2026-02-12
2026-02-12 15:16Z
CRIT

CVE-2025-14014 — Upload: Smart Panel allows Accessing Functionality Not Properly Constrained by ACLs.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-14014

Unrestricted Upload of File with Dangerous Type vulnerability in NTN Information Processing Services Computer Software Hardware Industry and Trade Ltd. Co. Smart Panel allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Smart Panel: before 20251215. CVSSv3.1 9.8 (CRITICAL) · EPSS 7th percentile

CWECWE 434TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-02-12
2026-02-12 14:16Z
HIGH

CVE-2026-2007 — Postgresql Postgresql: Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-2007

Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the viability of attacks that lead to privilege escalation. PostgreSQL 18.1 and 18.0 are affected. CVSSv3.1 8.2 (HIGH)

CWECWE 120CWECWE 122VNDPostgresqlVNDHeapTYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2026-02-12
2026-02-12 14:16Z
HIGH

CVE-2026-2006 — Postgresql Postgresql: Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-2006

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. CVSSv3.1 8.8 (HIGH)

CWECWE 129CWECWE 1285VNDPostgresqlTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-02-12
2026-02-12 14:16Z
HIGH

CVE-2026-2005 — Postgresql Postgresql: Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-2005

Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. CVSSv3.1 8.8 (HIGH)

CWECWE 120CWECWE 122VNDPostgresqlVNDHeapTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-02-12
2026-02-12 14:16Z
HIGH

CVE-2026-2004 — Postgresql Postgresql: Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-2004

Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. CVSSv3.1 8.8 (HIGH)

CWECWE 1287VNDPostgresqlTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-02-12
2026-02-12 14:16Z
HIGH

CVE-2025-13002 — Farktor E-commerce_package: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-13002

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Cross-Site Scripting (XSS). This issue affects E-Commerce Package: through 27112025. CVSSv3.1 8.2 (HIGH) · EPSS 2th percentile

CWECWE 79VNDFarktorTYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2026-02-12
2026-02-12 14:16Z
CRIT

CVE-2025-10969 — Farktor E-commerce_package: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-10969

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Blind SQL Injection. This issue affects E-Commerce Package: through 27112025. CVSSv3.1 9.8 (CRITICAL) · EPSS 4th percentile

CWECWE 89VNDFarktorTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
728 × 90 / responsive · programmatic ad slot
2026-02-12
2026-02-12 08:00Z
HIGH

Bypassing Administrator Protection by Abusing UI Access

Project Zero·googleprojectzero.blogspot.com

Project Zero researcher disclosed 9 bypasses of Windows Administrator Protection, with detailed analysis of 5 root causes centered on UI Access abuse. The vulnerabilities exploit weaknesses in the UAC service's RAiLaunchAdminProcess RPC implementation, secure directory validation, and shared profile/environment handling to achieve arbitrary code execution in High-integrity UI Access processes. All issues have been patched.

SRFOsTACTA0004TACTA0005VNDMicrosoftTYPResearchTYPWriteupSTGDefense EvasionSTGPrivesc
82
Edit Score
2026-02-12
2026-02-12 07:30Z
HIGH

OysterLoader Unmasked: The Multi-Stage Evasion Loader

Sekoia.io·sekoia.ioin the wild

Sekoia published a comprehensive technical analysis of OysterLoader, a multi-stage C++ loader malware distributed via fake software installers (PuTTY, WinSCP, etc.) and used by the Rhysida ransomware group and WIZARD SPIDER. The four-stage infection chain employs API hammering, custom LZMA decompression, dynamic API resolution, steganography-embedded payloads, and obfuscated C2 communication using non-standard Base64 encoding to deliver ransomware and commodity infostealers like Vidar.

