CVE-2025-57155

Overview

Pending

20 Jan 2026

Published

21 Jan 2026

Updated

CVSS

Pending

EPSS

0.07%

MITRE

KEV

Description

NULL pointer dereference in the daap_reply_groups function in src/httpd_daap.c in owntone-server through commit 5e6f19a (newer commit after version 28.2) allows remote attackers to cause a Denial of Service.

Statistics

1 Post

Last activity: 21 hours ago

Fediverse

TheHackerWire @thehackerwire

🟠 CVE-2025-57155 - High (7.5)

NULL pointer dereference in the daap_reply_groups function in src/httpd_daap.c in owntone-server through commit 5e6f19a (newer commit after version 28.2) allows remote attackers to cause a Denial of Service.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-57155/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
0
21h ago

CVE-2025-10855

Overview

Solvera Software Services Trade Inc.
Teknoera

22 Jan 2026

Published

22 Jan 2026

Updated

CVSS v3.1

HIGH (7.5)

EPSS

Pending

MITRE

KEV

Description

Authorization Bypass Through User-Controlled Key vulnerability in Solvera Software Services Trade Inc. Teknoera allows Exploitation of Trusted Identifiers.This issue affects Teknoera: through 01102025.

Statistics

1 Post

Last activity: Last hour

Fediverse

TheHackerWire @thehackerwire

🟠 CVE-2025-10855 - High (7.5)

Authorization Bypass Through User-Controlled Key vulnerability in Solvera Software Services Trade Inc. Teknoera allows Exploitation of Trusted Identifiers.This issue affects Teknoera: through 01102025.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-10855/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
0
Last hour

CVE-2026-22807

Overview

vllm-project
vllm

21 Jan 2026

Published

21 Jan 2026

Updated

CVSS v3.1

HIGH (8.8)

EPSS

Pending

MITRE

KEV

Description

vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. This happens before any request handling and does not require API access. Version 0.14.0 fixes the issue.

Statistics

1 Post

Last activity: 15 hours ago

Fediverse

TheHackerWire @thehackerwire

🟠 CVE-2026-22807 - High (8.8)

vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, all...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-22807/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
0
15h ago

CVE-2026-24042

Overview

appsmithorg
appsmith

22 Jan 2026

Published

22 Jan 2026

Updated

CVSS v3.1

CRITICAL (9.4)

EPSS

Pending

MITRE

KEV

Description

Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. This bypasses the expected publish boundary where public viewers should only execute published actions, not edit-mode versions. An attack can result in sensitive data exposure, execution of edit‑mode queries and APIs, development data access, and the ability to trigger side effect behavior. This issue does not have a released fix at the time of publication.

Statistics

1 Post

Last activity: 8 hours ago

Fediverse

TheHackerWire @thehackerwire

🔴 CVE-2026-24042 - Critical (9.4)

Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24042/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
0
8h ago

CVE-2025-13878

Overview

ISC
BIND 9

21 Jan 2026

Published

21 Jan 2026

Updated

CVSS v3.1

HIGH (7.5)

EPSS

Pending

MITRE

KEV

Description

Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.

Statistics

1 Post

Last activity: 21 hours ago

Fediverse

TheHackerWire @thehackerwire

🟠 CVE-2025-13878 - High (7.5)

Malformed BRID/HHIT records can cause `named` to terminate unexpectedly.
This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-13878/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
0
21h ago

CVE-2026-24006

Overview

lxsmnsyc
seroval

22 Jan 2026

Published

22 Jan 2026

Updated

CVSS v3.1

HIGH (7.5)

EPSS

Pending

MITRE

KEV

Description

Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a `depthLimit` parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached.

