24h | 7d | 30d

CVE-2026-22031

Overview

  • fastify
  • middie
19 Jan 2026
Published
19 Jan 2026
Updated
CVSS v3.1
HIGH (8.4)
EPSS
Pending
KEV

Description

@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. Version 9.1.0 fixes the issue.

Statistics

  • 1 Post
Last activity: Last hour

Fediverse

Profile picture
TheHackerWire @thehackerwire

🟠 CVE-2026-22031 - High (8.4)

@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded ...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • Last hour

CVE-2026-0915

Overview

  • The GNU C Library
  • glibc
15 Jan 2026
Published
16 Jan 2026
Updated
CVSS
Pending
EPSS
0.02%
KEV

Description

Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.

Statistics

  • 1 Post
Last activity: 4 hours ago

Fediverse

Profile picture
Laurent Cheylus @lcheylus

GNU C Library fixes a security Issue present since 1996 (getnetbyaddr and getnetbyaddr_r functions can leak the stack contents to the DNS resolver) CVE-2026-0915 #Infosec sourceware.org/git/?p=glibc.gi

  • 0
  • 0
  • 0
  • 4h ago

CVE-2026-22850

Overview

  • ibericode
  • koko-analytics
19 Jan 2026
Published
19 Jan 2026
Updated
CVSS v3.1
HIGH (8.4)
EPSS
Pending
KEV

Description

Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path (`pa`) and referrer (`r`) values to the public tracking endpoint in src/Resources/functions/collect.php, which stores those strings verbatim in the analytics tables. The admin export logic in src/Admin/Data_Export.php writes these stored values directly into SQL INSERT statements without escaping. A crafted path such as "),('999','x');DROP TABLE wp_users;-- breaks out of the value list. When an administrator later imports that export file, the import handler in src/Admin/Data_Import.php reads the uploaded SQL with file_get_contents, performs only a superficial header check, splits on semicolons, and executes each statement via $wpdb->query with no validation of table names or statement types. Additionally, any authenticated user with manage_koko_analytics can upload an arbitrary .sql file and have it executed in the same permissive way. Combined, attacker-controlled input flows from the tracking endpoint into exported SQL and through the import execution sink, or directly via malicious uploads, enabling arbitrary SQL execution. In a worst-case scenario, attackers can achieve arbitrary SQL execution on the WordPress database, allowing deletion of core tables (e.g., wp_users), insertion of backdoor administrator accounts, or other destructive/privilege-escalating actions. Version 2.1.3 patches the issue.

Statistics

  • 1 Post
Last activity: Last hour

Fediverse

Profile picture
TheHackerWire @thehackerwire

🟠 CVE-2026-22850 - High (8.3)

Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbit...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • Last hour

CVE-2026-1139

Overview

  • UTT
  • 进取 520W
19 Jan 2026
Published
19 Jan 2026
Updated
CVSS v4.0
HIGH (8.7)
EPSS
0.04%
KEV

Description

A vulnerability has been found in UTT 进取 520W 1.7.7-180627. This vulnerability affects the function strcpy of the file /goform/ConfigExceptMSN. The manipulation leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistics

  • 2 Posts
Last activity: 11 hours ago

Fediverse

Profile picture
TheHackerWire @thehackerwire

🟠 CVE-2026-1139 - High (8.8)

A vulnerability has been found in UTT 进取 520W 1.7.7-180627. This vulnerability affects the function strcpy of the file /goform/ConfigExceptMSN. The manipulation leads to buffer overflow. It is possible to initiate the attack remotely. The expl...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 1
  • 11h ago

CVE-2026-23645

Overview

  • siyuan-note
  • siyuan
16 Jan 2026
Published
16 Jan 2026
Updated
CVSS v4.0
MEDIUM (5.3)
EPSS
0.04%
KEV

Description

SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2.

