
Overview

  • Meta
  • react-server-dom-webpack

03 Dec 2025
Published
11 Dec 2025
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
62.33%

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Statistics

  • 2 Posts

Last activity: 4 hours ago

Fediverse


📝 New article by a CrowdSec Ambassador, Killian Prin-Abeil! 🎉

In this deep dive, Killian breaks down React2Shell (CVE-2025-55182), from how the RCE works in React Server Components to why Next.js apps are vulnerable by default.

He also explores how the community reacted in hours, with CrowdSec shipping a virtual patch and threat intel to reduce exposure immediately.

👉Read it here: crowdsec.net/blog/react2shell-

Posted 4h ago

Bluesky

📝 New article by a CrowdSec Ambassador, Killian Prin-Abeil!  In this deep dive, he breaks down #React2Shell (CVE-2025-55182), from how the #RCE works in #React Server Components to why Next.js apps are vulnerable by default. 👉Read it here: www.crowdsec.net/blog/react2s...
Posted 5h ago

Overview

  • Fortinet
  • FortiOS

09 Dec 2025
Published
14 Jan 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
2.27%

Description

An improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, and FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.

Statistics

  • 2 Posts

Last activity: 3 hours ago

Fediverse


Latest news: Current wave of attacks against CVE-2025-59718, patches insufficient
cert.at/de/aktuelles/2026/1/ak

Posted 4h ago

Overview

  • Oracle Corporation
  • Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in

20 Jan 2026
Published
20 Jan 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
0.03%

KEV

Description

Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

Statistics

  • 2 Posts

Last activity: 1 hour ago

Fediverse


🔴 CVE-2026-21962 - Critical (10)

Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that ar...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Posted 17h ago

📰 Oracle Issues Critical Patch for CVSS 10.0 Auth Bypass in WebLogic Server

🚨 CRITICAL PATCH: Oracle's January 2026 update fixes 337 flaws, including a CVSS 10.0 auth bypass (CVE-2026-21962) in WebLogic Server. This is remotely exploitable with no user interaction. Patch immediately! ⚠️ #Oracle #PatchTuesday #CVE

🔗 cyber.netsecops.io/articles/or

Posted 1h ago

Overview

  • isaacs
  • node-tar

16 Jan 2026
Published
20 Jan 2026
Updated

CVSS v4.0
HIGH (8.2)
EPSS
0.00%

KEV

Description

node-tar is a tar implementation for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.

Statistics

  • 2 Posts

Last activity: 1 hour ago

Bluesky

⚠️ Node.js The node-tar library (over 49 million downloads per week!) contains a significant security flaw: CVE-2026-23745, CVSS score 8.2. What you need to know 👇 - www.it-connect.fr/node-js-cve-... #infosec #cybersecurite #nodejs #dev #supplychain
Posted 1h ago
The latest update for #Foresiet includes "CVE-2026-23745: A Deep Dive into the node-tar Arbitrary File Overwrite Vulnerability" and "Exploiting Monsta FTP: Technical Analysis of CVE-2025-34299". #cybersecurity #infosec https://opsmtrs.com/3J3CMGz
Posted 13h ago

Overview

  • ISC
  • BIND 9

21 Jan 2026
Published
21 Jan 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
Pending

KEV

Description

Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.

Statistics

  • 1 Post
  • 6 Interactions

Last activity: 2 hours ago

Fediverse


Our January 2026 maintenance releases of BIND 9 are available and can be downloaded from the links below. Packages and container images provided by ISC will be updated later today.

In addition to bug fixes and feature improvements, these releases also contain fixes for a security vulnerability. More information can be found in the following Security Advisory:

kb.isc.org/docs/cve-2025-13878

Download software and release notes at: isc.org/download/

Posted 2h ago

Overview

  • TP-Link Systems Inc.
  • VIGI InSight Sx45 Series (S245/S345/S445)

16 Jan 2026
Published
17 Jan 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.04%

KEV

Description

Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state. Attackers can gain full administrative access to the device, compromising configuration and network security.

Statistics

  • 1 Post
  • 3 Interactions

Last activity: 22 hours ago

Fediverse


A critical security vulnerability, CVE-2026-0629, allows attackers to gain admin access to numerous #TPLink Vigi surveillance cameras remotely. golem.de/specials/tp-link/

Posted 22h ago

Overview

  • Google
  • Chrome

20 Jan 2026
Published
21 Jan 2026
Updated

CVSS
Pending
EPSS
0.07%

KEV

Description

Out of bounds memory access in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)

Statistics

  • 1 Post
  • 3 Interactions

Last activity: 22 hours ago

Fediverse


🟠 CVE-2026-0899 - High (8.8)

Out of bounds memory access in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Posted 22h ago

Overview

  • Google
  • Chrome

20 Jan 2026
Published
20 Jan 2026
Updated

CVSS
Pending
EPSS
0.10%

KEV

Description

Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 22 hours ago

Fediverse


🔴 CVE-2026-0907 - Critical (9.8)

Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Posted 22h ago

Overview

  • hwk-fr
  • Advanced Custom Fields: Extended

20 Jan 2026
Published
20 Jan 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.08%

KEV

Description

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 17 hours ago

Fediverse


‼️CVE-2025-14533: The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1, exposing 100,000 sites.

CVSS: 9.8
CVE Published: January 20th, 2026
Bounty: $975.00

Advisory: github.com/advisories/GHSA-jm7

Writeup: wordfence.com/blog/2026/01/100

Description: The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field.

Posted 17h ago

Overview

  • Devolutions
  • Server

19 Jan 2026
Published
20 Jan 2026
Updated

CVSS
Pending
EPSS
0.03%

KEV

Description

SQL Injection vulnerability in remote-sessions in Devolutions Server. This issue affects Devolutions Server 2025.3.1 through 2025.3.12.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 22 hours ago

Fediverse


🔴 CVE-2026-0610 - Critical (9.8)

SQL Injection vulnerability in remote-sessions in Devolutions Server. This issue affects Devolutions Server 2025.3.1 through 2025.3.12

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Posted 22h ago