Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.
Three highest-priority changes — analyst brief, not a CVE dump.
Critical active threat
JQuery XSS is on CISA KEV — confirmed in-the-wild exploitation. Expect continued targeting while the issue remains on the catalog.
Critical exposure
New critical Projectworlds Online Food Ordering System SQL Injection (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.
Critical exposure
New critical disclosure (CVSS 9.8) — high severity with a short public awareness window before exploit material typically surfaces.
CISA KEV — confirmed in-the-wild exploitation.
JQuery Cross-Site Scripting (XSS)
Nothing flagged in this category for this digest.
Nothing flagged in this category for this digest.
KWHotel 0.47 is vulnerable to CSV Formula Injection in the add guest function.
KWHotel 0.47 is vulnerable to CSV Formula Injection in the invoice adding function.
ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates.
ECOVACS lawnmowers and vacuums do not properly validate TLS certificates.
An issue was discovered in Centreon Web 24.10.x before 24.10.3, 24.04.x before 24.04.9, 23.10.x before 23.10.19, 23.04.x before 23.04.24.
OpenImageIO v3.1.0.0dev was discovered to contain a heap overflow via the component OpenImageIO_v3_1_0::farmhash::inlined::Fetch64(char c...
OpenImageIO v3.1.0.0dev was discovered to contain a segmentation violation via the component /OpenImageIO/string_view.h.
OpenImageIO v3.1.0.0dev was discovered to contain a heap overflow via the component /OpenImageIO/fmath.h.
An issue was discovered in Centreon centreon-web 24.10.x before 24.10.3, 24.04.x before 24.04.9, 23.10.x before 23.10.19, 23.04.x before...
A SQL Injection vulnerability exists in the login form of Online Food Ordering System v1.0.