Vulnerability Recap

Cybersecurity News, CVE Recaps, and Education Resource
CVE Updates (January 12 – 18, 2026)

Vuln Recap Editor, January 19, 2026 / January 18, 2026

Here are the CVE updates for the week of January 12th through 18th.

🔴 Critical Severity Vulnerabilities

WeGIA Reflected Cross-Site Scripting (XSS) Vulnerability | CVE-2026-23722

Description:
A reflected cross-site scripting (XSS) vulnerability affects WeGIA, a web management system for charitable institutions, in versions prior to 3.6.2. Specifically, the flaw appears in the html/memorando/insere_despacho.php file. Here, the application fails to properly sanitize or encode user input supplied through the id_memorando GET parameter. Consequently, unauthenticated attackers can inject arbitrary JavaScript or HTML into the HTML response. As a result, the malicious code executes directly within the victim’s browser context. Fortunately, WeGIA version 3.6.2 resolves this issue.

Potential Impacts

  • Cross-Site Scripting (XSS): Attackers can execute arbitrary JavaScript in a victim’s browser.
  • Session Hijacking: Malicious scripts can steal session cookies or authentication tokens.
  • Account Takeover: Compromised sessions may allow attackers to impersonate legitimate users.
  • Phishing and Social Engineering: Attackers can inject fake forms or misleading messages.
  • Defacement: Malicious content can alter page appearance or behavior.
  • Unauthorized Actions: Scripts may trigger actions on behalf of authenticated users.
  • Trust and Reputation Damage: Exploitation can undermine trust, especially in charitable platforms.

Mitigation Recommendations

  • Upgrade Immediately: Update WeGIA to version 3.6.2 or later.
  • Validate and Encode Input: Always validate user input and apply context-aware encoding.
  • Escape Output: Enforce strict HTML and JavaScript escaping for reflected parameters.
  • Apply Security Headers: Use Content Security Policy (CSP) to reduce XSS impact.
  • Deploy a WAF: Configure rules to detect and block XSS payloads.
  • Monitor Logs: Regularly review requests containing suspicious script patterns.
  • Conduct Security Testing: Perform code reviews and penetration tests routinely.
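The vulnerable pattern the description names (a GET parameter copied into the HTML response unencoded) and the two controls the mitigation list asks for (allowlist validation, context-aware output encoding, plus a CSP header) are easiest to see side by side. The Python below is an added illustration, not WeGIA's code: WeGIA is a PHP application and the real insere_despacho.php is not reproduced here. The handler names, the shape of the rendered markup, the sample payload and the CSP values are all assumptions made for the example.

```python
import html
import re
from typing import Optional, Tuple

# Constructed sample input of the kind a reflected-XSS report describes (not taken from the advisory).
SAMPLE_PAYLOAD = '1"><script>alert(document.cookie)</script>'

# Response headers that limit what an injected script can do even if an encoding step is missed.
# Illustrative values: script-src must list the application's real asset origins.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    "X-Content-Type-Options": "nosniff",
}


def render_unsafe(id_memorando: str) -> str:
    """Vulnerable pattern: the GET parameter is reflected straight into the HTML response."""
    return f'<input type="hidden" name="id_memorando" value="{id_memorando}">'


def validate_id(id_memorando: str) -> Optional[str]:
    """Allowlist validation: a memorando id is a short decimal number and nothing else."""
    return id_memorando if re.fullmatch(r"[0-9]{1,10}", id_memorando) else None


def encode_for_html_attribute(value: str) -> str:
    """Context-aware encoding for a value placed inside a double-quoted HTML attribute."""
    return html.escape(value, quote=True)


def render_safe(id_memorando: str) -> Tuple[int, str]:
    """Hardened handler: validate on input, encode on output, return (HTTP status, body)."""
    valid = validate_id(id_memorando)
    if valid is None:
        return 400, "<p>Invalid memorando id.</p>"
    # Encoding is kept even though the value passed validation: defense in depth against a
    # later loosening of the allowlist.
    body = f'<input type="hidden" name="id_memorando" value="{encode_for_html_attribute(valid)}">'
    return 200, body


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_PAYLOAD))
    print("safe:  ", render_safe(SAMPLE_PAYLOAD))
    print("safe:  ", render_safe("42"))
```

The validation step alone would stop this particular payload; the encoding step is what protects any other reflected value on the page, and the CSP header is the backstop for the cases neither catches. Reviewing code for parameters that reach the response without passing through a function like encode_for_html_attribute is the concrete form of the "Escape Output" recommendation.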

Omni Secure Files WordPress Plugin Arbitrary File Upload Vulnerability | CVE-2012-10064

Description:
An arbitrary file upload vulnerability affects the Omni Secure Files WordPress plugin in versions prior to 0.1.14. Specifically, the issue resides in the bundled plupload example endpoint located at /wp-content/plugins/omni-secure-files/plupload/examples/upload.php. Because this endpoint lacks authentication checks and file-type restrictions, attackers can upload arbitrary files without authorization. Consequently, if attackers upload executable files such as PHP scripts, they can remotely access and execute them, leading to full site compromise.

Potential Impacts

  • Arbitrary File Upload: Attackers can upload unrestricted file types.
  • Remote Code Execution (RCE): Executable uploads may allow command execution.
  • Full Website Compromise: Attackers can gain control over the WordPress site.
  • Data Breach: Sensitive data and credentials may be exposed.
  • Malware Distribution: Compromised sites may host malicious payloads.
  • Persistent Backdoors: Web shells can maintain long-term access.
  • Reputation Damage: Compromise can negatively impact SEO and user trust.

Mitigation Recommendations

  • Upgrade the Plugin: Update Omni Secure Files to 0.1.14 or later.
  • Remove Example Files: Delete unused plupload example directories.
  • Restrict File Types: Enforce strict server-side file validation.
  • Disable Script Execution: Prevent execution within upload directories.
  • Use a WAF: Block unauthenticated upload attempts.
  • Scan for Malicious Files: Regularly inspect plugin directories.
  • Apply Least Privilege: Limit WordPress and server permissions.

Gotac Police Statistics Database System Arbitrary File Upload & Remote Code Execution | CVE-2026-1021

Description:
An arbitrary file upload vulnerability affects the Police Statistics Database System developed by Gotac. Due to insufficient validation and access controls, unauthenticated attackers can upload malicious files directly to the server. Once uploaded, attackers can execute these files through the web interface. Consequently, this flaw enables arbitrary code execution and allows full system compromise without valid credentials.

Potential Impacts

  • Remote Code Execution: Attackers can run arbitrary commands.
  • Full Server Compromise: Successful exploitation grants complete system control.
  • Unauthorized Data Access: Sensitive police records may be accessed or altered.
  • Persistence Installation: Attackers can deploy backdoors or malware.
  • Lateral Movement: Compromised servers may attack internal systems.
  • Service Disruption: Malicious actions may interrupt operations.

Mitigation Recommendations

  • Apply Vendor Fixes: Install any available security patches immediately.
  • Restrict File Uploads: Disable uploads or strictly limit file types.
  • Enforce Authentication: Require authorization for upload functionality.
  • Harden Storage Locations: Store uploads outside web-accessible paths.
  • Deploy a WAF: Detect malicious upload patterns and web shells.
  • Monitor for IoCs: Review logs for suspicious file activity.
  • Segment Networks: Isolate the system from critical internal assets.
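Both upload advisories above (the Omni Secure Files plupload endpoint and the Gotac Police Statistics Database System) come down to the same missing controls: no authentication, no server-side type check, and uploads that land where the web server will execute them. The following Python is an added example of the server-side checks the two mitigation lists describe; it is not code from either product. The allowlist, size limit, sample uploads and function names are constructed for the example.

```python
import os
import secrets

# Allowed extensions and the magic bytes a file of that type must begin with.
# Constructed allowlist for the example; a real deployment lists only what the feature needs.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024

# Constructed sample uploads (not real files): label -> (client-supplied filename, content)
SAMPLE_UPLOADS = {
    "legit_pdf": ("annual-report.pdf", b"%PDF-1.7\n%constructed sample\n"),
    "php_script": ("shell.php", b"<?php echo 'constructed sample'; ?>"),
    "double_extension": ("photo.php.jpg", b"<?php echo 'constructed sample'; ?>"),
    "mismatched_magic": ("image.png", b"GIF89a constructed sample"),
}


def check_upload(filename, data, authenticated):
    """Return (accepted, reason-or-extension). Every rule runs server-side; nothing trusts the client."""
    if not authenticated:
        return False, "authentication required"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    # Only the last extension counts, and any directory part of the client name is discarded.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower().lstrip(".")
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext or '(none)'} not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    return True, ext


def storage_name(ext):
    """Random, server-chosen name: the client's filename never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{ext}"


def store_upload(filename, data, authenticated, storage_root):
    """Validate, then write under storage_root, which must sit outside the document root."""
    accepted, info = check_upload(filename, data, authenticated)
    if not accepted:
        raise PermissionError(info)
    path = os.path.join(storage_root, storage_name(info))
    with open(path, "xb") as fh:  # "x": never overwrite an existing file
        fh.write(data)
    return os.path.basename(path)


def run_samples(authenticated=True):
    """Run every constructed sample through the checks; returns label -> (accepted, info)."""
    return {label: check_upload(name, data, authenticated) for label, (name, data) in SAMPLE_UPLOADS.items()}


if __name__ == "__main__":
    for label, result in run_samples().items():
        print(f"{label:18} -> {result}")
    print("unauthenticated  ->", run_samples(authenticated=False)["legit_pdf"])
```

The magic-byte check rejects a PHP script renamed to .jpg, but a polyglot that begins with a valid image header and carries PHP afterwards would pass it; that is why the list pairs type validation with storing uploads outside web-accessible paths and disabling script execution in the upload directory. The random storage name additionally removes any influence the client has over the resulting path.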

🟠 High Severity Vulnerabilities

Gogs Path Traversal Vulnerability (CISA KEV) | CVE-2025-8110: Gogs contains an improper symbolic link handling vulnerability in the PutContents API. Because the application fails to validate symbolic links during file write operations, attackers can write files to unintended filesystem locations. Consequently, this flaw can lead to local code execution on the host system.
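The Gogs entry describes a write API that trusts a path inside a repository without checking whether any component of it is a symbolic link, so a planted link redirects the write elsewhere on the host. The Python below is an added example of how a content-write routine can refuse to follow links at every component, using openat-style relative opens with O_NOFOLLOW; it is not Gogs code and makes no claim about how Gogs fixed CVE-2025-8110. The function names and the constructed repository layout in demo() are assumptions for the example. It requires a POSIX system.

```python
import errno
import os
import shutil
import tempfile


def put_contents(repo_root, rel_path, data):
    """Write rel_path beneath repo_root without ever following a symbolic link.

    Returns True on success and False when the path is rejected. Each directory component
    is opened relative to the previous one with O_NOFOLLOW, so a symlink anywhere in the path
    fails with ELOOP instead of silently redirecting the write outside the repository."""
    parts = rel_path.replace("\\", "/").split("/")
    # Absolute paths and "", "." and ".." components are rejected before touching the filesystem;
    # ".." in particular would let an openat() walk climb out of the repository.
    if rel_path.startswith("/") or any(p in ("", ".", "..") for p in parts):
        return False
    dir_fd = os.open(repo_root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for component in parts[:-1]:
            next_fd = os.open(component, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = next_fd
        fd = os.open(parts[-1], os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o644, dir_fd=dir_fd)
    except OSError as exc:
        # ELOOP: a component was a symlink; ENOTDIR/ENOENT: the path does not describe a real
        # directory chain. All three mean "do not write".
        if exc.errno in (errno.ELOOP, errno.ENOTDIR, errno.ENOENT):
            return False
        raise
    finally:
        os.close(dir_fd)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True


def demo():
    """Constructed scenario: repository content contains symlinks pointing outside the repository.

    Returns a dict of booleans, all of which should be True."""
    base = tempfile.mkdtemp(prefix="putcontents-demo-")
    try:
        repo = os.path.join(base, "repo")
        outside = os.path.join(base, "outside")
        os.mkdir(repo)
        os.mkdir(outside)
        victim = os.path.join(outside, "authorized_keys")  # stands in for any file outside the repo
        with open(victim, "w") as fh:
            fh.write("original\n")
        # Planted links: one file-level, one directory-level.
        os.symlink(victim, os.path.join(repo, "README.md"))
        os.symlink(outside, os.path.join(repo, "docs"))
        results = {
            "plain_write_ok": put_contents(repo, "notes.txt", b"hello\n"),
            "symlink_file_blocked": not put_contents(repo, "README.md", b"tampered\n"),
            "symlink_dir_blocked": not put_contents(repo, "docs/authorized_keys", b"tampered\n"),
            "traversal_blocked": not put_contents(repo, "../outside/authorized_keys", b"tampered\n"),
            "absolute_blocked": not put_contents(repo, victim, b"tampered\n"),
        }
        with open(victim) as fh:
            results["outside_file_untouched"] = fh.read() == "original\n"
        with open(os.path.join(repo, "notes.txt"), "rb") as fh:
            results["plain_content_ok"] = fh.read() == b"hello\n"
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:24} {'ok' if ok else 'FAILED'}")
```

A realpath-then-write check looks similar but leaves a window between the check and the open; walking the path one component at a time with O_NOFOLLOW closes that window, because each open is evaluated against the directory actually reached rather than a path string.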

Gotac Statistics Database System Missing Authentication Vulnerability | CVE-2026-1023: The Gotac Statistics Database System lacks proper authentication checks on a specific function. As a result, unauthenticated remote attackers can directly access and query backend databases. Therefore, sensitive data becomes exposed without valid credentials.

WifiHotSpot Unquoted Service Path Privilege Escalation Vulnerability | CVE-2021-47833: WifiHotSpot uses an unquoted executable path in its Windows service configuration. Consequently, a local attacker can place a malicious executable in a writable directory along the service path. When the service starts, Windows may execute the attacker’s file with LocalSystem privileges, leading to privilege escalation.
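The WifiHotSpot entry hinges on how Windows interprets an unquoted service path that contains spaces: the loader tries each space-delimited prefix as an executable before reaching the intended binary. The Python below is an added audit helper that makes those candidate locations explicit for review; it is not part of the advisory or of WifiHotSpot. The service names and ImagePath strings are constructed sample data, not values read from a real host, and the function names are assumptions for the example.

```python
# Constructed ImagePath values of the kind stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (sample data only).
SAMPLE_SERVICES = {
    "ExampleHotspotSvc": r"C:\Program Files\Example Hotspot\hotspot.exe -service",
    "QuotedVendorSvc": r'"C:\Program Files\Example Vendor\agent.exe" -service',
    "SvchostGroup": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "NoSpacesSvc": r"C:\Tools\monitor.exe",
    "NoExtensionSvc": r"C:\Program Files\Example\updater",
}


def hijack_candidates(image_path):
    """Return the executables Windows would try, in order, before the intended binary.

    For an unquoted path the loader walks the string left to right, treating each
    space-delimited prefix (with .exe appended) as the executable until one exists.
    A quoted path has exactly one interpretation and yields no candidates."""
    path = image_path.strip()
    if path.startswith('"'):
        return []
    tokens = path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break  # the intended executable; anything after it is arguments
        candidates.append(prefix + ".exe")
    else:
        # No explicit .exe anywhere: the whole string is the binary, so it is not a hijack point.
        candidates.pop()
    return candidates


def audit(services):
    """Map each service with an unquoted, space-containing path to the locations to review.

    Each listed parent directory should be writable only by administrators; the remediation
    is to quote the path in the service configuration."""
    findings = {}
    for name, image_path in services.items():
        candidates = hijack_candidates(image_path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for name, candidates in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path; loader tries {candidates} first")
```

On a live system the same logic would be fed the ImagePath value of every service; the defender's follow-up is to confirm that none of the listed parent directories (C:\ and C:\Program Files in the sample) grants write access to standard users, and to quote the path so the candidates disappear entirely.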

🟡 Medium Severity Vulnerabilities

Microsoft Windows Information Disclosure Vulnerability (CISA KEV) | CVE-2026-20805: An information disclosure vulnerability affects the Windows Desktop Window Manager (DWM). Specifically, improper handling of internal data allows a local attacker to expose sensitive information. As a result, system confidentiality may weaken, even though exploitation requires local access.

lucy-xss-filter Improper Sanitization Leading to Cross-Site Scripting (XSS) | CVE-2026-23769: The lucy-xss-filter library contains improper input sanitization due to misconfigured default rule sets. Consequently, attackers can bypass filtering controls and inject malicious JavaScript when applications process untrusted input.

Shield WordPress Plugin Insecure Direct Object Reference (IDOR) Vulnerability | CVE-2025-15370: The Shield WordPress plugin fails to properly validate user-controlled keys in the MfaGoogleAuthToggle class. Therefore, authenticated users with low privileges can disable Google Authenticator (2FA) for other users, including administrators, which significantly weakens site security.

Telegram Desktop Oversized Message DoS | CVE-2021-47793: Telegram Desktop version 2.9.2 does not properly handle oversized message payloads. As a result, attackers can crash the client by sending or pasting excessively large messages, causing denial of service without elevated privileges.
