This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1.  CVE-2025-0368

The Banner Garden Plugin for WordPress plugin through 0.1.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or unauthenticated users.

https://nvd.nist.gov/vuln/detail/CVE-2025-0368

2. CVE-2025-68613

Improper neutralization of special elements used in a command (‘command injection’) in Windows PowerShell allows an unauthorized attacker to execute code locally.

https://nvd.nist.gov/vuln/detail/CVE-2025-68613

3. CVE-2016-10033

Improper neutralization of special elements used in a command (‘command injection’) in Windows PowerShell allows an unauthorized attacker to execute code locally.

https://nvd.nist.gov/vuln/detail/CVE-2016-10033

4. CVE-2022-21227

Improper neutralization of special elements used in a command (‘command injection’) in Windows PowerShell allows an unauthorized attacker to execute code locally.

https://nvd.nist.gov/vuln/detail/CVE-2022-21227

5. CVE-2021-40539

Improper neutralization of special elements used in a command (‘command injection’) in Windows PowerShell allows an unauthorized attacker to execute code locally.

https://nvd.nist.gov/vuln/detail/CVE-2021-40539

6. CVE-2025-50708

Improper neutralization of special elements used in a command (‘command injection’) in Windows PowerShell allows an unauthorized attacker to execute code locally.

https://nvd.nist.gov/vuln/detail/CVE-2025-50708

7. CVE-2024-21762

Improper neutralization of special elements used in a command (‘command injection’) in Windows PowerShell allows an unauthorized attacker to execute code locally.

https://nvd.nist.gov/vuln/detail/CVE-2024-21762

8. CVE-2025-21204

Improper neutralization of special elements used in a command (‘command injection’) in Windows PowerShell allows an unauthorized attacker to execute code locally.

https://nvd.nist.gov/vuln/detail/CVE-2025-21204

9. CVE-2024-34102

Improper neutralization of special elements used in a command (‘command injection’) in Windows PowerShell allows an unauthorized attacker to execute code locally.

https://nvd.nist.gov/vuln/detail/CVE-2024-34102

10. CVE-2017-8759

Improper neutralization of special elements used in a command (‘command injection’) in Windows PowerShell allows an unauthorized attacker to execute code locally.

https://nvd.nist.gov/vuln/detail/CVE-2017-8759

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1.  CVE-2026-2763

Race condition in the JavaScript: GC component. This vulnerability affects Firefox < 148 and Thunderbird < 148.

https://nvd.nist.gov/vuln/detail/CVE-2026-2763

2. CVE-2026-2783

Race condition in the JavaScript: GC component. This vulnerability affects Firefox < 148 and Thunderbird < 148.

https://nvd.nist.gov/vuln/detail/CVE-2026-2783

3. CVE-2026-2785

Race condition in the JavaScript: GC component. This vulnerability affects Firefox < 148 and Thunderbird < 148.

https://nvd.nist.gov/vuln/detail/CVE-2026-2785

4. CVE-2026-2786

Race condition in the JavaScript: GC component. This vulnerability affects Firefox < 148 and Thunderbird < 148.

https://nvd.nist.gov/vuln/detail/CVE-2026-2786

5. CVE-2026-2765

Race condition in the JavaScript: GC component. This vulnerability affects Firefox < 148 and Thunderbird < 148.

https://nvd.nist.gov/vuln/detail/CVE-2026-2765

6. CVE-2026-2764

Race condition in the JavaScript: GC component. This vulnerability affects Firefox < 148 and Thunderbird < 148.

https://nvd.nist.gov/vuln/detail/CVE-2026-2764

7. CVE-2026-2795

Race condition in the JavaScript: GC component. This vulnerability affects Firefox < 148 and Thunderbird < 148.

https://nvd.nist.gov/vuln/detail/CVE-2026-2795

8. CVE-2026-2796

Race condition in the JavaScript: GC component. This vulnerability affects Firefox < 148 and Thunderbird < 148.

https://nvd.nist.gov/vuln/detail/CVE-2026-2796

9. CVE-2026-2767

Race condition in the JavaScript: GC component. This vulnerability affects Firefox < 148 and Thunderbird < 148.

https://nvd.nist.gov/vuln/detail/CVE-2026-2767

10. CVE-2026-2762

Race condition in the JavaScript: GC component. This vulnerability affects Firefox < 148 and Thunderbird < 148.

https://nvd.nist.gov/vuln/detail/CVE-2026-2762

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1.  CVE-2025-55182

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

https://nvd.nist.gov/vuln/detail/CVE-2025-55182

2. CVE-2025-59718

An issue was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on Transaction Layer Packet (TLP) ordering and tag uniqueness may allow encrypted packets to be replayed or reordered without detection. This can enable local or physical attackers on the PCIe bus to violate data integrity protections.

https://nvd.nist.gov/vuln/detail/CVE-2025-59718

3. CVE-2025-42880

An issue was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on Transaction Layer Packet (TLP) ordering and tag uniqueness may allow encrypted packets to be replayed or reordered without detection. This can enable local or physical attackers on the PCIe bus to violate data integrity protections.

