CVE-2026-23743

Overview

discourse
discourse

28 Jan 2026

Published

28 Jan 2026

Updated

CVSS v4.0

MEDIUM (6.9)

EPSS

0.04%

MITRE

KEV

Description

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks pointing to access-restricted resources (private topics, categories, posts, or hidden tags) were redirecting users to URLs containing the resource slug, even when the user didn't have access to view the resource. This leaked potentially sensitive information (e.g., private topic titles) via the redirect Location header and the 404 page's search box. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.

Statistics

1 Post

Last activity: 10 hours ago

Fediverse

TheHackerWire @thehackerwire

🟠 CVE-2026-23743 - High (7.5)

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks pointing to access-restricted resources (private topics, categories, posts, or hidden tags) were redirecting users to URLs ...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-23743/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
0
10h ago

CVE-2026-21418

Overview

Dell
Unity

30 Jan 2026

Published

31 Jan 2026

Updated

CVSS v3.1

HIGH (7.8)

EPSS

0.06%

MITRE

KEV

Description

Dell Unity, version(s) 5.5.2 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.

Statistics

1 Post

Last activity: 21 hours ago

Fediverse

TheHackerWire @thehackerwire

🟠 CVE-2026-21418 - High (7.8)

Dell Unity, version(s) 5.5.2 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerabilit...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-21418/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
0
21h ago

CVE-2026-23760

Overview

SmarterTools
SmarterMail

22 Jan 2026

Published

27 Jan 2026

Updated

CVSS v4.0

CRITICAL (9.3)

EPSS

49.87%

MITRE

KEV

Description

SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host.

Statistics

1 Post

Last activity: 16 hours ago

Bluesky

CyberVeille @cyberveille-ch.bsky.social

📢 Plus de 6 000 serveurs SmarterMail exposés à une faille critique d’authentification (CVE-2026-23760) 📝 Selon Security Affairs, la Shado… https://cyberveille.ch/posts/2026-01-29-plus-de-6-000-serveurs-smartermail-exposes-a-une-faille-critique-dauthentification-cve-2026-23760/ #CISA_KEV #Cyberveille

0
0
0
16h ago

CVE-2025-1395

Overview

Codriapp Innovation and Software Technologies Inc.
HeyGarson

30 Jan 2026

Published

30 Jan 2026

Updated

CVSS v3.1

HIGH (8.2)

EPSS

0.03%

MITRE

KEV

Description

Generation of Error Message Containing Sensitive Information vulnerability in Codriapp Innovation and Software Technologies Inc. HeyGarson allows Fuzzing for application mapping.This issue affects HeyGarson: through 30012026. NOTE: The vendor was contacted several times to verifying fixing process but did not respond in any way.

Statistics

1 Post

Last activity: 21 hours ago

Fediverse

TheHackerWire @thehackerwire

🟠 CVE-2025-1395 - High (8.2)

Generation of Error Message Containing Sensitive Information vulnerability in Codriapp Innovation and Software Technologies Inc. HeyGarson allows Fuzzing for application mapping.This issue affects HeyGarson: through 30012026.

NOTE: The vendor was...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-1395/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
0
21h ago

CVE-2025-51958

Overview

Pending

30 Jan 2026

Published

30 Jan 2026

Updated

CVSS

Pending

EPSS

Pending

MITRE

KEV

Description

aelsantex runcommand 2014-04-01, a plugin for DokuWiki, allows unauthenticated attackers to execute arbitrary system commands via lib/plugins/runcommand/postaction.php.

Statistics

1 Post

Last activity: 12 hours ago

Fediverse

TheHackerWire @thehackerwire

🔴 CVE-2025-51958 - Critical (9.8)

aelsantex runcommand 2014-04-01, a plugin for DokuWiki, allows unauthenticated attackers to execute arbitrary system commands via lib/plugins/runcommand/postaction.php.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-51958/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
0
12h ago

CVE-2025-62348

Overview

Salt Project
Salt
salt

30 Jan 2026

Published

31 Jan 2026

Updated

CVSS v3.1

HIGH (7.8)

EPSS

Pending

MITRE

KEV

Description

Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process.

