< ciso brief />

All news with #vulnerability disclosure tag

512 articles · page 13 of 26

Four New Vulnerabilities Found in Ingress NGINX Controller

⚠ Four vulnerabilities were disclosed in the open source Ingress NGINX controller used in Kubernetes, two of them rated CVSS 8.8. CVE-2026-1580 can enable authentication bypass when a misconfigured custom-errors backend ignores the X-Code header, and CVE-2026-24512 allows configuration injection via rules.http.paths.path, enabling code execution and secret disclosure. The other two issues are rated medium or low, one of them a potential DoS. Affected releases are 1.13.7 and below and 1.14.3 and below; the only reliable mitigation is to upgrade, or to migrate to another controller before Ingress NGINX reaches end of support.

Substack Breach Exposes Users' Emails, Phone Numbers

🔐 Substack disclosed that a third party exploited an unspecified weakness in its systems in October, exposing user email addresses, phone numbers and other internal metadata. The company identified the issue on February 3, said it has fixed the vulnerability, and is conducting a full investigation. Substack maintains the breach did not include passwords, credit card numbers, or financial data, but has not disclosed the full scope or publicly posted a detailed incident report.

Critical n8n Vulnerabilities Allow Remote Code Execution

🔒 Multiple critical vulnerabilities in the open-source workflow platform n8n (tracked as CVE-2026-25049) allow any authenticated user who can create or edit workflows to escape sandboxing and execute arbitrary code on the host server. Independent researchers at Pillar Security, Endor Labs and SecureLayer7 identified sanitization and AST-sandboxing bypasses — including a type-confusion issue and Function-constructor exploits — enabling access to Node.js globals, the filesystem, credentials and connected cloud accounts. n8n released fixes (notably 2.4.0, later 2.5.2 and 1.123.17) and recommends immediate patching, rotating the N8N_ENCRYPTION_KEY and stored credentials, and limiting workflow creation until environments are hardened.

DockerDash: Metadata Flaw in Docker's Ask Gordon AI

⚠️ Noma Labs disclosed a critical vulnerability, dubbed DockerDash, in Docker's Ask Gordon AI assistant that allows unverified image metadata to be treated as executable instructions. The flaw is a trust failure in the Model Context Protocol (MCP) gateway path: Ask Gordon reads Docker LABEL metadata, forwards the interpreted content to MCP, and MCP tools execute it without validation. Depending on deployment this can enable remote code execution (cloud/CLI) or large-scale data exfiltration and reconnaissance in Docker Desktop. Docker shipped mitigations in Docker Desktop 4.50.0 and users are urged to upgrade.

CISA Adds Four Known Exploited Vulnerabilities to KEV Catalog

🔒 CISA has added four vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog: CVE-2019-19006 (Sangoma FreePBX improper authentication), CVE-2021-39935 (GitLab SSRF), CVE-2025-40551 (SolarWinds Web Help Desk deserialization), and CVE-2025-64328 (Sangoma FreePBX OS command injection). Evidence indicates active exploitation and these issues pose significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV items by required deadlines. CISA strongly urges all organizations to prioritize timely remediation and will continue updating the catalog.

When responsible disclosure becomes unpaid labor: governance

🔒 Responsible disclosure expects timely, respectful responses, but many researchers now face months-long silence, disputed severity, or shifting scope that turn cooperative reports into unpaid, uncertain work. When maintainers lack resources or formal processes, reporters are pushed into a gray zone of public disclosure, legal escalation, or ethically ambiguous actions. CISOs should treat disclosure as an operational function: set SLAs, clarify triage criteria, offer non-cash recognition, and fund critical open-source dependencies to reduce adversarial outcomes. These steps help preserve trust, lower regulatory and reputational risk, and improve patching outcomes.

January 2026 security roundup with Tony Anscombe — Lessons

🛡️ January brought several high-impact incidents that underline persistent enterprise risks. ServiceNow patched a critical vulnerability (CVE-2025-12420) in its AI platform that could let unauthenticated actors impersonate admins. Unsecured Zendesk systems were abused for a large spam campaign, while the World Economic Forum reports cyber-fraud has overtaken ransomware as CEOs' top worry. Nike is also probing an alleged theft of 1.4 TB of data.

