Web Security Archives • Page 3 of 5 • Daily CyberSecurity

Code Red: 4 Critical SandboxJS Flaws (CVSS 10.0) Allow Host Takeover

shell-quote command injection AI-Driven Vulnerabilities Q1 2026 Cyber Threats vm2 Sandbox Escape Node.js RCE upKeeper Privilege Escalation CVE-2026-2449 Pharos Controls Vulnerability Root Access Exploit Cybersecurity Vulnerability Roundup CVSS 10.0 Flaws Shadow Archives CVE-2026-0866 MS-Agent Prompt Injection CVE-2026-2256 basic-ftp Path Traversal CVE-2026-27699 telnetd Root Vulnerability CVE-1999-0073 Regression USR-W610 Vulnerabilities End-of-Life IoT Security IceWarp Security Update IceWarp Vulnerabilities Airleader Master Vulnerability CVE-2026-1358 ZLAN5143D Vulnerability CISA ICS Advisory Acronis Cyber Protect Vulnerability CVE-2025-30411 WAGO 852 Vulnerability OT Network Security SandboxJS Vulnerability Sandbox Escape (CVSS 10.0) Kubernetes Local Path Provisioner CVE-2025-62878 CISA Unresponsive Vendors Avation & RISS Vulnerabilities KiloView Vulnerability CVE-2026-1453 OpenClaw RCE vulnerability Johnson Controls Vulnerability CVE-2025-26385 SandboxJS Vulnerability CVE-2026-23830 ibaPDA Vulnerability CVE-2025-14988 Protobuf Vulnerability CVE-2026-0994 AVEVA Process Optimization Vulnerability CVE-2025-61937 ConnectWise PSA Vulnerability CVE-2026-0695 Aruba VIA Vulnerability CVE-2025-37186 aiohttp v3.13.3, Denial of Service (DoS) SmarterMail RCE, CVE-2025-52691 Airoha RACE, Headphone Jacking HPE OneView RCE CVE-2025-37164 FreePBX Auth Bypass, PBX Takeover ScreenConnect Config Flaw, Untrusted Extensions Ruby SAML Auth Bypass, XML Parser Differential Devolutions SQL Injection, Password Manager Flaw Vivotek Unauthenticated RCE, EOL IP Camera Flaw Lynx+ Critical Flaw, Unauthenticated Reset Firebox Default Credentials, CVE-2025-59396 Veeder-Root RCE, Critical ATG Flaw ArcGIS Server SQLi Watchdoc RCE, CVE-2025-58384 Delta DIALink Daikin Security Gateway, authentication bypass Frostbyte10, industrial controller security SunPower, vulnerability Ubiquiti UniFi Connect, EV Station Vulnerabilities Adobe Experience Manager, RCE Vulnerability UniFi Access, Command Injection LDAPNightmare - CVE-2025-1316

Code Red: 4 Critical SandboxJS Flaws (CVSS 10.0) Allow Host Takeover

Do Son February 9, 2026

A quartet of critical vulnerabilities has been discovered in SandboxJS, a library designed to isolate and secure...

“PDF” Poison: Popular JavaScript Library Patches Critical Injection and Crash Flaws

Do Son February 6, 2026

Developers using jsPDF, a widely adopted library for generating PDF files directly in the browser, are being...

Urgent Django Update: Patches 3 Critical SQL Injections & DoS Risks Django Security Update CVE-2026-25673 Django Security Update SQL Injection Vulnerability Django SQL Injection, PostgreSQL Flaw CVE-2022-34265 PoC Django, SQL injection

Django Security Update CVE-2026-25673 Django Security Update SQL Injection Vulnerability Django SQL Injection, PostgreSQL Flaw CVE-2022-34265 PoC Django, SQL injection

Urgent Django Update: Patches 3 Critical SQL Injections & DoS Risks

Do Son February 4, 2026

The maintainers of the popular Python web framework Django have issued an urgent security release to squash...

Weaver E-cology RCE CVE-2026-22679 CVE-2026-20127 Cisco SD-WAN Exploitation AI-Driven Cyberattack ARXON Malware React Server Components Vulnerability CVE-2025-55182 FortiWeb Auth Bypass, Unauthenticated Admin Takeover RayInitiator Bootkit, LINE VIPER CVE-2025-59689 Department of the Treasury cybersecurity - CVE-2025-0108 PoC CVE-2025-31103 Dior Data Breach SK Telecom data breach, long-term intrusion

React Under Siege: Two IPs Drive 56% of Critical CVE-2025-55182 Attacks

Do Son February 4, 2026

Two months after the disclosure of a catastrophic vulnerability in React Server Components, the attack landscape has...

