Marcus Chen

CVE-2026-34621 is a prototype pollution flaw in Adobe Acrobat Reader with a CVSS 8.6 score. Active exploitation began in December 2025. Update immediately.

Microsoft found an intent redirection vulnerability in EngageLab's Android SDK affecting 50M+ app installs. Crypto wallets with 30M users were at risk.

CVE-2026-39987 in Marimo Python notebooks allows unauthenticated RCE via terminal WebSocket. Attackers weaponized it within hours. Patch to 0.23.0 now.

CVE-2026-25776 (CVSS 9.8) enables remote code execution through Movable Type's Listing Framework. Affects versions 6.0+. Patches available for MT 9, 8.8, 8.0.

CVE-2026-39888 bypasses PraisonAI's Python sandbox via exception frame traversal. Attackers chain __traceback__ attributes to reach exec(). Patch to 1.5.115.

CVE-2026-34197 exposes Apache ActiveMQ to remote code execution via the Jolokia API. Horizon3 researcher used Claude to uncover the flaw in under 10 minutes. Patch now.

CVE-2026-34040 lets attackers bypass Docker authorization plugins with a single padded HTTP request. CVSS 8.8 flaw patched in Engine 29.3.1.

Critical code injection vulnerability CVE-2025-59528 in Flowise AI agent builder scores maximum CVSS 10.0 and is under active exploitation. Over 12,000 instances are publicly accessible.

Security researcher releases working proof-of-concept for BlueHammer, an unpatched Windows Defender privilege escalation flaw enabling SYSTEM access via TOCTOU and path confusion vulnerabilities.

University of Toronto researchers demonstrate GPUBreach, a GPU rowhammer attack that bypasses IOMMU protections to achieve root access on systems with NVIDIA GPUs. Consumer GPUs remain unmitigated.

CISA adds CVE-2026-35616 to KEV catalog with April 9 deadline for federal agencies. Nearly 2,000 FortiClient EMS instances remain exposed as exploitation continues.

AI-discovered vulnerabilities bypass all security policies including 'secure' mode. Most servers won't receive fixes until 2027 without manual intervention.

CVE-2026-34838 lets authenticated attackers achieve RCE on Group-Office CRM servers via insecure deserialization. Upgrade to patched versions immediately.

CVE-2026-2699 and CVE-2026-2701 combine to let unauthenticated attackers take over ShareFile Storage Zone Controllers. Patches available since March 10.

CVE-2026-20093 and CVE-2026-20160 let unauthenticated attackers take full control of Cisco UCS servers and licensing infrastructure. No workarounds exist.

CVE-2026-35616 lets attackers bypass API authentication in FortiClient EMS 7.4.5-7.4.6 for unauthenticated RCE. Exploitation began March 31. Emergency hotfixes available.

CVE-2026-34938 lets attackers escape PraisonAI's three-layer Python sandbox to execute arbitrary OS commands. CVSS 10 — patch to version 1.5.90 immediately.

Microsoft Azure Kubernetes Service has a critical auth bypass (CVE-2026-33105) with a perfect CVSS 10.0 score. Unauthenticated attackers can escalate to cluster admin—patch now.

Unit 42 exposes how excessive default permissions in Google Cloud's Vertex AI let attackers weaponize AI agents to steal data from customer environments.

CVE-2026-5281 exploited in the wild targets Dawn WebGPU implementation. Google rushes emergency patch as Chrome zero-days accelerate in 2026.

CVE-2026-32746 (CVSS 9.8) in GNU InetUtils telnetd enables unauthenticated root RCE via buffer overflow. FreeBSD, NetBSD, Citrix NetScaler affected.

Trend Micro ZDI disclosed a CVSS 9.8 flaw enabling device takeover via animated stickers. Telegram says the vulnerability doesn't exist. No patch until July 2026.

Check Point Research disclosed a ChatGPT vulnerability that abused DNS tunneling to silently steal conversation data. OpenAI patched the flaw on February 20, 2026.

CVE-2026-21643 exploitation began March 26, six weeks after Fortinet's patch. Around 1,000 internet-exposed EMS instances remain vulnerable to unauthenticated RCE.

