
All news with #vulnerability disclosure tag

512 articles · page 16 of 26

Critical jsPDF Flaw Allows Arbitrary File Read in Node.js

🔒 A critical vulnerability in jsPDF (CVE-2025-68428) affected Node.js deployments and allowed untrusted input passed to file-handling APIs to produce arbitrary file reads and local file inclusion. Endor Labs found that methods like addImage, html, and addFont relied on an insecure loadFile() call, enabling attackers to embed sensitive files into generated PDFs. Maintainers released jsPDF 4.0.0 to restrict filesystem access via Node.js permission mode, but researchers warn upgrading alone may not fully mitigate risk in environments without properly configured runtime permissions.

Cisco patches XML parsing flaw in ISE and Snort 3 software

🔒 Cisco has issued updates to address a medium-severity XML parsing vulnerability (CVE-2026-20029, CVSS 4.9) in Identity Services Engine (ISE) and ISE Passive Identity Connector. The flaw in the licensing feature allows an authenticated administrator to upload a crafted file and read arbitrary files from the underlying operating system. Cisco lists specific fixed releases and patches (pre-3.2 must migrate; 3.2/3.3/3.4 have patches; 3.5 not vulnerable), reports no workaround, and acknowledges a public PoC while noting no known in-the-wild exploitation. The advisory also includes fixes for two Snort 3 DCE/RPC issues affecting multiple Cisco products.

Maximum-severity Ni8mare bug enables n8n server takeover

🔴 Security researchers disclosed a critical vulnerability in the AI workflow automation platform n8n—dubbed “Ni8mare” (CVE-2026-21858)—with a CVSS score of 10.0 that allows remote, unauthenticated attackers to read files and potentially achieve code execution on local instances. The flaw arises from improper webhook parsing of the Content-Type header, letting adversaries control file metadata and local file paths. n8n has issued a patch; users should upgrade to 1.121.0 or later as there are no official workarounds.

Coolify patches 11 critical flaws enabling root compromise

🔒 Researchers disclosed 11 critical vulnerabilities in Coolify, an open-source self-hosting platform, including multiple authenticated command injections, remote code execution, container escape and an information disclosure of the root SSH private key. Several issues carry CVSS scores of 9.4–10.0 and allow attackers with low or moderate privileges to execute arbitrary commands as root or obtain persistent access. Operators should upgrade to patched releases or apply vendor mitigations immediately.

Cisco patches ISE flaw after PoC exploit released; update

🔒 Cisco has released patches for an Identity Services Engine (ISE) XML-parsing vulnerability tracked as CVE-2026-20029 that can be abused by remote attackers with valid administrative credentials. The flaw in ISE and ISE Passive Identity Connector allows a crafted XML upload to read arbitrary files on the host. Cisco notes a public proof-of-concept is available and urges customers to upgrade to patched releases rather than rely on temporary mitigations.

Critical jsPDF flaw exposes local files in generated PDFs

⚠ The jsPDF library contains a critical local file inclusion and path traversal vulnerability (CVE-2025-68428) that can embed sensitive files from the local filesystem into generated PDFs when user-controlled input is passed to file-loading APIs. The issue affects Node.js builds (dist/jspdf.node.js and dist/jspdf.node.min.js) and functions such as loadFile, addImage, html, and addFont. The bug was addressed in jsPDF 4.0.0 by restricting filesystem access by default; maintainers recommend upgrading, sanitizing input paths, and using modern Node.js permission modes.

Open WebUI SSE Flaw Allows Malicious Model Server Takeover

⚠ Security researchers at Cato Networks disclosed CVE-2025-64496, a vulnerability in Open WebUI that lets external model servers inject JavaScript via Server-Sent Events (SSE) when the Direct Connections feature is enabled. An attacker controlling a malicious model endpoint can exfiltrate JSON Web Tokens (JWTs) from the browser, enabling account takeover and access to documents, chats, and embedded API keys. If the compromised account has Workspace Tools privileges, the session token can be used to execute authenticated Python code on the backend, leading to remote code execution. The flaw affects versions up to 0.6.34 and is fixed in 0.6.35; organizations are urged to update and implement HttpOnly cookies, strict CSPs, and ban dynamic code evaluation.

