ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
January 2026 Microsoft Patch Tuesday Summary
Published: 2026-01-13
Last Updated: 2026-01-13 19:05:41 UTC
by Johannes Ullrich (Version: 1)
Today, Microsoft released patches for 113 vulnerabilities. One of these vulnerabilities affected the Edge browser and was patched upstream by Chromium.
Eight of the vulnerabilities are rated critical. One has been disclosed before today, and one is already being exploited. Five of the critical vulnerabilities affect Microsoft Office components.
Noteworthy Vulnerabilities
CVE-2026-20854: A remote code execution vulnerability in LSASS. This brings back memories from hallmark Windows security events like the Blaster worm. However, in this case, the attacker must be authenticated. But the attacker does not need elevated privileges. Microsoft considers exploitation less likely.
- https://nvd.nist.gov/vuln/detail/CVE-2026-20854
CVE-2026-20805: This is an information disclosure vulnerability in the Desktop Windows Manager, and it is already being exploited. The vulnerability can be used to identify the section address from a remote ALPC port.
- https://nvd.nist.gov/vuln/detail/CVE-2026-20805
CVE-2026-21265: Secure boot may not recognize an expired certificate. This problem was already disclosed, but so far hasn't been exploited ...
- https://nvd.nist.gov/vuln/detail/CVE-2026-21265
Read the full entry: https://isc.sans.edu/diary/January+2026+Microsoft+Patch+Tuesday+Summary/32624/
Malicious Process Environment Block Manipulation
Published: 2026-01-09
Last Updated: 2026-01-09 08:11:05 UTC
by Xavier Mertens (Version: 1)
Reverse engineers must have a good understanding of the environment where malware is executed (read: the operating system). In a previous diary, I talked about malicious code that could be executed when loading a DLL. Today, I’ll show you how malware can hide suspicious information related to created processes.
The API call CreateProcess() is dedicated to, guess what, the creation of new processes! I won’t discuss all the parameters here, but you have to know that it’s possible to specify some flags that describe how the process will be created. One of them is CREATE_SUSPENDED (0x00000004). It instructs the OS to create the process but not launch it automatically. This flag is usually a good sign of maliciousness (for example, in the case of process hollowing).
Every process has a specific structure called the “PEB” (“Process Environment Block”). It’s a user-mode data structure in Windows that the operating system maintains for each running process to store essential runtime information such as loaded modules, process parameters, heap pointers, environment variables, and debugging flags.
The key element in the previous paragraph is user-mode. It means that a process is able to access its own PEB (example: to detect the presence of a debugger attached to the process) but also to modify it!
Let’s take a practical example where malware needs to spawn a cmd.exe with some parameters. We can spoof the command line by modifying the PEB in a few steps ...
Read the full entry: https://isc.sans.edu/diary/Malicious+Process+Environment+Block+Manipulation/32614/
Analysis using Gephi with DShield Sensor Data
Published: 2026-01-07
Last Updated: 2026-01-08 00:13:26 UTC
by Guy Bruneau (Version: 1)
I'm always looking for new ways of manipulating the data captured by my DShield sensor. This time I used Gephi and Graphviz, a popular and powerful tool for visualizing and exploring relationships between nodes, to examine the relationship between the source IP, filename and which sensor got a copy of the file. I queried the past 30 days of data stored in my ELK database in Kibana using ES|QL to query and export the data and import the result into Gephi.
This is the query I used to export the data I needed. Notice the field event.reference == "no match" which is a tag that filters all the known researchers added by Logstash as a tag. ...
Read the full entry: https://isc.sans.edu/diary/Analysis+using+Gephi+with+DShield+Sensor+Data/32608/
YARA-X 1.11.0 Release: Hash Function Warnings (2026.01.11)
https://isc.sans.edu/diary/YARAX+1110+Release+Hash+Function+Warnings/32616/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2026-20805 - Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally.
