Live CVE Feed

Curated from global sources like ENISA EUVD and CVE Details

  • CVE-2026-23566 - Log Injection in Content Distribution Service UDP Handler

    CVE ID: CVE-2026-23566
    Published: Jan. 29, 2026, 9:16 a.m.
    Description: A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows allows an attacker on the adjacent network to inject, tamper with, or forge log entries in \Nomad Branch.log via crafted data sent to the UDP network handler. This can impact log integrity and non-repudiation.
    Severity: 6.5 | MEDIUM

  • CVE-2026-23565 - Denial-of-Service in Content Distribution Service

    CVE ID: CVE-2026-23565
    Published: Jan. 29, 2026, 9:16 a.m.
    Description: A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows allows an attacker on the adjacent network to cause the NomadBranch.exe process to terminate via crafted requests. This can result in a denial-of-service condition of the Content Distribution Service.
    Severity: 6.5 | MEDIUM

  • CVE-2026-23567 - Integer underflow in Content Distribution Service UDP handler

    CVE ID: CVE-2026-23567
    Published: Jan. 29, 2026, 9:16 a.m.
    Description: An integer underflow in the UDP command handler of the TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows allows an adjacent network attacker to trigger a heap-based buffer overflow and cause a denial of service (service crash) via specially crafted UDP packets.
    Severity: 6.5 | MEDIUM

  • CVE-2026-23568 - Out-of-bounds read vulnerability in Content Distribution Service

    CVE ID: CVE-2026-23568
    Published: Jan. 29, 2026, 9:16 a.m.
    Description: An out-of-bounds read vulnerability in the TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows allows an attacker on the adjacent network to cause information disclosure or denial of service via a specially crafted packet. The leaked memory could be used to bypass ASLR and facilitate further exploitation.
    Severity: 5.4 | MEDIUM

  • CVE-2026-23569 - Out-of-bounds read vulnerability in Content Distribution Service

    CVE ID: CVE-2026-23569
    Published: Jan. 29, 2026, 9:16 a.m.
    Description: An out-of-bounds read vulnerability in the TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows allows a remote attacker to leak stack memory and cause a denial of service via a crafted request. The leaked stack memory could be used to bypass ASLR remotely and facilitate exploitation of other vulnerabilities on the affected system.
    Severity: 6.5 | MEDIUM

  • CVE-2026-23570 - Log timestamp tampering vulnerability in Content Distribution Service

    CVE ID: CVE-2026-23570
    Published: Jan. 29, 2026, 9:16 a.m.
    Description: A missing validation of a user-controlled value in the TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows allows an adjacent network attacker to tamper with log timestamps via a crafted UDP Sync command. This could result in forged or nonsensical datetime prefixes, compromising log integrity and forensic correlation.
    Severity: 6.5 | MEDIUM

  • CVE-2026-23571 - Command Injection in 1E-Nomad-RunPkgStatusRequest Instruction in TeamViewer DEX

    CVE ID: CVE-2026-23571
    Published: Jan. 29, 2026, 9:16 a.m.
    Description: A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Nomad-RunPkgStatusRequest instruction. Improper input validation allows authenticated attackers with actioner privilege to run elevated arbitrary commands on connected hosts via malicious commands injected into the instruction's input field. Users of 1E Client version 24.5 or higher are not affected.
    Severity: 6.8 | MEDIUM

  • CVE-2026-1188 - Eclipse OMR Buffer Overflow Vulnerability

    CVE ID: CVE-2026-1188
    Published: Jan. 29, 2026, 9:16 a.m.
    Description: In the Eclipse OMR port library component since release 0.2.0, an API function to return the textual names of all supported processor features was not accounting for the separator inserted between processor features. If the output buffer supplied to this function was incorrectly sized, failing to account for the separator when determining when a write to the buffer was safe could lead to a buffer overflow. This issue is fixed in Eclipse OMR version 0.8.0.
    Severity: 6.9 | MEDIUM

  • CVE-2026-23563 - Privilege escalation in TeamViewer DEX via DeleteFileByPath instruction

    CVE ID: CVE-2026-23563
    Published: Jan. 29, 2026, 9:16 a.m.
    Description: Improper Link Resolution Before File Access (invoked by the 1E-Explorer-TachyonCore-DeleteFileByPath instruction) in TeamViewer DEX - 1E Client before version 26.1 on Windows allows a low-privileged local attacker to delete protected system files via a crafted RPC control junction or symlink that is followed when the delete instruction executes.
    Severity: 5.7 | MEDIUM

