CVE-2025-14847

Overview

MongoDB Inc.
MongoDB Server

19 Dec 2025

Published

31 Dec 2025

Updated

CVSS v4.0

HIGH (8.7)

EPSS

68.32%

MITRE

KEV

Description

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.

Statistics

4 Posts
1 Interaction

Last activity: Last hour

Fediverse

robrich @robrich

https://thehackernews.com/2025/12/mongodb-vulnerability-cve-2025-14847.html - a #MongoDB #CVE allows unauthenticated users access to unused memory. Think Heartbleed for Mongo. #security

0
0
0
8h ago

Bluesky

Spiegel's crawler @osanpo.bsky.social

＞お知らせ：CyberNewsFlash「MongoDBにおける情報漏えいの脆弱性（CVE-2025-14847）について」 https://www.jpcert.or.jp/newsflash/2026010601.html

1
0
0
15h ago

guardian360.bsky.social @guardian360.bsky.social

The security flaw, designated CVE-2025-14847 and dubbed "MongoBleed," allows remote attackers to extract cleartext credentials, authentication tokens, and sensitive customer data from server memory without any authentication.

0
0
0
7h ago

tamosan @tamosan.bsky.social

関連：MongoDBにおける情報漏えいの脆弱性（CVE-2025-14847）について https://www.jpcert.or.jp/newsflash/2026010601.html

0
0
0
Last hour

CVE-2025-68668

Overview

n8n-io
n8n

26 Dec 2025

Published

05 Jan 2026

Updated

CVSS v3.1

CRITICAL (9.9)

EPSS

0.10%

MITRE

KEV

Description

n8n is an open source workflow automation platform. From version 1.0.0 to before 2.0.0, a sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process. This issue has been patched in version 2.0.0. Workarounds for this issue involve disabling the Code Node by setting the environment variable NODES_EXCLUDE: "[\"n8n-nodes-base.code\"]", disabling Python support in the Code node by setting the environment variable N8N_PYTHON_ENABLED=false, which was introduced in n8n version 1.104.0, and configuring n8n to use the task runner based Python sandbox via the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables.

Statistics

4 Posts

Last activity: 7 hours ago

Fediverse

TechNadu @technadu

Critical n8n vulnerability (CVE-2025-68668, CVSS 9.9) enables authenticated arbitrary command execution via the Code Node.

Patch released: mitigations include disabling the node or using the task-runner Python sandbox.

https://www.technadu.com/critical-new-vulnerability-in-automation-platform-n8n-allows-arbitrary-command-execution/617646/

Are automation platforms getting enough security scrutiny?

#InfoSec #CVE #n8n #DevSecOps #AutomationSecurity

0
0
0
10h ago

Bluesky

TechNadu @technadu.com

Critical n8n flaw discovered (CVE-2025-68668, CVSS 9.9). Authenticated users can execute arbitrary system commands on the host. Patch is out - updating is strongly advised. How do you secure automation tools in production? #CyberSecurity #n8n #CVE #Automation

0
0
0
10h ago

guardian360.bsky.social @guardian360.bsky.social

The vulnerability, tracked as CVE-2025-68668, is rated 9.9 on the CVSS scoring system. It has been described as a case of a protection mechanism failure. Cyera Research Labs' Vladimir Tokarev and Ofek Itach have been credited with discovering and reporting the flaw.

0
0
0
8h ago

CrowdCyber @crowdcyber.bsky.social

n8n Sandbox Escape: How CVE-2025-68668 Turns Workflows into Weapons

0
0
0
7h ago

CVE-2025-68428

Overview

parallax
jsPDF

05 Jan 2026

Published

06 Jan 2026

Updated

CVSS v4.0

CRITICAL (9.2)

EPSS

0.06%

MITRE

KEV

Description

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are `addImage`, `html`, and `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access per default. This semver-major update does not introduce other breaking changes. Some workarounds areavailable. With recent node versions, jsPDF recommends using the `--permission` flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. For older node versions, sanitize user-provided paths before passing them to jsPDF.

Statistics

3 Posts

Last activity: Last hour

Bluesky

CrowdCyber @crowdcyber.bsky.social

CVE-2025-68428: Critical Flaw in jsPDF Library Allows Server-Side File Theft

0
0
0
16h ago

キタきつね @kitafox.bsky.social

CVE-2025-68428: jsPDFライブラリの重大な欠陥により、サーバー側でファイルの盗難が可能になる CVE-2025-68428: Critical Flaw in jsPDF Library Allows Server-Side File Theft #DailyCyberSecurity (Jan 6) securityonline.info/cve-2025-684...

