CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2025-68645

Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability

Vendor: Synacor

Product: Zimbra Collaboration Suite (ZCS)

Added: 2026-01-22

Due Date: 2026-02-12

Description:

Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow remote attackers to craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-98

CVE-2025-34026

Versa Concerto Improper Authentication Vulnerability

Vendor: Versa

Product: Concerto

Added: 2026-01-22

Due Date: 2026-02-12

Description:

Versa Concerto SD-WAN orchestration platform contains an improper authentication vulnerability in the Traefik reverse proxy configuration, allowing an attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-288

CVE-2025-31125

Vite Vitejs Improper Access Control Vulnerability

Vendor: Vite

Product: Vitejs

Added: 2026-01-22

Due Date: 2026-02-12

Description:

Vite Vitejs contains an improper access control vulnerability that exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-200 CWE-284

CVE-2025-54313

Prettier eslint-config-prettier Embedded Malicious Code Vulnerability

Vendor: Prettier

Product: eslint-config-prettier

Added: 2026-01-22

Due Date: 2026-02-12

Description:

Prettier eslint-config-prettier contains an embedded malicious code vulnerability. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-506

CVE-2026-20045

Cisco Unified Communications Products Code Injection Vulnerability

Vendor: Cisco

Product: Unified Communications Manager

Added: 2026-01-21

Due Date: 2026-02-11

Description:

Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance contain a code injection vulnerability that could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-94

CVE-2026-20805

Microsoft Windows Information Disclosure Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2026-01-13

Due Date: 2026-02-03

Description:

Microsoft Windows Desktop Window Manager contains an information disclosure vulnerability that allows an authorized attacker to disclose information locally.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-200

CVE-2025-8110

Gogs Path Traversal Vulnerability

Vendor: Gogs

Product: Gogs

Added: 2026-01-12

Due Date: 2026-02-02

Description:

Gogs contains a path traversal vulnerability affecting improper symbolic link handling in the PutContents API that could allow for code execution.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-22

CVE-2009-0556

Microsoft Office PowerPoint Code Injection Vulnerability

Vendor: Microsoft

Product: Office

Added: 2026-01-07

Due Date: 2026-01-28

Description:

Microsoft Office PowerPoint contains a code injection vulnerability that allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-94

CVE-2025-37164

Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability

Vendor: Hewlett Packard Enterprise (HPE)

Product: OneView

Added: 2026-01-07

Due Date: 2026-01-28

Description:

Hewlett Packard Enterprise (HPE) OneView contains a code injection vulnerability that allows a remote unauthenticated user to perform remote code execution.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-94

CVE-2025-14847

MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability

Vendor: MongoDB

Product: MongoDB and MongoDB Server

Added: 2025-12-29

Due Date: 2026-01-19

Description:

MongoDB Server contains an improper handling of length parameter inconsistency vulnerability in Zlib compressed protocol headers. This vulnerability may allow a read of uninitialized heap memory by an unauthenticated client.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-130

CVE-2023-52163

Digiever DS-2105 Pro Missing Authorization Vulnerability

Vendor: Digiever

Product: DS-2105 Pro

Added: 2025-12-22

Due Date: 2026-01-12

Description:

Digiever DS-2105 Pro contains a missing authorization vulnerability which could allow for command injection via time_tzsetup.cgi.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-862

CVE-2025-14733

WatchGuard Firebox Out of Bounds Write Vulnerability

Vendor: WatchGuard

Product: Firebox

Added: 2025-12-19

Due Date: 2025-12-26

Description:

WatchGuard Fireware OS contains an out-of-bounds write vulnerability in the iked process. This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code and affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-787

CVE-2025-59374

ASUS Live Update Embedded Malicious Code Vulnerability

Vendor: ASUS

Product: Live Update

Added: 2025-12-17

Due Date: 2026-01-07

Description:

ASUS Live Update contains an embedded malicious code vulnerability: copies of the client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-506

CVE-2025-40602

SonicWall SMA1000 Missing Authorization Vulnerability

Vendor: SonicWall

Product: SMA1000 appliance

Added: 2025-12-17

Due Date: 2025-12-24

Description:

SonicWall SMA1000 contains a missing authorization vulnerability that could allow for privilege escalation in the appliance management console (AMC) of affected devices.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-862 CWE-250

CVE-2025-20393

Cisco Multiple Products Improper Input Validation Vulnerability

Vendor: Cisco

Product: Multiple Products

Added: 2025-12-17

Due Date: 2025-12-24

Description:

Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contain an improper input validation vulnerability that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-20