24h | 7d | 30d

CVE-2025-55182

Overview

  • Meta
  • react-server-dom-webpack
03 Dec 2025
Published
11 Dec 2025
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
62.33%
KEV

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Statistics

  • 2 Posts
Last activity: 4 hours ago

Fediverse

Profile picture
CrowdSec @CrowdSec

📝 New article by a CrowdSec Ambassador, Killian Prin-Abeil! 🎉

In this deep dive, Killian breaks down React2Shell (CVE-2025-55182), from how the RCE works in React Server Components to why Next.js apps are vulnerable by default.

He also explores how the community reacted in hours, with CrowdSec shipping a virtual patch and threat intel to reduce exposure immediately.

👉Read it here: crowdsec.net/blog/react2shell-

  • 0
  • 0
  • 0
  • 4h ago

Bluesky

Profile picture
CrowdSec @crowdsec.bsky.social
📝 New article by a CrowdSec Ambassador, Killian Prin-Abeil!  In this deep dive, he breaks down #React2Shell (CVE-2025-55182), from how the #RCE works in #React Server Components to why Next.js apps are vulnerable by default. 👉Read it here: www.crowdsec.net/blog/react2s...
  • 0
  • 0
  • 0
  • 5h ago

CVE-2025-59718

Overview

  • Fortinet
  • FortiOS
09 Dec 2025
Published
14 Jan 2026
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
2.27%
KEV

Description

A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.

Statistics

  • 2 Posts
Last activity: 3 hours ago

Fediverse

Profile picture
CERT.at @CERT_at

Aktuelle Neuigkeiten: Aktuelle Angriffswelle gegen CVE-2025-59718, Patches unzureichend
cert.at/de/aktuelles/2026/1/ak

  • 0
  • 0
  • 0
  • 4h ago
Profile picture
buherator @buherator
[reddit] Possible new SSO Exploit (CVE-2025-59718) on 7.4.9?

https://www.reddit.com/r/fortinet/comments/1qibdcb/possible_new_sso_exploit_cve202559718_on_749/

/via @Hetti

#Fortinet
  • 0
  • 0
  • 0
  • 3h ago

CVE-2026-21962

Overview

  • Oracle Corporation
  • Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in
20 Jan 2026
Published
20 Jan 2026
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
0.03%
KEV

Description

Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

Statistics

  • 2 Posts
Last activity: 1 hour ago

Fediverse

Profile picture
TheHackerWire @thehackerwire

🔴 CVE-2026-21962 - Critical (10)

Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that ar...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 17h ago
Profile picture
CyberNetsecIO @netsecio

📰 Oracle Issues Critical Patch for CVSS 10.0 Auth Bypass in WebLogic Server

🚨 CRITICAL PATCH: Oracle's January 2026 update fixes 337 flaws, including a CVSS 10.0 auth bypass (CVE-2026-21962) in WebLogic Server. This is remotely exploitable with no user interaction. Patch immediately! ⚠️ #Oracle #PatchTuesday #CVE

🔗 cyber.netsecops.io/articles/or

  • 0
  • 0
  • 0
  • 1h ago

CVE-2026-23745

Overview

  • isaacs
  • node-tar
16 Jan 2026
Published
20 Jan 2026
Updated
CVSS v4.0
HIGH (8.2)
EPSS
0.00%
KEV

Description

node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.

Statistics

  • 2 Posts
Last activity: 1 hour ago

Bluesky

Profile picture
IT-Connect @it-connect.bsky.social
⚠️ Node.js La bibliothèque node-tar (plus de 49 millions de téléchargements par semaine !) contient une faille de sécurité importante : CVE-2026-23745, score CVSS 8.2. Ce qu'il faut savoir 👇 - www.it-connect.fr/node-js-cve-... #infosec #cybersecurite #nodejs #dev #supplychain
  • 0
  • 0
  • 0
  • 1h ago
Profile picture
OpsMatters @opsmatters.com
The latest update for #Foresiet includes "CVE-2026-23745: A Deep Dive into the node-tar Arbitrary File Overwrite Vulnerability" and "Exploiting Monsta FTP: Technical Analysis of CVE-2025-34299". #cybersecurity #infosec https://opsmtrs.com/3J3CMGz
  • 0
  • 0
  • 0
  • 13h ago

CVE-2025-13878

Overview

  • ISC
  • BIND 9
21 Jan 2026
Published
21 Jan 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
Pending
KEV

Description

Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.

