Overview

  • MongoDB Inc.
  • MongoDB Server

19 Dec 2025
Published
31 Dec 2025
Updated

CVSS v4.0
HIGH (8.7)
EPSS
68.32%

Description

Mismatched length fields in Zlib-compressed protocol headers may allow an unauthenticated client to read uninitialized heap memory. This issue affects MongoDB Server v7.0 versions prior to 7.0.28, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.

Statistics

  • 4 Posts
  • 1 Interaction

Last activity: 2 hours ago

Fediverse

thehackernews.com/2025/12/mong - a #MongoDB #CVE allows unauthenticated users access to unused memory. Think Heartbleed for Mongo. #security

  • 0
  • 0
  • 0
  • 10h ago

Bluesky

> Notice: CyberNewsFlash "Regarding the information disclosure vulnerability in MongoDB (CVE-2025-14847)" https://www.jpcert.or.jp/newsflash/2026010601.html
  • 1
  • 0
  • 0
  • 17h ago
The security flaw, designated CVE-2025-14847 and dubbed "MongoBleed," allows remote attackers to extract cleartext credentials, authentication tokens, and sensitive customer data from server memory without any authentication.
  • 0
  • 0
  • 0
  • 9h ago
Related: Regarding the information disclosure vulnerability in MongoDB (CVE-2025-14847) https://www.jpcert.or.jp/newsflash/2026010601.html
  • 0
  • 0
  • 0
  • 2h ago

Overview

  • n8n-io
  • n8n

26 Dec 2025
Published
05 Jan 2026
Updated

CVSS v3.1
CRITICAL (9.9)
EPSS
0.10%

KEV

Description

n8n is an open source workflow automation platform. From version 1.0.0 to before 2.0.0, a sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process. This issue has been patched in version 2.0.0. Workarounds for this issue involve disabling the Code Node by setting the environment variable NODES_EXCLUDE: "[\"n8n-nodes-base.code\"]", disabling Python support in the Code node by setting the environment variable N8N_PYTHON_ENABLED=false, which was introduced in n8n version 1.104.0, and configuring n8n to use the task runner based Python sandbox via the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables.

Statistics

  • 4 Posts

Last activity: 10 hours ago

Fediverse

Critical n8n vulnerability (CVE-2025-68668, CVSS 9.9) enables authenticated arbitrary command execution via the Code Node.

Patch released: mitigations include disabling the node or using the task-runner Python sandbox.

technadu.com/critical-new-vuln

Are automation platforms getting enough security scrutiny?

  • 0
  • 0
  • 0
  • 13h ago

Bluesky

Critical n8n flaw discovered (CVE-2025-68668, CVSS 9.9). Authenticated users can execute arbitrary system commands on the host. Patch is out - updating is strongly advised. How do you secure automation tools in production? #CyberSecurity #n8n #CVE #Automation
  • 0
  • 0
  • 0
  • 13h ago
The vulnerability, tracked as CVE-2025-68668, is rated 9.9 on the CVSS scoring system. It has been described as a case of a protection mechanism failure. Cyera Research Labs' Vladimir Tokarev and Ofek Itach have been credited with discovering and reporting the flaw.
  • 0
  • 0
  • 0
  • 11h ago
n8n Sandbox Escape: How CVE-2025-68668 Turns Workflows into Weapons
  • 0
  • 0
  • 0
  • 10h ago

Overview

  • parallax
  • jsPDF

05 Jan 2026
Published
06 Jan 2026
Updated

CVSS v4.0
CRITICAL (9.2)
EPSS
0.06%

KEV

Description

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve the contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are `addImage`, `html`, and `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access by default. This semver-major update does not introduce other breaking changes. Some workarounds are available. With recent node versions, jsPDF recommends using the `--permission` flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. For older node versions, sanitize user-provided paths before passing them to jsPDF.

Statistics

  • 3 Posts

Last activity: 3 hours ago

Bluesky

CVE-2025-68428: Critical Flaw in jsPDF Library Allows Server-Side File Theft
  • 0
  • 0
  • 0
  • 19h ago
CVE-2025-68428: A critical flaw in the jsPDF library makes server-side file theft possible CVE-2025-68428: Critical Flaw in jsPDF Library Allows Server-Side File Theft #DailyCyberSecurity (Jan 6) securityonline.info/cve-2025-684...
  • 0
  • 0
  • 0
  • 3h ago
AdonisJS Bodyparser has a critical flaw (CVE-2026-21440, CVSS 9.2) allowing arbitrary file write on servers. Update "@adonisjs/bodyparser" to the latest version. Unsanitized filenames in MultipartFile.move() can lead to path traversal. jsPDF npm library also has a similar flaw (CVE-2025-68428).
  • 0
  • 0
  • 0
  • 11h ago

Overview

  • adonisjs
  • core

02 Jan 2026
Published
05 Jan 2026
Updated

CVSS v4.0
CRITICAL (9.2)
EPSS
0.24%

KEV

Description

AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6.