0
0
0
Last hour

JF_0x01 @jfreeg.bsky.social

AdonisJS Bodyparser has a critical flaw (CVE-2026-21440, CVSS 9.2) allowing arbitrary file write on servers. Update "@adonisjs/bodyparser" to the latest version. Unsanitized filenames in MultipartFile.move() can lead to path traversal. jsPDF npm library also has a similar flaw (CVE-2025-68428).

0
0
0
9h ago

CVE-2026-21440

Overview

adonisjs
core

02 Jan 2026

Published

05 Jan 2026

Updated

CVSS v4.0

CRITICAL (9.2)

EPSS

0.24%

MITRE

KEV

Description

AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6.

Statistics

3 Posts

Last activity: 2 hours ago

Bluesky

Undercode Testing @undercode.bsky.social

Unpatched Servers at Risk: The Critical AdonisJS Bodyparser Vulnerability (CVE-2026-21440) & How to Secure Your Nodejs Stack Now + Video Introduction: A critical path traversal vulnerability in the AdonisJS `@adonisjs/bodyparser` package, tracked as CVE-2026-21440 with a CVSS score of 9.2,…

0
0
0
14h ago

CyberHub @cyberhub.blog

📌 Critical Path Traversal Vulnerability in AdonisJS Bodyparser Package (CVE-2026-21440) https://www.cyberhub.blog/article/17701-critical-path-traversal-vulnerability-in-adonisjs-bodyparser-package-cve-2026-21440

0
0
0
2h ago

JF_0x01 @jfreeg.bsky.social

AdonisJS Bodyparser has a critical flaw (CVE-2026-21440, CVSS 9.2) allowing arbitrary file write on servers. Update "@adonisjs/bodyparser" to the latest version. Unsanitized filenames in MultipartFile.move() can lead to path traversal. jsPDF npm library also has a similar flaw (CVE-2025-68428).

0
0
0
9h ago

CVE-2025-47987

Overview

Microsoft
Windows 10 Version 1809

08 Jul 2025

Published

23 Aug 2025

Updated

CVSS v3.1

HIGH (7.8)

EPSS

0.08%

MITRE

KEV

Description

Heap-based buffer overflow in Windows Cred SSProvider Protocol allows an authorized attacker to elevate privileges locally.

Statistics

2 Posts
1 Interaction

Last activity: 7 hours ago

Fediverse

buherator @buherator

[RSS] Micropatches Released for Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability (CVE-2025-47987)

https://blog.0patch.com/2026/01/micropatches-released-for-credential.html

0
0
0
7h ago

Bluesky

buherator @buherator.bsky.social

[RSS] Micropatches Released for Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability (CVE-2025-47987) blog.0patch.com -> Original->

0
1
0
7h ago

CVE-2025-13915

Overview

IBM
API Connect

26 Dec 2025

Published

06 Jan 2026

Updated

CVSS v3.1

CRITICAL (9.8)

EPSS

0.37%

MITRE

KEV

Description

IBM API Connect 10.0.8.0 through 10.0.8.5, and 10.0.11.0 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application.

Statistics

3 Posts

Last activity: 4 hours ago

Fediverse

ekiledjian @edwardk

The Cyber Security Agency of Singapore has issued an alert for a critical vulnerability (CVE-2025-13915) in IBM API Connect, which allows for authentication bypass and has a CVSS score of 9.8. IBM has released fixes for affected versions, and while there's no evidence of active exploitation, immediate remediation is strongly recommended.
https://cyble.com/blog/cve-2025-13915-ibm-api-connect-vulnerability/

0
0
1
12h ago

Bluesky

CyberVeille @cyberveille-ch.bsky.social

📢 Alerte critique: CVE-2025-13915 dans IBM API Connect (contournement d’authentification, CVSS 9,8) 📝 Selon Cyble, l'agence de cybersécur… https://cyberveille.ch/posts/2026-01-06-alerte-critique-cve-2025-13915-dans-ibm-api-connect-contournement-dauthentification-cvss-98/ #CVE_2025_13915 #Cyberveille

0
0
0
4h ago

CVE-2026-21877

Overview

Pending

Pending

Published

Pending

Updated

CVSS

Pending

EPSS

Pending

MITRE

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

1 Post
13 Interactions

Last activity: 6 hours ago

Fediverse

cR0w @cR0w

Another perfect 10 in n8n? LMFAO. 🥳

https://github.com/n8n-io/n8n/security/advisories/GHSA-v364-rw7m-3263

Edit to add the link to the CVE. It's not published at this time though.

https://www.cve.org/CVERecord?id=CVE-2026-21877

7
6
0
6h ago

CVE-2025-60262

Overview

Pending

06 Jan 2026

Published

06 Jan 2026

Updated

CVSS

Pending

EPSS

Pending

MITRE

KEV

Description

An issue in H3C M102G HM1A0V200R010 wireless controller and BA1500L SWBA1A0V100R006 wireless access point, there is a misconfiguration vulnerability about vsftpd. Through this vulnerability, all files uploaded anonymously via the FTP protocol is automatically owned by the root user and remote attackers could gain root-level control over the devices.

Statistics

2 Posts
2 Interactions

Last activity: 7 hours ago

Fediverse

TheHackerWire @thehackerwire

🔴 CVE-2025-60262 - Critical (9.8)

An issue in H3C M102G HM1A0V200R010 wireless controller and BA1500L SWBA1A0V100R006 wireless access point, there is a misconfiguration vulnerability about vsftpd. Through this vulnerability, all files uploaded anonymously via the FTP protocol is a...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-60262/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda

0
0
0
7h ago

cR0w @cR0w

Tenda

https://www.cve.org/CVERecord?id=CVE-2026-0640

H3C

https://www.cve.org/CVERecord?id=CVE-2025-60262

cc: @Dio9sys @da_667

#internetOfShit

0
2
0
8h ago

CVE-2026-0640

Overview

Tenda
AC23

06 Jan 2026

Published

06 Jan 2026

Updated

CVSS v4.0

HIGH (8.7)

EPSS

Pending

MITRE

KEV

Description

A weakness has been identified in Tenda AC23 16.03.07.52. This affects the function sscanf of the file /goform/PowerSaveSet. Executing a manipulation of the argument Time can lead to buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.

Statistics

2 Posts
2 Interactions

Last activity: 7 hours ago

Fediverse

TheHackerWire @thehackerwire

🟠 CVE-2026-0640 - High (8.8)

A weakness has been identified in Tenda AC23 16.03.07.52. This affects the function sscanf of the file /goform/PowerSaveSet. Executing a manipulation of the argument Time can lead to buffer overflow. The attack can be launched remotely. The exploi...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-0640/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda

0
0
0
7h ago

cR0w @cR0w

Tenda

https://www.cve.org/CVERecord?id=CVE-2026-0640

H3C

https://www.cve.org/CVERecord?id=CVE-2025-60262

cc: @Dio9sys @da_667

#internetOfShit

0
2
0
8h ago

CVE-2025-14942

Overview

wolfSSL
wolfSSH

06 Jan 2026

Published

06 Jan 2026

Updated

CVSS v4.0

CRITICAL (9.4)

EPSS

Pending

MITRE

KEV

Description

wolfSSH’s key exchange state machine can be manipulated to leak the client’s password in the clear, trick the client to send a bogus signature, or trick the client into skipping user authentication. This affects client applications with wolfSSH version 1.4.21 and earlier. Users of wolfSSH must update or apply the fix patch and it’s recommended to update credentials used. This fix is also recommended for wolfSSH server applications. While there aren’t any specific attacks on server applications, the same defect is present. Thanks to Aina Toky Rasoamanana of Valeo and Olivier Levillain of Telecom SudParis for the report.

Statistics

1 Post
11 Interactions

Last activity: 7 hours ago

Fediverse

cR0w @cR0w

Oops.

wolfSSH’s key exchange state machine can be manipulated to leak the client’s password in the clear, trick the client to send a bogus signature, or trick the client into skipping user authentication. This affects client applications with wolfSSH version 1.4.21 and earlier. Users of wolfSSH must update or apply the fix patch and it’s recommended to update credentials used. This fix is also recommended for wolfSSH server applications. While there aren’t any specific attacks on server applications, the same defect is present. Thanks to Aina Toky Rasoamanana of Valeo and Olivier Levillain of Telecom SudParis for the report.

sev:CRIT 9.4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/U:Red

https://www.cve.org/CVERecord?id=CVE-2025-14942

3
8
0
7h ago