Trending now
Top 10 CVEs trending on social media within the last 24 hours.
Each entry lists the CVE, its severity and CVSS score where available, its hype score for the last 24 hours, its publication date, and a description.
1. CVE-2025-64155 (Fortinet FortiSIEM)
   Severity: critical 9.8 | Hype score: 15 | Published: Jan 13, 2026
   CVE-2025-64155 is an OS Command Injection vulnerability affecting Fortinet FortiSIEM's Super and Worker nodes. This flaw allows an unauthenticated attacker to execute unauthorized code or commands by sending specially crafted TCP requests. The vulnerability resides within the phMonitor service, which operates on TCP port 7900 and is responsible for inter-node communication and data exchange within FortiSIEM deployments. Exploitation of CVE-2025-64155 stems from improper neutralization of user-supplied input to an unauthenticated API endpoint exposed by the phMonitor service. This can lead to arbitrary file writes and, subsequently, privilege escalation to gain full administrative control and root access on the affected appliance. Fortinet has released patches to address this issue, and a recommended workaround involves limiting access to the phMonitor port (7900).

2. CVE-2025-68670 (xrdp)
   Severity: critical 9.1 | Hype score: 7 | Published: Jan 27, 2026
   CVE-2025-68670 is identified as an unauthenticated stack-based buffer overflow vulnerability affecting xrdp, an open-source Remote Desktop Protocol (RDP) server. This flaw is present in xrdp versions prior to v0.10.5. The vulnerability arises from inadequate bounds checking when the xrdp server processes user domain information during the initial RDP connection sequence. This improper handling allows remote attackers to potentially overwrite stack buffers and return addresses, which could lead to the execution of arbitrary code on affected systems without requiring any authentication. A patch for this issue is available in xrdp version 0.10.5 and later.

3. CVE-2026-44573 (Next.js)
   Severity: not listed | Hype score: 5 | Published: not listed
   CVE-2026-44573 is identified as a Pages Router i18n Middleware Bypass vulnerability affecting applications built with Next.js. This flaw specifically impacts applications that utilize the Pages Router with internationalization (i18n) configured in conjunction with middleware-based authorization. The vulnerability allows locale-less requests to `/next/data/<buildId>/<page>.json` to completely bypass the middleware. This bypass enables attackers to retrieve server-side rendered JSON data for pages that should otherwise be protected by authorization checks. To address this, the matcher logic has been updated to ensure consistent matching for both prefixed and unprefixed data routes.

4. CVE-2026-44578 (Next.js)
   Severity: not listed | Hype score: 5 | Published: not listed
   CVE-2026-44578 is a Server-Side Request Forgery (SSRF) vulnerability that impacts self-hosted Next.js applications utilizing the built-in Node.js server. This flaw is triggered by specially crafted WebSocket upgrade requests. An attacker can exploit this vulnerability to manipulate the affected server into proxying requests to arbitrary internal or external destinations. This could potentially expose internal network resources or cloud metadata endpoints. Vercel-hosted deployments are not affected by this specific vulnerability, and the resolution involves implementing the same safety checks for WebSocket upgrade handling that are already present for standard HTTP requests.

5. CVE-2026-44574 (Next.js, React Server Components)
   Severity: not listed | Hype score: 5 | Published: not listed
   CVE-2026-44574 is a vulnerability affecting Next.js and React Server Components that allows an attacker to bypass middleware defenses. By injecting specially crafted query parameters, an attacker can modify dynamic route values, effectively concealing the true request path from security measures. This manipulation still permits the rendering of protected data on the backend, creating a blind spot within the application's security framework. This flaw requires only low privileges to exploit. The issue was addressed as part of a series of security patches released for React, which included fixes for several other vulnerabilities.

6. CVE-2026-44579 (Next.js)
   Severity: not listed | Hype score: 5 | Published: not listed
   CVE-2026-44579 is a recently identified Denial of Service (DoS) vulnerability impacting Next.js applications that utilize Cache Components for Partial Prerendering. This flaw can be triggered by malicious POST requests, which lead to a request-body handling deadlock. The deadlock causes server connections to remain open indefinitely, ultimately exhausting file descriptors and overall server capacity. As a temporary mitigation, Vercel advises blocking all incoming requests containing the `Next-Resume` header at the edge layer for teams unable to apply patches immediately.

7. CVE-2026-44575 (Next.js)
   Severity: not listed | Hype score: 5 | Published: not listed
   CVE-2026-44575 is a vulnerability impacting Next.js App Router applications, enabling attackers to bypass middleware and proxy-based authorization checks. This flaw allows unauthorized access to protected content and potentially sensitive application data. The bypass is achieved by crafting specially formed `.rsc` and `segment-prefetch` URLs that can reach restricted content without triggering the intended security rules. To address this, users are advised to upgrade to Next.js versions 15.5.16 or 16.2.5 or later.

8. CVE-2026-23870
   Severity: high 7.5 | Hype score: 4 | Published: May 6, 2026
   CVE-2026-23870 is a denial-of-service vulnerability impacting React Server Components (RSC) and frameworks that utilize RSC functionality, such as Next.js. This flaw allows an attacker to trigger a denial of service by sending specially crafted HTTP requests to server function endpoints. Successful exploitation of this vulnerability can lead to server crashes, out-of-memory exceptions, or excessive CPU usage. The affected packages include `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack` across various versions of React 19.x.

9. CVE-2026-44581
   Severity: not listed | Hype score: 4 | Published: not listed
   CVE-2026-44581 describes a cross-site scripting (XSS) vulnerability affecting Next.js App Router applications that employ Content Security Policy (CSP) nonces. This flaw is particularly noteworthy as it exploits a mechanism specifically designed to prevent XSS attacks, effectively turning CSP nonces against their intended purpose. The vulnerability impacts React's server component packages, including `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`, for which patched versions have been released.

10. CVE-2024-4577 (PHP, web application)
   Severity: critical 9.8 | Exploit known | Hype score: 1 | Published: Jun 9, 2024
   CVE-2024-4577 is a vulnerability that enables remote code execution in PHP installations on Windows servers. It specifically affects systems running PHP in CGI mode or those exposing the PHP binary. Exploitation involves leveraging the Windows "Best-Fit" encoding feature, typically by inserting a "soft hyphen" character within a URL. This allows attackers to bypass PHP sanitization measures and execute arbitrary code via the `php.exe` executable. While initially believed to have a broader impact, further research revealed that successful exploitation primarily hinges on the system's locale being configured for Chinese (simplified or traditional) or Japanese. Other similar locales might also be susceptible. The vulnerability affects PHP versions 8.1 before 8.1.29, 8.2 before 8.2.20, and 8.3 before 8.3.8. Proof-of-concept exploits were observed shortly after the vulnerability's disclosure, highlighting its potential for misuse.