2026-02-04
2026-02-04 17:16Z
HIGH

CVE-2026-0538 — Autodesk 3ds_max: A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can force an

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-0538

A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. CVSSv3.1 8.4 (HIGH) · EPSS 1th percentile

CWECWE 787VNDAutodeskVNDGifTYPVulnerability
8.4
CVSS v3.1
92
Edit Score
2026-02-04
2026-02-04 17:16Z
HIGH

CVE-2026-0537 — Autodesk 3ds_max: A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-0537

A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. CVSSv3.1 8.4 (HIGH) · EPSS 1th percentile

CWECWE 787VNDAutodeskVNDRgbTYPVulnerability
8.4
CVSS v3.1
92
Edit Score
2026-02-04
2026-02-04 14:16Z
CRIT

CVE-2025-5329 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-5329

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Martcode Software Inc. Delta Course Automation allows SQL Injection. This issue affects Delta Course Automation: through 04022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 9.8 (CRITICAL) · EPSS 2th percentile

CWECWE 89TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-02-04
2026-02-04 14:16Z
HIGH

CVE-2025-15368 — SportsPress: The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-15368

The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via shortcodes 'template_name' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php CVSSv3.1 8.8 (HIGH)

CWECWE 98VNDSportspressTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-02-04
2026-02-04 08:16Z
HIGH

CVE-2026-1819 — Neutralization: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-1819

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Karel Electronics Industry and Trade Inc. ViPort allows Stored XSS. This issue affects ViPort: through 23012026. CVSSv3.1 8.8 (HIGH) · EPSS 22th percentile

CWECWE 79TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-02-04
2026-02-04 02:16Z
HIGH

CVE-2025-69621 — An arbitrary file overwrite vulnerability in the file import process of Comic Book Reader

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-69621

An arbitrary file overwrite vulnerability in the file import process of Comic Book Reader v1.0.95 allows attackers to overwrite critical internal files, potentially leading to arbitrary code execution or exposure of sensitive information. CVSSv3.1 8.1 (HIGH) · EPSS 38th percentile

CWECWE 22TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2026-02-03
2026-02-03 19:16Z
HIGH

CVE-2025-62600 — Eprosima Fast_dds: If the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-62600

eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by tamperin CVSSv3.1 8.6 (HIGH)

CWECWE 190CWECWE 789VNDEprosimaVNDFastTYPVulnerability
8.6
CVSS v3.1
93
Edit Score
728 × 90 / responsive · programmatic ad slot
2026-02-03
2026-02-03 18:16Z
HIGH

CVE-2025-62599 — Eprosima Fast_dds: If the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-62599

eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by tamperin CVSSv3.1 8.6 (HIGH)

CWECWE 190CWECWE 789VNDEprosimaVNDFastTYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2026-02-03
2026-02-03 15:16Z
CRIT

CVE-2025-5319 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-5319

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Emit Informatics and Communication Technologies Industry and Trade Ltd. Co. DIGITA Efficiency Management System allows SQL Injection. This issue affects DIGITA Efficiency Management System: through 03022026.  NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 9.8 (CRITICAL) · EPSS 4th percentile

CWECWE 89TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-02-03
2026-02-03 13:15Z
HIGH

CVE-2025-6397 — Neutralization: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-6397

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ankara Hosting Website Design Website Software allows Reflected XSS. This issue affects Website Software: through 03022026.  NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 8.6 (HIGH) · EPSS 20th percentile

CWECWE 79TYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2026-02-03
2026-02-03 07:16Z
CRIT

CVE-2026-24465 — Elecom Wab-s300iw-pd_firmware: Stack-based buffer overflow vulnerability exists in ELECOM wireless LAN access point devices.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-24465

Stack-based buffer overflow vulnerability exists in ELECOM wireless LAN access point devices. A crafted packet may lead to arbitrary code execution. CVSSv3.1 9.8 (CRITICAL)

CWECWE 121VNDElecomVNDStackTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-02-03
2026-02-03 07:16Z
HIGH

CVE-2026-22550 — Elecom Wrc-x1500gsa-b_firmware: OS command injection vulnerability exists in WRC-X1500GS-B and WRC-X1500GSA-B.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-22550

OS command injection vulnerability exists in WRC-X1500GS-B and WRC-X1500GSA-B. A crafted request from a logged-in user may lead to an arbitrary OS command execution. CVSSv3.1 8.8 (HIGH)

CWECWE 78VNDElecomTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-02-03
2026-02-03 02:16Z
CRIT

CVE-2025-67484 — Mediawiki Mediawiki: Vulnerability in Wikimedia Foundation MediaWiki.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-67484

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. CVSSv3.1 9.8 (CRITICAL)

CWECWE 20VNDMediawikiVNDVulnerabilityTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-02-03
2026-02-03 02:16Z
HIGH

CVE-2025-67478 — Mediawiki Checkuser: Vulnerability in Wikimedia Foundation CheckUser.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-67478

Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files includes/Mail/UserMailer.Php. This issue affects CheckUser: from * before 1.39.14, 1.43.4, 1.44.1. CVSSv3.1 8.8 (HIGH)

VNDMediawikiVNDVulnerabilityTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-02-02
2026-02-02 23:16Z
HIGH

CVE-2026-24737 — Parall Jspdf: Prior to 4.1.0, user control of properties and methods of the Acroform module allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-24737