  • CVE-2026-23564 - Transmission of Unencrypted Data in Content Distribution Service

    CVE ID: CVE-2026-23564
    Published: Jan. 29, 2026, 9:16 a.m.
    Description: A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows allows an attacker on the adjacent network to cause normally encrypted UDP traffic to be sent in cleartext. This can result in disclosure of sensitive information.
    Severity: 6.5 | MEDIUM

  • SolarWinds fixes critical Web Help Desk RCE vulnerabilities, upgrade ASAP!
    on January 29, 2026 at 9:17 am

    SolarWinds has fixed six critical and high-severity vulnerabilities in its popular Web Help Desk (WHD) support ticketing and asset management solution, and is urging customers to upgrade to v2026.1 as ...
    Vulnerabilities mentioned in this article: CVE-2025-40554, CVE-2025-40553, CVE-2025-40552, CVE-2025-40551, CVE-2025-40537, CVE-2025-40536, CVE-2025-8088, CVE-2024-28987, CVE-2024-28986

  • Locked Out of the Crate: Microsoft’s “Smart” Security Cripples ASUS ROG Ally
    on January 29, 2026 at 8:30 am

    Microsoft Defender suite continues to exhibit erratic behavior, with the latest anomaly involving the Smart App Control feature erroneously flagging ASUS Armoury Crate. This "false positive" has rende ...
    Vulnerabilities mentioned in this article: CVE-2026-24858, CVE-2026-21509, CVE-2026-20045, CVE-2025-21298, CVE-2023-5716

  • Critical Solarwinds Web Vulnerability Allows Remote Code Execution and Security Bypass
    on January 29, 2026 at 8:27 am

    Multiple critical vulnerabilities in SolarWinds Web Help Desk (WHD), culminating in unauthenticated remote code execution (RCE) via Java deserialization in CVE-2025-40551, were uncovered by Horizon3.a ...
    Vulnerabilities mentioned in this article: CVE-2025-40551, CVE-2025-40537, CVE-2025-40536, CVE-2025-26399, CVE-2024-28988, CVE-2024-28986

  • The Final Hang-Up: Microsoft Disables Legacy Modem Drivers for Security
    on January 29, 2026 at 8:24 am

    For users of Windows 11 who have recently deployed the latest cumulative updates, a myriad of complications may have already surfaced. Among these, a relatively obscure yet critical issue has emerged: ...
    Vulnerabilities mentioned in this article: CVE-2026-24858, CVE-2026-21509, CVE-2026-20045, CVE-2025-24052, CVE-2023-31096

  • High-Severity IDOR Flaw Lets Admins Hijack TP-Link Omada Owner Accounts
    on January 29, 2026 at 3:13 am

    TP-Link has issued a security advisory regarding multiple vulnerabilities discovered in its Omada Controller software, a popular centralized management platform for business networking. The most sever ...
    Vulnerabilities mentioned in this article: CVE-2026-24858, CVE-2025-9522, CVE-2025-9521, CVE-2025-9520, CVE-2025-14756, CVE-2026-21509, CVE-2026-20045, CVE-2026-0629, CVE-2025-6542

  • Safety Broken: PyTorch “Safe” Mode Bypassed by Critical RCE Flaw
    on January 29, 2026 at 2:58 am

    The development team behind PyTorch, the backbone of modern deep learning and AI research, has patched a high-severity vulnerability that breaks the trust of its most security-conscious feature. Track ...
    Vulnerabilities mentioned in this article: CVE-2026-24765, CVE-2026-24747, CVE-2026-24858, CVE-2026-21509, CVE-2026-20045, CVE-2025-32434, CVE-2024-5480

  • CVE-2026-24765: PHPUnit Vulnerability Exposes CI/CD Pipelines to RCE
    on January 29, 2026 at 2:48 am

    The maintainers of PHPUnit, the industry-standard testing framework for PHP, have released a critical security update to address a high-severity vulnerability that turns the testing process itself int ...
    Vulnerabilities mentioned in this article: CVE-2026-24765, CVE-2026-24858, CVE-2026-21509, CVE-2026-20045

  • CVE-2026-24002: Critical Sandbox Escape Turns Grist Spreadsheets into RCE Weapons
    on January 29, 2026 at 2:30 am

