2026-01-19
2026-01-19 18:16Z
CRIT

CVE-2026-23883 — Freerdp Freerdp: A malicious server can trigger a client‑side use after free, causing a crash (DoS)

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-23883

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. CVSSv3.1 9.8 (CRITICAL)

CWECWE 416VNDFreerdpTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-01-19
2026-01-19 18:16Z
CRIT

CVE-2026-23534 — Freerdp Freerdp: Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-23534

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 c CVSSv3.1 9.8 (CRITICAL)

CWECWE 122VNDFreerdpTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-01-19
2026-01-19 18:16Z
CRIT

CVE-2026-23533 — Freerdp Freerdp: Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-23533

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residual data causes out-of-bounds writes during color output. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 con CVSSv3.1 9.8 (CRITICAL)

CWECWE 122VNDFreerdpTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-01-19
2026-01-19 18:16Z
CRIT

CVE-2026-22797 — OpenStack: An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-22797

An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The external_oauth2_token middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens. By sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may escalate privileges or impersonate other users. All deployments using the external_ CVSSv3.1 9.9 (CRITICAL)

CWECWE 290VNDOpenstackTYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2026-01-19
2026-01-19 17:15Z
CRIT

CVE-2026-23532 — Freerdp Freerdp: Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client’s

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-23532

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client’s `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version CVSSv3.1 9.8 (CRITICAL)

CWECWE 122VNDFreerdpTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-01-19
2026-01-19 17:15Z
CRIT

CVE-2026-23531 — Freerdp Freerdp: Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-23531

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator beh CVSSv3.1 9.8 (CRITICAL)

CWECWE 122VNDFreerdpTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-01-19
2026-01-19 17:15Z
CRIT

CVE-2026-23530 — Freerdp Freerdp: A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS)

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-23530

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0,`freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. CVSSv3.1 9.8 (CRITICAL)

CWECWE 122VNDFreerdpTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
728 × 90 / responsive · programmatic ad slot
2026-01-19
2026-01-19 16:15Z
HIGH

CVE-2026-22031 — Fastify Fastify\/middie: @fastify/middie is the plugin that adds middleware support on steroids to Fastify.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-22031

@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing atta CVSSv3.1 8.4 (HIGH) · EPSS 29th percentile

CWECWE 177VNDFastifyTYPVulnerability
8.4
CVSS v3.1
92
Edit Score
2026-01-19
2026-01-19 00:00Z
HIGH

From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers

Trend Micro Research·trendmicro.comin the wild

Trend Micro published an in-depth technical analysis of the Evelyn Stealer campaign, a multistage malware operation targeting software developers via weaponized Visual Studio Code extensions. The attack chain uses a malicious VSC extension to deploy a downloader (Lightshot.dll), which fetches a process-hollowing injector that decrypts and injects the final Evelyn Stealer payload into grpconv.exe. Evelyn implements sophisticated anti-analysis techniques, browser credential theft via DLL injection, cryptocurrency wallet harvesting, and FTP-based exfiltration of collected data.

SRFApplicationSRFOsTACTA0005TACTA0001TACTA0002TACTA0006TACTA0009VNDMicrosoft
78
Edit Score
2026-01-18
2026-01-18 00:15Z
HIGH

wpair-app — WPair is a defensive security research tool that demonstrates the CVE-2025-36911 (eg WhisperPair) vulnerability in Googl

GitHub · recent CVE PoCs·github.comGITHUB POCCVE-2025-36911in the wild

WPair is a public proof-of-concept tool demonstrating CVE-2025-36911 (WhisperPair), a critical authentication bypass in Google's Fast Pair Bluetooth protocol affecting millions of audio devices. The vulnerability allows unauthenticated attackers to pair with vulnerable devices, establish HFP connections, and access microphone streams without user consent. The tool includes a vulnerability scanner, full exploit chain, and audio capture capabilities targeting JBL, Sony, Marshall, and other major manufacturers.