CISA Adds Two CVEs to KEV Catalog, Urges Remediation

🔔 CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2009-0556 (Microsoft Office PowerPoint code injection) and CVE-2025-37164 (HPE OneView code injection). CISA notes evidence of active exploitation and highlights that these vulnerability types are frequent attack vectors posing significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies are required to remediate KEV entries by the specified due date. CISA strongly urges all organizations to prioritize timely remediation as part of sound vulnerability management.

Open WebUI Direct Connections flaw risks account takeover

⚠️ A high-severity vulnerability (CVE-2025-64496) affecting Open WebUI versions 0.6.34 and earlier can enable account takeover when the Direct Connections feature is enabled. A malicious OpenAI-compatible model server can send a crafted server-sent events message that executes JavaScript in a connected user's browser and steals authentication tokens from localStorage. Open WebUI 0.6.35 and later block the malicious execute events; administrators should upgrade immediately, restrict Direct Connections to trusted endpoints, and strengthen authentication and sandboxing.

High-severity Open WebUI flaw lets models inject code

⚠️ Security researchers disclosed a high-severity vulnerability in Open WebUI (CVE-2025-64496) that allows external model servers connected via the Direct Connections feature to stream server-sent events that execute JavaScript in the browser. Malicious code can read long-lived JSON Web Tokens stored in localStorage to take over accounts and access workspaces, documents, chats, and embedded API keys. With elevated workspace.tools permissions, attackers can escalate to remote code execution on backend servers. Organizations should patch to v0.6.35 immediately.

Critical n8n CVE-2025-68668: Python Code Node RCE Exploit

⚠️ A critical sandbox bypass, CVE-2025-68668 (CVSS 9.9), has been disclosed in n8n, allowing an authenticated user with workflow create/modify permissions to execute arbitrary OS commands on the host running n8n. The flaw resides in the Python Code Node that uses Pyodide and affects n8n versions 1.0.0 up to, but not including, 2.0.0. The issue is resolved in n8n 2.0.0, which makes the task-runner native Python implementation the default. Short-term mitigations include disabling the Code Node, disabling Python in the Code Node, or enabling the task-runner Python sandbox via environment variables.

CSA warns of critical RCE in SmarterMail email server

⚠️ The Cyber Security Agency of Singapore (CSA) has warned of a maximum-severity vulnerability, CVE-2025-52691 (CVSS 10.0), in SmarterTools SmarterMail that permits unauthenticated arbitrary file uploads and could enable remote code execution. The flaw affects builds 9406 and earlier and was fixed in Build 9413 (Oct 9, 2025); CSA recommends updating to Build 9483 (Dec 18, 2025). While no active exploitation has been reported, administrators should apply the vendor update promptly to mitigate the risk of web shells or malicious binaries being deployed and executed with SmarterMail service privileges.

CISA Orders Agencies to Patch High-Severity MongoDB Flaw

🔒 CISA has ordered federal civilian agencies to secure systems against MongoBleed (CVE-2025-14847), a high-severity MongoDB Server vulnerability patched on December 19, 2025. The flaw, rooted in how the server uses the zlib compression library, can be exploited by unauthenticated actors to leak credentials, API/cloud keys, session tokens, logs, and PII. An Elastic researcher released a PoC and telemetry shows tens of thousands of potentially vulnerable instances; agencies must patch by January 19, 2026, or apply vendor mitigations or temporarily disable zlib until updates can be deployed.

