Metro4Shell: Critical React Native CLI Vulnerability Actively Exploited Against Developers
CVE-2025-11953 in React Native CLI's Metro Development Server is being exploited in the wild to deploy Rust-based malware on developer systems, with attacks observed since December 2025.
New n8n Vulnerability CVE-2026-25049 Bypasses Previous Patch to Enable Remote Code Execution
A critical flaw in n8n (CVSS 9.4) exploits a TypeScript/JavaScript type mismatch to bypass sanitization from a December 2025 patch, enabling authenticated remote command execution via webhook workflows.
DockerDash Vulnerability in Ask Gordon AI Enables Code Execution via Image Metadata
Noma Labs discovered a critical flaw in Docker's Ask Gordon AI assistant allowing attackers to hijack AI reasoning through malicious image metadata, leading to remote code execution or data exfiltration.
Critical vLLM Vulnerability Lets Attackers Hijack AI Servers via Video Link
CVE-2026-22778, a critical RCE in vLLM versions 0.8.3-0.14.0, chains a PIL information leak with a JPEG2000 heap overflow to achieve code execution through a malicious video link.
New n8n Sandbox Escape Vulnerabilities Allow Remote Code Execution
JFrog discovered two sandbox escape flaws in n8n: CVE-2026-1470 (CVSS 9.9) bypasses JavaScript sandboxing via the deprecated 'with' statement, and CVE-2026-0863 (CVSS 8.5) escapes Python restrictions via AttributeError.obj.
Ivanti EPMM Zero-Days Chained for Unauthenticated RCE, Already Exploited in the Wild
Two chained Ivanti EPMM vulnerabilities (CVE-2026-1281 and CVE-2026-1340, both CVSS 9.8) allow unauthenticated RCE via Bash command injection. CISA gave federal agencies only 3 days to patch.
SolarWinds Patches Critical RCE and Auth Bypass Flaws in Web Help Desk
Four critical vulnerabilities in SolarWinds Web Help Desk allow unauthenticated remote code execution and authentication bypass. CISA confirms active exploitation with February 6 federal deadline.
Fortinet Patches FortiCloud SSO Authentication Bypass Under Active Exploitation
CVE-2026-24858 allows attackers with any FortiCloud account to authenticate to other customers' devices. Arctic Wolf observed automated exploitation creating backdoor admin accounts within seconds.
Critical 'Cellbreak' Vulnerability in Grist Spreadsheet Platform Enables RCE
CVE-2026-24002 allows remote code execution through malicious spreadsheet formulas via Pyodide sandbox escape. Affects government, education, and enterprise deployments.
Critical Kubernetes Vulnerability Allows Container Escape and Full Cluster Takeover
CVE-2026-1483, rated CVSS 9.8, enables attackers with pod creation privileges to escape containers and seize control of entire clusters. CISA added it to the KEV catalog; exploitation was observed within 48 hours of disclosure.
WhatsApp Zero-Click Exploit Spreads Malware Through Group Chats
A WhatsApp vulnerability allows attackers to compromise devices by sending malicious PDF files to group chats without user interaction. Paragon Solutions' spyware exploited the flaw against 90+ targets including journalists and civil society members.
Microsoft Patches Actively Exploited Office Zero-Day Used by APT28
CVE-2026-21509 bypasses OLE security mitigations in Microsoft Office. Russia-linked APT28 is exploiting it against targets in Ukraine and the EU. Emergency patches available.
Oracle January 2026 Critical Patch Update Addresses 337 Vulnerabilities
Massive security update includes patches across 122 products with two CVSS 10.0 flaws. Java SE receives 11 remotely exploitable patches, and Financial Services Applications have 33 unauthenticated attack vectors.
Redis RCE Vulnerability Exploitable Despite Authentication — Upgrade to 8.3.2
CVE-2025-62507 is a stack buffer overflow in Redis 8.2's XACKDEL command. JFrog researchers demonstrated full remote code execution is achievable, contradicting the initial 'authentication required' assessment.
Critical WordPress Plugin Vulnerability Actively Exploited in the Wild
CVE-2026-23550 in Modular DS plugin scores maximum CVSS 10.0, enabling unauthenticated privilege escalation. Attacks began January 13 targeting 40,000+ installations.
Critical n8n Workflow Automation Flaw Allows Remote Code Execution
CVE-2026-21858 'Ni8mare' (CVSS 10.0) enables unauthenticated attackers to read files, bypass authentication, and execute commands on n8n servers through a Content-Type confusion flaw.
Critical D-Link Router Vulnerability Actively Exploited for Remote Code Execution
CVE-2026-0625 enables unauthenticated remote code execution on legacy D-Link DSL, DIR, and DNS devices via command injection. Attacks observed since November 2025; no patch available for end-of-life devices.