Aug 2, 2022 Cyber Threat Intelligence
Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.
Daily summary
Troglobit Uftpd: public exploit or PoC linked (RCE)
10 new critical disclosures — review patch status on exposed services.
Top threats today
Three highest-priority changes — analyst brief, not a CVE dump.
Active exploit activity
Public exploit or PoC available
Exploit activity linked
Remote code execution exposure
Troglobit Uftpd RCE now has public exploit or PoC linkage — assume opportunistic scanning and targeted follow-on activity.
Critical exposure
CVE-2022-29807
Quest Kace Systems Management Appliance RCE
CVSS 9.8
Remote code execution exposure
New critical Quest Kace Systems Management Appliance RCE (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.
Critical exposure
CVE-2022-35223
Easyuse Mailhunter Ultimate Deserialization
New critical Easyuse Mailhunter Ultimate Deserialization (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.
Active exploitation
CISA KEV — confirmed in-the-wild exploitation.
Nothing flagged in this category for this digest.
Exploit & PoC activity
There are multiple unauthenticated directory traversal vulnerabilities in different FTP commands in uftpd FTP server versions 2.7 to 2.10...
Exploitation dynamics
Nothing flagged in this category for this digest.
New critical disclosures
This affects all versions of package monorepo-build.
This affects all versions of package gitblame.
This affects all versions of package heroku-env.
This affects the package image-tiler before 2.0.2.
This affects all versions of package npos-tesseract.
A SQL injection vulnerability exists within Quest KACE Systems Management Appliance (SMA) through 12.0 that can allow for remote code exe...
In Quest KACE Systems Management Appliance (SMA) through 12.0, a hash collision is possible during authentication.
Mealie 1.0.0beta3 contains an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file.
EasyUse MailHunter Ultimate’s cookie deserialization function has an inadequate validation vulnerability.
NextAuth.js is a complete open source authentication solution for Next.js applications.