
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
Vulnerability Summary for the Week of January 5, 2026
01/12/2026 11:00 AM EST
High Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| AA-Team–Amazon Native Shopping Recommendations | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in AA-Team Amazon Native Shopping Recommendations allows SQL Injection. This issue affects Amazon Native Shopping Recommendations: from n/a through 1.3. | 2026-01-05 | 9.3 | CVE-2025-30633 | https://vdp.patchstack.com/database/wordpress/plugin/woozone-contextual/vulnerability/wordpress-amazon-native-shopping-recommendations-plugin-1-3-sql-injection-vulnerability?_s_id=cve |
| AA-Team–Premium Age Verification / Restriction for WordPress | Incorrect Privilege Assignment vulnerability in AA-Team Premium Age Verification / Restriction for WordPress, AA-Team Responsive Coming Soon Landing Page / Holding Page for WordPress allows Privilege Escalation. This issue affects Premium Age Verification / Restriction for WordPress: from n/a through 3.0.2; Responsive Coming Soon Landing Page / Holding Page for WordPress: from n/a through 3.0. | 2026-01-06 | 8.8 | CVE-2025-29004 | https://patchstack.com/database/wordpress/plugin/age-restriction/vulnerability/wordpress-premium-age-verification-restriction-for-wordpress-plugin-3-0-2-privilege-escalation-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/plugin/wordpress-flat-countdown/vulnerability/wordpress-responsive-coming-soon-landing-page-holding-page-for-wordpress-3-0-privilege-escalation-vulnerability?_s_id=cve |
| AA-Team–Premium SEO Pack | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in AA-Team Premium SEO Pack allows SQL Injection. This issue affects Premium SEO Pack: from n/a through 3.3.2. | 2026-01-05 | 8.5 | CVE-2025-31044 | https://vdp.patchstack.com/database/wordpress/plugin/premium-seo-pack/vulnerability/wordpress-premium-seo-pack-3-3-2-sql-injection-vulnerability?_s_id=cve |
| AA-Team–Woocommerce Sales Funnel Builder | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in AA-Team Woocommerce Sales Funnel Builder, AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows Reflected XSS. This issue affects Woocommerce Sales Funnel Builder: from n/a through 1.1; Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2. | 2026-01-06 | 7.1 | CVE-2025-30631 | https://patchstack.com/database/wordpress/plugin/woosales/vulnerability/wordpress-woocommerce-sales-funnel-builder-plugin-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/plugin/azon-addon-js-composer/vulnerability/wordpress-amazon-affiliates-addon-for-wpbakery-page-builder-formerly-visual-composer-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ABB–WebPro SNMP Card PowerValue | Incorrect Implementation of Authentication Algorithm vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL. This issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K. | 2026-01-07 | 8.8 | CVE-2025-4676 | https://search.abb.com/library/Download.aspx?DocumentID=2CRT000009&LanguageCode=en&DocumentPartId=&Action=Launch |
| Adtecdigital–SignEdje Digital Signage Player | Adtec Digital SignEdje Digital Signage Player v2.08.28 contains multiple hardcoded default credentials that allow unauthenticated remote access to web, telnet, and SSH interfaces. Attackers can exploit these credentials to gain root-level access and execute system commands across multiple Adtec Digital product versions. | 2026-01-06 | 7.5 | CVE-2020-36915 | ExploitDB-48954 Adtec Digital Official Homepage Zero Science Lab Disclosure (ZSL-2020-5603) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange VulnCheck Advisory: Adtec Digital SignEdje Digital Signage Player v2.08.28 Default Credentials |
| aio-libs–aiohttp | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host’s memory. This issue is fixed in version 3.13.3. | 2026-01-05 | 7.5 | CVE-2025-69223 | https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a |
| aksharsoftsolutions–AS Password Field In Default Registration Form | The AS Password Field In Default Registration Form plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. This is due to the plugin not properly validating a user’s identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user’s passwords, including administrators, and leverage that to gain access to their account. | 2026-01-06 | 9.8 | CVE-2025-14996 | https://www.wordfence.com/threat-intel/vulnerabilities/id/061f022b-b922-4499-bb34-8ea91ba5ace3?source=cve https://plugins.trac.wordpress.org/browser/as-password-field-in-default-registration-form/tags/2.0.0/as-password-field-default-registration.php |
