Jul 22, 2025 Cyber Threat Intelligence
Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.
Daily summary
- Microsoft SharePoint: 2 CVEs added to CISA KEV today.
- Livehelperchat Live Helper Chat: public exploit or PoC linked (XSS).
- WordPress plugin RCE/exploit activity: 2 CVEs flagged today.
- 10 new critical disclosures — review patch status on exposed services.
Top threats today
Three highest-priority changes — analyst brief, not a CVE dump.
Critical active threat
CVE-2025-2775
SysAid On-Prem Improper Restriction of XML External Entity Reference
- Actively exploited (CISA KEV)
- Listed on CISA KEV
SysAid On-Prem XXE is on CISA KEV — confirmed in-the-wild exploitation. Expect continued targeting while the issue remains on the catalog.
Active exploit activity
- Public exploit or PoC available
- Exploit activity linked
Microsoft Edge XSS now has public exploit or PoC linkage — assume opportunistic scanning and targeted follow-on activity.
Critical exposure
New critical disclosure (CVSS 10) — high severity with a short public awareness window before exploit material typically surfaces.
Active exploitation
CISA KEV — confirmed in-the-wild exploitation.
CrushFTP Unprotected Alternate Channel
Google Chromium ANGLE and GPU Improper Input Validation
Microsoft SharePoint Code Injection
Microsoft SharePoint Improper Authentication
SysAid On-Prem Improper Restriction of XML External Entity Reference
SysAid On-Prem Improper Restriction of XML External Entity Reference
Exploit & PoC activity
A stored cross-site scripting (XSS) vulnerability in Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via...
A stored cross-site scripting (XSS) vulnerability in the Facebook Chat module of Live Helper Chat v4.60 allows attackers to execute arbit...
A stored cross-site scripting (XSS) vulnerability in the Facebook registration page of Live Helper Chat v4.60 allows attackers to execute...
A stored cross-site scripting (XSS) vulnerability in the Personal Canned Messages of Live Helper Chat v4.60 allows attackers to execute a...
A stored cross-site scripting (XSS) vulnerability in the chat transfer function of Live Helper Chat v4.60 allows attackers to execute arb...
A stored cross-site scripting (XSS) vulnerability in the department assignment editing module of Live Helper Chat v4.60 allows attacke...
A SQL injection vulnerability in the JS Jobs plugin versions 1.0.0-1.4.1 for Joomla allows low-privilege users to execute arbitrary SQL c...
A vulnerability, which was classified as critical, has been found in Tenda FH451 1.0.0.9.
The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename f...
An authentication bypass vulnerability exists in the WordPress Pie Register plugin ≤ 3.7.1.4 that allows unauthenticated attackers to imp...
Discourse is an open source platform for community discussion.
Microsoft Edge mishandles HTML attributes in HTTP responses, which allows remote attackers to bypass a cross-site scripting (XSS) protect...
Exploitation dynamics
Nothing flagged in this category for this digest.
New critical disclosures
An authentication bypass vulnerability exists in ETQ Reliance on the CG (legacy) platform.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rolantis Information Technologies A...
The bSecure plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its order_info REST endpoint i...
Use of weak credentials in emergency authentication component in Devolutions Server allows an unauthenticated attacker to bypass authenti...
On arm64, a WASM `br_table` instruction with a lot of entries could lead to the label being too far from the instruction causing truncati...
The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials.
Setting a nameless cookie with an equals sign in the value shadowed other cookies.
Thunderbird ignored paths when checking the validity of navigations in a frame.
Focus incorrectly truncated URLs towards the beginning instead of around the origin.
Memory safety bugs present in Firefox 140 and Thunderbird 140.
cvelogic