Statistics

  • 3 Posts

Last activity: 4 hours ago

Bluesky

Unpatched Servers at Risk: The Critical AdonisJS Bodyparser Vulnerability (CVE-2026-21440) & How to Secure Your Nodejs Stack Now + Video Introduction: A critical path traversal vulnerability in the AdonisJS `@adonisjs/bodyparser` package, tracked as CVE-2026-21440 with a CVSS score of 9.2,…
  • 0
  • 0
  • 0
  • 17h ago
📌 Critical Path Traversal Vulnerability in AdonisJS Bodyparser Package (CVE-2026-21440) https://www.cyberhub.blog/article/17701-critical-path-traversal-vulnerability-in-adonisjs-bodyparser-package-cve-2026-21440
  • 0
  • 0
  • 0
  • 4h ago
AdonisJS Bodyparser has a critical flaw (CVE-2026-21440, CVSS 9.2) allowing arbitrary file write on servers. Update "@adonisjs/bodyparser" to the latest version. Unsanitized filenames in MultipartFile.move() can lead to path traversal. jsPDF npm library also has a similar flaw (CVE-2025-68428).
  • 0
  • 0
  • 0
  • 11h ago

Overview

  • TRENDnet
  • TEW-713RE

06 Jan 2026
Published
06 Jan 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
Pending

KEV

Description

A vulnerability was detected in TRENDnet TEW-713RE 1.02. The impacted element is an unknown function of the file /goformX/formFSrvX. The manipulation of the argument SZCMD results in OS command injection. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistics

  • 2 Posts
  • 2 Interactions

Last activity: 1 hour ago

Fediverse

🔴 CVE-2025-15471 - Critical (9.8)

A vulnerability was detected in TRENDnet TEW-713RE 1.02. The impacted element is an unknown function of the file /goformX/formFSrvX. The manipulation of the argument SZCMD results in os command injection. It is possible to launch the attack remote...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda

  • 0
  • 0
  • 0
  • 1h ago

Overview

  • Microsoft
  • Windows 10 Version 1809

08 Jul 2025
Published
23 Aug 2025
Updated

CVSS v3.1
HIGH (7.8)
EPSS
0.08%

KEV

Description

Heap-based buffer overflow in Windows Cred SSProvider Protocol allows an authorized attacker to elevate privileges locally.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 9 hours ago

Fediverse

[RSS] Micropatches Released for Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability (CVE-2025-47987)

https://blog.0patch.com/2026/01/micropatches-released-for-credential.html
  • 0
  • 0
  • 0
  • 9h ago

Bluesky

[RSS] Micropatches Released for Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability (CVE-2025-47987) blog.0patch.com -> Original->
  • 0
  • 1
  • 0
  • 9h ago

Overview

  • IBM
  • API Connect

26 Dec 2025
Published
06 Jan 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.37%

KEV

Description

IBM API Connect 10.0.8.0 through 10.0.8.5, and 10.0.11.0 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application.

Statistics

  • 3 Posts

Last activity: 7 hours ago

Fediverse

The Cyber Security Agency of Singapore has issued an alert for a critical vulnerability (CVE-2025-13915) in IBM API Connect, which allows for authentication bypass and has a CVSS score of 9.8. IBM has released fixes for affected versions, and while there's no evidence of active exploitation, immediate remediation is strongly recommended.
cyble.com/blog/cve-2025-13915-

  • 0
  • 0
  • 1
  • 15h ago

Bluesky

📢 Critical alert: CVE-2025-13915 in IBM API Connect (authentication bypass, CVSS 9.8) 📝 According to Cyble, the cybersecur… https://cyberveille.ch/posts/2026-01-06-alerte-critique-cve-2025-13915-dans-ibm-api-connect-contournement-dauthentification-cvss-98/ #CVE_2025_13915 #Cyberveille
  • 0
  • 0
  • 0
  • 7h ago

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 13 Interactions

Last activity: 9 hours ago

Fediverse

Another perfect 10 in n8n? LMFAO. 🥳

github.com/n8n-io/n8n/security

Edit to add the link to the CVE. It's not published at this time though.

cve.org/CVERecord?id=CVE-2026-

  • 7
  • 6
  • 0
  • 9h ago

Overview

  • Pending

06 Jan 2026
Published
06 Jan 2026
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

An issue in the H3C M102G HM1A0V200R010 wireless controller and BA1500L SWBA1A0V100R006 wireless access point: a misconfiguration of vsftpd causes all files uploaded anonymously via the FTP protocol to be automatically owned by the root user, so remote attackers could gain root-level control over the devices.

Statistics

  • 2 Posts
  • 2 Interactions

Last activity: 10 hours ago

Fediverse

🔴 CVE-2025-60262 - Critical (9.8)

An issue in H3C M102G HM1A0V200R010 wireless controller and BA1500L SWBA1A0V100R006 wireless access point, there is a misconfiguration vulnerability about vsftpd. Through this vulnerability, all files uploaded anonymously via the FTP protocol is a...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda

  • 0
  • 0
  • 0
  • 10h ago

Overview

  • Tenda
  • AC23

06 Jan 2026
Published
06 Jan 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
Pending

KEV

Description

A weakness has been identified in Tenda AC23 16.03.07.52. This affects the function sscanf of the file /goform/PowerSaveSet. Executing a manipulation of the argument Time can lead to buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.

Statistics

  • 2 Posts
  • 2 Interactions

Last activity: 10 hours ago

Fediverse

🟠 CVE-2026-0640 - High (8.8)

A weakness has been identified in Tenda AC23 16.03.07.52. This affects the function sscanf of the file /goform/PowerSaveSet. Executing a manipulation of the argument Time can lead to buffer overflow. The attack can be launched remotely. The exploi...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda

  • 0
  • 0
  • 0
  • 10h ago
Showing 1 to 10 of 92 CVEs