Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.
Three highest-priority changes — analyst brief, not a CVE dump.
Critical active threat
Synacor Zimbra Collaboration Suite (ZCS) Command Injection is on CISA KEV — confirmed in-the-wild exploitation. Expect continued targeting while the issue remains on the catalog.
Critical exposure
New critical Apache Hadoop RCE (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.
Critical exposure
New critical Joinbookwyrm Bookwyrm Auth Bypass (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.
CISA KEV — confirmed in-the-wild exploitation.
Synacor Zimbra Collaboration Suite (ZCS) Command Injection
Nothing flagged in this category for this digest.
Nothing flagged in this category for this digest.
Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell.
Authentication Bypass by Primary Weakness in GitHub repository bookwyrm-social/bookwyrm prior to 0.4.5.
OMICARD EDM’s API function has insufficient validation for user input.
OMICARD EDM has a hard-coded machine key.
Crow before 1.0+4 has a heap-based buffer overflow via the function qs_parse in query_string.h.
Totolink A3600R_Firmware V4.1.2cu.5182_B20201102 contains a hard code password for root in /etc/shadow.sample.
Renato v0.17.0 employs weak password complexity requirements, allowing attackers to crack user passwords via brute-force attacks.