Jan 10, 2022 Cyber Threat Intelligence
Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.
Daily summary
Microsoft Win32k: 2 CVEs added to CISA KEV today.
Coreftp Core Ftp: public exploit or PoC linked (Directory Traversal)
WordPress plugin RCE/exploit activity: 2 CVEs flagged today.
10 new critical disclosures — review patch status on exposed services.
Top threats today
Three highest-priority changes — analyst brief, not a CVE dump.
Critical active threat
CVE-2013-3900
Microsoft WinVerifyTrust function Remote Code Execution
Actively exploited (CISA KEV)
Listed on CISA KEV
Remote code execution exposure
Microsoft WinVerifyTrust Function RCE is on CISA KEV — confirmed in-the-wild exploitation. Expect continued targeting while the issue remains on the catalog.
Active exploit activity
Public exploit or PoC available
Exploit activity linked
Vuplayer Buffer Overflow now has public exploit or PoC linkage — assume opportunistic scanning and targeted follow-on activity.
Critical exposure
CVE-2021-24949
Posimyth The Plus Addons For Elementor SQL Injection
CVSS 9.8
Internet-facing CMS deployments affected
New critical Posimyth The Plus Addons For Elementor SQL Injection (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.
Active exploitation
CISA KEV — confirmed in-the-wild exploitation.
FatPipe WARP, IPVPN, and MPVPN Configuration Upload exploit
VMware vCenter Server Improper Access Control
Hikvision Improper Input Validation
Google Chrome Media Use-After-Free
Microsoft Win32k Privilege Escalation
Palo Alto Networks PAN-OS Remote Code Execution
Exim Mail Transfer Agent (MTA) Improper Input Validation
Fortinet FortiOS and FortiProxy Improper Authorization
Fortinet FortiOS and FortiProxy Out-of-bounds Write
Synacor Zimbra Collaboration Suite (ZCS) Improper Restriction of XML External Entity Reference
Oracle WebLogic Server, Injection
Kibana Arbitrary Code Execution
Exploit & PoC activity
CoreFTP Server before 727 allows directory traversal (for file creation) by an authenticated attacker via ../ in an HTTP PUT request.
Opmantek Open-AudIT Community 4.2.0 (Fixed in 4.3.0) is affected by a Cross Site Scripting (XSS) vulnerability.
Buffer overflow in VUPlayer 2.49 and earlier allows user-assisted attackers to execute arbitrary code via a long URL in a File line in a...
Exploitation dynamics
Nothing flagged in this category for this digest.
New critical disclosures
The "WP Search Filters" widget of The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not sanitise and escape the opti...
The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have au...
A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution.
In Teedy, versions v1.5 through v1.9 are vulnerable to Reflected Cross-Site Scripting (XSS).
In Teedy, versions v1.5 through v1.9 are vulnerable to Stored Cross-Site Scripting (XSS) in the name of a created Tag.
addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
QXIP SIPCAPTURE homer-app before 1.4.28 for HOMER 7.x has the same 167f0db2-f83e-4baa-9736-d56064a5b415 JWT secret key across different c...
Formpipe Lasernet before 9.13.3 allows file inclusion in Client Web Services (either by an authenticated attacker, or in a configuration...
cvelogic
Threat Intelligence