BDU:2015-02872 RU

2026-01-25

Astra Linux Common Edition, Tivoli Business Service Manager, Glib, Debian GNU/Linux (IBM Corp., Сообщество свободного программного обеспечения, The GNOME Project, ООО «РусБИТех-Астра»)

Множественные уязвимости пакета libxml-security-c-doc операционной системы Debian GNU/Linux, эксплуатация которых может привести к нарушению целостности защищаемой информации. Эксплуатация уязвимостей может быть осуществлена удаленно

CVE-2024-37079

2026-01-23

VMware vCenter Server (Broadcom)

Broadcom VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. This could allow a malicious actor with network access to vCenter Server to send specially crafted network packets, potentially leading to remote code execution. 82.7%

CVE-2025-68645

2026-01-22

Zimbra Collaboration Suite (ZCS) (Synacor)

Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow for remote attackers to craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory. 26.2%

CVE-2025-34026

2026-01-22

Concerto (Versa)

Versa Concerto SD-WAN orchestration platform contains an improper authentication vulnerability in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs. 53.0%

CVE-2025-31125

2026-01-22

Vitejs (Vite)

Vite Vitejs contains an improper access control vulnerability that exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. 62.3%

CVE-2025-54313

2026-01-22

eslint-config-prettier (Prettier)

Prettier eslint-config-prettier contains an embedded malicious code vulnerability. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows. 5.0%

CVE-2026-20045

2026-01-21

Unified Communications Manager (Cisco)

Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance contain a code injection vulnerability that could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. 0.8%

CVE-2026-20805

2026-01-13

Windows (Microsoft)

Microsoft Windows Desktop Windows Manager contains an information disclosure vulnerability that allows an authorized attacker to disclose information locally. 4.6%

CVE-2025-8110

2026-01-12

Gogs (Gogs)

Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution. 22.3%

CVE-2009-0556

2026-01-07

Office (Microsoft)

Microsoft Office PowerPoint contains a code injection vulnerability that allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption. 78.5%

CVE-2025-37164

2026-01-07

OneView (Hewlett Packard Enterprise (HPE))

Hewlett Packard Enterprise (HPE) OneView contains a code injection vulnerability that allows a remote unauthenticated user to perform remote code execution. 84.9%

CVE-2025-14847

2025-12-29

MongoDB and MongoDB Server (MongoDB)

MongoDB Server contains an improper handling of length parameter inconsistency vulnerability in Zlib compressed protocol headers. This vulnerability may allow a read of uninitialized heap memory by an unauthenticated client. 52.0%

CVE-2023-52163

2025-12-22

DS-2105 Pro (Digiever)

Digiever DS-2105 Pro contains a missing authorization vulnerability which could allow for command injection via time_tzsetup.cgi. 69.2%

CVE-2025-14733

2025-12-19

Firebox (WatchGuard)

WatchGuard Fireware OS iked process contains an out of bounds write vulnerability in the OS iked process. This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code and affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer. 40.7%

BDU:2025-16325 RU

2025-12-19

Импорт из Excel. Загрузка каталога товаров 1С-Битрикс (ИП Кривочуров Дмитрий Анатольевич)

Уязвимость плагина «Импорт из Excel» связана с неверным ограничением имени пути к каталогу. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, получить несанкционированный доступ к защищаемой информации

CVE-2025-59374

2025-12-17

Live Update (ASUS)

ASUS Live Update contains an embedded malicious code vulnerability client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. 30.9%

CVE-2025-40602

2025-12-17

SMA1000 appliance (SonicWall)

SonicWall SMA1000 contains a missing authorization vulnerability that could allow for privilege escalation appliance management console (AMC) of affected devices. 0.3%

CVE-2025-20393

2025-12-17

Multiple Products (Cisco)

Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contains an improper input validation vulnerability that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance. 4.6%

CVE-2025-59718

2025-12-16

Multiple Products (Fortinet)

Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb contain an improper verification of cryptographic signature vulnerability that may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message. Please be aware that CVE-2025-59719 pertains to the same problem and is mentioned in the same vendor advisory. Ensure to apply all patches mentioned in the advisory. 2.3%

CVE-2025-14611

2025-12-15

CentreStack and Triofox (Gladinet)

Gladinet CentreStack and TrioFox contain a hardcoded cryptographic keys vulnerability for their implementation of the AES cryptoscheme. This vulnerability degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication. 61.0%