| Alibaba–Fastjson | Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845. | 2026-01-09 | 10 | CVE-2025-70974 | https://github.com/alibaba/fastjson/compare/1.2.47…1.2.48 https://www.seebug.org/vuldb/ssvid-98020 https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238 https://www.freebuf.com/vuls/208339.html https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955 |
| arraytics–Eventin Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) | The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘post_settings’ function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the ‘etn_primary_color’ setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded. | 2026-01-09 | 7.2 | CVE-2025-14657 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e4188b26-80f8-41b8-be19-1ddcbd7e39f5?source=cve https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/base/Enqueue/register.php?old=3390273&old_path=wp-event-solution%2Ftrunk%2Fbase%2FEnqueue%2Fregister.php https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/base/api-handler.php?old=3390273&old_path=wp-event-solution%2Ftrunk%2Fbase%2Fapi-handler.php https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/core/event/api.php?old=3390273&old_path=wp-event-solution%2Ftrunk%2Fcore%2Fevent%2Fapi.php |
| Arteco-Global–Arteco Web Client DVR/NVR | Arteco Web Client DVR/NVR contains a session hijacking vulnerability with insufficient session ID complexity that allows remote attackers to bypass authentication. Attackers can brute force session IDs within a specific numeric range to obtain valid sessions and access live camera streams without authorization. | 2026-01-06 | 9.8 | CVE-2020-36925 | ExploitDB-49348 Arteco Official Vendor Homepage Zero Science Lab Disclosure (ZSL-2020-5613) Packet Storm Security Exploit Archive IBM X-Force Exchange Vulnerability Entry 1 IBM X-Force Exchange Vulnerability Entry 2 CXSecurity Vulnerability Listing VulnCheck Advisory: Arteco Web Client DVR/NVR Session ID Brute Force Authentication Bypass |
| AWS–Kiro IDE | Processing specially crafted workspace folder names could allow for arbitrary command injection in the Kiro GitLab Merge-Request helper in Kiro IDE before version 0.6.18 when opening maliciously crafted workspaces. To mitigate, users should update to the latest version. | 2026-01-09 | 7.8 | CVE-2026-0830 | https://kiro.dev/changelog/spec-correctness-and-cli/ https://aws.amazon.com/security/security-bulletins/2026-001-AWS/ |
| bg5sbk–MiniCMS | A vulnerability was found in bg5sbk MiniCMS up to 1.8. The impacted element is an unknown function of the file /minicms/mc-admin/post.php of the component Trash File Restore Handler. Performing a manipulation results in improper authentication. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 7.3 | CVE-2025-15457 | VDB-339490 \| bg5sbk MiniCMS Trash File Restore post.php improper authentication VDB-339490 \| CTI Indicators (IOB, IOC, IOA) Submit #725139 \| MiniCMS https://github.com/bg5sbk/MiniCMS V1.8 unauthorized vulnerability https://github.com/ueh1013/VULN/issues/12 |
| bg5sbk–MiniCMS | A vulnerability was determined in bg5sbk MiniCMS up to 1.8. This affects an unknown function of the file /mc-admin/post-edit.php of the component Article Handler. Executing a manipulation can lead to improper authentication. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 7.3 | CVE-2025-15458 | VDB-339491 \| bg5sbk MiniCMS Article post-edit.php improper authentication VDB-339491 \| CTI Indicators (IOB, IOC, IOA) Submit #725142 \| MiniCMS https://github.com/bg5sbk/MiniCMS V1.8 unauthorized vulnerability https://github.com/ueh1013/VULN/issues/9 |
| Brecht–Custom Related Posts | Insertion of Sensitive Information Into Sent Data vulnerability in Brecht Custom Related Posts allows Retrieve Embedded Sensitive Data. This issue affects Custom Related Posts: from n/a through 1.8.0. | 2026-01-05 | 7.5 | CVE-2025-68033 | https://vdp.patchstack.com/database/wordpress/plugin/custom-related-posts/vulnerability/wordpress-custom-related-posts-plugin-1-8-0-sensitive-data-exposure-vulnerability?_s_id=cve |
