Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.
Three highest-priority changes — analyst brief, not a CVE dump.
Critical active threat
Adobe BlazeDS Info Disclosure is on CISA KEV — confirmed in-the-wild exploitation. Expect continued targeting while the issue remains on the catalog.
Active exploit activity
Part-db Project Part-db Command Injection now has public exploit or PoC linkage — assume opportunistic scanning and targeted follow-on activity.
Critical exposure
New critical Janeczku Calibre-web SSRF (CVSS 9.9) — fresh disclosure window; early internet scanning often precedes mature exploit chains.
CISA KEV — confirmed in-the-wild exploitation.
Mozilla Firefox Use-After-Free
Mozilla Firefox Use-After-Free
VMware vCenter Server and Cloud Foundation Server Side Request Forgery (SSRF)
Pulse Connect Secure Code Injection
Atlassian Jira Server and Data Center Server-Side Template Injection
NETGEAR DGN2200 Remote Code Execution
NETGEAR Multiple Routers Remote Code Execution
Adobe ColdFusion Authentication Bypass
Adobe ColdFusion Directory Traversal
Adobe ColdFusion Information Disclosure
Adobe BlazeDS Information Disclosure
OS Command Injection in GitHub repository part-db/part-db prior to 0.5.11.
VMware Spring Cloud Gateway Code Injection
Nothing flagged in this category for this digest.
The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter before using it in a SQL statement, lead...
The Page View Count WordPress plugin before 2.4.15 does not sanitise and escape the post_ids parameter before using it in a SQL statement...
The MasterStudy LMS WordPress plugin before 2.7.6 does to validate some parameters given when registering a new account, allowing unauthe...
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.