#1 · PT-2025-48817 · Meta · React-Server-Dom-Turbopack
Published
2025-12-03
·
Updated
2026-04-13
·
CVE-2025-55182
10
Critical
Base
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploit
Fix
RCE
LPE
DoS
Deserialization of Untrusted Data
Related posts · 2362
-
📝 An arbitrary write vulnerability in Microsoft signed UEFI firmware allows for code execution of untrusted software. This allows an attacker to control its value, leading to arbitrary memory writes, including modification of critical firmware settings stored in NVRAM. Exploiting this vulnerability could enable security bypasses, persistence mechanisms, or full system compromise.
-
📅 Published: 10/06/2025
-
📈 CVSS: 8.2
-
🧭 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
-
📣 Mentions: 21
-
⚠️ Priority: 2
-
📝 Analysis: Arbitrary write vulnerability found in Microsoft signed UEFI firmware. Allows for code execution of untrusted software and control over critical firmware settings. Despite a confirmed high CVSS score, no known exploits have been detected in the wild, making this a priority 2 issue due to low Exploit Prediction Scoring System (EPSS) score.
-
📝 Windows Kerberos Elevation of Privilege Vulnerability
-
📅 Published: 12/08/2025
-
📈 CVSS: 7.2
-
🧭 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
-
📣 Mentions: 14
-
⚠️ Priority: 2
-
📝 Analysis: A Windows Kerberos Elevation of Privilege flaw allows local attackers to gain full control; no known exploits in the wild, but the high CVSS score indicates a priority 2 concern due to low Exploitability Scoring System (EPSS) score.
-
📝 A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
-
📅 Published: 03/12/2025
-
📈 CVSS: 10
-
🛡️ CISA KEV: True
-
🧭 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
-
📣 Mentions: 908
-
⚠️ Priority: 1+
-
📝 Analysis: A critical pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, specifically in packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerability stems from unsafely deserializing HTTP request payloads. This is a confirmed exploited issue, designated as priority 1+.
-
📝 Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the startup trust dialog implementation. Claude Code could be tricked to execute code contained in a project before the user accepted the startup trust dialog. Exploiting this requires a user to start Claude Code in an untrusted directory. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version. This issue is fixed in version 1.0.111.
-
📅 Published: 03/10/2025
-
📈 CVSS: 8.7
-
🧭 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
-
📣 Mentions: 6
-
⚠️ Priority: 2
-
📝 Analysis: Code Injection vulnerability exists in Claude Code version prior to 1.0.111. Exploitation requires starting the software in an untrusted directory. Although no confirmed exploits are known, this is a priority 2 issue due to its high CVSS score and potential for user-triggered attacks. Users on auto-update have been protected, while those manually updating are advised to update to version 1.0.111 or later.
-
📝 Claude Code is an agentic coding tool. Prior to version 2.0.65, a vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint, and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version.
-
📅 Published: 21/01/2026
-
📈 CVSS: 5.3
-
🧭 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
-
📣 Mentions: 7
-
⚠️ Priority: 4
-
📝 Analysis: A data exfiltration issue exists in Claude Code's project-load flow prior to version 2.0.65. Malicious repositories can leak Anthropic API keys before trust confirmation. No exploits have been detected yet, but the low CVSS score and lack of known in-the-wild activity result in a priority 4 vulnerability. Users should update to version 2.0.65 or the latest version for protection.
-
📝 In the Linux kernel, the following vulnerability has been resolved: net/packet: fix a race in packet_set_ring() and packet_notifier(). When packet_set_ring() releases po->bind_lock, another thread can run packet_notifier() and process a NETDEV_UP event. This race and the fix are both similar to that of commit 15fe076edea7 (net/packet: fix a race in packet_bind() and packet_notifier()). There too the packet_notifier NETDEV_UP event managed to run while a po->bind_lock critical section had to be temporarily released. And the fix was similarly to temporarily set po->num to zero to keep the socket unhooked until the lock is retaken. The po->bind_lock in packet_set_ring and packet_notifier precede the introduction of git history.
