CVE-2025-57792

Overview

Explorance
Blue

28 Jan 2026

Published

28 Jan 2026

Updated

CVSS

Pending

EPSS

Pending

MITRE

KEV

Description

Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user input in a web application endpoint. An attacker can supply crafted input that is executed as part of backend database queries. The issue is exploitable without authentication, significantly raising the risk.

Statistics

2 Posts

Last activity: 14 hours ago

Fediverse

TheHackerWire @thehackerwire

🔴 CVE-2025-57792 - Critical (10)

Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user input in a web application endpoint. An attacker can supply crafted input that is executed as part of backend database queries...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-57792/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
1
14h ago

CVE-2025-57795

Overview

Explorance
Blue

28 Jan 2026

Published

28 Jan 2026

Updated

CVSS

Pending

EPSS

Pending

MITRE

KEV

Description

Explorance Blue versions prior to 8.14.13 contain an authenticated remote file download vulnerability in a web service component. In default configurations, this flaw can be leveraged to achieve remote code execution.

Statistics

2 Posts

Last activity: 14 hours ago

Fediverse

TheHackerWire @thehackerwire

🔴 CVE-2025-57795 - Critical (9.9)

Explorance Blue versions prior to 8.14.13 contain an authenticated remote file download vulnerability in a web service component. In default configurations, this flaw can be leveraged to achieve remote code execution.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-57795/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
1
14h ago

CVE-2026-24772

Overview

opf
openproject

28 Jan 2026

Published

28 Jan 2026

Updated

CVSS v3.1

HIGH (8.9)

EPSS

Pending

MITRE

KEV

Description

OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a shared secret only known to the synchronization server. The frontend hands this encrypted token and the backend URL over to the synchronization server to check user's ability to work on the document and perform intermittent saves while editing. The synchronization server does not properly validate the backend URL and sends a request with the decrypted authentication token to the endpoint that was given to the server. An attacker could use this vulnerability to decrypt a token that he intercepted by other means to gain an access token to interact with OpenProject on the victim's behalf. This vulnerability was introduced with OpenProject 17.0.0 and was fixed in 17.0.2. As a workaround, disable the collaboration feature via Settings -> Documents -> Real time collaboration -> Disable. Additionally the `hocuspocus` container should also be disabled.

Statistics

1 Post

Last activity: 15 hours ago

Fediverse

TheHackerWire @thehackerwire

🟠 CVE-2026-24772 - High (8.9)

OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is curr...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24772/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
0
15h ago

CVE-2026-20045

Overview

Cisco
Cisco Unified Communications Manager

21 Jan 2026

Published

22 Jan 2026

Updated

CVSS v3.1

HIGH (8.2)

EPSS

0.89%

MITRE

KEV

Description

A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device.  This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root.

Statistics

1 Post

Last activity: 2 hours ago

Fediverse

Daniel Kuhl ✌🏻☮️☕️ @daniel1820815

🚨 Patch your Cisco UC products:

Cisco Unified Communications Products Remote Code Execution Vulnerability (CVE-2026-20045)

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b

#Cisco #Vulnerability #CVE_2026_20045

0
0
0
2h ago

CVE-2025-40536

Overview

SolarWinds
Web Help Desk

28 Jan 2026

Published

29 Jan 2026

Updated

CVSS v3.1

HIGH (8.1)

EPSS

0.24%

MITRE

KEV

Description

SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality.

Statistics

1 Post

Last activity: 23 hours ago

Fediverse

TheHackerWire @thehackerwire

🟠 CVE-2025-40536 - High (8.1)

SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-40536/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
0
23h ago

CVE-2022-22265

Overview

Samsung Mobile
Samsung Mobile Devices

07 Jan 2022

Published

21 Oct 2025

Updated

CVSS v3.1

MEDIUM (5.0)

EPSS

0.16%

MITRE

KEV

Description

An improper check or handling of exceptional conditions in NPU driver prior to SMR Jan-2022 Release 1 allows arbitrary memory write and code execution.