| buddydev–BuddyPress Xprofile Custom Field Types | The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ‘delete_field’ function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2026-01-06 | 7.2 | CVE-2025-14997 | https://www.wordfence.com/threat-intel/vulnerabilities/id/89a7a717-dac3-490e-89dd-268be8eb7bf5?source=cve https://plugins.trac.wordpress.org/browser/bp-xprofile-custom-field-types/tags/1.2.8/src/handlers/class-field-upload-helper.php https://plugins.trac.wordpress.org/changeset/3430565/bp-xprofile-custom-field-types |
| CAYIN Technology–SMP-8000QD | Cayin Signage Media Player 3.0 contains an authenticated remote command injection vulnerability in system.cgi and wizard_system.cgi pages. Attackers can exploit the ‘NTP_Server_IP’ parameter with default credentials to execute arbitrary shell commands as root. | 2026-01-06 | 8.8 | CVE-2020-36910 | ExploitDB-48557 Cayin Technology Official Website Zero Science Lab Disclosure (ZSL-2020-5569) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Listing VulnCheck Advisory: Cayin Signage Media Player 3.0 Authenticated Remote Command Injection via NTP Parameter |
| Centreon–Infra Monitoring | Missing Authentication for Critical Function vulnerability in Centreon Infra Monitoring centreon-awie (Awie import module) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3. | 2026-01-05 | 9.8 | CVE-2025-15026 | https://github.com/centreon/centreon/releases https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-15026-centreon-awie-critical-severity-5357 |
| Centreon–Infra Monitoring | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Centreon Infra Monitoring (Awie export modules) allows SQL Injection to unauthenticated user. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3. | 2026-01-05 | 9.8 | CVE-2025-15029 | https://github.com/centreon/centreon/releases https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-15029-centreon-awie-critical-severity-5356 |
| Centreon–Infra Monitoring | In the backup parameters, a user with high privilege is able to concatenate custom instructions to the backup setup. Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability in Centreon Infra Monitoring (Backup configuration in the administration setup modules) allows OS Command Injection. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. | 2026-01-05 | 7.2 | CVE-2025-5965 | https://github.com/centreon/centreon/releases https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-5965-centreon-web-high-severity-5362 |
| code-projects–Intern Membership Management System | A vulnerability was determined in code-projects Intern Membership Management System 1.0. Affected is an unknown function of the file /intern/admin/check_admin.php. Executing a manipulation of the argument Username can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-08 | 7.3 | CVE-2026-0700 | VDB-339977 \| code-projects Intern Membership Management System check_admin.php sql injection VDB-339977 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #733001 \| code-projects Intern Membership Management System check_admin.php 1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20check_admin.php%20sql%20injection.md https://code-projects.org/ |
| code-projects–Online Music Site | A security vulnerability has been detected in code-projects Online Music Site 1.0. Affected by this vulnerability is an unknown functionality of the file /login.php. Such manipulation of the argument username/password leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | 2026-01-05 | 7.3 | CVE-2026-0605 | VDB-339549 \| code-projects Online Music Site login.php sql injection VDB-339549 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731695 \| code-projects https://code-projects.org/online-music-site-in-php-with-source-code/ 1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A52.md https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A52.md#vulnerability-details-and-poc https://code-projects.org/ |
| code-projects–Online Music Site | A vulnerability was detected in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /FrontEnd/Albums.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2026-01-05 | 7.3 | CVE-2026-0606 | VDB-339550 \| code-projects Online Music Site Albums.php sql injection VDB-339550 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731696 \| code-projects https://code-projects.org/online-music-site-in-php-with-source-code/ 1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A51.md https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A51.md#vulnerability-details-and-poc https://code-projects.org/ |