Product: Microsoft Desktop Windows Manager
CVSS Score: 5.5
** KEV since 2026-01-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20805
ISC Diary: https://isc.sans.edu/diary/32624
NVD References:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20805
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20805
CVE-2025-8110 - Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.
Product: Gogs PutContents API
CVSS Score: 0
** KEV since 2026-01-12 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8110
ISC Podcast: https://isc.sans.edu/podcastdetail/9764
NVD References: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-8110
CVE-2026-21858 - n8n, an open source workflow automation platform, is vulnerable to remote attackers exploiting versions below 1.121.0 to access files on the server, potentially leading to exposure of sensitive information and further compromise.
Product: n8n Workflow Automation Platform
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21858
ISC Podcast: https://isc.sans.edu/podcastdetail/9758
CVE-2026-21877 - n8n is vulnerable to authenticated attackers executing malicious code in versions 0.121.2 and below, fixed in version 1.121.3. Mitigations are disabling the Git node and limiting access for untrusted users; upgrading is recommended.
Product: n8n workflow automation platform
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21877
CVE-2026-0491 - SAP Landscape Transformation allows an attacker to inject arbitrary code through a backdoor, compromising system security.
Product: SAP Landscape Transformation
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0491
CVE-2026-0498 - SAP S/4HANA (Private Cloud and On-Premise) is vulnerable to an admin privilege exploit in its function module, allowing injection of arbitrary code and posing a backdoor risk for full system compromise.
Product: SAP S/4HANA
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0498
CVE-2026-0500 - SAP Wily Introscope Enterprise Manager (WorkStation) is vulnerable to unauthenticated remote code execution attacks via a malicious JNLP file accessible by a public facing URL, compromising system security.
Product: SAP Wily Introscope Enterprise Manager
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0500
CVE-2026-0501 - SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) allows authenticated users to execute crafted SQL queries, compromising confidentiality, integrity, and availability.
Product: SAP S/4HANA Private Cloud
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0501
CVE-2025-15444 - Crypt::Sodium::XS module versions prior to 0.000042 for Perl are vulnerable due to including a version of libsodium with a CVE-2025-69277 vulnerability.
Product: Crypt Perl
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-15444
CVE-2025-15385 - Insufficient Verification of Data Authenticity vulnerability in TECNO Mobile com.Afmobi.Boomplayer allows Authentication Bypass. This issue affects com.Afmobi.Boomplayer: 7.4.63.
Product: TECNO Mobile com.Afmobi.Boomplayer
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-15385
CVE-2026-21675 - iccDEV contains a Use After Free vulnerability in versions 2.3.1 and below that is fixed in version 2.3.1.1.
Product: Color iccDEV
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21675
CVE-2020-36912 - Plexus anblick Digital Signage Management 3.1.13 has an open redirect vulnerability in the 'PantallaLogin' script, allowing attackers to manipulate the 'pagina' GET parameter and redirect users to malicious websites.
Product: Plexus anblick Digital Signage Management 3.1.13
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-36912
CVE-2020-36923 - Sony BRAVIA Digital Signage 1.7.8 is susceptible to an insecure direct object reference vulnerability that enables unauthorized access to hidden system resources.
Product: Sony BRAVIA Digital Signage 1.7.8
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-36923
CVE-2020-36925 - Arteco Web Client DVR/NVR is vulnerable to session hijacking due to weak session ID complexity, allowing remote attackers to bypass authentication and access live camera streams.
Product: Arteco Web Client DVR/NVR
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-36925
CVE-2025-60262 - H3C M102G HM1A0V200R010 wireless controller and BA1500L SWBA1A0V100R006 wireless access point are vulnerable to a misconfiguration in vsftpd, allowing remote attackers to gain root-level control through anonymously uploaded files.
Product: H3C M102G HM1A0V200R010 wireless controller and BA1500L SWBA1A0V100R006 wireless access point
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60262
CVE-2025-65212 - NJHYST HY511 POE core before 2.1 and plugins before 0.1 allows attackers to bypass authentication and access configuration files by exploiting insufficient cookie verification.
