
Overview

  • AWS
  • Kiro IDE

Published: 09 Jan 2026
Updated: 09 Jan 2026

CVSS v4.0: HIGH (8.4)
EPSS: Pending

KEV

Description

Processing specially crafted workspace folder names could allow for arbitrary command injection in the Kiro GitLab Merge-Request helper in Kiro IDE before version 0.6.18 when opening maliciously crafted workspaces. To mitigate, users should update to the latest version.

Statistics

  • 1 Post

Last activity: 10 hours ago

Fediverse

🟠 CVE-2026-0830 - High (7.8)

Processing specially crafted workspace folder names could allow for arbitrary command injection in the Kiro GitLab Merge-Request helper in Kiro IDE before version 0.6.18 when opening maliciously crafted workspaces.

To mitigate, users should updat...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda

Overview

  • Pending

Published: 09 Jan 2026
Updated: 09 Jan 2026

CVSS: Pending
EPSS: Pending

KEV

Description

A vulnerability exists in Intelbras CFTV IP NVD 9032 R Ftd V2.800.00IB00C.0.T, which allows an unauthenticated attacker to bypass the multi-factor authentication (MFA) mechanism during the password recovery process. This results in the ability to change the admin password and gain full access to the administrative panel.

Statistics

  • 1 Post

Last activity: 9 hours ago

Fediverse

🟠 CVE-2025-67070 - High (8.2)

A vulnerability exists in Intelbras CFTV IP NVD 9032 R Ftd V2.800.00IB00C.0.T, which allows an unauthenticated attacker to bypass the multi-factor authentication (MFA) mechanism during the password recovery process. This results in the ability to ...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda

Overview

  • remix-run
  • react-router

Published: 10 Jan 2026
Updated: 10 Jan 2026

CVSS v3.1: HIGH (8.0)
EPSS: Pending

KEV

Description

React Router is a router for React. In @remix-run/router versions prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended JavaScript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.

Statistics

  • 1 Post

Last activity: 5 hours ago

Fediverse

🟠 CVE-2026-22029 - High (8)

React Router is a router for React. In @remix-run/router version prior to 1.23.2. and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode,...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Overview

  • opf
  • openproject

Published: 10 Jan 2026
Updated: 10 Jan 2026

CVSS v3.1: CRITICAL (9.1)
EPSS: Pending

KEV

Description

OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disguised as a PNG) as a work package attachment, an attacker can exploit the backend image processing engine (ImageMagick). When the work package is exported to PDF, the backend attempts to resize the image, triggering the ImageMagick text: coder. This allows an attacker to read arbitrary local files that the application user has permissions to access (e.g., /etc/passwd, all project configuration files, private project data, etc.). The attack requires permissions to upload attachments to a container that can be exported to PDF, such as a work package. The issue has been patched in version 16.6.4. Those who are unable to upgrade may apply the patch manually.

Statistics

  • 1 Post

Last activity: 6 hours ago

Fediverse

🔴 CVE-2026-22600 - Critical (9.1)

OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disg...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda

Overview

  • Pending

Published: 08 Jan 2026
Updated: 09 Jan 2026

CVSS: Pending
EPSS: 0.10%

KEV

Description

An issue was discovered in Panda Wireless PWRU0 devices with firmware 2.2.9 that exposes multiple HTTP endpoints (/goform/setWan, /goform/setLan, /goform/wirelessBasic) that do not enforce authentication. A remote unauthenticated attacker can modify WAN, LAN, and wireless settings directly, leading to privilege escalation and denial of service.

Statistics

  • 1 Post

Last activity: 12 hours ago

Fediverse

🔴 CVE-2025-68715 - Critical (9.1)

An issue was discovered in Panda Wireless PWRU0 devices with firmware 2.2.9 that exposes multiple HTTP endpoints (/goform/setWan, /goform/setLan, /goform/wirelessBasic) that do not enforce authentication. A remote unauthenticated attacker can modi...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda

Overview

  • TryGhost
  • Ghost

Published: 10 Jan 2026
Updated: 10 Jan 2026

CVSS v3.1: HIGH (8.1)
EPSS: Pending

KEV

Description

Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be accessible via Staff Session authentication. External systems that have been authenticated via Staff Tokens for Admin/Owner-role users would have had access to these endpoints. This issue has been patched in versions 5.130.6 and 6.11.0.

