The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them. Follow links with caution.

CVE-2026-24061

• Severity: 9.8 CRITICAL
• Impacted Products: GNU Inetutils 1.9.3 through 2.7
• Description: GNU Inetutils telnetd is affected by an argument injection vulnerability that allows remote, unauthenticated attackers to bypass authentication and gain root access. This flaw occurs because the daemon fails to sanitize the USER environment variable before passing it to the system’s login utility.
• Remediation:
  • oss-sec: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
  • oss-security - GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
  • oss-security - GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
• More Info: NVD - CVE-2026-24061
• PoC:
  • https://github.com/duy-31/CVE-2026-24061---telnetd
  • https://github.com/Mr-Zapi/CVE-2026-24061
  • https://github.com/z3n70/CVE-2026-24061

CVE-2026-21533 NEW

• Severity: 7.8 HIGH
• Impacted Products: Microsoft Windows Remote Desktop Services
• Description: Microsoft Windows Remote Desktop Services is affected by an improper privilege management vulnerability that allows for local privilege escalation. This flaw enables an authenticated user to gain higher-level permissions than intended on the host system.
• Remediation:
  • Windows Remote Desktop Services Elevation of Privilege Vulnerability
  • Microsoft KB 5075897
  • Microsoft KB 5075899
• More Info: NVD - CVE-2026-21533
• PoC:
  • https://github.com/elvin31thai/CVE-2026-21533
  • https://github.com/jenniferreire26/CVE-2026-21533

CVE-2026-21510 NEW

• Severity: 8.8 HIGH
• Impacted Products: Windows Shell
• Description: Windows Shell is affected by a protection mechanism failure that allows a remote attacker to bypass security features. This vulnerability occurs when a user is induced to open a malicious link or shortcut file.
• Remediation:
  • Windows Shell Security Feature Bypass Vulnerability
  • Microsoft KB 5075897
  • Microsoft KB 5075899
• More Info: NVD - CVE-2026-21510
• PoC:
  • https://github.com/andreassudo/CVE-2026-21510-CVSS-8.8-Important-Windows-Shell-security-feature-bypass

CVE-2026-21531 NEW

• Severity: 9.8 CRITICAL
• Impacted Products: Azure SDK for Python, Azure AI Language Conversations Authoring SDK
• Description: The Azure SDK for Python, specifically the Azure AI Language Conversations Authoring SDK, is affected by a remote code execution vulnerability due to the unsafe deserialization of untrusted data. An unauthenticated attacker can exploit this flaw by providing a maliciously crafted continuation token to the SDK.
• Remediation:
  • Azure SDK for Python Remote Code Execution Vulnerability
• More Info: NVD - CVE-2026-21531
• PoC:
  • https://github.com/NetVanguard-cmd/CVE-2026-21531

CVE-2026-25643 NEW

• Severity: 9.1 CRITICAL
• Impacted Products: Frigate 0.16.4
• Description: Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable b…
• Remediation:
  • Frigate Affected by Authenticated Remote Command Execution (RCE) and Container Escape
  • Frigate Affected by Authenticated Remote Command Execution (RCE) and Container Escape
  • Authenticated Remote Command Execution (RCE) and Container Escape
• More Info: NVD - CVE-2026-25643
• PoC:
  • https://github.com/jduardo2704/CVE-2026-25643-Frigate-RCE

CVE-2026-25641 NEW

• Severity: 10.0 CRITICAL
• Impacted Products: SandboxJS < 0.8.29
• Description: SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerability due to a mismatch between the key on which the validation is performed and the key used for accessing properties. Even though the key used in property accesses is annotated as string, this is never enforced. So, attackers can pass malicious objects that coerce to different string values when used, e.g., one for the time the key is sanitized using hasOwnProperty(key) and a different one for w…
• Remediation:
  • SandboxJS has a sandbox escape via TOCTOU bug on keys in property accesses
  • SandboxJS has a sandbox escape via TOCTOU bug on keys in property accesses
  • @nyariv/sandboxjs vulnerable to sandbox escape via TOCTOU bug on keys in property accesses · CVE-2026-25641 · GitHub Advisory Database · GitHub
• More Info: NVD - CVE-2026-25641
• PoC:
  • https://github.com/nyariv/SandboxJS/security/advisories/GHSA-7x3h-rm86-3342

CVE-2026-25526 NEW

• Severity: 9.8 CRITICAL
• Impacted Products: JinJava 2.7.6, JinJava 2.8.3
• Description: JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3.
• Remediation:
  • JinJava Bypass through ForTag leads to Arbitrary Java Execution
  • Arbitrary Java Execution via JinJava Bypass through ForTag · Advisory · HubSpot/jinjava · GitHub
• More Info: NVD - CVE-2026-25526
• PoC:
  • https://github.com/av4nth1ka/jinjava-cve-2026-25526-poc

CVE-2026-25505 NEW

• Severity: 9.8 CRITICAL
• Impacted Products: Bambuddy 0.1.7
• Description: Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7.
• Remediation:
  • Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication · GHSA-gc24-px2r-5qmf · GitHub Advisory Database · GitHub
  • Changelog
  • Use of Hardcoded Secret Key + Many API endpoints do not require authentication · Advisory · maziggy/bambuddy · GitHub
• More Info: NVD - CVE-2026-25505
• PoC:
  • https://github.com/advisories/GHSA-gc24-px2r-5qmf

CVE-2026-21509

• Severity: 7.8 HIGH
• Impacted Products: Microsoft Office, Microsoft 365
• Description: Microsoft Office is affected by a security feature bypass vulnerability due to a reliance on untrusted inputs in a security decision. This flaw allows an attacker to circumvent mitigations designed to protect users from vulnerable COM/OLE controls.
• Remediation:
  • Microsoft Office Security Feature Bypass Vulnerability
  • CVE-2026-21509 - Security Update Guide - Microsoft - Microsoft Office Security Feature Bypass Vulnerability
• More Info: NVD - CVE-2026-21509
• PoC:
  • https://github.com/ksk-itdk/KSK-ITDK-CVE-2026-21509-Mitigation
  • https://github.com/nicole2ilodl/CVE-2026-21509-PoC
  • https://github.com/Ashwesker/Ashwesker-CVE-2026-21509

CVE-2026-2017 NEW

• Severity: 9.8 CRITICAL
• Impacted Products: IP-COM W30AP up to 1.0.0.11(1340)
• Description: A vulnerability was detected in IP-COM W30AP up to 1.0.0.11(1340). Affected by this issue is the function R7WebsSecurityHandler of the file /goform/wx3auth of the component POST Request Handler. The manipulation of the argument data results in stack-based buffer overflow. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2026-2017
• PoC:
  • https://gitee.com/GXB0_0/iot-vul/blob/master/IP-COM/W30AP/wx3auth-sprintf.md#poc

CVE-2026-1862 NEW

• Severity: 8.8 HIGH
• Impacted Products: Google Chrome, Microsoft Edge, Chromium
• Description: Google Chrome and Chromium-based browsers, such as Microsoft Edge, are affected by a type confusion vulnerability within the V8 JavaScript engine. This flaw allows a remote attacker to potentially execute arbitrary code via a specially crafted HTML page.
• Remediation:
  • PAN-SA-2026-0002 Chromium: Monthly Vulnerability Update (February 2026)
  • VuXML: chromium – multiple security fixes
  • Chrome Releases: Stable Channel Update for Desktop
• More Info: NVD - CVE-2026-1862
• PoC:
  • https://github.com/b1gchoi/CVE-2026-1862-exp

CVE-2026-1731 NEW

• Severity: Unknown
• Impacted Products: BeyondTrust Remote Support (RS) 25.3.1 and prior, Privileged Remote Access (PRA) 24.3.4 and prior
• Description: BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) are affected by an OS command injection vulnerability that allows for unauthenticated remote code execution. An attacker can exploit this flaw by sending specially crafted requests to the application to execute arbitrary operating system commands.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2026-1731
• PoC:
  • https://github.com/z3r0h3ro/CVE-2026-1731-exp
  • https://github.com/win3zz/CVE-2026-1731
  • https://github.com/bytehazard/CVE-2026-1731

CVE-2025-68723 NEW

• Severity: 9.0 CRITICAL
• Impacted Products: Axigen Mail Server before 10.5.57
• Description: Axigen Mail Server before 10.5.57 contains multiple stored Cross-Site Scripting (XSS) vulnerabilities in the WebAdmin interface. Three instances exist: (1) the log file name parameter in the Local Services Log page, (2) certificate file content in the SSL Certificates View Usage feature, and (3) the Certificate File name parameter in the WebMail Listeners SSL settings. Attackers can inject malicious JavaScript payloads that execute in administrators' browsers when they access affected pages o…
• Remediation:
  • Axigen WebAdmin Stored XSS Vulnerabilities (CVE-2025-68723) | Axigen
• More Info: NVD - CVE-2025-68723
• PoC:
  • https://github.com/osmancanvural/CVE-2025-68723

CVE-2025-24799 NEW

• Severity: 7.5 HIGH
• Impacted Products: GLPI
• Description: GLPI is affected by an unauthenticated SQL injection vulnerability in its inventory endpoint that allows for unauthorized data manipulation and exfiltration. This flaw exists due to improper neutralization of user-supplied input within XML-based requests sent to the application.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-24799
• PoC:
  • https://github.com/Rosemary1337/CVE-2025-24799
  • https://github.com/airbus-cert/CVE-2025-24799-scanner/blob/main/CVE-2025-24799-scanner.py
  • https://github.com/MuhammadWaseem29/CVE-2025-24799/blob/main/exploit.py

CVE-2025-10878

• Severity: 10.0 CRITICAL
• Impacted Products: Fikir Odalari AdminPando 1.0.1
• Description: A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and password parameters are vulnerable to SQL injection, allowing unauthenticated attackers to bypass authentication completely. Successful exploitation grants full administrative access to the application, including the ability to manipulate the public-facing website content (HTML/DOM manipulation).
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-10878
• PoC:
  • https://github.com/onurcangnc/CVE-2025-10878-AdminPandov1.0.1-SQLi

CVE-2020-37125 NEW

• Severity: 9.8 CRITICAL
• Impacted Products: Edimax EW-7438RPn-v3 Mini 1.27
• Description: Edimax EW-7438RPn-v3 Mini 1.27 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands through the /goform/mp endpoint. Attackers can exploit the vulnerability by sending crafted POST requests with command injection payloads to download and execute malicious scripts on the device.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2020-37125
• PoC:
  • https://www.exploit-db.com/exploits/48318

CVE-2020-37080 NEW

• Severity: 8.1 HIGH
• Impacted Products: webTareas 2.0.p8
• Description: webTareas 2.0.p8 contains a file deletion vulnerability in the print_layout.php administration component that allows authenticated attackers to delete arbitrary files. Attackers can exploit the vulnerability by manipulating the ‘atttmp1’ parameter to specify and delete files on the server through an unauthenticated file deletion mechanism.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2020-37080
• PoC:
  • https://www.exploit-db.com/exploits/48430

CVE-2020-37065 NEW

• Severity: 9.8 CRITICAL
• Impacted Products: StreamRipper32 version 2.6
• Description: StreamRipper32 version 2.6 contains a buffer overflow vulnerability in the Station/Song Section that allows attackers to overwrite memory by manipulating the SongPattern input. Attackers can craft a malicious payload exceeding 256 bytes to potentially execute arbitrary code and compromise the application.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2020-37065
• PoC:
  • https://www.exploit-db.com/exploits/48517

CVE-2025-61882

• Severity: 9.8 CRITICAL
• Impacted Products: Oracle E-Business Suite Concurrent Processing 12.2.3, Oracle E-Business Suite Concurrent Processing 12.2.4, Oracle E-Business Suite Concurrent Processing 12.2.5, Oracle E-Business Suite Concurrent Processing 12.2.6, Oracle E-Business Suite Concurrent Processing 12.2.7
• Description: Oracle E-Business Suite Concurrent Processing versions 12.2.3 through 12.2.14 are affected by an improper authentication vulnerability within the BI Publisher Integration component. This flaw allows an unauthenticated, remote attacker with network access via HTTP to achieve arbitrary code execution.
• Remediation:
  • Oracle Security Alerts CVE-2025-61882
  • Oracle Critical Patch Update Advisory - October 2025
• More Info: NVD - CVE-2025-61882
• PoC:
  • https://github.com/GhoStZA-debug/CVE-2025-61882
  • https://github.com/Zhert-lab/CVE-2025-61882-CVE-2025-61884

CVE-2025-55182

• Severity: 10.0 CRITICAL
• Impacted Products: React Server Components (RSC) 19.0.0, React Server Components (RSC) 19.1.0, React Server Components (RSC) 19.1.1, React Server Components (RSC) 19.2.0
• Description: React Server Components (RSC) versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 are affected by a deserialization of untrusted data vulnerability. This flaw allows an unauthenticated, remote attacker to achieve arbitrary code execution on affected systems.
• Remediation:
  • oss-security - CVE-2025-55182: RCE in React Server Components
  • Critical Security Vulnerability in React Server Components – React
  • GCP-2025-072
• More Info: NVD - CVE-2025-55182
• PoC:
  • https://github.com/assetnote/react2shell-scanner/blob/master/scanner.py
  • https://github.com/sickwell/CVE-2025-55182/blob/main/cve-2025-55182.yaml
  • https://github.com/Cillian-Collins/CVE-2025-55182/blob/main/CVE-2025-55182.py

References

This list was scraped from the quite amazing and highly recommended newsletters below:

• ~this week in security~
• Unsupervised Learning
• @RISK
• Hive Five
• Vulnerable U
• tl;dr sec

Thanks for reading! For corrections, omissions (e.g. newsletter recs) feel free to get in touch.