    A seemingly innocent spreadsheet formula could be the key to compromising entire organizations, thanks to a critical vulnerability uncovered by Cyera Research Labs in Grist-Core. The flaw, tracked as ...
    Vulnerabilities mentioned in this article: CVE-2026-23830, CVE-2026-24765, CVE-2026-24858, CVE-2025-14988, CVE-2026-21509, CVE-2026-0994, CVE-2026-24002, CVE-2026-20045, CVE-2026-0695, CVE-2025-61937, CVE-2026-22864, CVE-2026-22863, CVE-2025-37186, CVE-2025-52691, CVE-2025-68668, CVE-2025-37164, CVE-2025-59396, CVE-2025-61787, CVE-2025-58384, CVE-2025-8088, CVE-2025-1316, CVE-2023-28445

  • The “Zeroplayer” Arsenal: WinRAR Flaw CVE-2025-8088 Weaponized by Spies
    on January 29, 2026 at 1:58 am

    Timeline of notable observed exploitation (image: GTIG)
    A critical vulnerability in one of the world's most popular file archivers has become a favorite weapon for government spies and cybercriminals ...
    Vulnerabilities mentioned in this article: CVE-2026-24858, CVE-2026-21509, CVE-2026-24002, CVE-2026-20045, CVE-2025-8088

  • Dissecting CVE-2026-22709: The Zombie Exploit in Node.js vm2
    on January 29, 2026 at 1:36 am

    January 29, 2026. CVE-2026-22709 represents a critical sandbox escape vulnerability in the widely used vm2 Node.js library, allowing attackers to achieve remote code execution (RCE) on host systems. This ...
    Vulnerabilities mentioned in this article: CVE-2026-24858, CVE-2026-22709

  • CVE-2026-23830: Critical SandboxJS Flaw (CVSS 10) Allows Total Sandbox Escape
    on January 29, 2026 at 12:22 am

    A perfect storm of missing checks has led to a maximum-severity vulnerability in SandboxJS, a library designed to safely execute untrusted JavaScript code. Tracked as CVE-2026-23830, the flaw carries ...
    Vulnerabilities mentioned in this article: CVE-2026-23830, CVE-2026-24858, CVE-2025-14988, CVE-2026-21509, CVE-2026-0994, CVE-2026-20045, CVE-2026-0695, CVE-2025-61937, CVE-2025-37186, CVE-2025-52691, CVE-2025-37164, CVE-2025-59396, CVE-2025-58384, CVE-2025-47154, CVE-2025-1316

  • CVE-2025-14988: Critical 9.8 Vulnerability hits ibaPDA Industrial Software
    on January 29, 2026 at 12:16 am

    A critical security vulnerability has been identified in ibaPDA, a core data acquisition system used in industrial environments to monitor and analyze process data. Tracked as CVE-2025-14988, the flaw ...
    Vulnerabilities mentioned in this article: CVE-2026-23830, CVE-2026-24858, CVE-2025-14988, CVE-2026-21509, CVE-2026-0994, CVE-2026-20045, CVE-2026-0695, CVE-2025-61937, CVE-2025-37186, CVE-2025-52691, CVE-2025-37164, CVE-2025-59396, CVE-2025-58384, CVE-2025-1316

  • Malicious Open Source Software Packages Neared 500,000 in 2025
    on January 28, 2026 at 8:35 pm

    Malicious open source software packages have become a critical problem threatening the software supply chain. That's one of the major takeaways of a new report titled "State of the Software Supply Cha ...
    Vulnerabilities mentioned in this article: CVE-2025-55182, CVE-2024-37079, CVE-2024-3094

  • Everybody is WinRAR phishing, dropping RATs as fast as lightning
    on January 28, 2026 at 6:59 pm

    Come one, come all. Everyone from Russian and Chinese government goons to financially motivated miscreants is exploiting a long-since-patched WinRAR vuln to bring you infostealers and Remote Access Tr ...
    Vulnerabilities mentioned in this article: CVE-2025-8088

  • New sandbox escape flaw exposes n8n instances to RCE attacks
    on January 28, 2026 at 5:46 pm

    Two vulnerabilities in the n8n workflow automation platform could allow attackers to fully compromise affected instances, access sensitive data, and execute arbitrary code on the underlying host. Iden ...
    Vulnerabilities mentioned in this article: CVE-2026-1470, CVE-2026-0863, CVE-2026-21858

  • CVE-2025-40551: SolarWinds WebHelpDesk RCE Deep-Dive and Indicators of Compromise
    on January 28, 2026 at 4:49 pm

    Vulnerabilities mentioned in this article: CVE-2025-40551

  • Fortinet unearths another critical bug as SSO accounts borked post-patch
    on January 28, 2026 at 4:30 pm

    Things aren't over yet for Fortinet customers: the security shop has disclosed yet another critical FortiCloud SSO vulnerability. Those hoping for a reprieve following last week's patch pantomime are ...