Statistics

  • 1 Post

Last activity: 5 hours ago

Fediverse

🟠 CVE-2026-22595 - High (8.1)

Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be ac...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Overview

  • n8n-io
  • n8n

Published: 19 Dec 2025
Updated: 22 Dec 2025

CVSS v3.1: CRITICAL (10.0)
EPSS: 8.42%

KEV

Description

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

Statistics

  • 3 Posts
  • 18 Interactions

Last activity: 22 hours ago

Fediverse

🚨 Critical vulnerabilities in n8n

In the last three weeks, four critical vulnerabilities (CVE-2025-68613, CVE-2025-68668, CVE-2026-21858, CVE-2026-21877) have been reported in the open-source workflow automation platform n8n, which can be exploited by attackers to execute arbitrary program code and, where applicable, fully compromise the systems.

Affected systems should be updated to a current version promptly.

Details on the individual vulnerabilities:

CVE-2025-68613 (affects versions before 1.20.4)
github.com/n8n-io/n8n/security

CVE-2025-68668 (affects versions before 2.0.0)
github.com/n8n-io/n8n/security

CVE-2026-21858 (affects versions before 1.121.0)
github.com/n8n-io/n8n/security

CVE-2026-21877 (affects versions before 1.121.3)
github.com/n8n-io/n8n/security


Bluesky

It's a nice start to the year for the FrenchTech with: 💥 n8n vulns CVE-2026-21858 and CVE-2025-68613 by @chocapikk.bsky.social 💥 Livewire vuln CVE-2025-54068* by @w0rty.bsky.social and @remsio.bsky.social Well done to you 🎉 and happy new year 2026 😄 *come on.... the end of 2025 is almost the start of 2026 😅

Overview

  • Pending

Published: Pending
Updated: Pending

CVSS: Pending
EPSS: Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 14 hours ago

Fediverse

InputPlumber: Lack of D-Bus Authorization and Input Verification allows UI Input Injection and Denial-of-Service (CVE-2025-66005, CVE-2025-14338)

security.opensuse.org/2026/01/

Overview

  • Pending

Published: Pending
Updated: Pending

CVSS: Pending
EPSS: Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 14 hours ago

Fediverse

InputPlumber: Lack of D-Bus Authorization and Input Verification allows UI Input Injection and Denial-of-Service (CVE-2025-66005, CVE-2025-14338)

security.opensuse.org/2026/01/

Overview

  • n8n-io
  • n8n

Published: 26 Dec 2025
Updated: 05 Jan 2026

CVSS v3.1: CRITICAL (9.9)
EPSS: 0.10%

KEV

Description

n8n is an open source workflow automation platform. From version 1.0.0 to before 2.0.0, a sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process. This issue has been patched in version 2.0.0. Workarounds for this issue involve disabling the Code Node by setting the environment variable NODES_EXCLUDE: "[\"n8n-nodes-base.code\"]", disabling Python support in the Code node by setting the environment variable N8N_PYTHON_ENABLED=false, which was introduced in n8n version 1.104.0, and configuring n8n to use the task runner based Python sandbox via the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables.

Statistics

  • 2 Posts
  • 17 Interactions

Last activity: 22 hours ago

Fediverse

🚨 Critical vulnerabilities in n8n

In the last three weeks, four critical vulnerabilities (CVE-2025-68613, CVE-2025-68668, CVE-2026-21858, CVE-2026-21877) have been reported in the open-source workflow automation platform n8n, which can be exploited by attackers to execute arbitrary program code and, where applicable, fully compromise the systems.

Affected systems should be updated to a current version promptly.

Details on the individual vulnerabilities:

CVE-2025-68613 (affects versions before 1.20.4)
github.com/n8n-io/n8n/security

CVE-2025-68668 (affects versions before 2.0.0)
github.com/n8n-io/n8n/security

CVE-2026-21858 (affects versions before 1.121.0)
github.com/n8n-io/n8n/security

CVE-2026-21877 (affects versions before 1.121.3)
github.com/n8n-io/n8n/security