Product: NJHYST HY511 POE core
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65212
CVE-2025-60534 - Blue Access Cobalt v02.000.195 is vulnerable to an authentication bypass flaw that enables unauthorized users to manipulate the web application's functionality without proper credentials.
Product: Blue Access Cobalt
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60534
CVE-2025-14942 - wolfSSH's key exchange state machine can be manipulated to leak sensitive information and trick clients into insecure actions, affecting versions 1.4.21 and earlier, requiring immediate patching and credential updates.
Product: wolfSSH
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14942
CVE-2025-15471 - TRENDnet TEW-713RE 1.02 is vulnerable to remote OS command injection through manipulation of the argument SZCMD in the file /goformX/formFSrvX, with the exploit now public and the vendor unresponsive to early disclosure.
Product: TRENDnet TEW-713RE
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-15471
CVE-2025-68637 - The Uniffle HTTP client exposes REST API communication to potential MITM attacks due to insecure SSL certificate trust and hostname verification settings.
Product: Uniffle HTTP client
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-68637
CVE-2026-0628 - Google Chrome's WebView tag prior to version 143.0.7499.192 is vulnerable to script injection via a crafted Chrome Extension, posing a high security risk.
Product: Google Chrome
CVSS Score: 8.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0628
ISC Diary: https://isc.sans.edu/diary/32624
NVD References: https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop.html
CVE-2025-12543 - Undertow HTTP server core fails to validate Host headers, allowing attackers to poison caches, scan networks, or hijack user sessions.
Product: Red Hat Undertow HTTP server core
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12543
CVE-2025-61492 - Terminal-controller-mcp 0.1.7 is vulnerable to command injection, enabling attackers to execute arbitrary commands with a specially crafted input.
Product: Terminal-controller-mcp 0.1.7
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61492
CVE-2026-21854 - Tarkov Data Manager had an authentication bypass vulnerability in the login endpoint prior to 02 January 2025, allowing unauthenticated users to gain admin access through JavaScript exploitation.
Product: Tarkov Data Manager
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21854
CVE-2026-21855 - The Tarkov Data Manager had a reflected Cross Site Scripting (XSS) vulnerability prior to 02 January 2025, allowing attackers to execute arbitrary JavaScript through malicious URLs.
Product: Tarkov Data Manager
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21855
CVE-2026-22189 - Panda3D versions up to and including 1.10.16 egg-mkfont has a stack-based buffer overflow vulnerability.
Product: CMU Panda3D
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22189
CVE-2025-69222 - LibreChat version 0.8.1-rc2 is prone to a server-side request forgery (SSRF) vulnerability due to missing restrictions on the Actions feature.
Product: LibreChat ChatGPT
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-69222
CVE-2026-22252 - LibreChat prior to v0.8.2-rc2 allows authenticated users to execute root shell commands through the MCP stdio transport.
Product: LibreChat ChatGPT
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22252
CVE-2017-20216 - FLIR Thermal Camera PT-Series firmware version 8.0.0.64 is vulnerable to unauthenticated remote command injection through unsanitized POST parameters in the controllerFlirSystem.php script.
Product: FLIR Thermal Camera PT-Series firmware version 8.0.0.64
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-20216
CVE-2019-25268 - NREL BEopt 2.8.0.0 is vulnerable to DLL hijacking, enabling attackers to execute unauthorized code by tricking users into opening application files from remote shares.
Product: NREL BEopt 2.8.0.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25268
CVE-2019-25282 - V-SOL GPON/EPON OLT Platform v2.03 is vulnerable to an open redirect flaw that enables attackers to redirect logged-in users to malicious websites through manipulation of the 'parent' GET parameter.
Product: V-SOL GPON/EPON OLT Platform
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25282
CVE-2026-21875 - ClipBucket v5 versions 5.5.2-#187 and below have a Blind SQL Injection vulnerability in the add comment section of a channel.