  • TP-Link Archer Vulnerability Let Attackers Take Control Over the Router
    on January 28, 2026 at 4:15 pm

    A critical security advisory has been released for a command injection vulnerability affecting the Archer MR600 v5 router. The flaw, tracked as CVE-2025-14756, enables authenticated attackers to execu ...
    Vulnerabilities mentioned in this article: CVE-2025-14756

  • Gemini MCP Tool 0-day Vulnerability Allows Remote Attackers to Execute Arbitrary Code
    on January 28, 2026 at 4:06 pm

    A critical zero-day vulnerability in Gemini MCP Tool exposes users to remote code execution (RCE) attacks without any authentication. Tracked as ZDI-26-021 / ZDI-CAN-27783 and assigned CVE-2026-0755, ...
    Vulnerabilities mentioned in this article: CVE-2026-0755

  • SolarWinds warns of critical vulnerabilities in Web Help Desk
    on January 28, 2026 at 4:02 pm

    Software company SolarWinds warns of several critical vulnerabilities in Web Help Desk that allow unauthenticated attackers to take over systems remotely. The software also contains har ...
    Vulnerabilities mentioned in this article: CVE-2025-40554, CVE-2025-40553, CVE-2025-40551, CVE-2025-40537, CVE-2024-28987, CVE-2024-28986

  • Hackers Still Using Patched WinRAR Flaw for Malware Drops, Warns Google
    on January 28, 2026 at 3:49 pm

    The Google Threat Intelligence Group (GTIG) warns that nation-state actors and financially motivated threat actors are exploiting a flaw in WinRAR. Known as CVE-2025-8088, this vulnerability allows ha ...
    Vulnerabilities mentioned in this article: CVE-2025-8088

  • WinRAR vulnerability still a go-to tool for hackers, Mandiant warns
    on January 28, 2026 at 2:57 pm

    State-sponsored hackers and financially motivated attackers continue leveraging a critical WinRAR vulnerability (CVE-2025-8088) that was fixed over half a year ago. CVE-2025-8088 is a path traversa ...
    Vulnerabilities mentioned in this article: CVE-2026-24858, CVE-2026-21509, CVE-2025-8088

  • SolarWinds warns of critical Web Help Desk RCE, auth bypass flaws
    on January 28, 2026 at 2:39 pm

    SolarWinds has released security updates to patch critical authentication bypass and remote command execution vulnerabilities in its Web Help Desk IT help desk software. The authentication bypass secu ...
    Vulnerabilities mentioned in this article: CVE-2025-40554, CVE-2025-40553, CVE-2025-40552, CVE-2025-40551, CVE-2025-40537, CVE-2025-26399, CVE-2024-28988, CVE-2024-28986

  • Check Point Harmony SASE Windows Client Vulnerability Enables Privilege Escalation
    on January 28, 2026 at 2:35 pm

    A critical privilege-escalation vulnerability has been discovered in Check Point's Harmony SASE (Secure Access Service Edge) Windows client software, affecting versions prior to 12.2. Tracked as CVE-2 ...
    Vulnerabilities mentioned in this article: CVE-2026-24858, CVE-2025-9142

  • Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution
    on January 28, 2026 at 2:01 pm

    A critical sandbox escape vulnerability has been disclosed in the popular vm2 Node.js library that, if successfully exploited, could allow attackers to run arbitrary code on the underlying operating s ...
    Vulnerabilities mentioned in this article: CVE-2026-22709, CVE-2026-20045, CVE-2024-37079, CVE-2023-37903, CVE-2023-37466, CVE-2023-32314, CVE-2023-30547, CVE-2023-29199, CVE-2023-29017, CVE-2022-36067

severity high

  • CVE-2026-24897 - Authenticated Remote Code Execution via Arbitrary File Upload

    CVE ID: CVE-2026-24897
    Published: Jan. 28, 2026, 11:15 p.m.
    Description: Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user-supplied paths when creating shares. By specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue.
    Severity: 10.0 | CRITICAL

  • CVE-2026-24835 - Podman Desktop Extension System Vulnerable to Authentication Bypass

    CVE ID: CVE-2026-24835
    Published: Jan. 28, 2026, 9:16 p.m.
    Description: Podman Desktop is a graphical tool for developing on containers and Kubernetes. A critical authentication bypass vulnerability in Podman Desktop prior to version 1.25.1 allows any extension to completely circumvent permission checks and gain unauthorized access to all authentication sessions. The `isAccessAllowed()` function unconditionally returns `true`, enabling malicious extensions to impersonate any user, hijack authentication sessions, and access sensitive resources without authorization. This vulnerability affects all versions of Podman Desktop. Version 1.25.1 contains a patch for the issue.
    Severity: 8.8 | HIGH