Statistics

1 Post

Last activity: 11 hours ago

Fediverse

Javier Partido Rufo @javierprtd

18/08/2024: I just released the blog explaining how I leveraged CVE-2022-22265 in the Samsung npu driver. Double free to achieve UAF over signalfd + cross cache + Dirty Page Table + code inject into libbase.so for execution by init. Hope you can enjoy it https://soez.github.io/posts/CVE-2022-22265-Samsung-npu-driver/

0
0
0
11h ago

CVE-2026-23830

Overview

nyariv
SandboxJS

27 Jan 2026

Published

28 Jan 2026

Updated

CVSS v3.1

CRITICAL (10.0)

EPSS

0.16%

MITRE

KEV

Description

SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to `AsyncFunction` not being isolated in `SandboxFunction`. The library attempts to sandbox code execution by replacing the global `Function` constructor with a safe, sandboxed version (`SandboxFunction`). This is handled in `utils.ts` by mapping `Function` to `sandboxFunction` within a map used for lookups. However, before version 0.8.26, the library did not include mappings for `AsyncFunction`, `GeneratorFunction`, and `AsyncGeneratorFunction`. These constructors are not global properties but can be accessed via the `.constructor` property of an instance (e.g., `(async () => {}).constructor`). In `executor.ts`, property access is handled. When code running inside the sandbox accesses `.constructor` on an async function (which the sandbox allows creating), the `executor` retrieves the property value. Since `AsyncFunction` was not in the safe-replacement map, the `executor` returns the actual native host `AsyncFunction` constructor. Constructors for functions in JavaScript (like `Function`, `AsyncFunction`) create functions that execute in the global scope. By obtaining the host `AsyncFunction` constructor, an attacker can create a new async function that executes entirely outside the sandbox context, bypassing all restrictions and gaining full access to the host environment (Remote Code Execution). Version 0.8.26 patches this vulnerability.

Statistics

1 Post

Last activity: 19 hours ago

Bluesky

Securitycipher @securitycipher.bsky.social

Escaping the Matrix: A Deep Dive into SandboxJS RCE (CVE-2026–23830) https://medium.com/@meysam_bal-afkan/escaping-the-matrix-a-deep-dive-into-sandboxjs-rce-cve-2026-23830-1fbbca3f46fc?source=rss------bug_bounty-5

0
0
0
19h ago

CVE-2026-24430

Overview

Shenzhen Tenda Technology Co., Ltd.
W30E V2

26 Jan 2026

Published

26 Jan 2026

Updated

CVSS v4.0

HIGH (8.2)

EPSS

0.04%

MITRE

KEV

Description

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) disclose sensitive account credentials in cleartext within HTTP responses generated by the maintenance interface. Because the management interface is accessible over unencrypted HTTP by default, credentials may be exposed to network-based interception.

Statistics

1 Post

Last activity: 5 hours ago

Fediverse

TheHackerWire @thehackerwire

🟠 CVE-2026-24430 - High (7.5)

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) disclose sensitive account credentials in cleartext within HTTP responses generated by the maintenance interface. Because the management interface is accessible over un...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24430/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
0
5h ago

CVE-2025-68662

Overview

discourse
discourse

28 Jan 2026

Published

28 Jan 2026

Updated

CVSS v3.1

HIGH (7.6)

EPSS

Pending

MITRE

KEV

Description

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, a hostname validation issue in FinalDestination could allow bypassing SSRF protections under certain conditions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.

Statistics

1 Post

Last activity: 14 hours ago

Fediverse

TheHackerWire @thehackerwire

🟠 CVE-2025-68662 - High (7.6)

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, a hostname validation issue in FinalDestination could allow bypassing SSRF protections under certain conditions. This issue is patched...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-68662/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
0
14h ago

CVE-2025-33218

Overview

NVIDIA
GeForce

28 Jan 2026

Published

29 Jan 2026

Updated

CVSS v3.1

HIGH (7.8)

EPSS

Pending

MITRE

KEV

Description

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where an attacker could cause an integer overflow. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure.

Statistics

1 Post

Last activity: 15 hours ago

Fediverse

TheHackerWire @thehackerwire

🟠 CVE-2025-33218 - High (7.8)

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where an attacker could cause an integer overflow. A successful exploit of this vulnerability might lead to code execution, escalation of privi...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-33218/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
0
15h ago