
Overview

  • NaturalIntelligence
  • fast-xml-parser

Published: 30 Jan 2026
Updated: 30 Jan 2026

CVSS v3.1: HIGH (7.5)
EPSS: Pending

KEV

Description

fast-xml-parser allows users to validate XML, parse XML to a JS object, or build XML from a JS object without C/C++ based libraries and without callbacks. In versions 4.3.6 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `�` or `�`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.

Statistics

  • 1 Post

Last activity: 9 hours ago

Fediverse


🟠 CVE-2026-25128 - High (7.5)

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.3.6 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Overview

  • ChurchCRM
  • CRM

Published: 30 Jan 2026
Updated: 30 Jan 2026

CVSS v3.1: HIGH (8.8)
EPSS: Pending

KEV

Description

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2 contains a patch for the issue.

Statistics

  • 1 Post

Last activity: 9 hours ago

Fediverse


🟠 CVE-2026-24854 - High (8.8)

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQ...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Overview

  • Pending

Published: Pending
Updated: Pending

CVSS: Pending
EPSS: Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post

Last activity: 12 hours ago

Fediverse


🔥 A vulnerability in AWStats sitting in a cPanel tree... H I D I N G?

We discovered it.

CVE-2025-63261 (or as we call it: PTT-2025-021) is what happens when "legacy meets lazy":

A single "|" in an HTTP GET param leads straight to RCE via Perl’s unsafe open() call.

And yes, this was sitting in AWStats.

Why it matters:

🔹 It’s already 2026, and we’re still finding bugs from 2000s-era web tools
🔹 Attack surface doesn’t disappear, it just ages quietly
🔹 RCE doesn’t need zero-days when it has zero hygiene

📝 We have a very comprehensive Part 1 article, written by Matei Badanoiu, who walks us through:

✅ How we found the bug
✅ How we turned it into a working exploit
✅ Why these “boring” vulns still matter

Read the article here: pentest-tools.com/blog/cpanel-


Overview

  • OpenSSL
  • OpenSSL

Published: 27 Jan 2026
Updated: 29 Jan 2026

CVSS: Pending
EPSS: 0.44%

KEV

Description

Issue summary: Parsing a CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.

Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.

When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

Statistics

  • 1 Post

Last activity: 17 hours ago

Fediverse


🔴 CVE-2025-15467 - Critical (9.8)

Issue summary: Parsing CMS AuthEnvelopedData message with maliciously
crafted AEAD parameters can trigger a stack buffer overflow.

Impact summary: A stack buffer overflow may lead to a crash, causing Denial
of Service, or potentially remote code ...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Overview

  • Microsoft
  • Microsoft Office 2019

Published: 26 Jan 2026
Updated: 30 Jan 2026

CVSS v3.1: HIGH (7.8)
EPSS: 2.83%

Description

Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.

Statistics

  • 1 Post

Last activity: 12 hours ago

Bluesky

🚨 Security Alert 🚨 Microsoft Office zero-day (CVE-2026-21509) is being actively exploited. Attackers can bypass OLE security via crafted Office docs, leading to code execution & malware. 👉 www.sequretek.com/resources/th... #ZeroDay #CyberSecurity #ThreatIntel #MicrosoftOffice

Overview

  • SolarWinds
  • Web Help Desk

Published: 28 Jan 2026
Updated: 29 Jan 2026

CVSS v3.1: CRITICAL (9.8)
EPSS: 0.05%

KEV

Description

SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.

Statistics

  • 1 Post

Last activity: 21 hours ago

Bluesky

SolarWinds fixes multiple critical vulnerabilities in Web Help Desk (CVE-2025-40552, CVE-2025-40553 and others) | Codebook|Security News https://codebook.machinarecord.com/threatreport/silobreaker-cyber-alert/43668/

Overview

  • quickjs-ng
  • quickjs

Published: 19 Jan 2026
Updated: 20 Jan 2026

CVSS v4.0: MEDIUM (5.3)
EPSS: 0.05%

KEV

Description

A flaw has been found in quickjs-ng quickjs up to 0.11.0. The function js_typed_array_constructor_ta of the file quickjs.c is affected by this vulnerability. The manipulation causes a heap-based buffer overflow. The attack can be carried out remotely. The exploit has been published and may be used. Patch name: 53aebe66170d545bb6265906fe4324e4477de8b4. It is suggested to install a patch to address this issue.

Statistics

  • 1 Post

Last activity: 18 hours ago

Bluesky

quickjs{,-ng}: react to CVE-2026-1144 and CVE-2026-1145 https://github.com/NixOS/nixpkgs/pull/484886 #security

Overview

  • SolarWinds
  • Web Help Desk

Published: 28 Jan 2026
Updated: 29 Jan 2026

CVSS v3.1: CRITICAL (9.8)
EPSS: 0.65%

KEV

Description

SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

Statistics

  • 1 Post

Last activity: 21 hours ago

Bluesky

SolarWinds fixes multiple critical vulnerabilities in Web Help Desk (CVE-2025-40552, CVE-2025-40553 and others) | Codebook|Security News https://codebook.machinarecord.com/threatreport/silobreaker-cyber-alert/43668/

Overview

  • Xen
  • Xen

Published: 28 Jan 2026
Updated: 28 Jan 2026

CVSS: Pending
EPSS: 0.01%

KEV

Description

Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing.

Statistics

  • 1 Post

Last activity: 10 hours ago

Bluesky

🚨 Attention System Administrators & DevOps Teams! 🚨 #Mageia has released a critical security update, MGASA-2026-0026, patching two high-severity Xen hypervisor vulnerabilities (CVE-2025-58150 & CVE-2026-23553). Read more: 👉 tinyurl.com/4uc6es63 #Security

Overview

  • quickjs-ng
  • quickjs

Published: 19 Jan 2026
Updated: 20 Jan 2026

CVSS v4.0: MEDIUM (5.3)
EPSS: 0.04%

KEV

Description

A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. An unknown function of the file quickjs.c in the component Atomics Ops Handler is affected. The manipulation results in a use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying the patch is advised to resolve this issue.

Statistics

  • 1 Post

Last activity: 18 hours ago

Bluesky

quickjs{,-ng}: react to CVE-2026-1144 and CVE-2026-1145 https://github.com/NixOS/nixpkgs/pull/484886 #security