SmarterMail Patches Critical Unauthenticated RCE, NTLM Fix

⚠️ SmarterTools released builds addressing critical vulnerabilities in SmarterMail, including an unauthenticated remote code execution flaw (CVE-2026-24423) rated CVSS 9.3. The flaw in the ConnectToHub API allowed an attacker to direct SmarterMail to a malicious HTTP server that serves OS commands, which the application could execute; this was fixed in Build 9511 on January 15, 2026. A separate NTLM-related path coercion issue (CVE-2026-25067, CVSS 6.9) that could force outbound SMB authentication and enable NTLM relay was patched in Build 9518 (January 22, 2026). Administrators should update immediately.

SolarWinds Fixes Critical Web Help Desk Vulnerabilities

⚠️ SolarWinds has released updates for Web Help Desk to address multiple high-severity vulnerabilities, including four critical flaws that can enable authentication bypass and remote code execution. Affected issues include deserialization and hard-coded credential bugs tracked as CVE-2025-40536 through CVE-2025-40554. Rapid7 highlights that the deserialization flaws are particularly exploitable without authentication. SolarWinds fixed the issues in WHD 2026.1 and customers are urged to upgrade immediately.

SolarWinds WHD Critical RCE and Auth Bypass Flaws Revealed

⚠️ SolarWinds has issued emergency updates for Web Help Desk (WHD) to patch six vulnerabilities—four rated critical—that include unauthenticated data deserialization RCEs and authentication bypasses. Researchers from watchTowr and Horizon3.ai disclosed the flaws, which could let attackers execute commands, access protected functions, or leverage hardcoded credentials. Administrators should upgrade to WHD 2026.1 immediately and investigate any anomalous activity on affected servers.

Critical vm2 Node.js sandbox vulnerability allows escape

⚠️ A critical vulnerability in vm2, a widely used Node.js sandboxing library, allows attackers to escape the sandbox and execute arbitrary code. Tracked as CVE-2026-22709, the flaw affects versions older than 3.10.2; users are urged to upgrade immediately. The issue stems from a bypass in Promise.prototype.then and Promise.prototype.catch callback sanitization, and the project maintainer warns that in-process sandboxing will remain a cat-and-mouse challenge. Where possible, combine vm2 with additional isolation, resource limits, and monitoring, or consider stronger isolation alternatives.

Critical sandbox escape flaws allow RCE in n8n instances

🔓 Two sandbox-escape vulnerabilities in the n8n workflow automation platform allow authenticated users to execute arbitrary code and potentially take full control of affected instances. JFrog researchers disclosed CVE-2026-1470, a JavaScript AST sandbox bypass that can resolve to Function and execute code in the main node, and CVE-2026-0863, a Python AST bypass that abuses format-string introspection and Python 3.10+ behavior to regain restricted builtins and run OS commands. CVE-2026-1470 was rated critical (9.9) because it grants execution in the main node; both issues affect self-hosted deployments while n8n Cloud has been mitigated. Fixes are available in specific 1.x and 2.x releases and users should upgrade immediately.

OpenSSL patches 12 vulnerabilities discovered by AISLE

🔒 A coordinated security update addressed 12 previously unknown vulnerabilities in OpenSSL, disclosed by AISLE through a coordinated process with project maintainers. The issues span multiple subsystems — from legacy CMS parsing to QUIC and post-quantum signature handling — and include a high-severity stack buffer overflow in CMS AuthEnvelopedData that could enable remote code execution under specific conditions. Remediation included fixes merged into releases and six additional issues resolved before reaching users.