Statistics

  • 1 Post
  • 6 Interactions
Last activity: 2 hours ago

Fediverse

Profile picture
ISC.org @iscdotorg

Our January 2026 maintenance releases of BIND 9 are available and can be downloaded from the links below. Packages and container images provided by ISC will be updated later today.

In addition to bug fixes and feature improvements, these releases also contain fixes for a security vulnerability. More information can be found in the following Security Advisory:

kb.isc.org/docs/cve-2025-13878

Download software and release notes at: isc.org/download/

  • 3
  • 3
  • 0
  • 2h ago

CVE-2026-0629

Overview

  • TP-Link Systems Inc.
  • VIGI InSight Sx45 Series (S245/S345/S445)
16 Jan 2026
Published
17 Jan 2026
Updated
CVSS v4.0
HIGH (8.7)
EPSS
0.04%
KEV

Description

Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state. Attackers can gain full administrative access to the device, compromising configuration and network security.

Statistics

  • 1 Post
  • 3 Interactions
Last activity: 22 hours ago

Fediverse

Profile picture
Maik @maik

Eine kritische Sicherheitslücke CVE-2026-0629 erlaubt es Angreifern, Admin-Zugriff auf zahlreiche #TPLink Vigi-Überwachungskameras per Fernzugriff zu erlangen. golem.de/specials/tp-link/

  • 3
  • 0
  • 0
  • 22h ago

CVE-2026-0899

Overview

  • Google
  • Chrome
20 Jan 2026
Published
21 Jan 2026
Updated
CVSS
Pending
EPSS
0.07%
KEV

Description

Out of bounds memory access in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)

Statistics

  • 1 Post
  • 3 Interactions
Last activity: 22 hours ago

Fediverse

Profile picture
TheHackerWire @thehackerwire

🟠 CVE-2026-0899 - High (8.8)

Out of bounds memory access in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 2
  • 1
  • 0
  • 22h ago

CVE-2026-0907

Overview

  • Google
  • Chrome
20 Jan 2026
Published
20 Jan 2026
Updated
CVSS
Pending
EPSS
0.10%
KEV

Description

Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 22 hours ago

Fediverse

Profile picture
TheHackerWire @thehackerwire

🔴 CVE-2026-0907 - Critical (9.8)

Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 1
  • 0
  • 0
  • 22h ago

CVE-2025-14533

Overview

  • hwk-fr
  • Advanced Custom Fields: Extended
20 Jan 2026
Published
20 Jan 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
0.08%
KEV

Description

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 17 hours ago

Fediverse

Profile picture
Dark Web Informer :verified_paw: @DarkWebInformer

‼️CVE-2025-14533: The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1, exposing 100,000 sites.

CVSS: 9.8
CVE Published: January 20th, 2026
Bounty: $975.00

Advisory: github.com/advisories/GHSA-jm7

Writeup: wordfence.com/blog/2026/01/100

Description: The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field.

  • 1
  • 0
  • 0
  • 17h ago

CVE-2026-0610

Overview

  • Devolutions
  • Server
19 Jan 2026
Published
20 Jan 2026
Updated
CVSS
Pending
EPSS
0.03%
KEV

Description

SQL Injection vulnerability in remote-sessions in Devolutions Server.This issue affects Devolutions Server 2025.3.1 through 2025.3.12

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 22 hours ago

Fediverse

Profile picture
TheHackerWire @thehackerwire

🔴 CVE-2026-0610 - Critical (9.8)

SQL Injection vulnerability in remote-sessions in Devolutions Server.This issue affects Devolutions Server 2025.3.1 through 2025.3.12

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 1
  • 0
  • 0
  • 22h ago
Showing 1 to 10 of 52 CVEs