CVE-2026-33660 (CVSS 9.4) lets authenticated users escape n8n's AlaSQL sandbox via the Merge node. Over 615,000 public instances potentially vulnerable.

CVE-2026-3055 now actively exploited. CISA adds the CVSS 9.3 memory leak to KEV catalog, giving federal agencies until April 2 to patch SAML IdP configurations.

Critical CVSS 9.8 flaw in OpenClaw AI agent platform lets attackers replay setup codes for privilege escalation. Patch to version 2026.3.13 immediately.

CVE-2026-3098 lets subscribers read wp-config.php and any server file. Amelia Booking Pro also patched for admin password reset bug. Update these WordPress plugins now.

CISA added CVE-2025-53521 to its KEV catalog after F5 reclassified the BIG-IP APM vulnerability from DoS to remote code execution. CVSS 9.8—federal deadline is March 30.

Three vulnerabilities in LangChain and LangGraph expose filesystems, environment secrets, and conversation histories. CVE-2026-34070 enables path traversal. Patches available now.

CVE-2026-22557 lets unauthenticated attackers traverse paths and hijack UniFi Network accounts. CVSS 10.0 severity demands immediate patching to 10.1.89.

Critical CVE-2025-15517 allows attackers to bypass authentication on TP-Link Archer NX routers, upload malicious firmware, and modify configurations without credentials.

Critical deserialization flaw CVE-2026-4681 in PTC Windchill and FlexPLM threatens manufacturing sector. German federal police dispatched to warn companies of imminent exploitation.

n8n patches CVE-2026-27577, CVE-2026-27493, and two more sandbox escapes. One flaw allows unauthenticated attackers to execute commands via public form endpoints.

CVE-2026-3055 (CVSS 9.3) lets unauthenticated attackers read sensitive data from NetScaler memory. Affects appliances configured as SAML Identity Providers—patch now.

Attackers exploiting CVE-2025-32975 authentication bypass in Quest KACE to hijack admin accounts and deploy credential harvesters. Patched in May 2025—many remain exposed.

Three vulnerabilities in AVideo's CloneSite plugin chain together for unauthenticated remote code execution. CVE-2026-33478 has no patch available as attackers can extract admin credentials and inject OS commands.

CVE-2026-3888 exploits timing race between snap-confine and systemd-tmpfiles to grant root access on Ubuntu Desktop 24.04+. Qualys researchers demonstrate full privilege escalation.

Fortinet's March 2026 security advisory addresses 11 vulnerabilities including auth bypass, SQL injection, and buffer overflow flaws affecting enterprise management products.

Unrestricted file upload in Magento and Adobe Commerce REST API allows unauthenticated attackers to upload executable files. No isolated patch available for production versions.

Five vulnerabilities under active exploitation added to CISA's KEV catalog. Federal agencies must patch by April 3, 2026. Includes three Apple kernel flaws and Laravel RCE.

CVE-2026-33017 (CVSS 9.3) lets attackers execute arbitrary Python code on Langflow AI pipelines without authentication. Exploitation began before any PoC existed.

CVE-2026-21992 scores CVSS 9.8 and allows unauthenticated remote code execution on Oracle Identity Manager and Web Services Manager. Patch immediately.

CVE-2026-26144 allows attackers to silently exfiltrate sensitive data through Microsoft Copilot Agent without user interaction. Patch now or disable Copilot.

CVE-2026-3611 exposes Honeywell IQ4x building management controllers with CVSS 10 severity. Default configuration allows anyone to create admin accounts.

CISA confirms active exploitation of VMware Aria Operations CVE-2026-22719, a command injection flaw enabling unauthenticated RCE. Patch by March 24.

CISA added Microsoft SharePoint CVE-2026-20963 to the KEV catalog after confirming active exploitation. Federal agencies must patch by March 21.

LayerX researchers found that custom font rendering can hide malicious prompts from ChatGPT, Claude, Gemini, and other AI assistants while displaying them to users.

CVE-2026-32746 in GNU InetUtils telnetd allows unauthenticated root RCE via buffer overflow. CVSS 9.8, no patch available, over 200K servers exposed.

