Overview

  • n8n-io
  • n8n

Published: 07 Jan 2026
Updated: 08 Jan 2026

CVSS v3.1: CRITICAL (10.0)
EPSS: 0.02%

KEV

Description

n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0.

Statistics

  • 4 Posts
  • 2 Interactions

Last activity: 20 hours ago

Bluesky

Scan results for n8n CVE-2026-21858 (CVSS 10.0 RCE) for 2026-01-09: 105,753 vulnerable instances by unique IP found - out of 230,562 IPs with n8n we see that day. Dashboard Tree Map view: dashboard.shadowserver.org/statistics/c... IP data in Vulnerable HTTP: www.shadowserver.org/what-we-do/n...
  • 0
  • 1
  • 0
  • 21h ago
Deconstructing the n8n Critical RCE (CVE-2026-21858) and the Death of Implicit Trust. www.linkedin.com/pulse/invisi...
  • 0
  • 1
  • 0
  • 20h ago
Thank you to Validin for the collaboration on the scan! Dashboard World Map view: dashboard.shadowserver.org/statistics/c... CVE-2026-21858 Tracker: dashboard.shadowserver.org/statistics/c... Advisory with patch info: github.com/n8n-io/n8n/s... NVD entry: nvd.nist.gov/vuln/detail/...
  • 0
  • 0
  • 0
  • 21h ago
The NI8MARE Nightmare: How a Perfect 100 CVSS in n8n Exposes Your Automation to Total Takeover + Video Introduction: A critical vulnerability, dubbed "NI8MARE" and tracked as CVE-2026-21858, has been disclosed in the popular workflow automation platform n8n, earning the maximum severity rating of…
  • 0
  • 0
  • 0
  • 20h ago

Overview

  • SmarterTools
  • SmarterMail

Published: 29 Dec 2025
Updated: 09 Jan 2026

CVSS v3.1: CRITICAL (10.0)
EPSS: 10.87%

KEV

Description

Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.

Statistics

  • 3 Posts
  • 2 Interactions

Last activity: 2 hours ago

Fediverse

watchTowr has published a technical analysis of a CVSS 10 pre-auth RCE vulnerability in SmarterTools' SmarterMail business email platform.

The vulnerability (CVE-2025-52691) was silently patched in Oct and publicly disclosed only a few months later in Dec.

labs.watchtowr.com/do-smart-pe

  • 1
  • 1
  • 1
  • 2h ago

Bluesky

📢 SmarterMail: pre-auth RCE (CVE-2025-52691) via an unauthenticated upload endpoint and path traversal 📝 According to a techn… https://cyberveille.ch/posts/2026-01-10-smartermail-rce-pre-auth-cve-2025-52691-via-endpoint-dupload-non-authentifie-et-traversee-de-chemin/ #CVE_2025_52691 #Cyberveille
  • 0
  • 0
  • 0
  • 19h ago

Overview

  • parallax
  • jsPDF

Published: 05 Jan 2026
Updated: 06 Jan 2026

CVSS v4.0: CRITICAL (9.2)
EPSS: 0.08%

KEV

Description

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are `addImage`, `html`, and `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access per default. This semver-major update does not introduce other breaking changes. Some workarounds are available. With recent node versions, jsPDF recommends using the `--permission` flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. For older node versions, sanitize user-provided paths before passing them to jsPDF.

Statistics

  • 1 Post
  • 4 Interactions

Last activity: 15 hours ago

Fediverse

❗️CVE-2025-68428: Critical Path Traversal in jsPDF

GitHub: github.com/12nio/CVE-2025-6842

CVSS: 9.2
CVE Published: January 5th, 2026
Exploit Published: January 8th, 2026

News source: bleepingcomputer.com/news/secu

  • 3
  • 1
  • 0
  • 15h ago

Overview

  • Airoha Technology Corp.
  • AB156x, AB157x, AB158x, AB159x series, AB1627

Published: 04 Aug 2025
Updated: 05 Aug 2025

CVSS: Pending
EPSS: 0.04%

KEV

Description

In the Airoha Bluetooth audio SDK, there is a possible permission bypass that allows access to critical data of the RACE protocol through a Bluetooth LE GATT service. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 5 hours ago

Bluesky

Airoha Bluetooth RACE vulnerabilities (CVE-2025-20700/20701/20702) Blog post: insinuator.net/2025/12/blue... White paper: static.ernw.de/whitepaper/E... Credits Dennis Heinze, Frieder Steinmetz #infosec #bluetooth
  • 0
  • 2
  • 0
  • 5h ago

Overview

  • Meta
  • react-server-dom-webpack

Published: 03 Dec 2025
Updated: 11 Dec 2025

CVSS v3.1: CRITICAL (10.0)
EPSS: 53.46%

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 16 hours ago

Fediverse

⚠️ If you are running Next.js, you need to see this.