Statistics

  • 1 Post
Last activity: 12 hours ago

Bluesky

Profile picture
nixpkgs security changes @nixpkgssecuritychanges.gerbet.me
[25.11] siyuan: 3.4.0 -> 3.5.4-dev2, fixes CVE-2026-23645 https://github.com/NixOS/nixpkgs/pull/481359 #security
  • 0
  • 0
  • 0
  • 12h ago

CVE-2025-63261

Overview

  • Pending
Pending
Published
Pending
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
Last activity: 5 hours ago

Fediverse

Profile picture
pentest-tools.com @pentesttools

Ever named your own CVE? We sure did. 😏

Meet PTT-2025-021 (aka CVE-2025-63261).

A vulnerability in AWStats hiding inside cPanel.

One misplaced "|" flips log analysis into command execution.

No magic. Just unsafe open() and legacy code trusting input.

On our blog, we walk through how we traced it, proved it, and why this vulnerability class still bites.

Special thanks to Matei Badanoiu for the research. 👏

See the full attack path in Part 1: pentest-tools.com/blog/cpanel-

  • 0
  • 0
  • 0
  • 5h ago

CVE-2025-61684

Overview

  • h2o
  • quicly
19 Jan 2026
Published
19 Jan 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
Pending
KEV

Description

Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e. A remote attacker can exploit these bugs to trigger an assertion failure that crashes process using Quicly. Commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e fixes the issue.

Statistics

  • 1 Post
Last activity: Last hour

Fediverse

Profile picture
TheHackerWire @thehackerwire

🟠 CVE-2025-61684 - High (7.5)

Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e. A remote attacker can exploit these bugs to trigger an assertion failure that crashes process usin...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • Last hour

CVE-2025-36911

Overview

  • Google
  • Android
15 Jan 2026
Published
15 Jan 2026
Updated
CVSS
Pending
EPSS
0.00%
KEV

Description

In key-based pairing, there is a possible ID due to a logic error in the code. This could lead to remote (proximal/adjacent) information disclosure of user's conversations and location with no additional execution privileges needed. User interaction is not needed for exploitation.

Statistics

  • 1 Post
Last activity: 18 hours ago

Bluesky

Profile picture
セキュリティ対策Lab @securitylab-jp.bsky.social
#WhisperPair、 数億台のBluetooth 機器に深刻な脆弱性 CVE-2025-36911-Google Fast Pairの不備による盗聴・追跡リスクの実態 rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #セキュリティ #Security #サイバー攻撃
  • 0
  • 0
  • 0
  • 18h ago

CVE-2026-22037

Overview

  • fastify
  • fastify-express
19 Jan 2026
Published
19 Jan 2026
Updated
CVSS v3.1
HIGH (8.4)
EPSS
Pending
KEV

Description

The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. The vulnerability is caused by how @fastify/express matches requests against registered middleware paths. This vulnerability is similar to, but differs from, CVE-2026-22031 because this is a different npm module with its own code. Version 4.0.3 of @fastify/express contains a patch fort the issue.

Statistics

  • 1 Post
Last activity: Last hour

Fediverse

Profile picture
TheHackerWire @thehackerwire

🟠 CVE-2026-22037 - High (8.4)

The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • Last hour

CVE-2026-1155

Overview

  • Totolink
  • LR350
19 Jan 2026
Published
19 Jan 2026
Updated
CVSS v4.0
HIGH (8.7)
EPSS
Pending
KEV

Description

A vulnerability was found in Totolink LR350 9.3.5u.6369_B20220309. Affected by this vulnerability is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ssid results in buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used.

Statistics

  • 2 Posts
Last activity: 4 hours ago

Fediverse

Profile picture
TheHackerWire @thehackerwire

🟠 CVE-2026-1155 - High (8.8)

A vulnerability was found in Totolink LR350 9.3.5u.6369_B20220309. Affected by this vulnerability is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ssid results in buffer overflow. The attack ma...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 1
  • 4h ago
Showing 11 to 20 of 25 CVEs