okay no, that seems completely unrelated. the solaris bug is CVE-2007-0882 (which btw was wormed) and the -- was added 6 years later as a result of an audit... but it is on %u, which is the username that comes off of actual telnet authentication (a telnet option that inserts a sorta-EAP stage in negotiation) where by the time login is invoked, telnetd has already authenticated the user, so the username should be trusted

‼️CVE-2026-23744: Versions 1.4.2 and earlier of MCPJam inspector are vulnerable to remote code execution (RCE)

CVSS: 9.8
CVE Published: January 16th, 2026
PoC/Exploit Published: January 20th, 2026

GitHub PoC: https://github.com/boroeurnprach/CVE-2026-23744-PoC/

Advisory: https://github.com/advisories/GHSA-232v-j27c-5pp6

MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch.

🟠 CVE-2025-56353 - High (7.5)

In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), a memory leak occurs due to the broker's failure to validate or reject malformed UTF-8 strings in topic filters. An attacker can exploit this by sending repeated subscriptio...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-56353/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-66692 - High (7.5)

A buffer over-read in the PublicKey::verify() method of Binance - Trust Wallet Core before commit 5668c67 allows attackers to cause a Denial of Service (DoS) via a crafted input.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-66692/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but under certain conditions, it could lead to unauthorized trust in insecure servers (see PoC)

🔗 https://vulnerability.circl.lu/vuln/CVE-2025-12383

#vulnerabilitymanagement #cybersecurity #infosec

🟠 CVE-2025-27378 - High (8.6)

AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to injec...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-27378/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-63647 - High (7.5)

A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-63647/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-23965 - High (7.5)

sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature forgery vulnerability exists in the SM2 signature verification logic of sm-crypto prior to version 0.4.0. Under default configurat...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-23965/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

A very critical vulnerability, CVE-2026-23754, has been identified in D-Link D-View 8 up to version 2.0.1.107, specifically within the API Endpoint component. This flaw allows any authenticated user to manipulate the user_id argument to access and impersonate other users, including administrators, by retrieving sensitive credential data.
https://vuldb.com/?id.342188