SRFMobileTACTA0001TACTA0006VNDGoogleTYPResearchTYPToolTYPExploitSTGInitial Access
82
Edit Score
2026-01-16
2026-01-16 17:34Z
INFO

v1.6.6

Sliver releases·github.com

Sliver v1.6.6 released with minor improvements to error handling in directory listing operations and TUI/advanced forms. This is a routine maintenance release with 400 commits since v1.6.5, containing no disclosed security fixes or feature additions of note.

SRFOsVNDBishop FoxTYPTool
25
Edit Score
2026-01-16
2026-01-16 17:00Z
HIGH

One WSL BOF to Rule Them All

SpecterOps·specterops.io

SpecterOps released a Beacon Object File (BOF) that enables reliable command execution across all WSL2 versions by reverse-engineering the COM interface variations in WslServiceProxyStub.dll. The tool addresses the challenge of WSL2's unmonitored execution environment by dynamically detecting WSL version and applying the correct interface definition, allowing attackers to pivot from monitored Windows hosts into isolated Linux VMs with minimal detection risk.

SRFApplicationSRFOsTACTA0007TACTA0008TYPResearchTYPToolTYPWriteupSTGDiscovery
82
Edit Score
2026-01-16
2026-01-16 03:15Z
CRIT

CVE-2025-62582 — Deltaww Diaview: Delta Electronics DIAView has multiple vulnerabilities.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-62582

Delta Electronics DIAView has multiple vulnerabilities. CVSSv3.1 9.8 (CRITICAL) · EPSS 6th percentile

CWECWE 306VNDDeltaVNDDeltawwTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-01-16
2026-01-16 03:15Z
CRIT

CVE-2025-62581 — Deltaww Diaview: Delta Electronics DIAView has multiple vulnerabilities.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-62581

Delta Electronics DIAView has multiple vulnerabilities. CVSSv3.1 9.8 (CRITICAL) · EPSS 8th percentile

CWECWE 321VNDDeltaVNDDeltawwTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-01-15
2026-01-15 20:16Z
HIGH

CVE-2026-23622 — Easyappointments Easy\!appointments: In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-23622

Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/p CVSSv3.1 8.8 (HIGH) · EPSS 1th percentile

CWECWE 352VNDEasyappointmentsTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-01-15
2026-01-15 20:16Z
HIGH

CVE-2026-23527 — H3 H3: Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-23527

H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5. CVSSv3.1 8.9 (HIGH)

CWECWE 444VNDH3VNDTtpTYPVulnerability
8.9
CVSS v3.1
95
Edit Score
2026-01-15
2026-01-15 17:00Z
HIGH

MSSQL and SCCM Elevation of Privilege Vulnerabilities

SpecterOps·specterops.ioCVE-2025-49758CVE-2025-47179

SpecterOps researcher Chris Thompson disclosed two privilege escalation vulnerabilities: CVE-2025-49758 in MSSQL Server (CVSS 8.8) allowing ALTER ANY LOGIN permission holders to reset securityadmin passwords and escalate to sysadmin, and CVE-2025-47179 in Configuration Manager (CVSS 6.7) allowing CMPivot Administrator role members to grant themselves Full Administrator access. Both vulnerabilities stem from overly permissive role configurations and have been patched; detection capabilities were added to BloodHound and MSSQLHound.

SRFApplicationSRFOsTACTA0004TACTA0005VNDMicrosoftVNDBloodhoundTYPResearchTYPWriteup
82
Edit Score
2026-01-15
2026-01-15 12:54Z
INFO

EntraGoat — A deliberately vulnerable Microsoft Entra ID environment. Learn identity security through hands-on, realistic attack cha

GitHub · Azure / Entra tools·github.comGITHUB POC

EntraGoat is a deliberately vulnerable Microsoft Entra ID lab environment released by Semperis, designed to teach identity security through hands-on attack scenarios. The tool deploys realistic misconfigurations and privilege escalation paths using PowerShell and Microsoft Graph APIs, with multiple challenge scenarios covering service principal abuse, app-only permissions exploitation, and certificate-based authentication attacks.

