Multiple High-Impact Vulnerabilities Disclosed Across Diverse Software Platforms
A series of critical and high-severity vulnerabilities have been disclosed affecting a wide range of software products, including workflow automation tools, web applications, network devices, and desktop software. Notable issues include remote code execution (RCE) flaws in n8n, Lilac-Reloaded for Nagios, FileZilla Client, and AVideo, as well as privilege escalation vulnerabilities in products like Versa SASE Client, AspEmail, and ActFax. Several vulnerabilities allow unauthenticated attackers to upload arbitrary files, bypass authentication, or exploit weak session management, potentially leading to full system compromise or unauthorized access to sensitive data. Many of these vulnerabilities have public exploits available, increasing the risk of active exploitation in the wild.
Vendors have released patches for several of the affected products, and administrators are strongly advised to update to the latest versions or apply recommended mitigations. The vulnerabilities span a variety of attack vectors, including buffer overflows, improper input validation, insecure file upload mechanisms, and misconfigured authentication endpoints. Organizations should prioritize patching systems exposed to the internet and review access controls to limit the impact of potential exploitation. Immediate attention is warranted for products with critical CVSS scores and those with known public exploits.

How this story unfolded
20 events from the most recent confirmed update back to the earliest known activity.
SecurityOnline reports newly surfaced flaws in Apache NiFi, Exim, and Dify
On December 22, 2025, SecurityOnline published separate reports on a deserialization-related data leak risk in Apache NiFi, a failed-patch-plus-SQL-injection issue leading to Exim heap overflows, and CVE-2025-63387 in Dify exposing system configuration data to anonymous users. These articles indicate public emergence of additional vulnerability disclosures on those products.
SecurityOnline amplifies n8n RCE risk in follow-up coverage
SecurityOnline published follow-up reporting on the critical n8n remote code execution vulnerability, emphasizing the potential for total server compromise. The article did not introduce a separate new incident but reflected growing public attention to the flaw after disclosure.
Tenda FH1201 SetIpBind overflow is publicly documented
CVE-2025-14995 was publicly disclosed for Tenda FH1201 firmware 1.2.0.14(408), describing a stack-based buffer overflow in the SetIpBind handler. The publication referenced public proof-of-concept code and urged users to update firmware.
Wordfence reports arbitrary file copy flaw in Contact Form 7 add-on
CVE-2025-14800 was published on December 21, 2025, for Redirection for Contact Form 7 up to version 3.2.7. Reported by security@wordfence.com, the flaw allows unauthenticated arbitrary file copy via move_file_to_upload and can enable remote file upload when allow_url_fopen is enabled.
Tenda FH1201/FH1206 webtypelibrary overflow is disclosed
CVE-2025-14994 was published for Tenda FH1201 and FH1206 routers, covering a stack-based buffer overflow in the webtypelibrary handler. The disclosure referenced released proof-of-concept exploits and recommended applying firmware patches.
Tenda AC18 SetDlnaCfg overflow is published with an in-the-wild exploitation claim
CVE-2025-14993 was published for a stack-based buffer overflow in the Tenda AC18 SetDlnaCfg handler. The advisory said a public proof-of-concept was available and stated the exploit was confirmed in the wild.
Tenda AC18 GetParentControlInfo overflow is publicly disclosed
CVE-2025-14992 was publicly disclosed for Tenda AC18 version 15.03.05.05, describing a stack-based buffer overflow in the GetParentControlInfo handler. The disclosure noted public proof-of-concept exploit availability and advised firmware updates.
VulnCheck discloses Versa SASE Client local privilege-escalation flaw
CVE-2025-34290 was disclosed on December 20, 2025, affecting Versa SASE Client for Windows versions 7.8.7 through 7.9.4. The issue combines improper privilege handling, a TOCTOU race, and symlink abuse to enable arbitrary folder deletion and potential SYSTEM-level compromise.
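The TOCTOU race plus symlink abuse described in this entry is a general failure mode of privileged cleanup routines: the code checks a path, then deletes it, and a link planted between the two steps redirects the deletion elsewhere. As an added defender-side example that is not part of the disclosure and not Versa's code, the following POSIX (Linux) routine refuses symlinked targets, checks that the target resolves inside an expected base directory, and performs the walk with file-descriptor-relative calls under O_NOFOLLOW so that a link swapped in mid-deletion is refused rather than followed. The directory layout, the names, and the outside "victim" directory are constructed for the demonstration.

```python
"""Added example: delete a directory tree under a trusted base without ever
following a symlink, even one swapped in while deletion is in progress.

Constructed for demonstration (not Versa's code): POSIX only, relies on
O_NOFOLLOW / O_DIRECTORY and dir_fd-relative unlink/rmdir.
"""
import os
import shutil
import tempfile


def is_within(base, path):
    """True if `path` resolves to a location inside `base` (both resolved)."""
    base_r = os.path.realpath(base)
    path_r = os.path.realpath(path)
    return os.path.commonpath([base_r, path_r]) == base_r


def _open_dir_nofollow(name, dir_fd=None):
    # O_NOFOLLOW makes the open fail with ELOOP if `name` has become a symlink
    # since we listed it; O_DIRECTORY fails if it is not a directory at all.
    return os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)


def _remove_children(dir_fd, removed):
    """Remove everything inside the directory open at `dir_fd`, relative to it."""
    for entry in list(os.scandir(dir_fd)):
        if entry.is_dir(follow_symlinks=False):
            child_fd = _open_dir_nofollow(entry.name, dir_fd=dir_fd)
            try:
                _remove_children(child_fd, removed)
            finally:
                os.close(child_fd)
            os.rmdir(entry.name, dir_fd=dir_fd)
        else:
            # Files and symlinks alike: unlink the entry itself, never its target.
            os.unlink(entry.name, dir_fd=dir_fd)
        removed.append(entry.name)


def remove_tree_safely(base, target):
    """Delete directory `target`, which must live under `base` and not be a symlink.

    Returns the names of removed entries. Raises ValueError when the target is
    a symlink or resolves outside `base`; a link swapped in mid-walk surfaces as
    OSError(ELOOP) from open() rather than being followed.
    """
    if os.path.islink(target):
        raise ValueError("refusing to delete a symlinked target: %s" % target)
    if not is_within(base, target):
        raise ValueError("target resolves outside base: %s" % target)
    fd = _open_dir_nofollow(target)  # re-checks link status atomically with the open
    removed = []
    try:
        _remove_children(fd, removed)
    finally:
        os.close(fd)
    os.rmdir(target)  # never follows links and only removes an empty directory
    return removed


def demo():
    """Build a constructed layout with a symlink escaping the tree and clean it up."""
    root = tempfile.mkdtemp()
    try:
        base = os.path.join(root, "base")
        victim = os.path.join(root, "victim")   # outside base; must survive
        work = os.path.join(base, "work")       # the tree we intend to delete
        os.makedirs(os.path.join(work, "sub"))
        os.makedirs(victim)
        for p in ("work/a.txt", "work/sub/b.txt"):
            with open(os.path.join(base, p), "w") as fh:
                fh.write("data")
        with open(os.path.join(victim, "secret.txt"), "w") as fh:
            fh.write("keep me")
        os.symlink(victim, os.path.join(work, "link"))   # link inside the tree -> outside
        os.symlink(victim, os.path.join(base, "evil"))   # a symlinked target itself

        refused = False
        try:
            remove_tree_safely(base, os.path.join(base, "evil"))
        except ValueError:
            refused = True

        removed = remove_tree_safely(base, work)
        return {
            "removed": sorted(removed),
            "work_exists": os.path.exists(work),
            "victim_intact": os.path.exists(os.path.join(victim, "secret.txt")),
            "symlinked_target_refused": refused,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The point of the fd-relative walk is that the path is resolved once, at open time, with O_NOFOLLOW; every later unlink and rmdir names an entry relative to that open directory, so there is no second path lookup for an attacker to redirect. On Windows the equivalent would be opening the directory handle with reparse-point-aware flags and deleting by handle, which this POSIX illustration does not cover.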
Flex Store Users unauthenticated privilege-escalation bug is published
CVE-2025-13619 was published for Flex Store Users up to version 1.1.0, describing a critical vulnerability that allows unauthenticated privilege escalation. The brief disclosure assigned a CVSS 9.8 score and warned of severe exploitation risk.
Wordfence reports unauthenticated file upload flaw in WooCommerce plugin
CVE-2025-13329 was published on December 20, 2025, for File Uploader for WooCommerce up to version 1.0.3. Reported by security@wordfence.com, the flaw allows unauthenticated arbitrary file upload through the add-image-data REST API endpoint and can lead to remote code execution.
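The two Wordfence-reported flaws above (Redirection for Contact Form 7 and File Uploader for WooCommerce) share one pattern: a file-copy or upload routine reachable without authentication. As an added detection example, not code from either plugin or from Wordfence, the following Python flags unauthenticated POSTs to a REST upload route in web-server access logs. The log format (combined format followed by the quoted Cookie request header), the REST namespace `wcfu/v1`, and the log lines are all constructed assumptions; the page gives only the endpoint name `add-image-data`, so the route pattern matches any `/wp-json/` route ending in that segment. The check keys on the absence of a `wordpress_logged_in_` cookie, which is the cookie WordPress sets for an authenticated browser session.

```python
"""Added example: flag unauthenticated POSTs to a WordPress REST upload route.

Constructed assumptions (not from the disclosures): access-log format is the
combined format followed by the quoted Cookie request header; the REST
namespace 'wcfu/v1' is a placeholder, since only the endpoint name
'add-image-data' is given; the sample log lines below are made up.
"""
import re
from dataclasses import dataclass

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Any REST route whose last segment is the endpoint name; the namespace is unknown.
UPLOAD_ROUTE = re.compile(r'^/wp-json/(?:[^/?]+/)+add-image-data/?(?:\?.*)?$')

# WordPress marks a logged-in browser session with a cookie of this prefix.
AUTH_COOKIE_PREFIX = "wordpress_logged_in_"


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    status: int
    accepted: bool  # True on a 2xx answer, i.e. the upload most likely went through


def parse_line(line):
    """Return the matched fields as a dict, or None for lines in another format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_unauth_uploads(lines):
    """Return a Finding for each POST to the upload route with no logged-in cookie."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not UPLOAD_ROUTE.match(rec["path"]):
            continue
        if AUTH_COOKIE_PREFIX in rec["cookie"]:
            continue  # authenticated session; normal plugin use
        status = int(rec["status"])
        findings.append(Finding(rec["ip"], rec["ts"], rec["path"], status, 200 <= status < 300))
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Dec/2025:10:01:02 +0000] "POST /wp-json/wcfu/v1/add-image-data HTTP/1.1" 200 152 "-" "python-requests/2.31" "-"',
    '198.51.100.7 - - [20/Dec/2025:10:02:10 +0000] "POST /wp-json/wcfu/v1/add-image-data HTTP/1.1" 200 152 "https://shop.example/" "Mozilla/5.0" "wordpress_logged_in_0123abcd=editor%7C1766000000%7Cabc; wp-settings-1=x"',
    '203.0.113.5 - - [20/Dec/2025:10:02:44 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "curl/8.4.0" "-"',
    '192.0.2.9 - - [20/Dec/2025:10:05:31 +0000] "POST /wp-json/wcfu/v1/add-image-data HTTP/1.1" 403 45 "-" "curl/8.4.0" "-"',
    'not a log line',
]

if __name__ == "__main__":
    for f in find_unauth_uploads(SAMPLE_LOG):
        verdict = "ACCEPTED" if f.accepted else "rejected"
        print(f"{f.ts} {f.ip} POST {f.path} -> {f.status} ({verdict}, no logged-in cookie)")
```

A 2xx finding is the one to triage first: after the plugin is patched, it indicates a file may already have been written and the upload directory should be reviewed. Requests authenticated with application passwords carry an Authorization header rather than the login cookie, so a deployment that uses them would log and check that header as well.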
TP-Link Tapo C200 local-network auth flaw is published
CVE-2025-14300 was published for the Tapo C200 V3, describing unauthenticated access to the connectAP API endpoint over the local network. The issue allows attackers on the same network to alter Wi-Fi settings and potentially cause denial of service, with TP-Link references and firmware updates noted.
n8n publishes critical expression-injection RCE and fixed versions
CVE-2025-68613 was disclosed for n8n, describing authenticated remote code execution through workflow expression injection in versions from 0.211.0 up to fixed releases 1.120.4, 1.121.1, and 1.122.0. The advisory urged immediate upgrades and noted temporary hardening measures were insufficient to fully remove risk.
Multiple VulnCheck-disclosed CVEs are published with public exploit details
On December 19, 2025, a large set of vulnerabilities was publicly disclosed, including flaws in FileZilla Client, LDAP Tool Box Self Service Password, Kimai, Flatnux, InnovaStudio WYSIWYG Editor, Ever Gauzy, AspEmail, Dotclear, ActFax, Arcsoft PhotoStudio, Lilac-Reloaded for Nagios, OCS Inventory NG, and BrainyCP. The disclosures described impacts ranging from remote code execution and account takeover to local privilege escalation, and many referenced public proof-of-concept exploits.
GT Edge AI Platform code injection flaw is published with patch guidance
CVE-2025-63665 was published for a critical code injection vulnerability affecting GT Edge AI Platform versions before v2.0.10-dev. The disclosure said public proof-of-concept exploits existed and directed users to upgrade to v2.0.10-dev or later.
Dive fixes Mermaid XSS-to-RCE issue in version 0.11.1
A critical stored XSS vulnerability in Dive's Mermaid rendering component, tracked as CVE-2025-66580, was documented as enabling remote code execution after user interaction. The issue was addressed in Dive version 0.11.1 and later, with advisories and PoCs published on GitHub.
VulnCheck discloses AVideo unauthenticated RCE flaw
CVE-2025-34433 was disclosed on December 19, 2025, for AVideo versions before 20.1, where a predictable installation salt can be recovered and used to achieve unauthenticated remote code execution. Public GitHub proof-of-concept code was referenced in the disclosure.
M-Files discloses session token exposure flaw and releases patches
M-Files published CVE-2025-13008, describing a vulnerability in M-Files Web that lets an authenticated attacker capture other users' session tokens. The vendor released fixes for affected M-Files Server branches and advised customers to upgrade.
Authentication bypass CVE-2025-52692 is published and CSA issues alert
CVE-2025-52692, a high-severity authentication bypass affecting unspecified products, was published as allowing access to some administrative functions via a crafted URL from the local network. The Singapore Cyber Security Agency issued an alert on the vulnerability.
Mintlify SSTI vulnerability is published with public GitHub PoCs noted
CVE-2025-67843 was published for a high-severity server-side template injection flaw in Mintlify Platform's MDX Rendering Engine before version 2025-11-15. The disclosure noted public proof-of-concept exploits on GitHub and advised updating and sanitizing MDX content.
Palantir reports and Apollo deploys fix for Glutton V1 auth bypass
Palantir coordinated disclosure of CVE-2024-49587, a missing-authentication flaw exposing Glutton V1 endpoints on Gotham stacks. Apollo automatically deployed a patch to all Apollo-managed Gotham instances to mitigate the issue.
Sources
35 references tracked.
Exim’s Poisoned Record: How a Failed Patch and SQL Injection Lead to Critical Heap Overflows (securityonline.info, open source)
Apache NiFi’s Data Leak: How a High-Severity Deserialization Flaw Puts Your Asana Workflows at Risk (securityonline.info, open source)
n8n Under Fire: Critical CVSS 10.0 RCE Vulnerability Grants Total Server Access (securityonline.info, open source)
AI’s Exposed Side Door: Dify Flaw (CVE-2025-63387) Leaks System Configs to Anonymous Users (securityonline.info, open source)
CVE-2025-34433 - AVideo < 20.1 Unauthenticated RCE via Predictable Installation Salt (cvefeed.io, open source)
CVE-2025-13008 - Session Token Disclosure in M-Files Web (cvefeed.io, open source)
CVE-2025-67843 - Mintlify Platform SSTI Vulnerability (cvefeed.io, open source)
CVE-2025-52692 - Bypass Authentication (cvefeed.io, open source)