https://nvd.nist.gov/vuln/detail/CVE-2025-42880

4. CVE-2025-62557

Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

https://nvd.nist.gov/vuln/detail/CVE-2025-62557

5. CVE-2025-61808

Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

https://nvd.nist.gov/vuln/detail/CVE-2025-61808

6. CVE-2025-59719

Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

https://nvd.nist.gov/vuln/detail/CVE-2025-59719

7. CVE-2025-62221

Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

https://nvd.nist.gov/vuln/detail/CVE-2025-62221

8. CVE-2025-55754

Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

https://nvd.nist.gov/vuln/detail/CVE-2025-55754

9. CVE-2025-62554

Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

https://nvd.nist.gov/vuln/detail/CVE-2025-62554

10. CVE-2025-42928

Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

https://nvd.nist.gov/vuln/detail/CVE-2025-42928

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1.  CVE-2026-20700

A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, visionOS 26.3, iOS 26.3 and iPadOS 26.3. An attacker with memory write capability may be able to execute arbitrary code. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report.

https://nvd.nist.gov/vuln/detail/CVE-2026-20700

2. CVE-2025-43529

A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, visionOS 26.3, iOS 26.3 and iPadOS 26.3. An attacker with memory write capability may be able to execute arbitrary code. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report.

https://nvd.nist.gov/vuln/detail/CVE-2025-43529

3. CVE-2025-14174

A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, visionOS 26.3, iOS 26.3 and iPadOS 26.3. An attacker with memory write capability may be able to execute arbitrary code. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report.

https://nvd.nist.gov/vuln/detail/CVE-2025-14174

4. CVE-2024-49113

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-49113

5. CVE-2025-14847

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2025-14847

6. CVE-2024-21762

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2024-21762

7. CVE-2025-24118

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2025-24118

8. CVE-2024-34102

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2024-34102

9. CVE-2022-21227

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2022-21227

10. CVE-2024-38063

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2024-38063

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1.  CVE-2022-1364

Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

https://nvd.nist.gov/vuln/detail/CVE-2022-1364

2. CVE-2025-52691

Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.

https://nvd.nist.gov/vuln/detail/CVE-2025-52691

3. CVE-2026-1281

Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.

https://nvd.nist.gov/vuln/detail/CVE-2026-1281

4. CVE-2026-21509

Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.

https://nvd.nist.gov/vuln/detail/CVE-2026-21509

5. CVE-2024-6409

A race condition vulnerability was discovered in how signals are handled by OpenSSH’s server (sshd). If a remote attacker does not authenticate within a set time period, then sshd’s SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.

https://nvd.nist.gov/vuln/detail/CVE-2024-6409

6. CVE-2025-68493

Missing XML Validation vulnerability in Apache Struts, Apache Struts.

This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.

Users are recommended to upgrade to version 6.1.1, which fixes the issue.

https://nvd.nist.gov/vuln/detail/CVE-2025-68493

7. CVE-2023-50224

The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9.

This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108.

Both products have reached the status of EOL (end-of-life).
It’s recommending to

purchase the new
product to ensure better performance and security. If replacement is not
an option in the short term, please use the second reference link to
download and install the patch(es).

https://nvd.nist.gov/vuln/detail/CVE-2023-50224

8. CVE-2024-37079

The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9.

This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108.

Both products have reached the status of EOL (end-of-life).
It’s recommending to

purchase the new
product to ensure better performance and security. If replacement is not
an option in the short term, please use the second reference link to
download and install the patch(es).

https://nvd.nist.gov/vuln/detail/CVE-2024-37079

9. CVE-2025-9377

The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9.

This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108.

Both products have reached the status of EOL (end-of-life).
It’s recommending to

purchase the new
product to ensure better performance and security. If replacement is not
an option in the short term, please use the second reference link to
download and install the patch(es).

https://nvd.nist.gov/vuln/detail/CVE-2025-9377

10. CVE-2020-1472

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.
For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020).
When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

https://nvd.nist.gov/vuln/detail/CVE-2020-1472

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1.  CVE-2025-59287

A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček
from ESET.

https://nvd.nist.gov/vuln/detail/CVE-2025-59287

2. CVE-2025-8088

A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček
from ESET.

https://nvd.nist.gov/vuln/detail/CVE-2025-8088

3. CVE-2024-49113

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-49113

4. CVE-2025-54100

A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček
from ESET.

https://nvd.nist.gov/vuln/detail/CVE-2025-54100

5. CVE-2025-14847

A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček
from ESET.

https://nvd.nist.gov/vuln/detail/CVE-2025-14847

6. CVE-2025-21204

A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček
from ESET.

https://nvd.nist.gov/vuln/detail/CVE-2025-21204

7. CVE-2025-24118

A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček
from ESET.

https://nvd.nist.gov/vuln/detail/CVE-2025-24118

8. CVE-2024-38063

A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček
from ESET.

https://nvd.nist.gov/vuln/detail/CVE-2024-38063

9. CVE-2025-68613

A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček
from ESET.

https://nvd.nist.gov/vuln/detail/CVE-2025-68613

10. CVE-2024-34102

A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček
from ESET.

https://nvd.nist.gov/vuln/detail/CVE-2024-34102

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1.  CVE-2025-59287

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2025-59287

2. CVE-2025-31133

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.