TACTA0004TACTA0005TACTA0001SRFIdentitySRFCloudVNDMicrosoftTYPResearchTYPTool
72
Edit Score
2026-01-15
2026-01-15 00:00Z
CRIT

Introducing ÆSIR: Finding Zero-Day Vulnerabilities at the Speed of AI

Trend Micro's ÆSIR platform, combining AI-assisted vulnerability discovery with human oversight, has identified 21 critical CVEs across NVIDIA, Tencent, MLflow, and MCP tooling since mid-2025. The research demonstrates systematic exploitation of deserialization, authentication bypass, and command injection flaws in foundational AI infrastructure, with particular emphasis on patch bypass identification in NVIDIA Isaac GR00T. The platform's dual-component architecture (MIMIR for threat intelligence, FENRIR for zero-day discovery) operates at machine speed while maintaining human-directed validation and responsible disclosure.

SRFApplicationTACTA0001SRFAiVNDNvidiaVNDMlflowVNDTencentTYPResearchTYPTool
82
Edit Score
2026-01-14
2026-01-14 18:16Z
CRIT

CVE-2026-22859 — Freerdp Freerdp: Prior to 3.20.1, the URBDRC client does not perform bounds checking on server‑supplied MSUSB_INTERFACE_DESCRIPTOR

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-22859

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on server‑supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an out‑of‑bounds read. This vulnerability is fixed in 3.20.1. CVSSv3.1 9.1 (CRITICAL)

CWECWE 125CWECWE 129VNDFreerdpTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2026-01-14
2026-01-14 18:16Z
CRIT

CVE-2026-22858 — Freerdp Freerdp: As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-22858

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and be used as an index into a global lookup t CVSSv3.1 9.1 (CRITICAL)

CWECWE 125CWECWE 787CWECWE 758VNDFreerdpTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2026-01-14
2026-01-14 18:16Z
CRIT

CVE-2026-22855 — Freerdp Freerdp: Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-22855

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when cbAttrLen does not match the actual NDR buffer length. This vulnerability is fixed in 3.20.1. CVSSv3.1 9.1 (CRITICAL)

CWECWE 125VNDFreerdpTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2026-01-14
2026-01-14 18:16Z
CRIT

CVE-2026-22853 — Freerdp Freerdp: Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-22853

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1. CVSSv3.1 9.8 (CRITICAL)

CWECWE 787VNDFreerdpTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-01-14
2026-01-14 18:01Z
CRIT

A 0-click exploit chain for the Pixel 9 Part 3: Where do we go from here?

Project Zero·googleprojectzero.blogspot.comCVE-2025-54957CVE-2025-36934in the wild

Project Zero published the third installment of their Pixel 9 0-click exploit chain analysis, detailing systemic vulnerabilities in Android's attack surface management, patch prioritization, and deployment timelines. The chain exploited CVE-2025-54957 (Dolby UDC memory corruption) and CVE-2025-36934 (BigWave driver privilege escalation) to achieve kernel code execution from untrusted audio messages—requiring only two bugs and taking ~11 person-weeks to develop. The post reveals critical gaps: the Dolby UDC vulnerability took 139 days to patch on any Android device and 82 days after public disclosure before Pixel patched it, Dolby's advisory significantly understated exploitability, and Android's severity matrix initially rated both bugs as Moderate despite their 0-click nature.

SRFOsTACTA0004SRFMobileTACTA0001TACTA0002VNDDolbyVNDGoogleVNDQualcomm
95
Edit Score
2026-01-14
2026-01-14 18:00Z
CRIT

A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave

Project Zero·googleprojectzero.blogspot.com

Project Zero discloses a complete 0-click exploit chain for Pixel 9 combining a Dolby decoder RCE with three BigWave driver vulnerabilities, culminating in kernel arbitrary read/write and SELinux bypass. The primary vulnerability is a use-after-free in the BigWave AV1 hardware decoder driver triggered by race conditions between ioctl timeout handling and worker thread job processing, patched January 5, 2026.

TACTA0004TACTA0005SRFMobileSRFFirmwareVNDGoogleVNDQualcommTYPResearchTYPWriteup
98
Edit Score