Vulnerabilities
-
Malicious PyPI package sympy-dev impersonates SymPy to install XMRig miner
A malicious PyPI package named sympy-dev impersonates the SymPy library to deliver an XMRig cryptocurrency miner on Linux. The package has been downloaded over 1,100 times since January 17 2026 and remains available.
-
SmarterMail authentication bypass exploited days after patch enables admin reset and RCE
An authentication bypass in SmarterMail that allows resetting administrator passwords and enabling system-level command execution was exploited two days after a vendor patch. A watchTowr Labs technical analysis describes the vulnerability and exploitation timeline.
-
Two high severity flaws in Chainlit allow file theft and SSRF in cloud deployments
Two high severity Chainlit vulnerabilities allow arbitrary file reads and SSRF that can expose secrets and internal services. Patches were released in Chainlit 2.9.4 on December 24, 2025. Upgrades are recommended.
-
Researchers Hack Tesla Infotainment at Pwn2Own Automotive 2026, 37 Zero‑Days Exploited on Day One
Researchers exploited 37 zero-days at Pwn2Own Automotive 2026 in Tokyo to hack Tesla’s Infotainment System and other systems, earning $516,500 on day one. Vendors have 90 days to issue fixes.
-
ChainLeak flaws in Chainlit framework risk API key exposure and SSRF
High-severity ChainLeak vulnerabilities in the Chainlit AI framework can leak cloud API keys and enable SSRF. Two CVEs were disclosed in November 2025 and patches were issued in version 2.9.4 on December 24, 2025.
-
Critical ACF Extended bug lets attackers gain admin on about 50,000 WordPress sites
A flaw in ACF Extended allows unauthenticated attackers to gain administrator privileges. The bug, CVE-2025-14533, affects versions 0.9.2.1 and earlier. About 50,000 sites may still be exposed. Update to 0.9.2.2.
-
Three flaws in Anthropic mcp-server-git could expose files and enable code execution
Three vulnerabilities in Anthropic’s mcp-server-git could expose or overwrite files and enable code execution in chained attacks. Patches were released in versions 2025.9.25 and 2025.12.18 after a technical analysis by Cyata.
-
Evelyn Stealer targets VS Code extensions to harvest developer credentials
Trend Micro published a technical analysis describing Evelyn Stealer, an information stealer distributed via malicious VS Code extensions. The malware harvests developer credentials and crypto wallets and uploads data to an FTP server.
-
Cloudflare patches ACME HTTP-01 validation bug that could bypass WAF
Cloudflare said in a blog post it fixed an ACME HTTP-01 validation bug on October 27, 2025 that could disable WAF rules and allow requests to reach origin servers.
-
New vulnerability database db.gcve.eu launched to support European digital sovereignty
GCVE launched db.gcve.eu, a free public vulnerability database that integrates more than 25 data sources and uses a decentralized GNA numbering model. It offers a searchable catalog and an open API for tool integration.