Sabotage & Exploited in the Wild: Critical Backdoor Found in LA-Studio Element Kit CVE-2022-45359 LA-Studio Element Kit Backdoor CVE-2026-0920

Sabotage & Exploited in the Wild: Critical Backdoor Found in LA-Studio Element Kit

Do Son January 23, 2026

A critical security incident has rocked the WordPress community after a “backdoor” vulnerability was discovered in the...

ImageMagick Alert (CVE-2026-23876): “XBM” Image Uploads Trigger Massive Heap Overflow ImageMagick Vulnerability CVE-2026-23876 ImageMagick TIM Overflow, Memory Disclosure Flaw ImageMagick vulnerabilities, memory corruption CVE-2023-34152

ImageMagick Alert (CVE-2026-23876): “XBM” Image Uploads Trigger Massive Heap Overflow

Do Son January 21, 2026

A new high-severity vulnerability has been discovered in ImageMagick, the ubiquitous image processing library powering everything from...

Critical Flaw in “Advanced Custom Fields: Extended” Exposes 100K WordPress Sites to Takeover ACF Extended Vulnerability CVE-2025-14533

Critical Flaw in “Advanced Custom Fields: Extended” Exposes 100K WordPress Sites to Takeover

Do Son January 20, 2026

A critical security vulnerability has been discovered in Advanced Custom Fields: Extended, a popular WordPress plugin with...

CVE-2026-0695: High-Severity XSS Flaw Patched in ConnectWise PSA 2026.1

Do Son January 19, 2026

ConnectWise has released a crucial security update for its Professional Services Automation (PSA) platform, addressing two significant...

Unpatched RCE: Livewire Filemanager Upload Flaw (CVE-2025-14894) Exposes Laravel Apps Livewire Filemanager RCE CVE-2025-14894

Unpatched RCE: Livewire Filemanager Upload Flaw (CVE-2025-14894) Exposes Laravel Apps

Do Son January 19, 2026

A critical new security flaw has been unearthed in Livewire Filemanager, a popular tool used within the...

Check Point VPN vulnerability exploited in the wild Check Point VPN exploit CVE-2026-50751 zero-day Checkmarx Breach Supply Chain Attack Ivanti EPMM RCE CVE-2026-1281 Modular DS Vulnerability CVE-2026-23550 D-Link RCE Vulnerability CVE-2026-0625 Christmas 2025 GreyNoise Campaign, Japan-Based Initial Access Broker React2Shell Zero-Day, APT Active Exploitation WordPress vulnerability, authentication bypass FreePBX, zero-day Trend Micro Apex One, Remote Code Execution BitoPro Hack, Crypto Theft UNC5337 - CVE-2022-47945 Safe{Wallet} hack Fortinet vulnerability, CVE-2024-21762, FortiGate attack Balloonfly, Play ransomware Ivanti EPMM CVE-2025-4427 and CVE-2025-4428

Exploited in the Wild: Critical Modular DS Flaw CVE-2026-23550 (CVSS 10) Allows Instant Admin Takeover

Do Son January 15, 2026

A critical privilege escalation vulnerability, tracked as CVE-2026-23550 (CVSS 10), has been discovered in the Modular DS...

Node.js Patches Memory Leak and Permission Bypasses CVE-2024-27980 Node.js Vulnerability CVE-2025-55131

Node.js Patches Memory Leak and Permission Bypasses

Do Son January 14, 2026

The Node.js maintainers have kicked off the new year with a critical security release, addressing a trio...

Chrome 148 lazy loading Chrome for Linux ARM64 Chrome 145 Update Chrome Security Fixes Chrome Security Update CVE-2026-1220 Chrome 144 Security Update CVE-2026-0899 Chrome Memory Safety, WebGPU UAF Chrome V8 Type Confusion, Google Updater Flaw Chrome V8 Flaw, CVE-2025-13042 Chrome V8, Type Confusion, Chrome 142 Update Chrome V8 Flaw, CVE-2025-12036 Chrome 141, WebGPU Overflow Google Chrome preloading Chrome, V8 vulnerability CVE-2025-9132 Chrome Security Update, Use-After-Free Chrome V8, Type Confusion Chrome Telemetry, Windows 10 EOL Microsoft Family Safety, Chrome Blocking Chrome Security Update, High-Severity Google Chrome, Antitrust CVE-2024-10487 and CVE-2024-10488 Google Chrome Root Program Chrome Update, CVE-2025-3619 Chrome Acquisition, Perplexity.ai

Chrome 144 Released: 10 Security Fixes Patch Dangerous V8 Engine Flaws

Do Son January 14, 2026

Google has officially promoted Chrome 144 to the stable channel, rolling out a crucial security update that...