An application should be considered vulnerable when all the following are true:

* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.
* An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte.
* The actuator endpoints are available to attackers.
* The actuator endpoints are unsecured.

https://nvd.nist.gov/vuln/detail/CVE-2025-31133

3. CVE-2025-41253

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.

An application should be considered vulnerable when all the following are true:

* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.
* An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte.
* The actuator endpoints are available to attackers.
* The actuator endpoints are unsecured.

https://nvd.nist.gov/vuln/detail/CVE-2025-41253

4. CVE-2025-52472

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.

An application should be considered vulnerable when all the following are true:

* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.
* An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte.
* The actuator endpoints are available to attackers.
* The actuator endpoints are unsecured.

https://nvd.nist.gov/vuln/detail/CVE-2025-52472

5. CVE-2025-52565

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.

An application should be considered vulnerable when all the following are true:

* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.
* An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte.
* The actuator endpoints are available to attackers.
* The actuator endpoints are unsecured.

https://nvd.nist.gov/vuln/detail/CVE-2025-52565

6. CVE-2025-52881

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.

An application should be considered vulnerable when all the following are true:

* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.
* An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte.
* The actuator endpoints are available to attackers.
* The actuator endpoints are unsecured.

https://nvd.nist.gov/vuln/detail/CVE-2025-52881

7. CVE-2025-55449

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.

An application should be considered vulnerable when all the following are true:

* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.
* An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte.
* The actuator endpoints are available to attackers.
* The actuator endpoints are unsecured.

https://nvd.nist.gov/vuln/detail/CVE-2025-55449

8. CVE-2025-61757

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.

An application should be considered vulnerable when all the following are true:

* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.
* An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte.
* The actuator endpoints are available to attackers.
* The actuator endpoints are unsecured.

https://nvd.nist.gov/vuln/detail/CVE-2025-61757

9. CVE-2025-62712

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.

An application should be considered vulnerable when all the following are true:

* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.
* An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte.
* The actuator endpoints are available to attackers.
* The actuator endpoints are unsecured.

https://nvd.nist.gov/vuln/detail/CVE-2025-62712

10. CVE-2025-64446

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.

An application should be considered vulnerable when all the following are true:

* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.
* An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte.
* The actuator endpoints are available to attackers.
* The actuator endpoints are unsecured.

https://nvd.nist.gov/vuln/detail/CVE-2025-64446

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1.  CVE-2025-59287

JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.

https://nvd.nist.gov/vuln/detail/CVE-2025-59287

2. CVE-2024-49113

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

https://nvd.nist.gov/vuln/detail/CVE-2024-49113

3. CVE-2025-14847

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.

https://nvd.nist.gov/vuln/detail/CVE-2025-14847

4. CVE-2025-8088

A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček
from ESET.

https://nvd.nist.gov/vuln/detail/CVE-2025-8088

5. CVE-2024-38063

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

https://nvd.nist.gov/vuln/detail/CVE-2024-38063

6. CVE-2025-24118

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

https://nvd.nist.gov/vuln/detail/CVE-2025-24118

7. CVE-2025-31133

JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.

https://nvd.nist.gov/vuln/detail/CVE-2025-31133

8. CVE-2025-41253

JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.

https://nvd.nist.gov/vuln/detail/CVE-2025-41253

9. CVE-2025-52472

JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.

https://nvd.nist.gov/vuln/detail/CVE-2025-52472

10. CVE-2025-52565

JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.

https://nvd.nist.gov/vuln/detail/CVE-2025-52565

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1.  CVE-2025-59287

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2025-59287

2. CVE-2024-49113

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-49113

3. CVE-2025-14847

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2025-14847

4. CVE-2024-38063

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-38063

5. CVE-2025-24118

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2025-24118

6. CVE-2025-54100

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2025-54100

7. CVE-2025-8088

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2025-8088

8. CVE-2025-68613

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2025-68613

9. CVE-2022-21227

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2022-21227

10. CVE-2016-10033

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2016-10033

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1.  CVE-2025-59287

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2025-59287

2. CVE-2025-14847

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2025-14847

3. CVE-2025-68613

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2025-68613

4. CVE-2024-38063

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2024-38063

5. CVE-2025-8088

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2025-8088

6. CVE-2025-24118

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2025-24118

7. CVE-2025-54100

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2025-54100

8. CVE-2024-49113

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-49113

9. CVE-2025-50708

Improper link resolution before file access (‘link following’) in Windows Update Stack allows an authorized attacker to elevate privileges locally.

https://nvd.nist.gov/vuln/detail/CVE-2025-50708

10. CVE-2016-10033

Improper link resolution before file access (‘link following’) in Windows Update Stack allows an authorized attacker to elevate privileges locally.

https://nvd.nist.gov/vuln/detail/CVE-2016-10033