24h | 7d | 30d

CVE-2025-14478

Overview

  • kraftplugins
  • Demo Importer Plus
17 Jan 2026
Published
17 Jan 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.08%
KEV

Description

The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in vulnerable configurations. This only impacts sites on versions of PHP older than 8.0.

Statistics

  • 1 Post
Last activity: 21 hours ago

Fediverse

Profile picture
TheHackerWire @thehackerwire

🟠 CVE-2025-14478 - High (7.5)

The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-lev...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 21h ago

CVE-2025-67823

Overview

  • Pending
15 Jan 2026
Published
16 Jan 2026
Updated
CVSS
Pending
EPSS
0.04%
KEV

Description

A vulnerability in the Multimedia Email component of Mitel MiContact Center Business through 10.2.0.10 and Mitel CX through 1.1.0.1 could allow an unauthenticated attacker to conduct a Cross-Site Scripting (XSS) attack due to insufficient input validation. A successful exploit requires user interaction where the email channel is enabled. This could allow an attacker to execute arbitrary scripts in the victim's browser or desktop client application.

Statistics

  • 1 Post
Last activity: 3 hours ago

Fediverse

Profile picture
TheHackerWire @thehackerwire

🟠 CVE-2025-67823 - High (8.2)

A vulnerability in the Multimedia Email component of Mitel MiContact Center Business through 10.2.0.10 and Mitel CX through 1.1.0.1 could allow an unauthenticated attacker to conduct a Cross-Site Scripting (XSS) attack due to insufficient input va...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 3h ago

CVE-2026-23550

Overview

  • Modular DS
  • Modular DS
  • modular-connector
14 Jan 2026
Published
14 Jan 2026
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
0.04%
KEV

Description

Incorrect Privilege Assignment vulnerability in Modular DS allows Privilege Escalation.This issue affects Modular DS: from n/a through 2.5.1.

Statistics

  • 1 Post
Last activity: 23 hours ago

Bluesky

Profile picture
Eyal Estrin ☁️ @eyalestrin.bsky.social
Modular DS bug hands hackers instant WordPress admin access (CVE-2026-23550) #appsec
  • 0
  • 0
  • 0
  • 23h ago

CVE-2025-66402

Overview

  • misskey-dev
  • misskey
15 Dec 2025
Published
16 Dec 2025
Updated
CVSS v4.0
HIGH (7.1)
EPSS
0.04%
KEV

Description

Misskey is an open source, federated social media platform. Starting in version 13.0.0-beta.16 and prior to version 2025.12.0, an actor who does not have permission to view favorites or clips can can export the posts and view the contents. Version 2025.12.0 fixes the issue.

Statistics

  • 1 Post
Last activity: 18 hours ago

Bluesky

Profile picture
nixpkgs security changes @nixpkgssecuritychanges.gerbet.me
[release-25.11] misskey: apply patch for CVE-2025-66402 https://github.com/NixOS/nixpkgs/pull/480284 #security
  • 0
  • 0
  • 0
  • 18h ago

CVE-2025-20393

Overview

  • Cisco
  • Cisco Secure Email
17 Dec 2025
Published
15 Jan 2026
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
6.44%
KEV

Description

A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to execute arbitrary system commands on an affected device with root privileges. This vulnerability is due to insufficient validation of HTTP requests by the Spam Quarantine feature. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.

Statistics

  • 1 Post
Last activity: 15 hours ago

Fediverse

Profile picture
Anonymous :verified: @youranonnewsirc

Here's a brief on the latest global, tech, and cybersecurity news from the last 24 hours:

Global: Uganda's Yoweri Museveni was declared winner of the presidential election. Over 100 people have died in torrential rains and floods across Southern Africa.

Tech: OpenAI is reportedly considering introducing ads to ChatGPT. Google filed to appeal a decision in its search monopoly case, and new generative AI features are rolling out for Gmail.

Cybersecurity: Cisco patched a zero-day vulnerability (CVE-2025-20393) exploited by a China-linked APT (Jan 16). A new PayPal phishing scam uses verified invoices with fake support numbers, and the GhostPoster browser malware, active for five years, was exposed.

#News #Anonymous #AnonNews_irc

  • 0
  • 0
  • 0
  • 15h ago

CVE-2026-21900

Overview

  • nasa
  • CryptoLib
10 Jan 2026
Published
13 Jan 2026
Updated
CVSS v4.0
HIGH (8.2)
EPSS
0.06%
KEV

Description

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, an out-of-bounds heap read vulnerability in cryptography_encrypt() occurs when parsing JSON metadata from KMC server responses. The flawed strtok iteration pattern uses ptr + strlen(ptr) + 1 which reads one byte past allocated buffer boundaries when processing short or malformed metadata strings. This issue has been patched in version 1.4.3.

Statistics

  • 1 Post
Last activity: 9 hours ago

Fediverse

Profile picture
geeknik @geeknik

CVE-2026-21900: NASA’s own crypto lib leaks heap memory like a cracked spacesuit—because strtok(ptr+strlen+1) is apparently flight-ready code.
redpacketsecurity.com/cisa-vul

  • 0
  • 0
  • 0
  • 9h ago

CVE-2026-0861

Overview

  • The GNU C Library
  • glibc
14 Jan 2026
Published
16 Jan 2026
Updated
CVSS
Pending
EPSS
0.01%
KEV

Description

Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 10 hours ago

Fediverse

Profile picture
Xerz 💗 @xerz

tbh, CVE-2026-0915 does require the sysadmin to do something extremely weird, so: okay I guess

nevertheless, it’s very much a C-specific issue

…and then there’s CVE-2026-0861

  • 1
  • 0
  • 0
  • 10h ago

CVE-2026-22695

Overview

  • pnggroup
  • libpng
12 Jan 2026
Published
13 Jan 2026
Updated
CVSS v3.1
MEDIUM (6.1)
EPSS
0.01%
KEV

Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.

Statistics

  • 1 Post
Last activity: 18 hours ago

Bluesky

Profile picture
ferramentaslinux.bsky.social @ferramentaslinux.bsky.social
🚨 CRITICAL: Mageia 9 libpng vulnerabilities CVE-2026-22695 & CVE-2026-22801 allow heap buffer over-read attacks. MGASA-2026-0010 patch now available. Read more: 👉 tinyurl.com/52x7w749 #Security
  • 0
  • 0
  • 0
  • 18h ago

CVE-2026-22801

Overview

  • pnggroup
  • libpng
12 Jan 2026
Published
13 Jan 2026
Updated
CVSS v3.1
MEDIUM (6.8)
EPSS
0.01%
KEV

Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.

Statistics

  • 1 Post
Last activity: 18 hours ago

Bluesky

Profile picture
ferramentaslinux.bsky.social @ferramentaslinux.bsky.social
🚨 CRITICAL: Mageia 9 libpng vulnerabilities CVE-2026-22695 & CVE-2026-22801 allow heap buffer over-read attacks. MGASA-2026-0010 patch now available. Read more: 👉 tinyurl.com/52x7w749 #Security
  • 0
  • 0
  • 0
  • 18h ago
Showing 11 to 19 of 19 CVEs