okay no, that seems completely unrelated. the solaris bug is CVE-2007-0882 (which btw was wormed) and the -- was added 6 years later as a result of an audit... but it is on %u, which is the username that comes off of actual telnet authentication (a telnet option that inserts a sorta-EAP stage in negotiation) where by the time login is invoked, telnetd has already authenticated the user, so the username should be trusted

🟠 CVE-2025-56353 - High (7.5)

In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), a memory leak occurs due to the broker's failure to validate or reject malformed UTF-8 strings in topic filters. An attacker can exploit this by sending repeated subscriptio...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-56353/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2025-66692 - High (7.5)

A buffer over-read in the PublicKey::verify() method of Binance - Trust Wallet Core before commit 5668c67 allows attackers to cause a Denial of Service (DoS) via a crafted input.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-66692/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but under certain conditions, it could lead to unauthorized trust in insecure servers (see PoC)

🔗 https://vulnerability.circl.lu/vuln/CVE-2025-12383

#vulnerabilitymanagement #cybersecurity #infosec

‼️CVE-2026-23744: Versions 1.4.2 and earlier of MCPJam inspector are vulnerable to remote code execution (RCE)

CVSS: 9.8
CVE Published: January 16th, 2026
PoC/Exploit Published: January 20th, 2026

GitHub PoC: https://github.com/boroeurnprach/CVE-2026-23744-PoC/

Advisory: https://github.com/advisories/GHSA-232v-j27c-5pp6

MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch.

🟠 CVE-2025-63647 - High (7.5)

A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-63647/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

A very critical vulnerability, CVE-2026-23754, has been identified in D-Link D-View 8 up to version 2.0.1.107, specifically within the API Endpoint component. This flaw allows any authenticated user to manipulate the user_id argument to access and impersonate other users, including administrators, by retrieving sensitive credential data.
https://vuldb.com/?id.342188

🔴 CVE-2025-65482 - Critical (9.8)

An XML External Entity (XXE) vulnerability in opensagres XDocReport v0.9.2 to v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .docx file.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-65482/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-21940 - High (7.5)

Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: User and User Group). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-21940/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack