Vulnerability Recap

Cybersecurity News, CVE Recaps, and Education Resource


CVE Updates (January 5 – 11, 2026)

Vuln Recap Editor, January 12, 2026 | January 11, 2026

Here are the CVE updates for the week of January 5th through 11th.

🔴 Critical Severity Vulnerabilities

Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability (CISA KEV) | CVE-2025-37164

Description:
HPE OneView contains a code injection flaw that gives a remote attacker remote code execution (RCE): arbitrary code can be run on affected HPE OneView instances.

Potential Impacts

  • Remote Code Execution: Attackers may run arbitrary commands on the OneView server.
  • Full System Compromise: Exploitation could grant attackers control over infrastructure management.
  • Infrastructure Manipulation: Attackers might alter configurations, deploy malicious firmware, or disrupt managed systems.
  • Data Exposure: Sensitive configuration data and credentials managed by OneView may be accessed or exfiltrated.
  • Service Disruption: Exploitation may cause outages or denial of service in managed environments.

Mitigation Recommendations

  • Apply Vendor Patches: Update OneView immediately to the latest version addressing CVE-2025-37164.
  • Restrict Network Access: Limit access to trusted management networks only.
  • Enforce Strong Authentication: Use strong passwords, role-based access controls, and multi-factor authentication (MFA).
  • Monitor Logs and Alerts: Regularly review OneView and system logs for suspicious activity.
  • Follow HPE Security Advisories: Stay updated with official security bulletins and implement recommendations promptly.

Apache NimBLE Authentication Bypass by Spoofing Vulnerability | CVE-2025-62235

Description:
Apache NimBLE versions up to 1.8.0 contain an authentication bypass by spoofing vulnerability. When processing a specially crafted Security Request, the system may remove a trusted bond, enabling an attacker to impersonate the device. This compromises the Bluetooth security model and allows unauthorized device access. Apache NimBLE 1.9.0 fixes this issue.

Potential Impacts

  • Authentication Bypass: Attackers can impersonate trusted devices.
  • Unauthorized Device Pairing: Legitimate bonds can be replaced with attacker-controlled bonds.
  • Man-in-the-Middle Risk: Attackers might intercept or alter Bluetooth data.
  • Loss of Device Trust: Secure device relationships may become invalid unknowingly.
  • Data Exposure: Sensitive Bluetooth data could be accessed or manipulated.
  • Operational Disruption: Re-bonding attacks may interrupt normal device function.

Mitigation Recommendations

  • Upgrade Apache NimBLE: Update to version 1.9.0 or later.
  • Restrict Pairing Windows: Limit when Bluetooth pairing occurs, especially in production.
  • Enforce Strong Authentication: Use secure pairing modes and avoid legacy methods.
  • Monitor Bluetooth Events: Log and review bonding and security events for anomalies.
  • Enhance Physical and RF Security: Limit device proximity and signal exposure.
  • Conduct Regular Security Testing: Include Bluetooth protocol abuse scenarios.

OpenProject Local File Read (LFR) Vulnerability via Work Package PDF Export | CVE-2026-22600

Description:
Versions of OpenProject before 16.6.4 suffer a Local File Read vulnerability in work package PDF export. Attackers with upload permission can submit specially crafted SVG files disguised as PNGs. When exporting to PDF, ImageMagick processes these images, triggering a feature that can read arbitrary files accessible by the application user, such as /etc/passwd or private project data. A manual patch exists for users unable to upgrade immediately.

Potential Impacts

  • Local File Disclosure: Attackers can read sensitive local files.
  • Information Leakage: Configuration files and private data may be exposed.
  • Reconnaissance Aid: Disclosure assists attackers in further exploitation.
  • Privacy Breach: Sensitive user or project information could be revealed.
  • Compliance Risk: Data leakage may violate regulations.

Mitigation Recommendations

  • Upgrade to Version 16.6.4+: Install the fixed release as soon as possible.
  • Apply Manual Patch: Use the vendor’s patch if upgrading is delayed.
  • Restrict Upload Permissions: Allow only trusted users to upload attachments.
  • Validate and Sanitize Uploads: Block malicious or disguised file types.
  • Monitor Export Logs: Watch for unusual or unauthorized PDF exports.
  • Harden ImageMagick: Disable or restrict risky features where possible.
  • Apply Least Privilege: Run OpenProject with minimal necessary file system permissions.
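As a defensive complement to the "Validate and Sanitize Uploads" and "Harden ImageMagick" items above, here is an added example (not OpenProject's own code) of a server-side check that rejects attachments whose bytes do not match the raster format their extension claims, which is the SVG-renamed-to-PNG disguise this CVE relies on. The allow-list of formats and the function name are assumptions; ImageMagick's policy.xml coder restrictions are a separate control this snippet does not configure.

```python
"""Content-sniffing check for image attachments before they reach ImageMagick.

Added example (not OpenProject's code). A file uploaded under a raster
extension must start with that format's signature and must not be
XML/SVG text renamed to .png. The allow-list below is an assumption.
"""
import re

# Magic-byte signatures for the raster formats we allow (assumed allow-list).
RASTER_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# SVG/XML text may start with a UTF-8 BOM and whitespace before the markup.
_XML_START = re.compile(rb"^(?:\xef\xbb\xbf)?\s*(?:<\?xml|<svg|<!DOCTYPE)", re.IGNORECASE)


def classify_upload(filename: str, data: bytes) -> str:
    """Return 'ok' or a 'rejected: ...' reason for an attachment about to be stored."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in RASTER_SIGNATURES:
        return "rejected: extension not in raster allow-list"
    if _XML_START.match(data[:64]):
        # Extension says raster, bytes say markup: the CVE-2026-22600 pattern.
        return "rejected: XML/SVG content disguised as raster image"
    if not any(data.startswith(sig) for sig in RASTER_SIGNATURES[ext]):
        return f"rejected: bytes do not match declared {ext} signature"
    return "ok"


if __name__ == "__main__":
    # Constructed samples: a real PNG header, an SVG renamed to .png, a mislabelled JPEG.
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
        "diagram.png": b"<svg xmlns='http://www.w3.org/2000/svg'></svg>",
        "photo.jpg": b"\x89PNG\r\n\x1a\n",
    }
    for name, blob in samples.items():
        print(f"{name}: {classify_upload(name, blob)}")
```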

Salesforce Uni2TS Code Injection Vulnerability | CVE-2026-22584

Description:
Salesforce Uni2TS (macOS, Windows, Linux) through version 1.2.0 suffers improper control of code generation, allowing attackers to inject and execute arbitrary code via executable content hidden in non-executable files.

Potential Impacts

  • Code Injection: Attackers can execute arbitrary code within the app context.
  • System Compromise: Full host control may be gained.
  • Data Corruption: Malicious code may alter or damage data and configurations.
  • Security Bypass: Malicious execution may bypass protections.

Mitigation Recommendations

  • Update Uni2TS: Upgrade beyond version 1.2.0 as soon as fixes are available.
  • Validate Inputs: Enforce strict validation and sanitization of processed files.
  • Limit Execution Context: Run Uni2TS with least privilege in isolated environments.
  • Monitor Behavior: Watch for unauthorized or abnormal activities.
  • Use Endpoint Security: Deploy antivirus and EDR solutions.
  • Follow Vendor Updates: Stay informed on patches and advisories.

🟠 High Severity Vulnerabilities

Microsoft Office PowerPoint Code Injection Vulnerability (CISA KEV) | CVE-2009-0556: Microsoft Office PowerPoint 2000 SP3, 2002 SP3, 2003 SP3, and 2004 for Mac can process crafted files that cause memory corruption, letting attackers execute code as the logged-in user. This vulnerability was actively exploited in the wild.

DevToys Extension Installation Path Traversal Vulnerability | CVE-2026-22685: DevToys versions 2.0.0.0–2.0.8.9 improperly validate file paths in extension packages. Malicious entries can escape the extensions directory, letting attackers overwrite arbitrary files with DevToys’ privileges. Fixed in 2.0.9.0.
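An added example (not DevToys' own code, and in Python rather than DevToys' .NET) of the containment check this advisory describes as missing: it vets a constructed extension package and refuses any entry that would resolve outside the extensions directory before anything is written to disk. The directory path and function names are assumptions.

```python
"""Containment check for extension-package entries before extraction.

Added example, not DevToys' own code. Each archive entry must resolve to
a path inside the extensions directory; absolute paths and '..' escapes
are rejected before any file is written.
"""
import io
import os
import re
import zipfile


def safe_destination(extensions_dir: str, entry_name: str):
    """Return the resolved on-disk path for an entry, or None if it escapes."""
    name = entry_name.replace("\\", "/")  # normalise Windows separators
    if not name or name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        return None  # absolute POSIX path or Windows drive letter
    root = os.path.realpath(extensions_dir)
    target = os.path.realpath(os.path.join(root, *name.split("/")))
    # Containment test: the resolved target must be root or strictly below it.
    if target != root and not target.startswith(root + os.sep):
        return None
    return target


def vet_package(extensions_dir: str, package_bytes: bytes):
    """Split an extension package (zip) into accepted and rejected entry names."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            bucket = accepted if safe_destination(extensions_dir, info.filename) else rejected
            bucket.append(info.filename)
    return accepted, rejected


def build_sample_package() -> bytes:
    """Constructed sample: one benign entry and one entry that escapes the directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyExt/extension.json", "{}")
        zf.writestr("../../outside.txt", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = vet_package("/opt/devtoys/extensions", build_sample_package())
    print("accepted:", ok)
    print("rejected:", bad)
```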

GestSup Multiple SQL Injection Vulnerabilities | CVE-2026-22197: GestSup versions ≤3.2.56 have multiple SQL injection issues in asset filtering parameters. Authenticated attackers can manipulate SQL queries, risking unauthorized data access and modification.

🟡 Medium Severity Vulnerabilities

QuestDB Web Console Cross-Site Scripting (XSS) Vulnerability | CVE-2026-0824: QuestDB Web Console up to 1.11.9 mishandles input, enabling remote injection of malicious scripts. A public exploit is available. Fixed in Web Console 1.1.10 and QuestDB 9.3.0.

Sangfor Operation and Maintenance Management System Unrestricted File Upload Vulnerability | CVE-2025-15503: Sangfor O&M versions ≤3.0.8 improperly validate file uploads, allowing arbitrary files to be uploaded remotely. Public exploit disclosed; patch pending.

Memory Initialization Vulnerability in Apple Platforms | CVE-2025-46299: Multiple Apple platforms (tvOS, Safari, watchOS, visionOS, iOS, iPadOS, macOS Tahoe) at version 26.2 had a memory handling flaw that risks disclosure of internal state when processing crafted web content.

Dell PowerProtect Data Domain OS Command Injection Vulnerability | CVE-2025-46645: Dell PowerProtect Data Domain OS versions 7.7.1.0 through 8.4.0.0 (various LTS releases) contain an OS command injection flaw from improper neutralization of special elements in OS commands. High-privileged remote attackers could execute arbitrary commands on affected systems.