CISA renews warnings about CVE-2025-47812, a CVSS 10.0 vulnerability in Wing FTP Server that grants attackers root/SYSTEM access. Over 8,000 servers remain exposed.

CVE-2026-23813 allows unauthenticated attackers to reset admin passwords on HPE Aruba AOS-CX switches. No exploitation seen yet, but patch immediately.

Qualys discloses nine confused deputy vulnerabilities in Linux AppArmor that enable local privilege escalation to root. Ubuntu, Debian, and SUSE affected since 2017.

Google patches two actively exploited Chrome zero-days affecting Skia graphics and V8 JavaScript engine. CISA adds both to KEV catalog with March 27 deadline.

CVE-2026-1492 in User Registration & Membership plugin enables unauthenticated admin account creation. CVSS 9.8—over 100,000 sites at risk.

Veeam releases emergency patches for five critical RCE vulnerabilities (CVSS 9.9) affecting Backup & Replication. Domain users can fully compromise backup servers.

CVE-2025-68613 allows authenticated attackers to execute arbitrary code on n8n workflow servers. CISA gives federal agencies until March 25 to patch.

CVE-2026-1603 allows unauthenticated attackers to steal credential vaults from Ivanti Endpoint Manager. CISA added it to KEV catalog after exploitation detected.

Microsoft's March 2026 Patch Tuesday addresses 83 vulnerabilities including two publicly disclosed zero-days in SQL Server and .NET. Eight flaws rated Critical.

CVE-2026-3823 allows unauthenticated attackers to execute code on Atop Technologies industrial switches. Firmware 3.36 patches the critical buffer overflow.

Two critical vulnerabilities in Delta Electronics COMMGR2 enable remote code execution without authentication. ICS operators should patch to v2.11.1 immediately.

CVE-2026-30851 in Caddy's forward_auth module enables identity injection and privilege escalation. Any valid user can impersonate administrators. Update to 2.11.2.

Critical command injection and SQL bypass vulnerabilities in Tencent's WeKnora LLM framework allow unauthenticated RCE. Patch to versions 0.2.10 and 0.2.12 now.

Cisco confirms active exploitation of two more SD-WAN Manager vulnerabilities. Attackers deploying web shells through arbitrary file overwrite and credential exposure flaws.

Cisco confirmed CVE-2026-20122 and CVE-2026-20128 in Catalyst SD-WAN Manager are under active exploitation, with attackers deploying web shells globally.

Federal agencies must patch CVE-2017-7921 and CVE-2021-22681 by March 26. Hikvision cameras face active exploitation; Rockwell PLCs at risk.

CVE-2026-28289 allows unauthenticated attackers to achieve full server compromise by sending a single crafted email. CVSS 10.0—patch to 1.8.207 now.

CVE-2025-20265 in Cisco Secure Firewall Management Center allows unauthenticated attackers to execute commands as root via RADIUS authentication. Patch immediately.

CVE-2026-22886 exposes Eclipse OpenMQ to remote takeover via default admin/admin credentials. CVSS 9.8 critical vulnerability requires immediate attention from Java messaging users.

Google's March 2026 Android security update patches 129 vulnerabilities including CVE-2026-21385, a Qualcomm graphics flaw affecting 234 chipsets under active exploitation.

Critical insecure deserialization vulnerability in U-Office Force allows remote attackers to execute arbitrary code without authentication. CVSS 9.8, no patch available yet.

WordPress plugin wpForo 2.4.14 contains unauthenticated SQL injection, PHP object injection, and multiple authorization bypass flaws. Over 80,000 sites at risk.

Critical CVE-2026-21902 in Junos OS Evolved allows remote attackers to gain root access on PTX routers via exposed anomaly detection service. Patch now.

CVE-2026-28408 and related vulnerabilities allow unauthenticated attackers to bypass security, inject data, and execute code on WeGIA servers. Patch to version 3.6.5 immediately.

CVE-2026-2749 enables unauthenticated attackers to write or delete arbitrary files on Centreon Central Servers. Patches now available for all supported versions.

CVE-2026-27575 combines weak password enforcement with persistent sessions in Vikunja, enabling attackers to retain access even after victims change credentials.