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are AcroformChoiceField.addO CVSSv3.1 8.1 (HIGH)

CWECWE 116CWECWE 917VNDParallTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2026-02-02
2026-02-02 23:16Z
CRIT

CVE-2026-22778 — Vllm Vllm: With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-22778

vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1. CVSSv3.1 9.8 (CRITICAL) · EPSS 87th percentile

CWECWE 532CWECWE 209VNDVllmTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2026-02-02
2026-02-02 14:16Z
HIGH

CVE-2026-24070 — Native-instruments Native_access: The communication with the XPC service of the privileged helper is only allowed if

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-24070

During the installation of the Native Access application, a privileged helper `com.native-instruments.NativeAccess.Helper2`, which is used by Native Access to trigger functions via XPC communication like copy-file, remove or set-permissions, is deployed as well. The communication with the XPC service of the privileged helper is only allowed if the client process is signed with the corresponding certificate and fulfills the following code signing requirement: "anchor trusted a CVSSv3.1 8.8 (HIGH) · EPSS 0th percentile

CWECWE 426VNDNative InstrumentsVNDNativeTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-02-02
2026-02-02 14:16Z
HIGH

CVE-2026-1761 — This stack-based buffer overflow vulnerability occurs during the parsing of multipart HTTP responses due

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-1761

A flaw was found in libsoup. This stack-based buffer overflow vulnerability occurs during the parsing of multipart HTTP responses due to an incorrect length calculation. A remote attacker can exploit this by sending a specially crafted multipart HTTP response, which can lead to memory corruption. This issue may result in application crashes or arbitrary code execution in applications that process untrusted server responses, and it does not require authentication or user inter CVSSv3.1 8.6 (HIGH)

CWECWE 121TYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2026-02-02
2026-02-02 13:15Z
HIGH

CVE-2025-8587 — Akceyazilim Skspro: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-8587

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows SQL Injection. This issue affects SKSPro: through 07012026. CVSSv3.1 8.6 (HIGH) · EPSS 5th percentile

CWECWE 89VNDAkceyazilimTYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2026-02-02
2026-02-02 06:16Z
HIGH

CVE-2026-1531 — This insecure default allows a remote attacker, capable of intercepting network traffic between Satellite

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-1531

A flaw was found in foreman_kubevirt. When configuring the connection to OpenShift, the system disables SSL verification if a Certificate Authority (CA) certificate is not explicitly set. This insecure default allows a remote attacker, capable of intercepting network traffic between Satellite and OpenShift, to perform a Man-in-the-Middle (MITM) attack. Such an attack could lead to the disclosure or alteration of sensitive information. CVSSv3.1 8.1 (HIGH)

CWECWE 295TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2026-02-02
2026-02-02 06:16Z
HIGH

CVE-2026-1530 — This vulnerability allows a remote attacker to perform a Man-in-the-Middle (MITM) attack due to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-1530

A flaw was found in fog-kubevirt. This vulnerability allows a remote attacker to perform a Man-in-the-Middle (MITM) attack due to disabled certificate validation. This enables the attacker to intercept and potentially alter sensitive communications between Satellite and OpenShift, resulting in information disclosure and data integrity compromise. CVSSv3.1 8.1 (HIGH)

CWECWE 295TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2026-02-01
2026-02-01 02:05Z
INFO

v1.6.10

Sliver releases·github.com

Sliver v1.6.10 released with stability improvements to SOCKS5 for HTTP/mTLS transports, expanded time format support, new shellcode encoders, WASM Donut integration, and Go 1.25.6 upgrade. No security vulnerabilities disclosed; this is a routine feature and maintenance release.

SRFOsVNDBishop FoxTYPToolSTGExecutionSTGC2
35
Edit Score
2026-01-30
2026-01-30 21:15Z
HIGH

CVE-2025-24293 — Active: The default allowed list contains three methods allow for the circumvention of the safe

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24293

# Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allow for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters. Impact ------ Th CVSSv3.1 8.1 (HIGH)

CWECWE 94CWECWE 77CWECWE 88VNDActiveTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2026-01-30
2026-01-30 17:00Z
HIGH

Weaponizing Whitelists: An Azure Blob Storage Mythic C2 Profile

SpecterOps·specterops.io

SpecterOps released azureBlob, a new Mythic C2 profile that leverages Azure Blob Storage for command and control communications. The technique exploits common firewall whitelisting of *.blob.core.windows.net—a broad exception carved out in deployment guides from vendors like Citrix and Parallels—to establish C2 channels in mature enterprise environments with restrictive egress controls. The implementation includes container-scoped SAS tokens to limit blast radius if an agent is compromised, and integrates with the Medusa agent with a reference Python implementation (Pegasus) for validation.

SRFApplicationTACTA0005SRFCloudTACTA0011VNDMicrosoftVNDMythicTYPResearchTYPTechnique
78
Edit Score
2026-01-30
2026-01-30 16:16Z
HIGH

CVE-2025-4686 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-4686

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kodmatic Computer Software Tourism Construction Industry and Trade Ltd. Co. Online Exam and Assessment allows SQL Injection. This issue affects Online Exam and Assessment: through 30012026.  NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 8.6 (HIGH) · EPSS 17th percentile

CWECWE 89TYPVulnerability
8.6
CVSS v3.1
93
Edit Score