Angular Security Alert: High-Severity SVG Flaw CVE-2026-22610 Exposes Apps to XSS Angular hostname hijacking vulnerability Angular SSRF Origin Hijacking Angular XSS Vulnerability CVE-2026-32635 Angular i18n XSS CVE-2026-27970 Angular SSR SSRF CVE-2026-27739 Angular Vulnerability CVE-2026-22610 CVE-2025-59052 Angular security Angular XSS Bypass, SVG Injection

Angular hostname hijacking vulnerability Angular SSRF Origin Hijacking Angular XSS Vulnerability CVE-2026-32635 Angular i18n XSS CVE-2026-27970 Angular SSR SSRF CVE-2026-27739 Angular Vulnerability CVE-2026-22610 CVE-2025-59052 Angular security Angular XSS Bypass, SVG Injection

Angular Security Alert: High-Severity SVG Flaw CVE-2026-22610 Exposes Apps to XSS

Do Son January 13, 2026

A seemingly harmless feature in Scalable Vector Graphics (SVG) has become a major security headache for Angular...

Critical React Router Flaws: CVE-2025-61686 Exposes Server Files React Router vulnerabilities patch React Router Vulnerabilities CVE-2025-61686

React Router vulnerabilities patch React Router Vulnerabilities CVE-2025-61686

Critical React Router Flaws: CVE-2025-61686 Exposes Server Files

Do Son January 12, 2026

Developers relying on the popular React Router library are being urged to patch their applications immediately following...

Critical Flaw in Livewire Exposes Laravel Apps to Stealthy RCE, PoC Releases CVE-2025-54068, Livewire RCE

Critical Flaw in Livewire Exposes Laravel Apps to Stealthy RCE, PoC Releases

Do Son December 26, 2025

Developers relying on Livewire, a cornerstone framework for building dynamic interfaces in Laravel, are facing a severe...

“Better Auth” Framework Alert: The Double-Slash Trick That Bypasses Security Controls Better Auth Bypass, rou3 Path Normalization Better Auth Bypass, CVE-2025-61928 Better Auth vulnerability

Better Auth Bypass, rou3 Path Normalization Better Auth Bypass, CVE-2025-61928 Better Auth vulnerability

“Better Auth” Framework Alert: The Double-Slash Trick That Bypasses Security Controls

Do Son December 18, 2025

A high-severity vulnerability has been disclosed in Better Auth, a rapidly growing authentication framework for TypeScript, potentially...

Security Tightens: Let’s Encrypt Will Cap Certificate Validity at 45 Days by 2028 Let's Encrypt subscriber agreement Let's Encrypt OCSP Support 45-Day Certificate Limit Let's Encrypt Automation

Let's Encrypt subscriber agreement Let's Encrypt OCSP Support 45-Day Certificate Limit Let's Encrypt Automation

Security Tightens: Let’s Encrypt Will Cap Certificate Validity at 45 Days by 2028

Do Son December 3, 2025

Apple previously submitted a proposal to the CA/Browser Forum — the industry body governing certificate authorities and...

Angular Alert: Protocol-Relative URLs Leak XSRF Tokens (CVE-2025-66035) Angular, CVE-2025-66035

Angular Alert: Protocol-Relative URLs Leak XSRF Tokens (CVE-2025-66035)

Do Son November 27, 2025

The Angular team has issued a high-severity security advisory regarding a logic flaw in the framework’s HTTP...

Critical WordPress Flaw (CVE-2025-6389, CVSS 9.8) Under Active Exploitation Allows Unauthenticated RCE Sneeit Framework RCE, Unauthenticated RCE

Sneeit Framework RCE, Unauthenticated RCE

Critical WordPress Flaw (CVE-2025-6389, CVSS 9.8) Under Active Exploitation Allows Unauthenticated RCE

Do Son November 25, 2025

A newly disclosed critical vulnerability in the Sneeit Framework — a widely used WordPress plugin powering premium...

Symfony Patches PATH_INFO Parsing Flaw Leading to Authorization Bypass (CVE-2025-64500) Symfony Path Info Flaw, Authorization Bypass

Symfony Patches PATH_INFO Parsing Flaw Leading to Authorization Bypass (CVE-2025-64500)

Do Son November 15, 2025

The Symfony project has released security updates to address a newly disclosed vulnerability affecting its widely used...

Critical Alert 1 Active Exploit Detected Today