CVE-2026-20781 exposes OCPP WebSocket endpoints to unauthenticated station impersonation, enabling attackers to manipulate EV charging infrastructure and steal energy.

CVE-2026-2251 is a CVSS 9.8 path traversal vulnerability in Xerox FreeFlow Core that enables unauthenticated remote code execution. Upgrade to version 8.1.0 now.

Check Point found CVE-2025-59536 and CVE-2026-21852 in Anthropic's Claude Code. Opening a cloned repo could execute code and leak API credentials.

CVE-2026-27941 (CVSS 9.9) lets attackers execute code via pull requests to OpenLIT, stealing GITHUB_TOKEN and cloud secrets. Patch to 1.37.1 now.

CVE-2026-20127 gives attackers full admin access to Cisco SD-WAN infrastructure. CISA emergency directive requires federal patches by Feb 27.

Microsoft confirms Copilot bug bypassed DLP policies, reading confidential emails without authorization. European Parliament blocked Copilot over concerns.

CISA flags FileZen command injection flaw (CVE-2026-25108, CVSS 8.7) as actively exploited. Federal agencies must patch by March 17, 2026.

Serv-U 15.5.4 fixes four CVSS 9.1 bugs including type confusion and access control flaws. Admin access required, but file transfer platforms remain high-value targets.

CVE-2025-40540 is a critical type confusion vulnerability in SolarWinds Serv-U with CVSS 9.1. Attackers with admin access can execute arbitrary code.

CISA adds CVE-2025-49113 (CVSS 9.9) and CVE-2025-68461 to KEV catalog after attackers weaponized the deserialization flaw within 48 hours. Federal agencies must patch by March 13.

CVE-2026-26119 lets attackers escalate from standard user to domain admin via improper authentication. Microsoft rates exploitation 'more likely.'

CVE-2026-26030 in Microsoft's Semantic Kernel Python SDK enables unauthenticated RCE through InMemoryVectorStore. Upgrade to 1.39.4 immediately.

Federal agencies must patch CVE-2026-22769 by Saturday after CISA confirms Chinese hackers exploited the Dell RecoverPoint vulnerability since 2024.

CVE-2026-2329 (CVSS 9.3) enables unauthenticated RCE on Grandstream GXP1600 VoIP phones. Attackers can intercept calls, steal credentials. Patch to 1.0.7.81.

Critical CVE-2026-1490 (CVSS 9.8) in CleanTalk anti-spam plugin allows unauthenticated attackers to install malicious plugins via DNS spoofing. Update to 6.72 now.

Cisco Talos researcher uses 'good enough' emulation to fuzz Socomec DIRIS M-70 energy gateway, discovering CVE-2025-54848 through CVE-2025-55222 in Modbus protocol handling.

CISA confirms active exploitation of Chrome CVE-2026-2441, Zimbra SSRF, Windows ActiveX CVE-2008-0015, and ThreatSonar flaws. Federal agencies face March 10 deadline.

CVE-2026-2441 is a high-severity CSS use-after-free in Chrome being exploited in the wild. Update to version 145.0.7632.75 immediately.

New n8n RCE flaw bypasses December patch through type confusion. CVSS 9.4 vulnerability enables unauthenticated command execution via malicious workflows.

CVE-2026-20700 memory corruption flaw in dyld exploited against targeted individuals. Google TAG credited with discovery. Patch now for iOS, macOS, watchOS.

GreyNoise traces Ivanti EPMM exploitation to bulletproof hosting on PROSPERO network. Defenders find dormant webshells—signs of initial access broker activity.

CVE-2025-20359 and CVE-2025-20360 affect Cisco FTD, Meraki, and open-source Snort 3. No workarounds exist—patches rolling out through February.

CVE-2026-21643 allows unauthenticated attackers to chain SQL injection with command execution in FortiClient EMS. CVSS 9.8 affects version 7.4.4—upgrade to 7.4.5 immediately.

CVE-2026-1731 allows unauthenticated remote code execution on BeyondTrust Remote Support and Privileged Remote Access products. CVSS 9.9 vulnerability affects 11,000+ exposed instances.