Critical n8n Sandbox Flaws Allow Remote Code Execution

⚠️ Two vulnerabilities in n8n sandboxing allow authenticated users to achieve remote code execution by bypassing JavaScript and Python sandbox controls. JFrog Security Research disclosed CVE-2026-1470 (CVSS 9.9) affecting the JavaScript expression engine and CVE-2026-0863 (CVSS 8.5) targeting Python execution in the Code node. Both issues exploit gaps in AST validation and require the ability to create or modify workflows, enabling attackers to access environment variables and run system-level commands. Users should upgrade immediately to the patched releases listed by the vendor.

Critical vm2 Node.js Vulnerability Enables Sandbox Escape

⚠️ A critical sandbox escape in vm2 (CVE-2026-22709) can allow execution of arbitrary code on the host by bypassing Promise handler sanitization. Endor Labs researchers Peyton Kennedy and Cris Staicu reported that async functions return global Promise objects whose then and catch handlers were not properly sanitized, creating an escape vector. The flaw carries a CVSS score of 9.8 and was addressed in vm2 3.10.2; the article also cites 3.10.3 as carrying additional fixes. Users are urged to update and consider stronger isolation alternatives such as isolated-vm or container-level separation.

Two High-Severity n8n Flaws Allow Remote Code Execution

⚠️ Researchers disclosed two high-severity eval-injection vulnerabilities in n8n that can bypass sandboxing and enable remote code execution. JFrog Security Research identified CVE-2026-1470 (JavaScript eval, CVSS 9.9) and CVE-2026-0863 (Python eval, CVSS 8.5), which can compromise instances even in internal execution mode. Users should update to the patched releases listed by the vendor without delay.

6,000+ SmarterMail Servers Exposed to Hijacking Attacks

🔒 Shadowserver has identified over 6,000 internet-exposed SmarterMail servers likely vulnerable to a critical authentication bypass that enables unauthenticated attackers to hijack administrator accounts. The issue was reported to SmarterTools on January 8 and patched in build 9511 on January 15; it was later assigned CVE-2026-23760. A permissive force-reset-password endpoint accepts anonymous requests and fails to verify the existing password or a reset token, allowing an attacker who knows an administrator username to reset credentials and achieve full administrative compromise and potential remote code execution. Organizations should confirm they have applied the vendor update or recommended mitigations and audit logs for unauthorized resets or other indicators of compromise.

Critical ibaPDA File-System Permission Vulnerability

⚠️ A critical vulnerability (CVE-2025-14988) in iba Systems ibaPDA 8.12.0 permits unauthorized file-system actions that can affect confidentiality, integrity, and availability; CISA assigns a CVSS v3.1 base score of 9.8. Siemens reported the issue and the vendor has released ibaPDA 8.12.1 as a remediation. If immediate updating is not possible, vendor-recommended mitigations are: enable User Management and set a strong admin password; configure Server Access Manager to restrict access (for example to 127.0.0.1 or specific system IPs); disable automatic Windows Firewall port openings, remove or deactivate the incoming ibaPDA firewall rules, and create manual rules that permit only the required ports. After applying updates or mitigations, verify that all ibaPDA services and data acquisition continue to function correctly.

Pwn2Own Automotive 2026: 76 Zero-Days Found, $1M Payout

🚗 The third annual Pwn2Own Automotive contest in Tokyo revealed 76 unique zero-day vulnerabilities across targets from Tesla infotainment to EV chargers, with Trend Micro's Zero Day Initiative paying out more than $1 million. A Fuzzware.io team took top honors, earning Master of Pwn with $215,500 and a $60,000 single-exploit prize for an Alpitronic HYC50 out-of-bounds write. Other teams compromised Automotive Grade Linux and exploited charger logic to install a playable Doom on a charger's screen. Vendors are urged to patch promptly.

CISA Confirms Active Exploitation of Four Enterprise Bugs

⚠️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities affecting enterprise software to its KEV catalog after observing active exploitation. Affected projects include Versa Concerto, Zimbra Collaboration Suite, the Vite frontend toolchain, and the eslint-config-prettier package used with Prettier. CISA requires federal agencies to apply vendor patches or mitigations, or stop using impacted products by February 12, 2026. Details on the nature and scope of in-the-wild exploitation remain limited.