Trending now
Top 10 CVEs trending on social media within the last 24 hours.
Updated 30 minutes ago
Trending
Hype score
Published
Description
Last 24 hours
1. CVE-2026-34621
high 8.6
Exploit known
Hype score: 27
Published: Apr 11, 2026
CVE-2026-34621 is a 'Prototype Pollution' vulnerability affecting Adobe Acrobat Reader versions 24.001.30356, 26.001.21367, and earlier, including Acrobat DC and Acrobat 2024. This flaw, categorized as an Improperly Controlled Modification of Object Prototype Attributes, could enable arbitrary code execution within the context of the current user. Successful exploitation of this vulnerability can lead to unauthorized access to sensitive data, unauthorized data modifications, and disruption of system operations. Exploitation of CVE-2026-34621 requires user interaction, specifically that a victim opens a malicious file. Reports indicate that this vulnerability has been actively exploited in the wild since at least December 2025, with some sources noting that no user interaction beyond simply opening a malicious PDF document is necessary for an attack to succeed. Adobe has released emergency updates to address this issue.
Acrobat Reader

2. CVE-2025-38617
medium 4.7
Hype score: 11
Published: Aug 22, 2025
CVE-2025-38617 describes a race condition vulnerability found within the Linux kernel's networking subsystem. Specifically, the flaw occurs in the `net/packet` module during the interaction between the `packet_set_ring()` and `packet_notifier()` functions. The vulnerability arises when `packet_set_ring()` releases the `po->bind_lock`, which can allow a separate thread to execute `packet_notifier()` and process a `NETDEV_UP` event. This race condition is analogous to a previously addressed issue. The resolution involves temporarily setting `po->num` to zero, ensuring the socket remains unhooked until the lock is reacquired.

3. CVE-2025-0520
critical 9.4
Hype score: 8
Published: Apr 29, 2025
CVE-2025-0520 describes an unrestricted file upload vulnerability found in ShowDoc, an open-source documentation tool. This flaw stems from inadequate validation of file extensions during the upload process. The vulnerability, categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type), allows an attacker to upload and execute arbitrary PHP files on the server. This can lead to remote code execution (RCE) on the affected system. ShowDoc versions prior to 2.8.7 are impacted by this issue.
ShowDoc

4. CVE-2025-8061
high 7.3
Hype score: 8
Published: Sep 11, 2025
CVE-2025-8061 refers to a potential insufficient access control vulnerability found in the Lenovo Dispatcher 3.0 and 3.1 drivers. This vulnerability affects some Lenovo consumer notebooks and could allow a local, authenticated user to execute code with elevated privileges. The Lenovo Dispatcher 3.2 driver is not affected. It was reported that the product implements an IOCTL (Input/Output Control) with functionality that should be restricted, but it does not properly enforce access control for the IOCTL. Furthermore, this vulnerability does not affect systems where the Windows feature "Core Isolation Memory Integrity" is enabled, which is the default setting on Lenovo systems preloaded with Windows 11.
Lenovo Dispatcher

5. CVE-2024-50629
medium 5.3
Hype score: 6
Published: Mar 19, 2025
CVE-2024-50629 is an improper encoding or escaping of output vulnerability found in the webapi component of Synology products. The vulnerability affects Synology BeeStation Manager (BSM) before version 1.1-65374, Synology DiskStation Manager (DSM) before versions 6.2.4-25556-8, 7.1.1-42962-7, 7.2-64570-4, 7.2.1-69057-6, and 7.2.2-72806-1, and Synology Unified Controller (DSMUC) before 3.1.4-23079. This vulnerability allows remote attackers to read limited files through unspecified vectors. The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly, which results in the intended structure of the message not being preserved.
Synology BeeStation OS (BSM), Synology DiskStation Manager (DSM)

6. CVE-2025-59536
high 8.7
Hype score: 4
Published: Oct 3, 2025
CVE-2025-59536 identifies a code injection vulnerability present in versions of Anthropic's Claude Code prior to 1.0.111. Claude Code is described as an agentic coding tool. The vulnerability stems from a flaw in the implementation of the startup trust dialog, which could allow the tool to execute code embedded within a project before a user explicitly accepts the trust dialog. Exploitation of this vulnerability typically requires a user to initiate Claude Code within an untrusted directory. Malicious project configurations, such as those leveraging "Hooks" or Model Context Protocol (MCP) servers, could be used to execute arbitrary shell commands or exfiltrate API keys when a developer opens untrusted repositories. The issue was addressed in version 1.0.111 of Claude Code.

7. CVE-2026-21852
medium 5.3
Hype score: 4
Published: Jan 21, 2026
CVE-2026-21852 is an information disclosure vulnerability identified in Claude Code, an agentic coding tool. This flaw allows malicious repositories to exfiltrate sensitive data, including Anthropic API keys, before users have confirmed their trust in the repository. The vulnerability arises because an attacker-controlled repository can include a settings file that sets the `ANTHROPIC_BASE_URL` to an endpoint controlled by the attacker. When such a repository is opened, Claude Code reads this configuration and immediately issues API requests, potentially leaking the user's API keys to the attacker's server before any trust prompt is displayed. This vulnerability is characterized as a configuration injection flaw (CWE-522: Insufficiently Protected Credentials) within Claude Code's initialization sequence. The core issue lies in the timing of configuration file parsing relative to user trust verification, allowing API requests with authentication credentials to be sent to an attacker-specified endpoint before user consent. This enables attackers to steal Anthropic API keys by convincing developers to clone and open malicious repositories. Versions of Claude Code prior to 2.0.65 are affected.

8. CVE-2025-50670
high 7.5
Hype score: 2
Published: Apr 8, 2026
CVE-2025-50670 describes a buffer overflow vulnerability found in the D-Link DI-8003 router, specifically in firmware version 16.07.26A1. This flaw resides within the `/xwgl_bwr.asp` endpoint, where the device improperly handles parameters. An attacker can exploit this vulnerability by sending a specially crafted HTTP GET request. By providing malicious input in the `name`, `qq`, and `time` parameters, the attacker can trigger a buffer overflow. This could potentially lead to arbitrary code execution or a denial of service on the affected device.

9.
Hype score: 1
Published: Dec 3, 2025
CVE-2025-55182 is a critical unauthenticated remote code execution (RCE) vulnerability found in React Server Components (RSC) versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. This vulnerability affects packages including `react-server-dom-parcel`, `react-server-dom-turbopack`, and `react-server-dom-webpack`. The flaw stems from insecure deserialization in the RSC payload handling logic, allowing attacker-controlled data to influence server-side execution. Exploitation requires only a crafted HTTP request. Patches are available for React and Next.js. It is recommended to upgrade to patched React versions such as 19.0.1, 19.1.2, or 19.2.1, and to update frameworks like Next.js to their corresponding patched versions.
React, react2shell

10. CVE-2025-53779
high 7.2
Hype score: 1
Published: Aug 12, 2025
CVE-2025-53779 is a relative path traversal vulnerability affecting Windows Kerberos. It allows an authorized attacker to elevate privileges over a network. The vulnerability arises because the software constructs a pathname from external input without properly neutralizing sequences like ".." that could resolve to locations outside of the intended restricted directory. Exploitation involves relative path traversal in Windows Kerberos.
Windows Kerberos