Microsoft's February 2026 Patch Tuesday fixes 59 flaws including six actively exploited zero-days. CrowdStrike confirmed CVE-2026-21533 was used in attacks targeting US and Canada since December.

CVE-2026-22778 chains a heap leak and buffer overflow in vLLM's video processing to achieve full RCE on AI inference servers. Patch to 0.14.1 now.

CVE-2025-22225 sandbox escape now confirmed as a ransomware attack vector. Exploitation toolkit predates Broadcom's patch by a full year.

CVE-2026-24423 lets unauthenticated attackers execute OS commands on SmarterMail servers. CISA confirms active ransomware exploitation and sets a February 26 patch deadline.

CVE-2026-25049 bypasses n8n's previous sandbox fix to enable system command execution. Four additional vulnerabilities disclosed simultaneously.

Federal agencies face an aggressive Friday deadline to patch CVE-2025-40551 in SolarWinds Web Help Desk. The compressed timeline signals serious active exploitation.

CVE-2026-20111 enables stored cross-site scripting attacks against administrators of Cisco Prime Infrastructure network management systems.

Attackers exploiting CVE-2025-5947 in Service Finder Bookings plugin to hijack admin accounts through cookie manipulation. Over 6,000 sites potentially exposed.

GreyNoise reveals CISA silently updated ransomware indicators on 59 vulnerabilities without alerts. New RSS feed tool catches changes within an hour.

Four actively exploited vulnerabilities added to CISA's catalog including SolarWinds Web Help Desk deserialization flaw with CVSS 9.8. Federal agencies have until February 6 to patch.

Tenable discloses 'LookOut' vulnerabilities in Google Looker enabling remote code execution and full database theft. Self-hosted deployments at 60,000+ organizations exposed.

The OWASP Top 10 lists the most critical web application security vulnerabilities. Learn what each risk means, see real-world examples, and understand how to protect your applications.

Researchers disclose zero-click attack vector on Android where adding a user to a group can trigger malware execution through manipulated media files.

Attackers exploited a validation flaw to send spoofed cross-chain messages and unlock tokens across Ethereum, Arbitrum, and six other networks.

CVE-2025-8110 allows authenticated attackers to achieve RCE on self-hosted Git servers via path traversal. Over 700 instances already compromised.

JFrog researchers develop working remote code execution exploit for CVE-2025-62507, a stack buffer overflow in Redis discovered by Google's AI security agent.

CVE-2025-0921 enables privileged file system operations that can disrupt industrial control systems in automotive, energy, and manufacturing environments.

Cisco patches CVE-2026-20029, an XML external entity vulnerability in Identity Services Engine with proof-of-concept exploit code already publicly available.

Deserialization bugs and authentication bypasses enable unauthenticated RCE. Attackers have targeted WHD vulnerabilities before.

Two critical code injection flaws in Ivanti Endpoint Manager Mobile enable unauthenticated RCE. Federal agencies must remediate by February 1.

CVE-2025-15467 allows attackers to crash or compromise systems by sending malicious CMS messages. All AI-discovered in OpenSSL's largest coordinated security release.

JFrog discloses CVE-2026-1470 and CVE-2026-0863 in workflow automation platform. Both vulnerabilities enable authenticated remote code execution.

CVE-2026-23550 in Modular DS plugin scores CVSS 10.0. Active exploitation began January 13, with 40,000+ sites at risk.

CVE-2026-24858 allows attackers with FortiCloud accounts to log into other organizations' FortiGate devices. Patches rolling out now.

CVE-2026-23760 enables unauthenticated admin takeover in SmarterMail. Exploitation began two days after patch release.

CVE-2026-21509 bypasses OLE security protections across Office 2016-2024. CISA adds it to KEV catalog with February 16 deadline.

KB5074109 update causing UNMOUNTABLE_BOOT_VOLUME errors on some Windows 11 devices. Physical machines affected; VMs appear unimpacted.

Mozilla patches six high-severity flaws in Firefox 147 and ESR releases. Multiple sandbox escape vulnerabilities could enable arbitrary code execution.

