Trending now
Top 10 CVEs trending on social media within the last 24 hours.
Updated an hour ago
Columns: Trending, Hype score, Published, Description (last 24 hours)

1. Hype score: 43 | Published: Dec 3, 2025
CVE-2025-55182 is a critical unauthenticated remote code execution (RCE) vulnerability found in React Server Components (RSC) versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. This vulnerability affects packages including `react-server-dom-parcel`, `react-server-dom-turbopack`, and `react-server-dom-webpack`. The flaw stems from insecure deserialization in the RSC payload handling logic, allowing attacker-controlled data to influence server-side execution. Exploitation requires only a crafted HTTP request. Patches are available for React and Next.js. It is recommended to upgrade to patched React versions such as 19.0.1, 19.1.2, or 19.2.1, and to update frameworks like Next.js to their corresponding patched versions.
Tags: React, react2shell

2. Hype score: 21 | Published: -
CVE-2025-46279 is a vulnerability that affects Apple products. Specifically, it is a permissions issue in the Kernel that was addressed with additional restrictions. It impacts devices including iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later. Duy Trần (@khanhduytran0) is credited with reporting this vulnerability. Successful exploitation of CVE-2025-46279 could allow an app to elevate privileges or gain root privileges. The vulnerability is addressed in macOS Tahoe 26.2, as well as iOS and iPadOS 26.2.

3. Hype score: 21 | Published: -
CVE-2025-43529 is a use-after-free vulnerability in WebKit that can be exploited by processing maliciously crafted web content. Google's Threat Analysis Group discovered this flaw. Apple has released security updates for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and Safari to address this vulnerability, as it may have been exploited in targeted attacks against specific individuals using versions of iOS before iOS 26. Devices impacted include iPhone 11 and later, iPad Pro 12.9-inch (3rd generation and later), iPad Pro 11-inch (1st generation and later), iPad Air (3rd generation and later), iPad (8th generation and later), and iPad mini (5th generation and later).

4. Hype score: 19 | Published: -
CVE-2025-67846 refers to an arbitrary file deletion vulnerability found in the WordPress User Extra Fields plugin for WordPress. This vulnerability exists due to insufficient file path validation in the `save_fields()` function, affecting all versions up to and including 16.7. The vulnerability makes it possible for authenticated attackers with Subscriber-level access and above to delete arbitrary files on the server. This can potentially lead to remote code execution if critical files, such as `wp-config.php`, are deleted.

5. Hype score: 19 | Published: -
Here are descriptions of different CVEs with the identifiers CVE-2025-67844, CVE-2025-61844, CVE-2025-55182 and CVE-2025-37844 based on the search results:

* **CVE-2025-6844:** This vulnerability affects Simple Forum 1.0 by code-projects. It involves an SQL injection vulnerability in the `/signin.php` file, specifically through the manipulation of the "User" argument. This vulnerability can be exploited remotely.
* **CVE-2025-61844:** This vulnerability affects Format Plugins versions 1.1.1 and earlier. It is an out-of-bounds read flaw that could allow attackers to access sensitive information stored in memory. Exploitation requires user interaction, where victims must be tricked into opening a malicious file.
* **CVE-2025-55182:** This critical vulnerability is found in React Server Components (RSC) and is related to insecure deserialization within the Flight protocol. It allows unauthenticated attackers to execute arbitrary code on the server by sending specially crafted HTTP requests. The attack complexity is low, requires no user interaction or privileges, and has near-100% reliability.
* **CVE-2025-37844:** This vulnerability resides in the Linux kernel and involves a potential NULL pointer dereference in the `cifs_server_dbg` function within the CIFS filesystem module. The vulnerability can lead to a system crash if the CIFS debugging functionality is triggered when the server pointer is NULL.

6. Hype score: 19 | Published: -
CVE-2025-61843 affects Format Plugins versions 1.1.1 and earlier. It is an out-of-bounds read vulnerability that could lead to memory exposure. An attacker could exploit this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction, as a victim must open a malicious file.

7. Hype score: 19 | Published: -
CVE-2025-67845 refers to a critical SQL injection vulnerability found in Simple Forum version 1.0. The vulnerability affects the `/register1.php` file, specifically the `User` argument. The vulnerability allows remote attackers to perform SQL injection by manipulating the `User` argument. Exploits for this vulnerability are publicly available.

8. CVE-2025-14174 | high 8.8 | Hype score: 16 | Published: Dec 12, 2025
CVE-2025-14174 is an out-of-bounds memory access vulnerability found in ANGLE, a component of Google Chrome. The vulnerability could allow a remote attacker to perform out-of-bounds memory access via a crafted HTML page. Google is aware that an exploit for this vulnerability exists in the wild. Apple also addressed CVE-2025-14174, describing it as a memory corruption flaw in WebKit that could lead to memory corruption. Apple indicated that this vulnerability may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.

9. CVE-2025-55183 | medium 5.3 | Hype score: 9 | Published: Dec 11, 2025
CVE-2025-55183 is an information disclosure vulnerability found in React Server Components. It affects specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1, including the packages `react-server-dom-parcel`, `react-server-dom-turbopack`, and `react-server-dom-webpack`. The vulnerability allows attackers to extract the compiled source code of Server Actions through specially crafted HTTP requests. By sending a crafted HTTP request to a vulnerable Server Function, an attacker can potentially retrieve the source code of any Server Function if it explicitly or implicitly exposes a stringified argument. Exploitation requires the existence of a Server Function that exposes a stringified argument.

10. CVE-2025-55184 | high 7.5 | Hype score: 3 | Published: Dec 11, 2025
CVE-2025-55184 is a denial-of-service vulnerability affecting React Server Components (RSC) in versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1. It exists because the affected code unsafely deserializes payloads from HTTP requests to Server Function endpoints. This can lead to an infinite loop that hangs the server process, preventing it from serving future HTTP requests. The vulnerability can be triggered by sending a specially crafted HTTP request to any App Router endpoint. Exploitation does not require authentication and can be achieved with basic HTTP request crafting skills. An initial fix for this vulnerability was incomplete, and a complete fix has been issued under CVE-2025-67779.