Product: ClipBucket v5
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21875
CVE-2026-21881 - Kanboard project management software versions 1.2.48 and below is vulnerable to authentication bypass via spoofed HTTP headers when REVERSE_PROXY_AUTH is enabled.
Product: Kanboard project management software
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21881
CVE-2025-62877 - SUSE Virtualization (Harvester) environments using the 1.5.x or 1.6.x interactive installer may expose the OS default ssh login password during new cluster or host additions.
Product: SUSE Virtualization (Harvester)
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62877
CVE-2025-69258 - Trend Micro Apex Central is vulnerable to a LoadLibraryEX exploit that could allow an attacker to run code as SYSTEM.
Product: Trend Micro Apex Central
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-69258
CVE-2026-21876 - The OWASP core rule set (CRS) has a bug in rule 922110 that can lead to missed malicious charsets in multipart requests prior to versions 4.22.0 and 3.3.8.
Product: OWASP core rule set (CRS)
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21876
CVE-2026-21891 - ZimaOS fails to properly validate passwords for system service accounts, allowing authenticated access with any password.
Product: Zimaspace ZimaOS
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21891
CVE-2025-56425 - Enaio versions 10.10, 11.0, and 11.10 are vulnerable to authenticated remote attackers injecting arbitrary SMTP commands via the /osrest/api/organization/sendmail endpoint.
Product: Enaio AppConnector
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-56425
CVE-2025-59468 - PostgreSQL vulnerability in Veeam Backup & Replication that enables a Backup Administrator to execute malicious code remotely under the postgres user by sending a malicious password parameter.
Product: Veeam Backup & Replication
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59468
NVD References: https://www.veeam.com/kb4792
CVE-2025-59469 - This vulnerability in Veeam Backup & Replication allows a Backup or Tape Operator to write files as root.
Product: Veeam Backup & Replication
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59469
NVD References: https://www.veeam.com/kb4792
CVE-2025-59470 - PostgreSQL vulnerability in Veeam Backup & Replication allows a Backup Operator to execute remote code as the postgres user via a malicious interval or order parameter.
Product: Veeam Backup & Replication
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59470
NVD References: https://www.veeam.com/kb4792
CVE-2025-61246 - indieka900 online-shopping-system-php 1.0 is vulnerable to SQL Injection in master/review_action.php via the proId parameter.
Product: indieka900 online-shopping-system-php
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61246
CVE-2025-61546 - Edu Business Solutions Print Shop Pro WebDesk version 18.34 allows remote attackers to exploit the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint and create financial discrepancies by purchasing items with a negative quantity due to client-side input validation controls.
Product: edu Business Solutions Print Shop Pro WebDesk
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61546
CVE-2025-61548 - Edu Business Solutions Print Shop Pro WebDesk version 18.34 is susceptible to SQL Injection via the unsanitized hfInventoryDistFormID parameter in the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint, enabling remote attackers to execute arbitrary SQL commands.
Product: edu Business Solutions Print Shop Pro WebDesk
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61548
CVE-2025-67825 - Nitro PDF Pro for Windows before 14.42.0.34 may display signer information from a non-verified PDF field.
Product: Nitro PDF Pro
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67825
CVE-2026-22234 - OPEXUS eCasePortal before version 9.0.45.0 is vulnerable to unauthorized access to user-uploaded files through the 'Attachments.aspx' endpoint.
Product: OPEXUS eCasePortal
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22234
CVE-2025-67325 - QloApps versions 1.7.0 and earlier have an unrestricted file upload vulnerability in the hotel review feature, allowing remote unauthenticated attackers to achieve remote code execution.
Product: QloApps hotel review feature
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67325
CVE-2025-66913 - JimuReport version 2.1.3 allows remote code execution by processing user-controlled H2 JDBC URLs, enabling attackers to run arbitrary Java code through certain directives.