The "React2Shell" vulnerability (CVE-2025-55182) is currently making waves, and for good reason. Unauthenticated RCE on default configurations is about as critical as it gets for modern web frameworks.

If you haven't audited your versions yet, do it now.

See the full technical breakdown: 👉 cvedatabase.com/cve/CVE-2025-5

#AppSec #ReactJS #NextJS #CyberSecurity #RCE #DevOps

  • 0
  • 2
  • 0
  • 16h ago

Overview

  • Google
  • Chrome

Published: 06 Jan 2026
Updated: 08 Jan 2026

CVSS: Pending
EPSS: 0.02%

KEV

Description

Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High)

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 3 hours ago

Bluesky

🚨 Attention #Fedora Users! A critical security update is available for your Chromium browser. Version 143.0.7499.192 patches a high-severity vulnerability (CVE-2026-0628) that could let malicious sites bypass security rules. Read more: 👉 tinyurl.com/3xk6ta5d #Security
  • 0
  • 1
  • 0
  • 3h ago

Overview

  • adonisjs
  • core

Published: 02 Jan 2026
Updated: 05 Jan 2026

CVSS v4.0: CRITICAL (9.2)
EPSS: 0.32%

KEV

Description

AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 16 hours ago

Fediverse

❗️CVE-2026-21440: A critical path traversal vulnerability affecting the AdonisJS framework, specifically its multipart file upload handling.

PoC Exploit: github.com/Ashwesker/Ashwesker

▪️CVSS: 9.2
▪️CVE Published: January 2nd, 2026
▪️Exploit Published: January 5th, 2026

Details:

AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6.

  • 0
  • 1
  • 0
  • 16h ago

Overview

  • Vito Peleg
  • Atarim
  • atarim-visual-collaboration

Published: 06 Nov 2025
Updated: 17 Nov 2025

CVSS: Pending
EPSS: 10.74%

KEV

Description

Insertion of Sensitive Information Into Sent Data vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Retrieve Embedded Sensitive Data. This issue affects Atarim: from n/a through <= 4.2.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 17 hours ago

Fediverse

❗️CVE-2025-60188: Atarim Plugin PoC Exploit

GitHub: github.com/m4sh-wacker/CVE-202

  • 0
  • 1
  • 0
  • 17h ago

Overview

  • The Tcpdump Group
  • libpcap

Published: 31 Dec 2025
Updated: 02 Jan 2026

CVSS v3.1: LOW (1.9)
EPSS: 0.02%

KEV

Description

pcap_ether_aton() is an auxiliary function in libpcap; it takes a string argument and returns a fixed-size allocated buffer. The string argument must be a well-formed MAC-48 address in one of the supported formats, but this requirement has been poorly documented. If an application calls the function with an argument that deviates from the expected format, the function can read data beyond the end of the provided string and write data beyond the end of the allocated buffer.

Statistics

  • 1 Post

Last activity: 20 hours ago

Bluesky

🚨 THREAD: Critical libpcap vulnerability CVE-2025-11961 threatens network security infrastructure. Read more: 👉 tinyurl.com/wurd46hn #Security #Mageia
  • 0
  • 0
  • 0
  • 20h ago

Overview

  • coreruleset
  • coreruleset

Published: 08 Jan 2026
Updated: 08 Jan 2026

CVSS v3.1: CRITICAL (9.3)
EPSS: 0.03%

KEV

Description

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.

Statistics

  • 1 Post

Last activity: Last hour

Bluesky

📌 Critical WAF Bypass Vulnerability (CVE-2026-21876) Affects OWASP ModSecurity and Coraza https://www.cyberhub.blog/article/17896-critical-waf-bypass-vulnerability-cve-2026-21876-affects-owasp-modsecurity-and-coraza
  • 0
  • 0
  • 0
  • Last hour
Showing 1 to 10 of 28 CVEs