Trending now
Top 10 CVEs trending on social media within the last 24 hours.
Updated an hour ago
These are not the 0days you are looking for
Each entry lists: rank and CVE ID, severity rating and score, exploit status (where an exploit is known), hype score (last 24 hours), published date, tags, and a description.

1. CVE-2025-67038 | critical 9.8 | Exploit known | Hype score: 28 | Published: Mar 11, 2026 | Tags: IoT
   CVE-2025-67038 is an OS command injection vulnerability affecting Lantronix EDS5000 devices, specifically version 2.1.0.0R3. This flaw resides within the HTTP RPC module, which logs failed user authentication attempts by executing shell commands. The vulnerability arises because the username parameter is directly incorporated into these shell commands without proper sanitization, allowing an attacker to inject arbitrary operating system commands. Exploitation of CVE-2025-67038 does not require prior authentication and can be performed remotely over the network by leveraging intentionally failed login attempts. The injected commands execute with root privileges, enabling complete system compromise. Given that Lantronix EDS5000 devices are frequently deployed in industrial control system (ICS) environments for serial-to-Ethernet connectivity, a successful exploit could provide attackers with a foothold into operational technology (OT) networks. This vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation.

2. CVE-2026-4282 | high 7.4 | Hype score: 21 | Published: Apr 2, 2026
   CVE-2026-4282 describes a privilege escalation vulnerability found in Keycloak, an open-source identity and access management solution. The flaw resides within Keycloak's SingleUseObjectProvider component, which functions as a global key-value store for single-use tokens like authorization codes. The vulnerability stems from an improper isolation or compartmentalization of types and namespaces within this provider. This deficiency allows an unauthenticated attacker to forge authorization codes. Successful exploitation of this flaw can lead to the creation of access tokens with administrative capabilities.

3. CVE-2026-9802 | medium 6.8 | Hype score: 21 | Published: May 28, 2026
   CVE-2026-9802 describes a vulnerability identified in Keycloak, an open-source identity and access management solution. This flaw manifests when Keycloak is configured with `revokeRefreshToken=true` and utilizes persistent session storage. Under these specific conditions, a server restart can inadvertently reset internal timing mechanisms responsible for managing refresh tokens. The vulnerability allows a remote attacker, who has previously obtained a user's refresh token, to replay that token even after it has been revoked. This replaying of a revoked token grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.

4. CVE-2025-54068 | critical 9.2 | Exploit known | Hype score: 12 | Published: Jul 17, 2025 | Tags: Zero-day, Livewire
   CVE-2025-54068 is a remote command execution (RCE) vulnerability found in Livewire, a full-stack framework for Laravel. Specifically, it affects Livewire v3 versions up to and including v3.6.3. The vulnerability stems from how certain component property updates are handled during hydration, which could allow unauthenticated attackers to execute arbitrary code. Exploitation requires a component to be mounted and configured in a particular way but does not require authentication or user interaction. The vulnerability lies in the `hydrateForUpdate` method within the `Livewire\Mechanisms\HandleComponents\HandleComponents` class. A specially crafted update payload can bypass validation and sanitization during the hydration process, causing the framework to interpret untrusted input as executable code. This issue has been patched in Livewire v3.6.4, and users are strongly encouraged to upgrade to this version or later as soon as possible. There are no known workarounds.

5. CVE-2024-1065 | medium 5.9 | Hype score: 11 | Published: Apr 19, 2024
   CVE-2024-1065 is identified as a Use After Free vulnerability present in specific Arm Ltd GPU Kernel Drivers. This flaw allows a local, non-privileged user to perform improper GPU memory processing operations. Through these operations, an attacker can gain access to memory that has already been freed. The vulnerability impacts Bifrost GPU Kernel Driver versions from r45p0 through r48p0, Valhall GPU Kernel Driver versions from r45p0 through r48p0, and Arm 5th Gen GPU Architecture Kernel Driver versions from r45p0 through r48p0.

6. CVE-2026-41947 | critical 9.3 | Hype score: 7 | Published: May 18, 2026
   CVE-2026-41947 describes an authorization bypass vulnerability found in Dify, an open-source platform for building AI applications, specifically in versions prior to 1.14.2. This flaw allows authenticated editor users to set and enable trace configurations for any application, even those not owned by their tenant. Exploiting this vulnerability enables attackers to redirect all messages and responses from victim applications to their own controlled Large Language Model (LLM) trace providers. This is facilitated by missing tenant ownership checks within the trace configuration endpoints. Furthermore, Dify Cloud's allowance of unauthenticated free self-registration simplifies account creation for potential attackers.

7. CVE-2025-8088 | high 8.4 | Exploit known | Hype score: 6 | Published: Aug 8, 2025 | Tags: WinRAR
   CVE-2025-8088 is a path traversal vulnerability affecting the Windows version of WinRAR. It allows attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild. It was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET. The vulnerability was exploited in phishing attacks to deliver RomCom malware. The attackers can trick the program into saving a file in a different location than the user intended, such as the computer's Startup folder. This allows the attackers to execute their own code. WinRAR patched the vulnerability in version 7.13.

8. CVE-2026-34908 | critical 10.0 | Exploit known | Hype score: 5 | Published: May 22, 2026 | Tags: IoT, Server
   CVE-2026-34908 is an Improper Access Control vulnerability (CWE-284) affecting Ubiquiti UniFi OS devices. Disclosed on May 21, 2026, this flaw allows a malicious actor with network access to bypass access restrictions and make unauthorized changes to the system. The vulnerability does not require authentication or user interaction for exploitation. This issue impacts various Ubiquiti UniFi OS devices, including models such as UDM, UDM-Pro, UDM-SE, and UDM-Pro-Max systems. Ubiquiti has released security updates to address this vulnerability.

9. CVE-2026-45504 | high 8.8 | Hype score: 5 | Published: Jun 9, 2026
   CVE-2026-45504 is identified as a Server-Side Request Forgery (SSRF) vulnerability affecting Microsoft Exchange Server. This flaw, categorized under CWE-918, enables an authenticated attacker to elevate privileges across a network. The vulnerability resides in Exchange Server's request-handling logic, which processes attacker-controlled URLs without adequate validation, allowing the server to initiate requests to internal resources on behalf of the attacker. Exploitation of CVE-2026-45504 can allow an authenticated user with low privileges to submit crafted requests, causing the Exchange server to make outbound or internal HTTP calls. These requests inherit the trust of the Exchange service account, potentially granting the attacker access to resources that would otherwise be inaccessible from their session. In some instances, this SSRF can be leveraged to read arbitrary local files from the Exchange server. This vulnerability was disclosed as part of Microsoft's June 2026 Patch Tuesday release.

10. CVE-2026-44083 | high 8.7 | Hype score: 3 | Published: Jun 9, 2026
   CVE-2026-44083 describes an authorization bypass vulnerability found in QNAP's QuMagie, a photo management application designed for QNAP NAS devices. This flaw, categorized as CWE-639 (Authorization Bypass Through User-Controlled Key), allows remote attackers to exploit user-controlled keys to gain unintended privileges within the application. The vulnerability can be exploited over the network without requiring authentication or user interaction, increasing the exposure for internet-facing deployments of QuMagie. QNAP Systems, Inc. has addressed this issue, and a fix is available in QuMagie version 2.9.1 and later.