NVD Dashboard

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (CVSS Severity)
  • CVE-2025-70298 - GPAC v2.4.0 was discovered to contain an out-of-bounds read in the oggdmx_parse_tags function.
    Published: January 15, 2026; 12:16:05 PM -0500

  • CVE-2025-70304 - A buffer overflow in the vobsub_get_subpic_duration() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted packet.
    Published: January 15, 2026; 12:16:05 PM -0500

  • CVE-2025-70305 - A stack overflow in the dmx_saf function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .saf file.
    Published: January 15, 2026; 12:16:05 PM -0500

  • CVE-2025-70308 - An out-of-bounds read in the GSF demuxer filter component of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .gsf file.
    Published: January 15, 2026; 12:16:06 PM -0500

  • CVE-2025-70309 - A stack overflow in the pcmreframe_flush_packet function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted WAV file.
    Published: January 15, 2026; 12:16:06 PM -0500

  • CVE-2025-70310 - A heap overflow in the vorbis_to_intern() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .ogg file.
    Published: January 15, 2026; 12:16:06 PM -0500

  • CVE-2026-23768 - lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or object tags are used with a src attribute missin...
    Published: January 16, 2026; 1:15:51 AM -0500

  • CVE-2026-23769 - lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files.
    Published: January 16, 2026; 1:15:51 AM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2025-14757 - The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment...
    Published: January 16, 2026; 4:15:59 AM -0500

    V3.1: 5.3 MEDIUM

  • CVE-2025-52986 - A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low privileged user to cause an impact to the availability of the device. Wh...
    Published: July 11, 2025; 12:15:26 PM -0400

  • CVE-2025-14844 - The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Ad...
    Published: January 16, 2026; 5:16:04 AM -0500

    V3.1: 7.5 HIGH

  • CVE-2025-52985 - A Use of Incorrect Operator vulnerability in the Routing Engine firewall of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to bypass security restrictions. When a firewall filter which is applied to the lo0 o...
    Published: July 11, 2025; 12:15:25 PM -0400

  • CVE-2025-52984 - A NULL Pointer Dereference vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause impact to the availability of the device. When static route...
    Published: July 11, 2025; 12:15:25 PM -0400

  • CVE-2025-59870 - HCL MyXalytics is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation, introducing a security risk.
    Published: January 16, 2026; 6:16:02 AM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2025-52983 - A UI Discrepancy for Security Feature vulnerability in the UI of Juniper Networks Junos OS on VM Host systems allows a network-based, unauthenticated attacker to access the device. On VM Host Routing Engines (RE), even if the configured public...
    Published: July 11, 2025; 12:15:25 PM -0400

  • CVE-2025-14894 - Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the...
    Published: January 16, 2026; 8:16:11 AM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2025-52982 - An Improper Resource Shutdown or Release vulnerability in the SIP ALG of Juniper Networks Junos OS on MX Series with MS-MPC allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). When an MX Series device with an MS-...
    Published: July 11, 2025; 12:15:25 PM -0400

  • CVE-2026-0612 - The Librarian contains an information leakage vulnerability through the `web_fetch` tool, which can be used to retrieve arbitrary external content provided by an attacker, which can be used to proxy requests through The Librarian infrastructure. Th...
    Published: January 16, 2026; 8:16:11 AM -0500

  • CVE-2026-0613 - The Librarian contains an internal port scanning vulnerability, facilitated by the `web_fetch` tool, which can be used with SSRF-style behavior to perform GET requests to internal IP addresses and services, enabling scanning of the Hertzner cloud ...
    Published: January 16, 2026; 8:16:11 AM -0500

  • CVE-2026-0615 - The Librarian `supervisord` status page can be retrieved by the `web_fetch` tool, which can be used to retrieve running processes within TheLibrarian backend. The vendor has fixed the vulnerability in all affected versions.
    Published: January 16, 2026; 8:16:11 AM -0500