| code-projects–Online Music Site | A flaw has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminViewSongs.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2026-01-05 | 7.3 | CVE-2026-0607 | VDB-339551 \| code-projects Online Music Site AdminViewSongs.php sql injection VDB-339551 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731697 \| code-projects https://code-projects.org/online-music-site-in-php-with-source-code/ 1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A53.md https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A53.md#vulnerability-details-and-poc https://code-projects.org/ |
| code-projects–Online Music Site | A vulnerability was identified in code-projects Online Music Site 1.0. The affected element is an unknown function of the file /Administrator/PHP/AdminAddUser.php. The manipulation of the argument txtusername leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2026-01-11 | 7.3 | CVE-2026-0851 | VDB-340446 \| code-projects Online Music Site AdminAddUser.php sql injection VDB-340446 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #733644 \| Code-Projects Online Music Site V1.0 SQLinjection https://github.com/tuo159515/sql-injection/issues/2 https://code-projects.org/ |
| code-projects–Online Product Reservation System | A security flaw has been discovered in code-projects Online Product Reservation System 1.0. This vulnerability affects unknown code of the file app/user/login.php of the component User Login. The manipulation of the argument emailadd results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-05 | 7.3 | CVE-2026-0583 | VDB-339475 \| code-projects Online Product Reservation System User Login login.php sql injection VDB-339475 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731093 \| code-projects Online Product Reservation system V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_login.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_login.php.md#poc https://code-projects.org/ |
| code-projects–Online Product Reservation System | A security vulnerability has been detected in code-projects Online Product Reservation System 1.0. Impacted is an unknown function of the file /order_view.php of the component GET Parameter Handler. Such manipulation of the argument transaction_id leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2026-01-05 | 7.3 | CVE-2026-0585 | VDB-339477 \| code-projects Online Product Reservation System GET Parameter order_view.php sql injection VDB-339477 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731096 \| code-projects Online Product Reservation system V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_order_view.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_order_view.php.md#poc https://code-projects.org/ |
| code-projects–Online Product Reservation System | A vulnerability was found in code-projects Online Product Reservation System 1.0. Impacted is an unknown function of the component Administration Backend. The manipulation results in improper authentication. The attack may be performed from remote. The exploit has been made public and could be used. | 2026-01-05 | 7.3 | CVE-2026-0589 | VDB-339499 \| code-projects Online Product Reservation System Administration Backend improper authentication VDB-339499 \| CTI Indicators (IOB, IOC) Submit #731127 \| code-projects Online Product Reservation System V1.0 Authentication Bypass Issues https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/auth_bypass_admin_panel.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/auth_bypass_admin_panel.md#poc https://code-projects.org/ |
| code-projects–Online Product Reservation System | A security flaw has been discovered in code-projects Online Product Reservation System 1.0. This affects an unknown function of the file /handgunner-administrator/register_code.php of the component User Registration Handler. Performing a manipulation of the argument fname/lname/address/city/province/country/zip/tel_no/email/username results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-05 | 7.3 | CVE-2026-0592 | VDB-339502 \| code-projects Online Product Reservation System User Registration register_code.php sql injection VDB-339502 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731130 \| code-projects Online Product Reservation System V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_register_code.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_register_code.php.md#poc https://code-projects.org/ |
