Vulnerability intelligence

CVE-2025-41117 is a remote code execution vulnerability identified in `streamlit-geospatial`, a Streamlit multipage application designed for geospatial uses. The flaw exists in the `pages/10_🌍_Earth_Engine_Datasets.py` file, specifically prior to commit `c4f81d9616d40c60584e36abb15300853a66e489`. The vulnerability arises because the `vis_params` variable on line 115 of the affected file accepts user input, which is subsequently processed by the `eval()` function on line 126. This improper handling of user-supplied data within the `eval()` function allows for remote code execution. The issue has been addressed by commit `c4f81d9616d40c60584e36abb15300853a66e489`.

CVE-2026-21722 describes an Insecure Direct Object Reference (IDOR) vulnerability found in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress. This flaw affects all plugin versions up to and including 3.7.0. The vulnerability stems from insufficient authorization checks within the `wcfm-refund-requests-form` AJAX controller. This oversight enables unauthenticated attackers to generate arbitrary refund requests for any order or item ID.

CVE-2025-15556 describes an update integrity verification vulnerability present in Notepad++ versions prior to 8.8.9. This flaw specifically affects the WinGUp updater component, which fails to cryptographically verify downloaded update metadata and installers. An attacker capable of intercepting or redirecting update traffic can exploit this vulnerability. By doing so, they can cause the WinGUp updater to download and execute a malicious, attacker-controlled installer. This ultimately results in arbitrary code execution with the privileges of the user.

CVE-2025-40536 is a security control bypass vulnerability affecting SolarWinds Web Help Desk (WHD) software. This flaw enables an unauthenticated attacker to circumvent security measures and access functionalities that are typically restricted to authenticated users. Specifically, the vulnerability allows for the bypass of Cross-Site Request Forgery (CSRF) protections by injecting a particular URI parameter, which then grants access to restricted WebObjects components. This bypass can be a component in a chain of vulnerabilities, potentially leading to more significant compromises, such as unauthenticated remote code execution, when combined with other identified flaws in the software.

CVE-2026-20700 is a memory corruption vulnerability found within Apple's `dyld` component, which is the Dynamic Link Editor responsible for loading dynamic libraries into memory and bridging application code with system frameworks. This flaw could enable an attacker with memory write capabilities to execute arbitrary code on affected devices. Apple addressed this issue through improved state management in updates for watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, visionOS 26.3, iOS 26.3, and iPadOS 26.3. Reports indicate that this vulnerability may have been exploited in "extremely sophisticated attacks" targeting specific individuals on versions of iOS preceding iOS 26. Google's Threat Analysis Group is credited with discovering and reporting the vulnerability.

CVE-2025-15556 describes an update integrity verification vulnerability present in Notepad++ versions prior to 8.8.9. This flaw specifically affects the WinGUp updater component, which fails to cryptographically verify downloaded update metadata and installers. An attacker capable of intercepting or redirecting update traffic can exploit this vulnerability. By doing so, they can cause the WinGUp updater to download and execute a malicious, attacker-controlled installer. This ultimately results in arbitrary code execution with the privileges of the user.