Critical Bluetooth Authentication Flaw in WHILL Wheelchairs

🔒 WHILL Inc. electric wheelchairs (Model C2 and Model F) are affected by a critical Bluetooth authentication vulnerability, CVE-2025-14346, that allows an attacker within wireless range to pair without credentials and issue movement and configuration commands. The flaw is rated 9.8 (Critical) under CVSS 3.1 and is classified as CWE-306, Missing Authentication for Critical Function. WHILL deployed mitigations on 29 December 2025 that restrict unlock commands during motion, protect speed profiles, and obfuscate application JSON configuration files on Android and iOS.

Traditional Security Frameworks Fail Against AI Threats

🔒 Traditional security frameworks like NIST CSF, ISO 27001, and CIS Controls were designed for legacy IT assets and do not map cleanly to AI-specific risks. Recent incidents — including the December 2024 Ultralytics compromise, ChatGPT memory-extraction flaws across 2024, and August 2025 malicious Nx packages — show organizations can meet compliance yet remain exposed. The article argues security teams must adopt AI-tailored controls such as prompt validation, model integrity verification, semantic DLP, and AI-focused red teaming.

CISA Issues Mitsubishi Electric ICS Advisory Update

⚠️ CISA has published an updated Industrial Control Systems advisory, ICSA-25-177-01 (Update B), addressing multiple vulnerabilities affecting Mitsubishi Electric air conditioning systems and associated operational components. The advisory outlines technical findings, potential impacts to building automation and HVAC control networks, and prioritized mitigation steps. Administrators and operators should review the guidance promptly, apply vendor updates where available, and implement network segmentation and enhanced monitoring to reduce risk.

CISA Adds One KEV: CVE-2023-52163 for Digiever DS-2105

⚠️ CISA has added CVE-2023-52163 — a missing authorization flaw in Digiever DS-2105 Pro — to its Known Exploited Vulnerabilities (KEV) Catalog after observing evidence of active exploitation. BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate cataloged vulnerabilities by specified due dates, and CISA emphasizes this entry represents a common and significant attack vector. While the binding directive applies to FCEB agencies, CISA strongly urges all organizations to prioritize timely remediation and incorporate this KEV into their vulnerability management processes.

WatchGuard Warns of Actively Exploited RCE in Firebox

🔒 WatchGuard has issued an urgent advisory for a critical remote code execution vulnerability (CVE-2025-14733) affecting Firebox appliances running Fireware OS 11.x, 12.x and 2025.1 releases. The flaw enables unauthenticated attackers to execute code via an out-of-bounds write when IKEv2 VPN is enabled. WatchGuard reports active exploitation in the wild and provides a temporary workaround for Branch Office VPN configurations where immediate patching is not possible. Administrators are urged to apply vendor updates and review provided indicators of compromise.

UEFI IOMMU Flaw Lets Early-Boot DMA Bypass on Motherboards

⚠️ Certain motherboard models from vendors including ASRock, ASUS, GIGABYTE, and MSI are affected by a firmware flaw that reports DMA protection as active but fails to initialize the IOMMU during early boot. That discrepancy allows a physically present attacker with a DMA-capable PCIe device to read or modify system memory and potentially enable pre-boot code injection before OS protections load. CERT/CC warned that the gap undermines boot integrity and exposes sensitive memory. Affected vendors have released firmware updates to correct the IOMMU initialization sequence; users and administrators should apply patches promptly.

CISA Releases Nine ICS Advisories Covering Multiple Vendors

🔔 CISA published nine Industrial Control Systems (ICS) advisories on 2025-12-18 that detail current security issues, vulnerabilities, and known exploits affecting a range of vendors and products. The advisories cover Inductive Automation Ignition, Schneider Electric EcoStruxure Foxboro DCS Advisor, National Instruments LabView, Mitsubishi Electric components, Siemens IP-Stack, Advantech WebAccess/SCADA, Rockwell Automation Micro controllers, Axis Communications Camera Station offerings, and an updated notice for Mitsubishi Electric CNC Series (Update C). Each advisory provides technical details, impact assessments, and recommended mitigations for administrators and asset owners. CISA urges users to review the advisories promptly and implement the suggested mitigations to reduce operational risk.