| codename065–Download Manager | The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user’s identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change user’s passwords, except administrators, and leverage that to gain access to their account. | 2026-01-06 | 7.3 | CVE-2025-15364 | https://www.wordfence.com/threat-intel/vulnerabilities/id/067031e8-6aa8-451c-a318-b1848c7a4f92?source=cve https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.40/src/__/Crypt.php#L18 https://plugins.trac.wordpress.org/changeset/3431915/download-manager#file7 |
| Codepeople–Sell Downloads | Missing Authorization vulnerability in Codepeople Sell Downloads allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sell Downloads: from n/a through 1.1.12. | 2026-01-05 | 7.5 | CVE-2025-68850 | https://vdp.patchstack.com/database/wordpress/plugin/sell-downloads/vulnerability/wordpress-sell-downloads-plugin-1-1-12-broken-access-control-vulnerability?_s_id=cve |
| Columbia Weather Systems–MicroServer | An unused function in MicroServer can start a reverse SSH connection to a vendor registered domain, without mutual authentication. An attacker on the local network with admin access to the web server, and the ability to manipulate DNS responses, can redirect the SSH connection to an attacker controlled device. | 2026-01-07 | 8.8 | CVE-2025-61939 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-006-01.json |
| Columbia Weather Systems–MicroServer | An unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and directories. An attacker with admin access to MicroServer can gain limited shell access, enabling persistence through reverse shells, and the ability to modify or remove data stored in the file system. | 2026-01-07 | 8 | CVE-2025-66620 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-006-01.json |
| Comfy-Org–ComfyUI-Manager | ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI. Prior to versions 3.39.2 and 4.0.5, an attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or modification of application behavior. This issue has been patched in versions 3.39.2 and 4.0.5. | 2026-01-10 | 7.5 | CVE-2026-22777 | https://github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-562r-8445-54r2 https://github.com/Comfy-Org/ComfyUI-Manager/commit/f4fa394e0f03b013f1068c96cff168ad10bd0410 |
| coollabsio–coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, the Git Repository field during project creation is vulnerable to command injection. User input is not properly sanitized, allowing attackers to inject arbitrary shell commands that execute on the underlying server during the deployment workflow. A regular member user can exploit this vulnerability. Version 4.0.0-beta.420.7 contains a patch for the issue. | 2026-01-05 | 10 | CVE-2025-59157 | https://github.com/coollabsio/coolify/security/advisories/GHSA-5cg9-38qj-8mc3 |
| coollabsio–coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low privileged users are able to see the private key of the root user on the Coolify instance. This allows them to ssh to the server and authenticate as root user, using the private key. As of time of publication, it is unclear if a patch is available. | 2026-01-05 | 10 | CVE-2025-64420 | https://github.com/coollabsio/coolify/security/advisories/GHSA-qwxj-qch7-whpc |
| coollabsio–coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.445, parameters coming from docker-compose.yaml are not sanitized when used in commands. If a victim user creates an application from an attacker repository (using build pack “docker compose”), the attacker can execute commands on the Coolify instance as root. Version 4.0.0-beta.445 fixes the issue. | 2026-01-05 | 9.7 | CVE-2025-64419 | https://github.com/coollabsio/coolify/security/advisories/GHSA-234r-xrrg-m8f3 https://github.com/coollabsio/coolify/commit/f86ccfaa9af572a5487da8ea46b0a125a4854cf6 |
