Critical Watch
AI-curated daily picks – the most critical CVEs requiring immediate attention
ruoyi-vue-pro is a very widely deployed open-source Java RAD platform, and an unauthenticated path traversal allowing arbitrary file read AND write to its upload endpoint is effectively a pre-auth RCE/webshell vector across every affected version.
Cockpit CMS is a popular headless/API CMS, and this unauthenticated path-traversal lets attackers read files outside the web root (config, credentials, secrets) with a public exploit and no fix prerequisites.
Cherry Studio is a fast-growing AI/MCP desktop client now common on developer machines, and its OAuth callback server accepting authorization-code callbacks without validating the state parameter enables account/token compromise via auth-code injection.
GotoHTTP is a widely used remote-access/remote-desktop tool, so a reflected XSS in its web interface with a public PoC gives attackers a session-hijack path into machines that are remotely administered.
7-Zip is installed on a huge share of Windows endpoints, and this Mark-of-the-Web bypass via crafted RAR5 archives strips the Internet-zone marker that SmartScreen and Office rely on, which is exactly the technique phishing and malware campaigns weaponize to get payloads to run silently.
libssh2 is embedded in countless clients and tools (curl, git, language SSH bindings, appliances), and this free-of-uninitialized-pointer flaw lets any malicious or compromised SSH server corrupt memory in connecting clients on all platforms, turning routine outbound SSH into a client-side compromise vector.
FFmpeg/libavcodec is ubiquitous in media pipelines, web servers, and desktop apps, so this out-of-bounds heap write in the RASC decoder means any service that auto-transcodes untrusted video can be driven to memory corruption by a crafted stream.
This CRITICAL (9.4) container escape in Gitea's act_runner lets an authenticated user with workflow rights break out to root on the CI host even with privileged mode disabled, giving an attacker full control of build infrastructure, a high-value supply-chain pivot for any org self-hosting Gitea Actions.
nghttpx (nghttp2's reverse proxy) sits in front of production web services, and this HTTP request/response smuggling flaw lets unauthenticated attackers poison shared backend keep-alive connections, enabling cache poisoning, credential theft, and access-control bypass against internet-facing apps.
Unauthenticated admin account takeover in the Branda WordPress plugin (white-labeling, widely deployed across agency/multisite WordPress installs) lets remote attackers reset any user's password including admins, enabling full site compromise.
Unauthenticated remote DoS in Mitsubishi MELSEC iQ-F FX5-EIP EtherNet/IP modules with known threat actor interest poses a real risk to manufacturing/OT environments where PLC downtime can halt production lines.
Unauthenticated packet-flood DoS in Mitsubishi MELSEC iQ-F FX5-ENET/IP modules (all versions, no patch implied) is a high-severity OT risk with known actor tracking, and ICS teams should isolate/segment these modules immediately.
Prototype pollution in jsonata-js affects a widely-used JSONata library embedded in many Node.js applications and integration platforms, making this a supply-chain risk that could enable RCE or auth bypass downstream.
Unauthenticated path traversal in Microweber CMS exposes file system contents on publicly-reachable websites, and the public PoC makes opportunistic mass scanning highly likely.
Unauthenticated access to ShopXO's scheduled-task API lets attackers manipulate order state on e-commerce deployments, with direct financial and fraud impact for any shop running affected versions.
Prototype pollution in Avalon's template filter handler can be chained to gadget-based RCE in Node.js apps that embed the library, and a public PoC is already available.
Unauthenticated account hijacking in phpBB affects default installations even when OAuth is disabled, putting one of the most widely deployed forum platforms at immediate risk of mass compromise with no patch signal.
Command injection across Ubiquiti UniFi OS gateways, controllers, NVRs, and NAS devices threatens a massive enterprise and SMB footprint where a low-privileged foothold yields full device takeover on network infrastructure.
Privilege escalation in Ubiquiti UniFi OS lets low-privileged network-adjacent attackers fully compromise UniFi devices, which sit at the network edge of countless organizations and are frequent targets of botnet and APT campaigns.
Command injection in the Ubiquiti UID Enterprise Agent allows low-privileged attackers to run arbitrary commands on host devices, exposing endpoints managed by UniFi Identity across enterprise environments to lateral movement.
Unauthenticated remote takeover of Oracle PeopleSoft Enterprise PeopleTools (8.61/8.62) via the Updates Environment Management component. PeopleSoft hosts HR/financial data for large enterprises and government, and a CVSS 9.8 pre-auth RCE on an internet-adjacent admin component is a top-tier ransomware and data-theft target.