Vulnerability intelligence

CVE-2025-55182 is a critical unauthenticated remote code execution (RCE) vulnerability found in React Server Components (RSC) versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. This vulnerability affects packages including `react-server-dom-parcel`, `react-server-dom-turbopack`, and `react-server-dom-webpack`. The flaw stems from insecure deserialization in the RSC payload handling logic, allowing attacker-controlled data to influence server-side execution. Exploitation requires only a crafted HTTP request. Patches are available for React and Next.js. It is recommended to upgrade to patched React versions such as 19.0.1, 19.1.2, or 19.2.1, and to update frameworks like Next.js to their corresponding patched versions.

CVE-2025-14174 is an out-of-bounds memory access vulnerability found in ANGLE, a component of Google Chrome. The vulnerability could allow a remote attacker to perform out-of-bounds memory access via a crafted HTML page. Google is aware that an exploit for this vulnerability exists in the wild. Apple also addressed CVE-2025-14174, describing it as a memory corruption flaw in WebKit that could lead to memory corruption. Apple indicated that this vulnerability may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.

CVE-2025-46279 is a vulnerability that affects Apple products. Specifically, it is a permissions issue in the Kernel that was addressed with additional restrictions. It impacts devices including iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later. Duy Trần (@khanhduytran0) is credited with reporting this vulnerability. Successful exploitation of CVE-2025-46279 could allow an app to elevate privileges or gain root privileges. The vulnerability is addressed in macOS Tahoe 26.2, as well as iOS and iPadOS 26.2.

An exploitable remote code execution vulnerability exists in the upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CVE-2025-14174 is an out-of-bounds memory access vulnerability found in ANGLE, a component of Google Chrome. The vulnerability could allow a remote attacker to perform out-of-bounds memory access via a crafted HTML page. Google is aware that an exploit for this vulnerability exists in the wild. Apple also addressed CVE-2025-14174, describing it as a memory corruption flaw in WebKit that could lead to memory corruption. Apple indicated that this vulnerability may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.

CVE-2025-58360 is an XML External Entity (XXE) vulnerability found in GeoServer. The application improperly sanitizes XML input at the `/geoserver/wms` endpoint, specifically within the `GetMap` operation. This allows an attacker to define external entities within an XML request. By exploiting this vulnerability, an attacker can read arbitrary files from the server's file system and conduct Server-Side Request Forgery (SSRF) to interact with internal systems. GeoServer versions before 2.25.6, versions 2.26.0 to before 2.26.3, and versions before 2.27.0 are affected. Users are advised to update to GeoServer 2.25.6, 2.26.3, or 2.27.0 to remediate the vulnerability.