  • CVE-2026-24769 - NocoDB Vulnerable to Stored Cross-Site Scripting via SVG upload

    CVE ID: CVE-2026-24769
    Published: Jan. 28, 2026, 9:16 p.m.
    Description: NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting (XSS) vulnerability exists in NocoDB's attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment. Because the malicious payload is stored server-side and executed under the application's origin, successful exploitation can lead to account compromise, data exfiltration and unauthorized actions performed on behalf of affected users. Version 0.301.0 patches the issue.
    Severity: 8.5 | HIGH

  • CVE-2026-0750 - Payment bypass in Commerce Paybox

    CVE ID: CVE-2026-0750
    Published: Jan. 28, 2026, 7:16 p.m.
    Description: An Improper Verification of Cryptographic Signature vulnerability in the Drupal Commerce Paybox module on Drupal 7.x allows Authentication Bypass. This issue affects Drupal Commerce Paybox: from 7.x-1.0 through 7.x-1.5.
    Severity: 8.7 | HIGH

  • CVE-2026-24772 - OpenProject has SSRF and CSWSH in Hocuspocus Synchronization Server

    CVE ID: CVE-2026-24772
    Published: Jan. 28, 2026, 7:16 p.m.
    Description: OpenProject is an open-source, web-based project management software. To enable real-time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenProject backend generates an authentication token that is currently valid for 24 hours and encrypts it with a shared secret known only to the synchronization server. The frontend hands this encrypted token and the backend URL over to the synchronization server to check the user's ability to work on the document and perform intermittent saves while editing. The synchronization server does not properly validate the backend URL and sends a request with the decrypted authentication token to the endpoint that was given to the server. An attacker could use this vulnerability to decrypt a token intercepted by other means and thereby obtain an access token to interact with OpenProject on the victim's behalf. This vulnerability was introduced with OpenProject 17.0.0 and was fixed in 17.0.2. As a workaround, disable the collaboration feature via Settings -> Documents -> Real time collaboration -> Disable. Additionally, the `hocuspocus` container should also be disabled.
    Severity: 8.9 | HIGH

  • CVE-2025-57792 - SQL Injection Vulnerability in Explorance Blue

    CVE ID: CVE-2025-57792
    Published: Jan. 28, 2026, 6:16 p.m.
    Description: Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user input in a web application endpoint. An attacker can supply crafted input that is executed as part of backend database queries. The issue is exploitable without authentication, significantly raising the risk.
    Severity: 10.0 | CRITICAL

  • CVE-2025-57793 - SQL Injection Vulnerability in Explorance Blue

    CVE ID: CVE-2025-57793
    Published: Jan. 28, 2026, 6:16 p.m.
    Description: Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user-supplied input in a web application component. Crafted input can be executed as part of backend database queries. The issue is exploitable without authentication, significantly elevating the risk.
    Severity: 8.6 | HIGH

  • CVE-2025-57794 - Unrestricted File Upload Vulnerability in Explorance Blue

    CVE ID: CVE-2025-57794
    Published: Jan. 28, 2026, 6:16 p.m.
    Description: Explorance Blue versions prior to 8.14.9 contain an authenticated unrestricted file upload vulnerability in the administrative interface. The application does not adequately restrict uploaded file types, allowing malicious files to be uploaded and executed by the server. This condition enables remote code execution under default configurations.
    Severity: 9.1 | CRITICAL

  • CVE-2025-57795 - Unauthenticated Remote File Download in Explorance Blue

    CVE ID: CVE-2025-57795
    Published: Jan. 28, 2026, 6:16 p.m.
    Description: Explorance Blue versions prior to 8.14.13 contain an authenticated remote file download vulnerability in a web service component. In default configurations, this flaw can be leveraged to achieve remote code execution.
    Severity: 9.9 | CRITICAL

  • CVE-2020-36973 - PDW File Browser 1.3 - Remote Code Execution

    CVE ID: CVE-2020-36973
    Published: Jan. 28, 2026, 6:16 p.m.
    Description: PDW File Browser 1.3 contains a remote code execution vulnerability that allows authenticated users to upload and rename webshell files to arbitrary web server locations. Attackers can upload a .txt webshell, rename it to .php, and move it to accessible directories using double-encoded path traversal techniques.
    Severity: 8.7 | HIGH