Product: JimuReport
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66913
CVE-2025-66916 - RuoYi-Vue-Plus versions 5.5.1 and earlier allow attackers to perform arbitrary file reading and writing by exploiting the lack of input filtering in the snailjob component.
Product: RuoYi RuoYi-Vue-Plus
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66916
CVE-2025-68715 - Panda Wireless PWRU0 devices with firmware 2.2.9 have exposed HTTP endpoints vulnerable to unauthenticated remote attackers, allowing for unauthorized modification of network settings and potential privilege escalation.
Product: Panda Wireless PWRU0 devices
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-68715
CVE-2025-68717 - KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 allow authentication bypass, allowing attackers to piggyback on active sessions and access sensitive data without authentication.
Product: KAYSUS KS-WR3600 routers
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-68717
CVE-2025-70974 - The vulnerability in Fastjson before 1.2.48 allows for JNDI injection via an @type key in a JSON document, exploited in the wild between 2023 and 2025.
Product: Fastjson before 1.2.48
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-70974
CVE-2025-64090 - This vulnerability allows authenticated attackers to execute commands via the hostname of the device.
Product: Zenitel VS-IS 9.3.3.1 (8.2.3.5 for TCIV)
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64090
NVD References: https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf
CVE-2025-64093 - Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device.
Product: Zenitel ICX-AlphaCom v1.5.3.3/ AlphaCom XE to 13.1.3.16 and BSP 32.4.3.12
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64093
NVD References: https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf
CVE-2025-14598 - BeeS Software Solutions BET Portal is vulnerable to SQL injection in the login functionality, allowing attackers to execute arbitrary commands on the backend database.
Product: BeeS Software Solutions BET Portal
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14598
CVE-2025-69542 - D-Link DIR895LA1 v102b07 is vulnerable to a Command Injection flaw in the DHCP daemon service, enabling execution of arbitrary commands as root by sending a malicious hostname during lease renewal.
Product: D-Link DIR895LA1
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-69542
CVE-2025-70161 - EDIMAX BR-6208AC V2_1.02 is vulnerable to Command Injection through the pppUserName field, allowing attackers to execute arbitrary code.
Product: EDIMAX BR-6208AC V2_1.02
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-70161
CVE-2025-15500 & CVE-2025-15501 - OS Command Injection vulnerabilities in Sangfor Operation and Maintenance Management System up to version 3.0.8.
Product: Sangfor Operation and Maintenance Management System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-15500
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-15501
CVE-2026-22584 - Salesforce Uni2TS on MacOS, Windows, Linux allows the injection of code to execute in non-executable files, affecting versions up to 1.2.0.
Product: Salesforce Uni2TS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22584
CVE-2026-22600 - OpenProject is vulnerable to a Local File Read (LFR) issue in the work package PDF export functionality, allowing attackers to access sensitive data by uploading a specially crafted SVG file disguised as a PNG.
Product: OpenProject web-based project management software
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22600
CVE-2025-61686 - React Router in @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2 allows an attacker to manipulate session data when using createFileSessionStorage() with an unsigned cookie.
Product: React Router @react-router/node
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61686
CVE-2025-65091 - XWiki Full Calendar Macro prior to version 2.4.5 allows unauthorized users to inject SQL queries and potentially launch a DoS attack by accessing the Calendar.JSONService page.
Product: XWiki Full Calendar Macro
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65091
CVE-2026-22688 - WeKnora has a command injection vulnerability that allows authenticated users to execute subprocesses by injecting values into MCP stdio settings, which has been patched in version 0.2.5.
Product: WeKnora LLM-powered framework
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22688
CVE-2025-52694 - Multiple Advantech products are susceptible to SQL injection, allowing unauthenticated remote attackers to run arbitrary SQL commands on the exposed service.