SRFApplicationSRFOsTACTA0001TACTA0002SRFNetworkTACTA0011VNDRhysidaVNDWizard Spider
76
Edit Score
2026-02-11
2026-02-11 19:15Z
CRIT

CVE-2025-69872 — DiskCache: An attacker with write access to the cache directory can achieve arbitrary code execution

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-69872

DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default. An attacker with write access to the cache directory can achieve arbitrary code execution when a victim application reads from the cache. CVSSv3.1 9.8 (CRITICAL)

CWECWE 94CWECWE 502VNDDiskcacheTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-02-11
2026-02-11 18:16Z
HIGH

CVE-2025-65480 — Pacom: Authenticated users can inject malicious scripts in the Report Templates which are executed when

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-65480

An issue was discovered in Pacom Unison Client 5.13.1. Authenticated users can inject malicious scripts in the Report Templates which are executed when certain script conditions are fulfilled, leading to Remote Code Execution. CVSSv3.1 8.8 (HIGH) · EPSS 49th percentile

CWECWE 78VNDPacomTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-02-11
2026-02-11 17:00Z
HIGH

V8 Heap Archaeology: Finding Exploitation Artifacts in Chrome’s Memory

SpecterOps·specterops.ioCVE-2025-2135

SpecterOps released v8-forensics, a Rust tool for detecting JavaScript memory corruption exploits in Chrome V8 heap dumps without requiring symbols. The research details the anatomy of V8 exploitation primitives (OOB read/write, addrof, fakeobj, caged R/W) and introduces three high-fidelity forensic detection signatures: CorruptedLength (array_length > elements_length), ElementsMapMismatch (elements_kind disagreement with backing store type), and EmbeddedInElements (fake objects forged within array slots). The approach enables proactive detection of failed exploitation attempts via Windows Error Reporting crash dumps, catching attackers at their first failed attempt rather than waiting for successful compromise.

TACTA0005SRFBrowserVNDGoogleVNDChromiumTYPResearchTYPWriteupSTGDefense EvasionSTGExecution
87
Edit Score
2026-02-11
2026-02-11 15:16Z
CRIT

CVE-2025-12059 — Insertion: Logo j-Platform allows Exploiting Incorrectly Configured Access Control Security Levels.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-12059

Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Logo Software Industry and Trade Inc. Logo j-Platform allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Logo j-Platform: from 3.29.6.4 before 3.34.8.9. CVSSv3.1 9.8 (CRITICAL) · EPSS 20th percentile

CWECWE 538VNDInsertionTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-02-11
2026-02-11 14:16Z
CRIT

CVE-2025-8668 — Neutralization: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-8668

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in E-Kalite Software Hardware Engineering Design and Internet Services Industry and Trade Ltd. Co. Turboard allows Reflected XSS. This issue affects Turboard: from 2025.07 before 2026.02.  NOTE: This CVE record updated after the vendor implemented mitigations. CVSSv3.1 9.4 (CRITICAL) · EPSS 6th percentile

CWECWE 79TYPVulnerability
9.4
CVSS v3.1
97
Edit Score
2026-02-11
2026-02-11 13:15Z
CRIT

CVE-2025-8025 — Authentication: Missing Authentication for Critical Function, Improper Access Control vulnerability in Dinosoft Business Solutions Dinosoft

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-8025

Missing Authentication for Critical Function, Improper Access Control vulnerability in Dinosoft Business Solutions Dinosoft ERP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Dinosoft ERP: from < 3.0.1 through 11022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 9.8 (CRITICAL) · EPSS 10th percentile

CWECWE 306CWECWE 284TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-02-11
2026-02-11 12:16Z
HIGH

CVE-2025-10174 — Cleartext: PanCafe Pro allows Flooding.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-10174

Cleartext Transmission of Sensitive Information vulnerability in Pan Software & Information Technologies Ltd. PanCafe Pro allows Flooding. This issue affects PanCafe Pro: from < 3.3.2 through 23092025. CVSSv3.1 8.3 (HIGH) · EPSS 5th percentile

CWECWE 319VNDCleartextTYPVulnerability
8.3
CVSS v3.1
92
Edit Score
2026-02-11
2026-02-11 09:15Z
HIGH

CVE-2025-9986 — Exposure: of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Vadi Corporate

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-9986

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Vadi Corporate Information Systems Ltd. Co. DIGIKENT allows Excavation. This issue affects DIGIKENT: through 13092025. CVSSv3.1 8.2 (HIGH) · EPSS 15th percentile

