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows Command Line Execution through SQL Injection.This issue affe...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-7714/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-7713 - High (7.5)

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows XSS Through HTTP Headers.This issue affects Content M...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-7713/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-7713 - High (7.5)

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows XSS Through HTTP Headers.This issue affects Content M...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-7713/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-1616 - High (7.5)

The $uri$args concatenation in nginx configuration file present in Open Security Issue Management (OSIM) prior v2025.9.0 allows path traversal attacks via query parameters.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1616/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-1616 - High (7.5)

The $uri$args concatenation in nginx configuration file present in Open Security Issue Management (OSIM) prior v2025.9.0 allows path traversal attacks via query parameters.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1616/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-7016 - High (8)

Improper Access Control vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Authentication Abuse.This issue affects QR Menu: before s1.05.12.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-7016/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-7016 - High (8)

Improper Access Control vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Authentication Abuse.This issue affects QR Menu: before s1.05.12.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-7016/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-24856 - High (7.8)

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Versions prior to 2.3.1.2 have an undefined behavior issue when floating-point NaN values are converted to...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24856/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

New.

NVIDIA GPU Display Drivers - January 2026 vulnerabilities: CVE-2025-33217, CVE-2025-33218, and CVE-2025-33219 https://nvidia.custhelp.com/app/answers/detail/a_id/5747 #Nvidia #infosec #vulnerability

🟠 CVE-2025-33217 - High (7.8)

NVIDIA Display Driver for Windows contains a vulnerability where an attacker could trigger a use after free. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and ...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-33217/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

New.

NVIDIA GPU Display Drivers - January 2026 vulnerabilities: CVE-2025-33217, CVE-2025-33218, and CVE-2025-33219 https://nvidia.custhelp.com/app/answers/detail/a_id/5747 #Nvidia #infosec #vulnerability

🟠 CVE-2025-33218 - High (7.8)

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where an attacker could cause an integer overflow. A successful exploit of this vulnerability might lead to code execution, escalation of privi...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-33218/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

New.

NVIDIA GPU Display Drivers - January 2026 vulnerabilities: CVE-2025-33217, CVE-2025-33218, and CVE-2025-33219 https://nvidia.custhelp.com/app/answers/detail/a_id/5747 #Nvidia #infosec #vulnerability