
Overview

  • MongoDB Inc.
  • MongoDB Server

19 Dec 2025
Published
12 Jan 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
58.19%

Description

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.

Statistics

  • 1 Post

Last activity: 19 hours ago

Bluesky

Mongobleed sounds like a bad sci-fi villain but it's actually a MongoDB security flaw CVE-2025-14847. Percona to the rescue patching it with urgency and transparency. Let's keep our databases from joining the dark side!
  • 19h ago

Overview

  • D-Link
  • DIR-823X

08 Feb 2026
Published
08 Feb 2026
Updated

CVSS v4.0
HIGH (8.6)
EPSS
Pending

KEV

Description

A vulnerability was found in D-Link DIR-823X 250416. Affected by this issue is some unknown functionality of the file /goform/set_ac_status. Performing a manipulation of the argument ac_ipaddr/ac_ipstatus/ap_randtime results in os command injection. The attack may be initiated remotely. The exploit has been made public and could be used.

Statistics

  • 1 Post

Last activity: 3 hours ago

Fediverse

🚨 HIGH severity: CVE-2026-2129 in D-Link DIR-823X (v250416) enables unauthenticated remote OS command injection via /goform/set_ac_status. Exploit code is public — patch or restrict access now! radar.offseq.com/threat/cve-20

  • 3h ago

Overview

  • Shenzhen Tenda Technology
  • Tenda G300-F

07 Feb 2026
Published
07 Feb 2026
Updated

CVSS v4.0
HIGH (8.6)
EPSS
Pending

KEV

Description

Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.

Statistics

  • 1 Post

Last activity: 2 hours ago

Fediverse

⚠️ CVE-2026-25857: HIGH-severity OS command injection in Tenda G300-F routers (≤16.01.14.2). No patch yet — exposure of management interface risks full device compromise. Restrict access, monitor WAN diagnostics. Details: radar.offseq.com/threat/cve-20

  • 2h ago

Overview

  • quickjs-ng
  • quickjs

19 Jan 2026
Published
20 Jan 2026
Updated

CVSS v4.0
MEDIUM (5.3)
EPSS
0.06%

KEV

Description

A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue.

Statistics

  • 1 Post

Last activity: 13 hours ago

Bluesky

[Backport release-25.11] quickjs{,-ng}: react to CVE-2026-1144 and CVE-2026-1145 https://github.com/NixOS/nixpkgs/pull/486490 #security
  • 13h ago

Overview

  • quickjs-ng
  • quickjs

19 Jan 2026
Published
20 Jan 2026
Updated

CVSS v4.0
MEDIUM (5.3)
EPSS
0.07%

KEV

Description

A flaw has been found in quickjs-ng quickjs up to 0.11.0. Affected by this vulnerability is the function js_typed_array_constructor_ta of the file quickjs.c. This manipulation causes heap-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 53aebe66170d545bb6265906fe4324e4477de8b4. It is suggested to install a patch to address this issue.

Statistics

  • 1 Post

Last activity: 13 hours ago

Bluesky

[Backport release-25.11] quickjs{,-ng}: react to CVE-2026-1144 and CVE-2026-1145 https://github.com/NixOS/nixpkgs/pull/486490 #security
  • 13h ago

Overview

  • Apache Software Foundation
  • Apache Tomcat

03 Oct 2017
Published
21 Oct 2025
Updated

CVSS
Pending
EPSS
94.36%

Description

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Statistics

  • 1 Post

Last activity: 22 hours ago

Fediverse

Apache Tomcat is far and away the most likely intended target given port 8080 and the Java exception body content. The DefaultServlet with readonly=false in web.xml is the textbook case (CVE-2017-12615, CVE-2017-12617). Eclipse Jetty can also expose similar behavior if its DefaultServlet or WebDAV module is configured to allow PUT writes. Apache TomEE, being Tomcat-based with Jakarta EE extensions, inherits all of the same misconfigurations. (5/15)

  • 22h ago

Overview

  • Apache Software Foundation
  • Apache Tomcat

19 Sep 2017
Published
21 Oct 2025
Updated

CVSS
Pending
EPSS
94.22%

Description

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Statistics

  • 1 Post

Last activity: 22 hours ago

Fediverse

Apache Tomcat is far and away the most likely intended target given port 8080 and the Java exception body content. The DefaultServlet with readonly=false in web.xml is the textbook case (CVE-2017-12615, CVE-2017-12617). Eclipse Jetty can also expose similar behavior if its DefaultServlet or WebDAV module is configured to allow PUT writes. Apache TomEE, being Tomcat-based with Jakarta EE extensions, inherits all of the same misconfigurations. (5/15)

  • 22h ago