The ubiquitous command-line tool will stop accepting HackerOne submissions January 31. After $86K paid across 78 vulnerabilities, AI-generated noise made the program unsustainable.

Five vulnerabilities added to CISA's KEV catalog this week. VMware vCenter RCE bug patched 18 months ago now seeing active exploitation.

CVE-2026-24061 allows remote authentication bypass in GNU InetUtils telnetd. Exploitation activity detected within hours of disclosure.

Arctic Wolf reports automated attacks creating rogue admin accounts on supposedly patched FortiGate devices. Fortinet acknowledges incomplete fix.

Fuzzware.io claims Master of Pwn at Tokyo competition after researchers demonstrate record-breaking exploits against Tesla, EV chargers, and infotainment systems.

Researchers demonstrated 29 new zero-day exploits on Day Two at Pwn2Own Automotive in Tokyo, targeting EV chargers, infotainment systems, and Automotive Grade Linux.

CVE-2026-22844 allowed meeting participants to execute arbitrary code on Zoom's on-premises multimedia routers. No active exploitation reported yet.

CVE-2025-14533 in the ACF Extended plugin allows unauthenticated attackers to register as administrators on 100,000 WordPress sites.

Researchers exploited 37 zero-day vulnerabilities in Tesla systems, EV chargers, and infotainment units during the first day of Pwn2Own Automotive 2026 in Tokyo.

Multiple CVSS 10.0 flaws affect Commerce, Communications, and PeopleSoft. MySQL patches include a critical 9.8-severity bug.

CVE-2025-68493 in the XWork component enables XML External Entity attacks that can leak files, perform SSRF, or crash systems. Patch to version 6.1.1.

CVE-2026-22184 allows attackers to trigger memory corruption via an oversized archive name in zlib's untgz utility. No patch existed at initial disclosure.

Industrial control system vulnerabilities disclosed in Siemens RUGGEDCOM, Industrial Edge devices, Schneider EcoStruxure, AVEVA, and Festo products.

Varonis researchers disclosed a vulnerability chain that let attackers exfiltrate user data through Copilot with a single malicious link click. Microsoft has patched the issue.

AsyncOS fixes released for CVE-2025-20393 after weeks of active exploitation. Compromised appliances require full rebuild to remove persistent backdoors.

Critical Google Fast Pair vulnerability affects millions of wireless audio devices from major manufacturers. Attackers can eavesdrop on calls within Bluetooth range.

Critical authentication bug in popular scheduling platform reduces multi-factor auth to single-factor. Patch available in version 6.0.7.

CVE-2025-68668 bypasses Python code restrictions in workflow automation platform. CVSS 9.9 flaw affects versions 1.0.0 through 1.x.

CVE-2026-0227 allows unauthenticated attackers to crash firewalls via malformed packets. Proof-of-concept code is publicly available.

CVE-2025-64155 in Fortinet's SIEM product enables unauthenticated command injection via phMonitor service. CVSS 9.4, patches now available.

January 2026 Patch Tuesday addresses CVE-2026-20805, an info disclosure bug already under attack. CISA gives feds until February 3 to patch.

January 2026 Patch Day addresses 17 flaws including four HotNews vulnerabilities. CVE-2026-0501 allows authenticated attackers to compromise S/4HANA financial systems.

CVE-2026-20029 lets authenticated admins read restricted system files through XML parsing weakness. Trend Micro ZDI researcher found the bug; no workarounds available.

CVE-2026-22610 lets attackers inject JavaScript through SVG script attributes that Angular's sanitizer fails to recognize. Patches available for versions 19-21.

Five critical vulnerabilities in the self-hosting platform allow authenticated users to execute arbitrary commands as root. Over 52,000 instances are exposed globally.

CVE-2026-20026 and CVE-2026-20027 allow remote attackers to crash Snort or extract sensitive data. No workarounds exist—patches are the only fix.

CVE-2025-68428 enables path traversal in the popular JavaScript PDF library, allowing attackers to read arbitrary files from Node.js servers and exfiltrate them via generated documents.

January 7 KEV update includes CVE-2009-0556 from 2009 alongside recently patched HPE OneView vulnerability. Both are seeing active exploitation.