Statistics

1 Post

Last activity: 12 hours ago

Fediverse

TheHackerWire @thehackerwire

🟠 CVE-2025-62348 - High (7.8)

Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-62348/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
0
12h ago

CVE-2026-25153

Overview

backstage
backstage

30 Jan 2026

Published

30 Jan 2026

Updated

CVSS v3.1

HIGH (7.7)

EPSS

Pending

MITRE

KEV

Description

Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with `runIn: local`, a malicious actor who can submit or modify a repository's `mkdocs.yml` file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. @backstage/plugin-techdocs-node versions 1.13.11 and 1.14.1 contain a fix. The fix introduces an allowlist of supported MkDocs configuration keys. Unsupported configuration keys (including `hooks`) are now removed from `mkdocs.yml` before running the generator, with a warning logged to indicate which keys were removed. Users of `@techdocs/cli` should also upgrade to the latest version, which includes the fixed `@backstage/plugin-techdocs-node` dependency. Some workarounds are available. Configure TechDocs with `runIn: docker` instead of `runIn: local` to provide container isolation, though it does not fully mitigate the risk. Limit who can modify `mkdocs.yml` files in repositories that TechDocs processes; only allow trusted contributors. Implement PR review requirements for changes to `mkdocs.yml` files to detect malicious `hooks` configurations before they are merged. Use MkDocs < 1.4.0 (e.g., 1.3.1) which does not support hooks. Note: This may limit access to newer MkDocs features. Building documentation in CI/CD pipelines using `@techdocs/cli` does not mitigate this vulnerability, as the CLI uses the same vulnerable `@backstage/plugin-techdocs-node` package.

Statistics

1 Post

Last activity: 9 hours ago

Fediverse

TheHackerWire @thehackerwire

🟠 CVE-2026-25153 - High (7.7)

Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is c...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25153/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
0
9h ago

CVE-2026-25128

Overview

NaturalIntelligence
fast-xml-parser

30 Jan 2026

Published

30 Jan 2026

Updated

CVSS v3.1

HIGH (7.5)

EPSS

Pending

MITRE

KEV

Description

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.3.6 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `&#9999999;` or `&#xFFFFFF;`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.

Statistics

1 Post

Last activity: 15 hours ago

Fediverse

TheHackerWire @thehackerwire

🟠 CVE-2026-25128 - High (7.5)

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.3.6 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25128/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
0
15h ago

CVE-2026-24854

Overview

ChurchCRM
CRM

30 Jan 2026

Published

30 Jan 2026

Updated

CVSS v3.1

HIGH (8.8)

EPSS

Pending

MITRE

KEV

Description

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2 contains a patch for the issue.

Statistics

1 Post

Last activity: 15 hours ago

Fediverse

TheHackerWire @thehackerwire

🟠 CVE-2026-24854 - High (8.8)

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQ...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24854/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
0
15h ago

CVE-2025-63261

Overview

Pending

Pending

Published

Pending

Updated

CVSS

Pending

EPSS

Pending

MITRE

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

1 Post

Last activity: 18 hours ago

Fediverse

pentest-tools.com @pentesttools

🔥 A vulnerability in AWStats sitting in a cPanel tree... H I D I N G?

We discovered it.

CVE-2025-63261 (or as we call it: PTT-2025-021) is what happens when "legacy meets lazy":

A single "|" in an HTTP GET param leads straight to RCE via Perl’s unsafe open() call.

And yes, this was sitting in AWStats.

Why it matters:

🔹 It’s already 2026, and we’re still finding bugs from 2000s-era web tools
🔹 Attack surface doesn’t disappear, it just ages quietly
🔹 RCE doesn’t need zero-days when it has zero hygiene

📝 We have a very comprehensive Part 1 article, written by Matei Badanoiu, who walks us through:

✅ How we found the bug
✅ How we turned it into a working exploit
✅ Why these “boring” vulns still matter

Read the article here: https://pentest-tools.com/blog/cpanel-cve-ptt-2025-021-part-1

0
0
0
18h ago