-
📅 Published: 22/08/2025
-
📈 CVSS: 0
-
🧭 Vector: n/a
-
📣 Mentions: 7
-
⚠️ Priority: 4
-
📝 Analysis: A race condition exists in Linux kernel packet handling, specifically in the functions packet_set_ring() and packet_notifier(). This issue is similar to a previous one (commit 15fe076edea7). Although currently low-impact as no active exploitation has been observed, the nature of the vulnerability and its history suggest potential risks. Priority score: 4 (low CVSS & low EPSS).
-
📝 Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This issue has been patched in version 3.0.6.
-
📅 Published: 22/09/2025
-
📈 CVSS: 10
-
🧭 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
-
📣 Mentions: 8
-
⚠️ Priority: 2
-
📝 Analysis: Remote code execution vulnerability found in Flowise v3.0.5 due to insufficient input validation in the CustomMCP node. JavaScript code can be executed with full Node.js privileges, potentially enabling dangerous operations like child_process and fs access. This issue has been patched in version 3.0.6. Given high CVSS score but low Exploitability Potential Score (EPSS), it is a priority 2 vulnerability.
-
📝 Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0.
-
📅 Published: 09/04/2026
-
📈 CVSS: 9.3
-
🧭 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L
-
📣 Mentions: 3
-
⚠️ Priority: 2
-
📝 Analysis: A hostname normalization issue in Axios (prior to 1.15.0) allows attackers to bypass proxy settings and access sensitive loopback or internal services despite NO_PROXY protections. This can lead to proxy bypass and SSRF vulnerabilities. Despite no confirmed exploits, the high CVSS score and potential impact make this a priority 2 issue. Upgrade to version 1.15.0 for mitigation.
-
📝 Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
-
📅 Published: 11/04/2026
-
📈 CVSS: 8.6
-
🧭 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
-
📣 Mentions: 31
-
⚠️ Priority: 2
-
📝 Analysis: A prototype pollution vulnerability exists in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier, enabling arbitrary code execution after user interaction. Though no known exploits have been detected, the high CVSS score indicates a priority 2 issue due to its low Exploitability Maturity Model (EMM) score but high severity.
-
📝 An unrestricted file upload vulnerability in ShowDoc caused by improper validation of file extension allows execution of arbitrary PHP, leading to remote code execution. This issue affects ShowDoc: before 2.8.7.
-
📅 Published: 29/04/2025
-
📈 CVSS: 9.4
-
🧭 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
-
📣 Mentions: 3
-
⚠️ Priority: 2
-
📝 Analysis: A critical Remote Code Execution vulnerability in ShowDoc (before 2.8.7) exists due to improper file extension validation in the unrestricted file upload functionality. Exploitability is high and CISA KEV status is not specified; the high CVSS score makes this a priority 2 issue.
2026-04-13 10:01:01
2026-04-12 10:02:24
2026-04-12 08:04:53
#2 · PT-2026-32093 · Adobe · Acrobat Reader
Michele Spagnuolo
·
Published
2026-04-08
·
Updated
2026-04-14
·
CVE-2026-34621
8.6
High
Base
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Fix
RCE
Prototype Pollution
Buffer Overflow
Related posts · 152
2026-04-14 12:02:22
2026-04-14 11:54:37
2026-04-14 11:46:00
#3 · PT-2026-31721 · Wolfssl · Wolfssl
Nicholas Carlini
·
Published
2026-04-09
·
Updated
2026-04-14
·
CVE-2026-5194
None
Fix
Improper Certificate Validation
Related posts · 17
2026-04-14 09:45:04
2026-04-14 09:21:00
2026-04-14 09:04:03
#4 · PT-2026-31594 · Marimo · Marimo
Published
2026-04-08
·
Updated
2026-04-14
·
CVE-2026-39987
None
Fix
RCE
Missing Authentication
Related posts · 80
2026-04-14 12:02:22
2026-04-13 18:25:31
2026-04-13 17:34:45
#5 · PT-2026-4775 · Microsoft · Office
Oruga00
+1
·
Published
2026-01-26
·
Updated
2026-04-14
·
CVE-2026-21509
7.8
High
Base
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Fix
RCE
Related posts · 539
2026-04-14 11:19:24
2026-04-13 13:39:29
2026-04-13 13:17:42