CVE-2026-21858 scores CVSS 10.0 and requires no credentials to exploit. Attackers can read files, forge admin sessions, and execute commands.

CVE-2026-0628 allowed malicious extensions to inject scripts into privileged pages through insufficient policy enforcement. Update to Chrome 143.0.7499.192.

CVE-2026-0625 allows unauthenticated remote code execution on legacy DSL routers. Affected models reached end-of-life in 2020 and won't receive fixes.

Google patches CVE-2026-0628 in first 2026 update. The high-severity bug affects billions of users across Chrome and Android applications.

Apple issues emergency patches for two WebKit zero-day vulnerabilities being actively exploited in sophisticated attacks linked to NSO Group's Pegasus spyware.

GreyNoise researchers uncover coordinated campaign exploiting 767 CVEs across 47 technology stacks. Hong Kong-based infrastructure generated 98% of attack traffic on Christmas Day.

CVE-2025-14346 allows attackers within Bluetooth range to fully control electric wheelchairs without authentication, earning a CVSS 9.8 severity score.

CVE-2025-69194 is a path traversal bug in Metalink handling that could let remote attackers write arbitrary files. CVSS 8.8.

CVE-2025-66398 lets unauthenticated attackers achieve code execution on boat navigation servers. CVSS 9.6 vulnerability affects all versions before 2.19.0.

CVE-2025-13915 allows remote attackers to bypass authentication without credentials. Affects versions 10.0.8.0 through 10.0.8.5 and 10.0.11.0 used by major banks and airlines.

CVE-2025-54322 enables unauthenticated root RCE on SD-WAN appliances and edge routers. Vendor has ignored seven months of disclosure attempts. No patch available.

Singapore's CSA warns of a critical SmarterMail vulnerability allowing remote code execution through file upload without authentication. Patch immediately.

Federal agencies have until January 19 to patch CVE-2025-14847. Security researchers release open-source detection tool as attackers harvest credentials from exposed servers.

Company admits ChatGPT Atlas remains vulnerable to attacks that hijack AI agents through malicious web content. New defenses deployed, but fundamental risk persists.

CVE-2025-68664 scores CVSS 9.3 and enables secret extraction and prompt injection in LangChain Core. Patch immediately if you're running AI agents.

CVE-2025-14847 allows unauthenticated attackers to read server memory in low-complexity attacks. Multiple MongoDB versions affected.

CVE-2025-14174 and CVE-2025-43529 were exploited in sophisticated attacks before Apple's December 12 emergency patches across iOS, macOS, and Safari.

CISA adds WinRAR path traversal vulnerability to KEV catalog as Gamaredon, Bitter, and GOFFEE deploy it for espionage and wiper attacks across multiple continents.

CVE-2020-12812 allows attackers to bypass two-factor authentication on FortiGate devices by simply changing username case. Fortinet issued fresh advisory on December 25.

CVE-2025-68613 in the workflow automation platform scores CVSS 9.9 with public PoC code now available. Patch to version 1.122.0 immediately.

CVE-2025-40602 privilege escalation flaw combined with earlier vulnerability enables unauthenticated remote code execution on SonicWall appliances.

Critical out-of-bounds write vulnerability in WatchGuard Firebox firewalls under active exploitation with over 125,000 devices exposed online.

CVE-2025-55182 exploitation escalates as Weaxor ransomware operators use critical React Server Components flaw for initial access across 60+ organizations.

CVE-2025-59374 exploits compromised ASUS software distribution to deploy backdoors on consumer and enterprise systems worldwide.

Critical CVE-2025-20393 in Cisco Secure Email Gateway actively exploited by UAT-9686 threat actors deploying AquaShell backdoor since November.

CVE-2025-37164 allows unauthenticated remote code execution against HPE OneView infrastructure management platforms running versions prior to 11.00.

CVE-2025-66516 is a CVSS 10.0 XXE injection vulnerability in Apache Tika affecting Solr, Elasticsearch, and countless document processing systems.

Two critical CVSS 9.8 vulnerabilities in FortiGate devices are being actively exploited just days after patch release. Attackers targeting SSO authentication.