Product: Multiple Advantech products
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-52694
NVD References: https://www.csa.gov.sg/alerts-and-advisories/alerts/alerts-al-2026-001/
CVE-2025-65552 - D3D Wi-Fi Home Security System ZX-G12 v2.1.1 is susceptible to RF replay attacks on the 433 MHz sensor communication channel due to lack of security features.
Product: D3D Wi-Fi Home Security System ZX-G12
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65552
CVE-2025-46066 - An issue in Automai Director v.25.2.0 allows a remote attacker to escalate privileges.
Product: Automai Automai Director
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-46066
CVE-2025-46070 - An issue in Automai BotManager v.25.2.0 allows a remote attacker to execute arbitrary code via the BotManager.exe component.
Product: Automai BotManager
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-46070
CVE-2025-63314 - DDSN Interactive Acora CMS v10.7.1 is vulnerable to a static password reset token, enabling attackers to conduct a replay attack for full account takeover.
Product: DDSN Interactive Acora CMS
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63314
CVE-2026-22783 - IRIS has a vulnerability in versions prior to 2.4.24 that allows authenticated users to delete arbitrary filesystem paths via mass assignment in the file management system.
Product: DFIR-IRIS Iris
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22783
CVE-2025-51567 - Kashipara Online Exam System V1.0 is vulnerable to SQL Injection in the /exam/user/profile.php page, allowing remote attackers to access the database by executing arbitrary SQL commands via specific POST parameters.
Product: kashipara Online Exam System V1.0
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51567
CVE-2025-66802 - Sourcecodester Covid-19 Contact Tracing System 1.0 is vulnerable to RCE, allowing attackers to execute remote code through a reverse shell.
Product: Sourcecodester Covid-19 Contact Tracing System 1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66802
CVE-2025-67147 - Amansuryawanshi Gym-Management-System-PHP 1.0 is vulnerable to multiple SQL Injection attacks that allow attackers to compromise the system's security and manipulate database records.
Product: amansuryawanshi Gym-Management-System-PHP
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67147
NVD References: https://github.com/amansuryawanshi/Gym-Management-System-PHP/issues/3
CVE-2025-29329 - Sagemcom F@st 3686 MAGYAR_4.121.0 is vulnerable to a buffer overflow in the ippprint service, allowing remote attackers to execute arbitrary code via a crafted HTTP request.
Product: Sagemcom F@st 3686 MAGYAR_4.121.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29329
CVE-2025-67146 - AbhishekMali21 GYM-MANAGEMENT-SYSTEM 1.0 is vulnerable to multiple SQL Injection issues in various search pages and payment functions, allowing remote attackers to manipulate the database and extract unauthorized data.
Product: AbhishekMali21 GYM-MANAGEMENT-SYSTEM
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67146
CVE-2026-22794 - Appsmith allows attackers to generate malicious password reset/email verification links leading to potential account takeover by using the Origin value from request headers as the email link baseUrl without validation in versions prior to 1.93.
Product: Appsmith platform
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22794
CVE-2025-40805 - Siemens Industrial Edge Devices lack proper user authentication enforcement on specific API endpoints, allowing unauthenticated remote attackers to impersonate legitimate users if they know their identity.
Product: Siemens Industrial Edge Devices
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40805
NVD References:
- https://cert-portal.siemens.com/productcert/html/ssa-001536.html
- https://cert-portal.siemens.com/productcert/html/ssa-014678.html
CVE-2025-11250 - Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations.
Product: ManageEngine ADSelfService Plus
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11250
NVD References: https://www.manageengine.com/products/self-service-password/advisory/CVE-2025-11250.html
CVE-2026-0879 - Firefox is vulnerable to sandbox escape due to incorrect boundary conditions in the Graphics component, affecting versions Firefox < 147, Firefox ESR < 115.32, and Firefox ESR < 140.7.
Product: Firefox ESR
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0879
CVE-2026-0881 - Sandbox escape in the Messaging System component. This vulnerability affects Firefox < 147.