Statistics

1 Post

Last activity: 9 hours ago

Fediverse

TheHackerWire @thehackerwire

🟠 CVE-2026-24006 - High (7.5)

Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0
and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Sero...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24006/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
0
9h ago

CVE-2026-24002

Overview

gristlabs
grist-core

22 Jan 2026

Published

22 Jan 2026

Updated

CVSS v3.1

CRITICAL (9.1)

EPSS

Pending

MITRE

KEV

Description

Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox barrier. If a user of Grist sets `GRIST_SANDBOX_FLAVOR` to `pyodide` and opens a malicious document, that document could run arbitrary processes on the server hosting Grist. The problem has been addressed in Grist version 1.7.9 and up, by running pyodide under deno. As a workaround, a user can use the gvisor-based sandbox by setting `GRIST_SANDBOX_FLAVOR` to `gvisor`.

Statistics

1 Post

Last activity: 9 hours ago

Fediverse

TheHackerWire @thehackerwire

🔴 CVE-2026-24002 - Critical (9)

Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, bu...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24002/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
0
9h ago

CVE-2025-57156

Overview

Pending

20 Jan 2026

Published

21 Jan 2026

Updated

CVSS

Pending

EPSS

0.07%

MITRE

KEV

Description

NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through commit 6d604a1 (newer commit after version 28.12) allows remote attackers to cause a Denial of Service (crash).

Statistics

1 Post

Last activity: 21 hours ago

Fediverse

TheHackerWire @thehackerwire

🟠 CVE-2025-57156 - High (7.5)

NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through commit 6d604a1 (newer commit after version 28.12) allows remote attackers to cause a Denial of Service (crash).

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-57156/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
0
21h ago

CVE-2025-70651

Overview

Pending

21 Jan 2026

Published

21 Jan 2026

Updated

CVSS

Pending

EPSS

Pending

MITRE

KEV

Description

Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow in the ssid parameter of the form_fast_setting_wifi_set function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

Statistics

1 Post

Last activity: 21 hours ago

Fediverse

TheHackerWire @thehackerwire

🟠 CVE-2025-70651 - High (7.5)

Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow in the ssid parameter of the form_fast_setting_wifi_set function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-70651/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

0
0
0
21h ago

CVE-2025-59719

Overview

Fortinet
FortiWeb

09 Dec 2025

Published

14 Jan 2026

Updated

CVSS v3.1

CRITICAL (9.1)

EPSS

0.08%

MITRE

KEV

Description

An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.

Statistics

2 Posts

Last activity: 5 hours ago

Fediverse

:mastodon: decio @decio

Si vous administrez des FortiGate/FortiOS : des admins signalent un contournement du patch de la vulnérabilité critique CVE-2025-59718 (FortiCloud SSO https://fortiguard.fortinet.com/psirt/FG-IR-25-647 ) → compromission possible même sur des firewalls « patchés » (ex. 7.4.9/7.4.10).

( https://www.reddit.com/r/fortinet/comments/1qibdcb/possible_new_sso_exploit_cve202559718_on_749/ )

Préreq : “Allow administrative login using FortiCloud SSO” activé (souvent après enregistrement FortiCare).

Mitigation : désactiver admin-forticloud-sso-login + restreindre l’accès admin + vérifier logs/nouveaux comptes.

Chaîne d'exploitation: CVE-2025-59718 (+ CVE-2025-59719 côté FortiWeb) ➡️ envoi de messages SAML forgés ➡️ bypass de vérification de signature ➡️ accès admin non autorisé.

[Références]
"Fortinet admins report patched FortiGate firewalls getting hacked"
👇
https://www.bleepingcomputer.com/news/security/fortinet-admins-report-patched-fortigate-firewalls-getting-hacked/

( https://cyberveille.ch/posts/2026-01-21-fortigate-contournement-de-correctif-sur-lauthentification-forticloud-sso-cve-2025-59718-activement-exploite/)

💬
⬇️
https://infosec.pub/post/40878137

#CyberVeille #Fortinet #FortiGate #FortiOS #CVE_2025_59718

0
0
0
5h ago

Bluesky

Information Security Briefly @infosecbriefly.bsky.social

Automated attackers exploit Fortinet SSO vulnerabilities (CVE-2025-59718, CVE-2025-59719) to create accounts, enable VPN access, and exfiltrate firewall configurations.

0
0
0
6h ago