
Overview

  • SmarterTools
  • SmarterMail

29 Dec 2025
Published
09 Jan 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
10.87%

KEV

Description

Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.

Statistics

  • 3 Posts
  • 5 Interactions

Last activity: 6 hours ago

Fediverse


watchTowr has published a technical analysis of a CVSS 10 pre-auth RCE vulnerability in SmarterTools' SmarterMail business email platform.

The vulnerability (CVE-2025-52691) was silently patched in Oct and publicly disclosed only a few months later in Dec.

labs.watchtowr.com/do-smart-pe

  • 3
  • 2
  • 1
  • 10h ago

Bluesky

📌 Critical Pre-Auth RCE Vulnerability in SmarterMail (CVE-2025-52691) Disclosed by watchTowr Labs https://www.cyberhub.blog/article/17899-critical-pre-auth-rce-vulnerability-in-smartermail-cve-2025-52691-disclosed-by-watchtowr-labs
  • 0
  • 0
  • 0
  • 6h ago

Overview

  • parallax
  • jsPDF

05 Jan 2026
Published
06 Jan 2026
Updated

CVSS v4.0
CRITICAL (9.2)
EPSS
0.08%

KEV

Description

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are `addImage`, `html`, and `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access by default. This semver-major update does not introduce other breaking changes. Some workarounds are available. With recent node versions, jsPDF recommends using the `--permission` flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. For older node versions, sanitize user-provided paths before passing them to jsPDF.

Statistics

  • 1 Post
  • 4 Interactions

Last activity: 22 hours ago

Fediverse


โ—๏ธCVE-2025-68428: Critical Path Traversal in jsPDF

GitHub: github.com/12nio/CVE-2025-6842

CVSS: 9.2
CVE Published: January 5th, 2026
Exploit Published: January 8th, 2026

News source: bleepingcomputer.com/news/secu

  • 3
  • 1
  • 0
  • 22h ago

Overview

  • Airoha Technology Corp.
  • AB156x, AB157x, AB158x, AB159x series, AB1627

04 Aug 2025
Published
05 Aug 2025
Updated

CVSS
Pending
EPSS
0.04%

KEV

Description

In the Airoha Bluetooth audio SDK, there is a possible permission bypass that allows access to critical data of the RACE protocol through a Bluetooth LE GATT service. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 12 hours ago

Bluesky

Airoha Bluetooth RACE vulnerabilities (CVE-2025-20700/20701/20702) Blog post: insinuator.net/2025/12/blue... White paper: static.ernw.de/whitepaper/E... Credits Dennis Heinze, Frieder Steinmetz #infosec #bluetooth
  • 0
  • 2
  • 0
  • 12h ago

Overview

  • Meta
  • react-server-dom-webpack

03 Dec 2025
Published
11 Dec 2025
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
53.46%

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 23 hours ago

Fediverse


โš ๏ธ If you are running Next.js, you need to see this.

The "React2Shell" vulnerability (CVE-2025-55182) is currently making waves, and for good reason. Unauthenticated RCE on default configurations is about as critical as it gets for modern web frameworks.

If you haven't audited your versions yet, do it now.

See the full technical breakdown: 👉 cvedatabase.com/cve/CVE-2025-5

#AppSec #ReactJS #NextJS #CyberSecurity #RCE #DevOps

  • 0
  • 2
  • 0
  • 23h ago

Overview

  • Google
  • Chrome

06 Jan 2026
Published
08 Jan 2026
Updated

CVSS
Pending
EPSS
0.02%

KEV

Description

Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High)

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 11 hours ago

Bluesky

🚨 Attention #Fedora Users! A critical security update is available for your Chromium browser. Version 143.0.7499.192 patches a high-severity vulnerability (CVE-2026-0628) that could let malicious sites bypass security rules. Read more: 👉 tinyurl.com/3xk6ta5d #Security
  • 0
  • 1
  • 0
  • 11h ago

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 7 hours ago

Fediverse


I'm not exactly sure why I'm doing this on a Sunday, and the hard work was done by others, but there you go; proposed fix for CVE-2026-0716. gitlab.gnome.org/GNOME/libsoup

  • 0
  • 1
  • 0
  • 7h ago

Overview

  • Pending

14 Mar 2022
Published
07 Oct 2024
Updated

CVSS
Pending
EPSS
0.52%

KEV

Description

The Rambus SafeZone Basic Crypto Module before 10.4.0, as used in certain Fujifilm (formerly Fuji Xerox) devices before 2022-03-01, Canon imagePROGRAF and imageRUNNER devices through 2022-03-14, and potentially many other devices, generates RSA keys that can be broken with Fermat's factorization method. This allows efficient calculation of private RSA keys from the public key of a TLS certificate.

Statistics

  • 1 Post

Last activity: 9 hours ago

Fediverse


Lately there has been someone on Threads claiming to have cracked RSA-2048, so I read their post carefully from start to finish.

I then considered, without any code, whether it is conceptually possible. This person's argument is all over the place, so summarized cleanly in one line it comes to this:

"The closer the distance d in d = |q - p| gets to 0, the higher the chance that RSA can be broken."

And that is roughly true.

The closer the distance, the more feasible an attack using Fermat's factorization becomes, and there are official CVEs related to this (e.g. CVE-2022-26320).

For reference, it is nothing difficult; it is one of the multiplication formulas from high-school math.

For RSA-2048 it is practically impossible, while at the RSA-256 level it may be possible. (For RSA-2048 it is possible only when specific conditions are met.)

Looking at the code posted by the person claiming to have solved RSA-2048, it simply stores q, feeds it into n mod q to check whether the result is 0, and derives p from that.

Think of it as just playing around with the answer key.

  • 0
  • 0
  • 0
  • 9h ago

Overview

  • UTT
  • ่ฟ›ๅ– 520W

11 Jan 2026
Published
11 Jan 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.04%

KEV

Description

A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. Affected by this vulnerability is the function strcpy of the file /goform/formConfigNoticeConfig. The manipulation of the argument timestart leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistics

  • 1 Post

Last activity: 17 hours ago

Fediverse


🟠 CVE-2026-0840 - High (8.8)

A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. Affected by this vulnerability is the function strcpy of the file /goform/formConfigNoticeConfig. The manipulation of the argument timestart leads to buffer overflow. It i...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 17h ago

Overview

  • UTT
  • ่ฟ›ๅ– 520W

11 Jan 2026
Published
11 Jan 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.04%

KEV

Description

A vulnerability was detected in UTT 进取 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formPictureUrl. The manipulation of the argument importpictureurl results in buffer overflow. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse


🟠 CVE-2026-0841 - High (8.8)

A vulnerability was detected in UTT 进取 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formPictureUrl. The manipulation of the argument importpictureurl results in buffer overflow. It is possible to launch ...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 15h ago

Overview

  • libsodium
  • libsodium

31 Dec 2025
Published
07 Jan 2026
Updated

CVSS v3.1
MEDIUM (4.5)
EPSS
0.02%

KEV

Description

libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.

Statistics

  • 1 Post

Last activity: 12 hours ago

Bluesky

🚨 CVE-2025-69277: Critical libsodium validation flaw impacts #Fedora42. Affects Ed25519 sig verification. Data integrity & disclosure risk. Read more: 👉 tinyurl.com/3nypjx8s #Security
  • 0
  • 0
  • 0
  • 12h ago