Product: Mozilla Firefox
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0881
CVE-2026-0884 - Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 147 and Firefox ESR < 140.7.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0884
CVE-2026-0892 - Firefox 146 and Thunderbird 146 contain memory safety bugs that could potentially allow for arbitrary code execution.
Product: Mozilla Firefox and Thunderbird
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0892
CVE-2025-12548 - Eclipse Che che-machine-exec allows unauthenticated remote command execution and secret exfiltration via exposed JSON-RPC API on TCP port 3333.
Product: Eclipse Che che-machine-exec
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12548
CVE-2025-47855 - Fortinet FortiFone 7.0.0 through 7.0.1 and FortiFone 3.0.13 through 3.0.23 allow unauthenticated attackers to access device configurations through crafted HTTP or HTTPS requests.
Product: Fortinet FortiFone
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47855
NVD References: https://fortiguard.fortinet.com/psirt/FG-IR-25-260
CVE-2025-64155 - Fortinet FortiSIEM 7.4.0 and older versions are vulnerable to OS command injection, potentially enabling attackers to execute unauthorized code or commands through crafted TCP requests.
Product: Fortinet FortiSIEM
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64155
CVE-2026-20854 - Windows Local Security Authority Subsystem Service (LSASS) vulnerability allows remote code execution by an authorized attacker.
Product: Microsoft Windows Local Security Authority Subsystem Service (LSASS)
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20854
ISC Diary: https://isc.sans.edu/diary/32624
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20854
CVE-2025-68271 - OpenC3 COSMOS contains a critical remote code execution vulnerability in versions 5.0.0 to 6.10.1, allowing unauthenticated attackers to trigger Ruby code execution through the JSON-RPC API.
Product: OpenC3 COSMOS
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-68271
CVE-2020-36911 - Covenant 0.1.3 - 0.5 has a remote code execution vulnerability, enabling attackers to create malicious JWT tokens with admin privileges and execute arbitrary commands using custom DLL payloads.
Product: Covenant 0.1.3 - 0.5
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-36911
CVE-2022-50807 - Concrete5 CMS version 9.1.3 is vulnerable to an XPath injection that enables attackers to flood the system with malicious payloads through URL path parameters.
Product: Concrete5 CMS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-50807
CVE-2022-50893 - VIAVIWEB Wallpaper Admin 1.0 is prone to an unauthenticated remote code execution vulnerability allowing attackers to upload malicious PHP files and execute arbitrary code on the server.
Product: VIAVIWEB Wallpaper Admin 1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-50893
CVE-2022-50894 - VIAVIWEB Wallpaper Admin 1.0 is vulnerable to SQL injection via the img_id parameter in edit_gallery_image.php, allowing attackers to manipulate database queries and extract information.
Product: VIAVIWEB Wallpaper Admin 1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-50894
CVE-2022-50905 - e107 CMS version 3.2.1 is vulnerable to multiple XSS attacks, including a reflected XSS in the news comment functionality and an upload restriction bypass for authenticated administrators.
Product: e107 CMS version 3.2.1
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-50905
CVE-2022-50912 - ImpressCMS 1.4.4 has a file upload vulnerability allowing attackers to upload harmful files and execute PHP code on the server.
Product: ImpressCMS 1.4.4
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-50912
CVE-2022-50919 - Tdarr 2.00.15 has an unauthenticated remote code execution vulnerability in its Help terminal, allowing attackers to inject commands and execute remote code without authentication.
Product: Tdarr 2.00.15
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-50919
CVE-2022-50922 - Audio Conversion Wizard v2.01 has a buffer overflow vulnerability that can lead to remote code execution by manipulating a registration code.
Product: Audio Conversion Wizard v2.01
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-50922
CVE-2022-50925 - Prowise Reflect version 1.0.9 has a remote keystroke injection vulnerability via an exposed WebSocket on port 8082, enabling attackers to control keyboard events by sending crafted messages.