| coreruleset–coreruleset | The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue. | 2026-01-08 | 9.3 | CVE-2026-21876 | https://github.com/coreruleset/coreruleset/security/advisories/GHSA-36fv-25j3-r2c5 https://github.com/coreruleset/coreruleset/commit/80d80473abf71bd49bf6d3c1ab221e3c74e4eb83 https://github.com/coreruleset/coreruleset/commit/9917985de09a6cf38b3261faf9105e909d67a7d6 https://github.com/coreruleset/coreruleset/releases/tag/v3.3.8 https://github.com/coreruleset/coreruleset/releases/tag/v4.22.0 |
| Corourke–iPhone Webclip Manager | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Corourke iPhone Webclip Manager allows Stored XSS. This issue affects iPhone Webclip Manager: from n/a through 0.5. | 2026-01-05 | 7.1 | CVE-2024-53735 | https://vdp.patchstack.com/database/wordpress/plugin/iphone-webclip-manager/vulnerability/wordpress-iphone-webclip-manager-plugin-0-5-csrf-to-stored-xss-vulnerability?_s_id=cve |
| danny-avila–LibreChat | LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 is prone to a server-side request forgery (SSRF) vulnerability due to missing restrictions of the Actions feature in the default configuration. LibreChat enables users to configure agents with predefined instructions and actions that can interact with remote services via OpenAPI specifications, supporting various HTTP methods, parameters, and authentication methods including custom headers. By default, there are no restrictions on accessible services, which means agents can also access internal components like the RAG API included in the default Docker Compose setup. This issue is fixed in version 0.8.1-rc2. | 2026-01-07 | 9.1 | CVE-2025-69222 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-rgjq-4q58-m3q8 https://github.com/danny-avila/LibreChat/commit/3b41e392ba5c0d603c1737d8582875e04eaa6e02 https://github.com/danny-avila/LibreChat/releases/tag/v0.8.2-rc2 |
| danny-avila–LibreChat | LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. An authenticated attacker with access to the agent ID can change the behavior of arbitrary agents by uploading new files to the file context or file search, even if they have no permissions for this agent. This issue is fixed in version 0.8.2-rc2. | 2026-01-07 | 7.1 | CVE-2025-69220 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-xcmf-rpmh-hg59 https://github.com/danny-avila/LibreChat/commit/4b9c6ab1cb9de626736de700c7981f38be08d237 https://cwe.mitre.org/data/definitions/284.html https://cwe.mitre.org/data/definitions/862.html https://github.com/danny-avila/LibreChat/releases/tag/v0.8.2-rc2 https://owasp.org/Top10/A01_2021-Broken_Access_Control https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html https://raw.githubusercontent.com/OWASP/ASVS/v5.0.0/5.0/OWASP_Application_Security_Verification_Standard_5.0.0_en.pdf |
| Dasinfomedia–WPCHURCH | Incorrect Privilege Assignment vulnerability in Dasinfomedia WPCHURCH allows Privilege Escalation. This issue affects WPCHURCH: from n/a through 2.7.0. | 2026-01-07 | 8.8 | CVE-2025-31643 | https://patchstack.com/database/wordpress/plugin/church-management/vulnerability/wordpress-wpchurch-2-7-0-privilege-escalation-vulnerability?_s_id=cve |
| Dasinfomedia–WPCHURCH | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Dasinfomedia WPCHURCH allows Reflected XSS. This issue affects WPCHURCH: from n/a through 2.7.0. | 2026-01-06 | 7.1 | CVE-2025-31642 | https://patchstack.com/database/wordpress/plugin/church-management/vulnerability/wordpress-wpchurch-plugin-2-7-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Dell–Unisphere for PowerMax | Dell Unisphere for PowerMax, version(s) 9.2.4.x, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access to data and resources outside of the intended sphere of control. | 2026-01-06 | 7.6 | CVE-2025-36589 | https://www.dell.com/support/kbdoc/en-us/000402262/dsa-2025-425-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-unisphere-360-dell-solutions-enabler-virtual-appliance-security-update-for-multiple-vulnerabilities |
| devolo AG–devolo dLAN Cockpit | devolo dLAN Cockpit 4.3.1 contains an unquoted service path vulnerability in the ‘DevoloNetworkService’ that allows local non-privileged users to potentially execute arbitrary code. Attackers can exploit the insecure service path configuration by inserting malicious code in the system root path to execute with elevated privileges during application startup or system reboot. | 2026-01-07 |
Source: CISA