CWECWE 497TYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2026-02-11
2026-02-11 08:16Z
HIGH

CVE-2025-10913 — Neutralization: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-10913

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Saastech Cleaning and Internet Services Inc. TemizlikYolda allows Cross-Site Scripting (XSS). This issue affects TemizlikYolda: through 11022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 8.3 (HIGH) · EPSS 20th percentile

CWECWE 79TYPVulnerability
8.3
CVSS v3.1
92
Edit Score
2026-02-10
2026-02-10 18:30Z
CRIT

The February 2026 Security Update Review

Microsoft released 62 CVEs in February 2026 with six actively exploited vulnerabilities, including critical Windows Shell and Word security feature bypasses (CVE-2026-21510, CVE-2026-21514), Desktop Window Manager and RDS privilege escalations (CVE-2026-21519, CVE-2026-21533), and multiple Azure cloud infrastructure vulnerabilities. Adobe released 44 CVEs across creative suite products with no active exploitation reported. The unusually high number of ITW exploits (6 vs. 1 last month) and prevalence of one-click code execution and SYSTEM-level privilege escalation bugs warrant immediate patching.

SRFApplicationSRFOsTACTA0004TACTA0005TACTA0002SRFCloudVNDMicrosoftVNDAdobe
8.6
CVSS v3.1
82
Edit Score
2026-02-10
2026-02-10 18:16Z
HIGH

CVE-2026-25646 — Libpng Libpng: Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-25646

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past th CVSSv3.1 8.1 (HIGH)

CWECWE 125CWECWE 122CWECWE 126VNDLibpngTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2026-02-10
2026-02-10 15:45Z
INFO

v2.9.1

AzureHound releases·github.com

AzureHound v2.9.1 released with a minor bug fix removing an unneeded channel for devices (BED-7366). This is a routine maintenance release with 41 commits since v2.9.0.

SRFCloudTACTA0043VNDSpecteropsTYPToolSTGRecon
25
Edit Score
2026-02-10
2026-02-10 15:16Z
HIGH

CVE-2025-7636 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-7636

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ergosis Security Systems Computer Industry and Trade Inc. ZEUS PDKS allows SQL Injection. This issue affects ZEUS PDKS: from <1.0.5.10 through 10022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 8.8 (HIGH) · EPSS 14th percentile

CWECWE 89TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-02-10
2026-02-10 15:16Z
HIGH

CVE-2025-7347 — Authorization: Bypass Through User-Controlled Key vulnerability in Dinibh Puzzle Software Solutions Dinibh Patrol Tracking

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-7347

Authorization Bypass Through User-Controlled Key vulnerability in Dinibh Puzzle Software Solutions Dinibh Patrol Tracking System allows Exploitation of Trusted Identifiers. This issue affects Dinibh Patrol Tracking System: through 10022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 8.8 (HIGH) · EPSS 19th percentile

CWECWE 639TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-02-10
2026-02-10 14:16Z
HIGH

CVE-2025-6967 — Execution: CMS allows JSON Hijacking (aka JavaScript Hijacking), Authentication Bypass.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-6967

Execution After Redirect (EAR) vulnerability in Sarman Soft Software and Technology Services Industry and Trade Ltd. Co. CMS allows JSON Hijacking (aka JavaScript Hijacking), Authentication Bypass. This issue affects CMS: through 10022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 8.7 (HIGH) · EPSS 10th percentile

CWECWE 698VNDExecutionTYPVulnerability
8.7
CVSS v3.1
94
Edit Score
2026-02-10
2026-02-10 09:16Z
CRIT

CVE-2025-11242 — Server: Server-Side Request Forgery (SSRF) vulnerability in Teknolist Computer Systems Software Publishing Industry and Trade

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-11242

Server-Side Request Forgery (SSRF) vulnerability in Teknolist Computer Systems Software Publishing Industry and Trade Inc. Okulistik allows Server Side Request Forgery. This issue affects Okulistik: through 21102025. CVSSv3.1 9.8 (CRITICAL) · EPSS 20th percentile

CWECWE 918TYPVulnerability
9.8
CVSS v3.1
99
Edit Score