Product: Prowise Reflect
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-50925
CVE-2022-50926 - WAGO 750-8212 PFC200 G2 2ETH RS firmware exhibits a privilege escalation flaw enabling attackers to change user session cookies' parameters and gain admin access without authentication.
Product: WAGO 750-8212 PFC200 G2 2ETH RS firmware
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-50926
CVE-2022-50935 - Flame II HSPA USB Modem is vulnerable to an unquoted service path allowing attackers to execute malicious code with elevated privileges.
Product: Flame II HSPA USB Modem
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-50935
CVE-2023-54328 - AimOne Video Converter 2.04 Build 103 is vulnerable to a buffer overflow in its registration form, allowing attackers to crash the application and potentially exploit its registration mechanism.
Product: AimOne Video Converter
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-54328
CVE-2023-54329 & CVE-2023-54330 - Inbit Messenger 4.6.0 - 4.9.0 is vulnerable to remote command execution via stack overflow vulnerabilities.
Product: Inbit Messenger
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-54329
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-54330
CVE-2023-54334 - Explorer32++ 1.3.5.531 has a buffer overflow flaw in Structured Exception Handler (SEH) records, enabling attackers to execute arbitrary code by supplying a long file name argument.
Product: Explorer32++ 1.3.5.531
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-54334
CVE-2023-54335 - eXtplorer 2.1.14 is vulnerable to an authentication bypass that could permit attackers to log in without a password, enabling them to upload malicious files and execute remote commands.
Product: eXtplorer 2.1.14
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-54335
CVE-2023-54339 - Webgrind 1.1 allows unauthenticated attackers to remotely execute system commands by manipulating the dataFile parameter in index.php.
Product: Webgrind 1.1
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-54339
CVE-2026-22686 - Enclave has a critical sandbox escape vulnerability in enclave-vm prior to version 2.7.0 that allows untrusted JavaScript code to execute arbitrary code in the host Node.js runtime.
Product: Enclave-vm
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22686
CVE-2025-14996 - The AS Password Field In Default Registration Form plugin for WordPress allows for privilege escalation and account takeover by unauthenticated attackers.
Product: WordPress AS Password Field In Default Registration Form plugin
Active Installations: This plugin has been closed as of December 30, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14996
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/061f022b-b922-4499-bb34-8ea91ba5ace3?source=cve
CVE-2025-15018 - The Optional Email plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to 1.3.11, allowing unauthenticated attackers to reset the password of any user, including administrators, by setting a known password reset key during the reset process.
Product: WordPress Optional Email plugin
Active Installations: This plugin has been closed as of January 2, 2026 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-15018
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/ff4243e9-cf72-40d5-bc7d-204426024a1d?source=cve
CVE-2019-25296 - The WP Cost Estimation plugin for WordPress allows unauthenticated attackers to upload arbitrary files and delete existing files due to missing file type validation in certain AJAX actions.
Product: WordPress WP Cost Estimation plugin
Active Installations: Unknown. Update to version 9.644, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25296
NVD References: https://www.wordfence.com/blog/2019/02/vulnerabilities-patched-in-wp-cost-estimation-plugin/
CVE-2025-14736 - The Frontend Admin by DynamiApps plugin for WordPress up to version 3.28.25 is vulnerable to Privilege Escalation, allowing unauthenticated attackers to register as administrators and take control of the site through user-supplied role values in various functions.
Product: DynamiApps Frontend Admin by DynamiApps plugin
Active Installations: 10,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14736
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/07eb71fc-6588-490d-8947-3077ec4a9045?source=cve
CVE-2025-14741 - The Frontend Admin by DynamiApps plugin for WordPress allows unauthenticated attackers to delete various types of data due to missing authorization checks.
Product: DynamiApps Frontend Admin by DynamiApps plugin for WordPress
Active Installations: 10,000+
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14741
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/53adbab6-953a-4a6f-bbfc-89efdbdd28e0?source=cve