Vulnerability Recap

Cybersecurity News, CVE Recaps, and Education Resource

CVE Updates (Dec. 29, 2025 – Jan. 4, 2026)

Vuln Recap Editor, January 5, 2026 / January 4, 2026

Here are the CVE updates for the week of December 29th, 2025 through January 4th, 2026.

🔴 Critical Severity Vulnerabilities

MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability (CISA KEV) | CVE-2025-14847

Description:
MongoDB Server mishandles mismatched length fields in the headers of zlib-compressed wire-protocol messages. Because the declared uncompressed length is not checked against what the data actually inflates to, an unauthenticated remote client can make the server read uninitialized heap memory and return it in the response. The flaw affects many MongoDB versions, including v7.0 prior to 7.0.28, v8.0 prior to 8.0.17, v8.2 prior to 8.2.3, and others. Notably, no credentials are required: the flaw is reachable by anyone who can speak the MongoDB wire protocol to the server, and CISA has added it to the Known Exploited Vulnerabilities catalog.

Potential Impacts

  • Information Disclosure: Attackers may read uninitialized heap memory, potentially exposing sensitive data.
  • Exposure of Internal Data Structures: Memory contents could reveal MongoDB internal state or application data remnants.
  • Credential or Token Leakage: In some cases, authentication tokens, keys, or credentials might be exposed in heap memory.
  • Increased Attack Surface: The leaked information could help attackers craft further targeted exploits.
  • Security Posture Degradation: Repeated probing might leak incremental memory data over time.
  • Compliance Risk: Exposed sensitive data may violate data protection laws or regulatory requirements.

Mitigation Recommendations

  • Upgrade Immediately: Update MongoDB Server to a fixed release (7.0.28, 8.0.17, 8.2.3, or later in each branch).
  • Disable Network Exposure: Never expose MongoDB instances directly to untrusted networks or the internet.
  • Enforce Network Controls: Use firewalls, security groups, and IP allowlists to restrict access to the MongoDB port.
  • Enable Authentication and TLS: Password authentication does not block this flaw, which is reachable before login, but it limits what an attacker can do with anything recovered from leaked memory. Requiring client certificates (mutual TLS) does help, since a client without a valid certificate cannot complete a connection and send compressed messages at all.
  • Monitor for Anomalous Traffic: Watch logs and telemetry for malformed or unusual compressed (OP_COMPRESSED) requests, especially repeated short connections from sources that never authenticate.
  • Apply Defense-in-Depth: Deploy IDS/IPS to detect malformed protocol abuse.
  • Review Data Handling Practices: Assume memory disclosure may have exposed in-flight data, and rotate credentials and keys the server may have held in memory.
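The bug class behind this CVE is a length field that the server trusts instead of verifying. The following is an added example, not MongoDB's code: it builds OP_COMPRESSED envelopes (opcode 2012: originalOpcode int32, uncompressedSize int32, compressorId uint8, then the compressed body) around a constructed OP_MSG body, shows the unsafe "allocate what the header says and return the whole buffer" pattern, and then a strict decoder that refuses any message whose uncompressedSize disagrees with what the zlib stream actually produces. The 48 MB size bound is assumed for the example.

```python
"""Strict OP_COMPRESSED decoding: every length field must agree.

Added example, not MongoDB Server code. Wire layout used here:
  header: messageLength, requestID, responseTo, opCode   (4 x int32 LE)
  body:   originalOpcode int32, uncompressedSize int32, compressorId uint8,
          compressedMessage (the original message minus its 16-byte header)
"""
import struct
import zlib

OP_MSG = 2013
OP_COMPRESSED = 2012
COMPRESSOR_ZLIB = 2                    # 0 = noop, 1 = snappy, 2 = zlib, 3 = zstd
HEADER_LEN = 16
COMPRESSED_PREFIX_LEN = 9              # originalOpcode + uncompressedSize + compressorId
MAX_MESSAGE_SIZE = 48 * 1024 * 1024    # assumed sanity bound on any message body

# Constructed OP_MSG body: flagBits = 0, section kind 0, BSON document {"ping": 1}
SAMPLE_BODY = struct.pack("<i", 0) + b"\x00" + b"\x0f\x00\x00\x00\x10ping\x00\x01\x00\x00\x00\x00"


def build_op_compressed(original_opcode, body, declared_size=None, request_id=1):
    """Wrap `body` in a zlib OP_COMPRESSED envelope.

    `declared_size` overrides uncompressedSize so that a header which lies about
    its length (the shape of bug described above) can be constructed for testing.
    Honest callers leave it as None."""
    if declared_size is None:
        declared_size = len(body)
    compressed = zlib.compress(body)
    payload = struct.pack("<iiB", original_opcode, declared_size, COMPRESSOR_ZLIB) + compressed
    header = struct.pack("<iiii", HEADER_LEN + len(payload), request_id, 0, OP_COMPRESSED)
    return header + payload


def naive_decode(message):
    """The unsafe pattern: trust uncompressedSize, allocate that much, and hand
    back the whole buffer even if fewer bytes were actually inflated. Here the
    slack is zero-filled; in a native server it is whatever the heap held."""
    _, declared_size, _ = struct.unpack_from("<iiB", message, HEADER_LEN)
    out = bytearray(declared_size)
    actual = zlib.decompress(message[HEADER_LEN + COMPRESSED_PREFIX_LEN:])
    out[: min(len(actual), declared_size)] = actual[:declared_size]
    return bytes(out)


def decode_op_compressed(message):
    """Strict decoder: returns (original_opcode, body) or raises ValueError."""
    if len(message) < HEADER_LEN + COMPRESSED_PREFIX_LEN:
        raise ValueError("truncated OP_COMPRESSED message")
    message_length, _request_id, _response_to, opcode = struct.unpack_from("<iiii", message, 0)
    if opcode != OP_COMPRESSED:
        raise ValueError(f"not OP_COMPRESSED: opcode {opcode}")
    if message_length != len(message):
        raise ValueError("messageLength does not match the bytes received")
    original_opcode, declared_size, compressor_id = struct.unpack_from("<iiB", message, HEADER_LEN)
    if compressor_id != COMPRESSOR_ZLIB:
        raise ValueError(f"unsupported compressorId {compressor_id}")
    if not 0 < declared_size <= MAX_MESSAGE_SIZE:
        raise ValueError("uncompressedSize out of range")
    compressed = message[HEADER_LEN + COMPRESSED_PREFIX_LEN:]
    # Inflate at most declared_size + 1 bytes: one byte of slack is enough to
    # prove the stream is longer than claimed, and the cap stops a lying header
    # from turning into a decompression bomb.
    inflater = zlib.decompressobj()
    try:
        body = inflater.decompress(compressed, max_length=declared_size + 1)
    except zlib.error as exc:
        raise ValueError(f"corrupt zlib stream: {exc}") from None
    if len(body) != declared_size:
        raise ValueError(f"uncompressedSize={declared_size} but stream inflates to {len(body)}+ bytes")
    if not inflater.eof:
        raise ValueError("zlib stream did not terminate within uncompressedSize")
    if inflater.unused_data:
        raise ValueError("trailing bytes after the zlib stream")
    return original_opcode, body


def is_rejected(message):
    """True if the strict decoder refuses `message`."""
    try:
        decode_op_compressed(message)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    honest = build_op_compressed(OP_MSG, SAMPLE_BODY)
    lying = build_op_compressed(OP_MSG, SAMPLE_BODY, declared_size=4096)
    print("honest:", decode_op_compressed(honest))
    print("naive decode of lying header returns", len(naive_decode(lying)), "bytes")
    print("strict decode rejects lying header:", is_rejected(lying))
```

The two checks that matter are the exact-length comparison and the end-of-stream check; a header that over-declares is caught by the first, one that under-declares by the second. The same pattern applies to any protocol that carries a "decompressed size" hint alongside compressed data.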

AdonisJS Multipart File Handling Path Traversal Vulnerability | CVE-2026-21440

Description:
AdonisJS, a TypeScript-first web framework, suffers a path traversal vulnerability in its multipart file handling implementation. This flaw affects the @adonisjs/bodyparser package through version 10.1.1 and all 11.x prerelease versions before 11.0.0-next.6. Because the system insufficiently validates file paths during multipart uploads, attackers can craft malicious upload requests to write arbitrary files outside intended directories. Consequently, this may lead to server compromise, data tampering, or code execution. The vulnerability is fixed in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6.

Potential Impacts

  • Arbitrary File Write: Attackers can write files to unauthorized server locations.
  • Remote Code Execution: Malicious scripts or binaries might be uploaded and executed.
  • Full Application Compromise: Overwriting app files or configs could lead to total takeover.
  • Data Tampering or Destruction: Sensitive files may be modified or deleted.
  • Persistence Mechanisms: Attackers may plant backdoors or scheduled tasks.
  • Privilege Escalation: Uploaded files could escalate system or app privileges.
  • Service Disruption: Corrupted files might crash the app or cause downtime.
  • Lateral Movement: Compromised servers could pivot to other systems.

Mitigation Recommendations

  • Upgrade Immediately: Update @adonisjs/bodyparser to version 10.1.2, 11.0.0-next.6, or later.
  • Restrict Upload Directories: Confine uploads to dedicated, non-executable directories.
  • Validate File Paths Strictly: Enforce server-side normalization and path validation.
  • Limit Upload Permissions: Apply least privilege to directories used for storage.
  • Disable Execution in Upload Paths: Prevent script or binary execution in upload folders.
  • Monitor File System Changes: Detect unexpected file creations or modifications.
  • Deploy WAF as a Stopgap: Firewall rules that block traversal sequences in multipart requests buy time, but they are not a substitute for the upgrade, since such sequences can be encoded in ways a signature misses.
  • Conduct Security Testing: Regularly test file upload handling for traversal or injection flaws.

Signal K Server Restore Function Hijacking Vulnerability | CVE-2025-66398

Description:
Signal K Server, a central hub server application on boats, contains a critical flaw in versions prior to 2.19.0. An unauthenticated attacker can manipulate the server’s internal state via the /skServer/validateBackup endpoint. Specifically, attackers hijack the administrator’s “Restore” function to overwrite critical files such as security.json and package.json. Exploiting this allows account takeover and remote code execution (RCE). The issue has been fixed in version 2.19.0.

Potential Impacts

  • Remote Code Execution (RCE): Attackers may execute arbitrary code by overwriting key files.
  • Account Takeover: Unauthorized administrative access can be achieved by modifying configs.
  • Configuration Tampering: Critical settings might be corrupted or altered, disrupting operations.
  • Persistence: Attackers could install backdoors or malicious scripts.
  • Service Disruption: Modified configs may cause instability or downtime.
  • Lateral Movement: Compromised servers might be used to attack other devices on the network.

Mitigation Recommendations

  • Upgrade Immediately: Update Signal K Server to version 2.19.0 or later.
  • Restrict Endpoint Access: Limit /skServer/validateBackup access to trusted users or internal networks.
  • Implement Strong Authentication: Enforce authentication and authorization on sensitive endpoints.
  • Monitor Server Logs: Look for unusual restore requests or config file changes.
  • Backup Configurations Regularly: Keep secure, versioned backups for rapid restoration.
  • Network Segmentation: Isolate Signal K Server from critical assets to limit damage.

🟠 High Severity Vulnerabilities

listmonk Stored Cross-Site Scripting (XSS) Leading to Privilege Escalation | CVE-2026-21483: listmonk (versions before 6.0.0) allows lower-privileged users with campaign management rights to inject malicious JavaScript into campaigns or templates. When higher-privileged users view these, the script executes in their browser with that user's session, enabling attackers to perform privileged actions such as creating backdoor admin accounts. The same payload is also reachable through the public archive feature. Fixed in version 6.0.0.

QNAP Operating System Resource Allocation Vulnerability | CVE-2025-47208: Multiple QNAP OS versions suffer from resource allocation flaws due to lack of throttling. Valid users can exhaust resources remotely, denying service to others and degrading system performance. Fixed in QTS 5.2.6.3195 and QuTS hero h5.2.6.3195 builds (20250715+).

feast-dev/feast Kubernetes Materializer Remote Code Execution Vulnerability | CVE-2025-11157: feast-dev/feast version 0.53.0 suffers an RCE vulnerability in the Kubernetes materializer job. It stems from unsafe deserialization: the job parses its configuration with yaml.load(), which, depending on the loader it is given, will instantiate arbitrary Python objects from tags in the document, so anyone who can modify those YAML files can execute arbitrary OS commands on the worker pods and potentially compromise the cluster. The standard remedy for this pattern is yaml.safe_load(), which never honours such tags.

libcoap Stack-Based Buffer Overflow in Address Resolution | CVE-2025-34468: libcoap (up to version 4.3.5) suffers a stack-based buffer overflow during address resolution. Attacker-controlled hostname data is copied into a fixed 256-byte stack buffer without a bounds check. The overflow can be triggered remotely when proxy logic is enabled, since that is the path on which hostnames arrive from the network.

🟡 Medium Severity Vulnerabilities

Code-Projects CMS 1.0 Unrestricted File Upload Vulnerability  | CVE-2026-0566: Code-Projects CMS 1.0 improperly validates the image parameter in /admin/edit_posts.php, allowing unrestricted file upload. Attackers can upload malicious executable scripts, which may be accessed and executed on the server. Public exploit exists.

Daptin Aggregate API SQL Injection Vulnerability | CVE-2025-15439: Daptin 0.10.3's Aggregate API passes user-controlled input into SQL through the goqu.L raw-literal helper instead of binding it as a query parameter, so remote attackers can inject SQL statements. A public exploit is available. The vendor was notified and has not responded yet.

PHPGurukul Online Course Registration Missing Authorization Vulnerability | CVE-2025-15406: PHPGurukul Online Course Registration (up to version 3.1) suffers missing authorization checks in an unknown function, letting attackers bypass access controls and perform unauthorized actions. Public exploit exists.
