We are glad to announce Vulnerability-Lookup 3.0.0. Our second release of 2026 is a major milestone, featuring GCVE-BCP-07 support. Now, every Vulnerability-Lookup instance can publish its own KEV catalog while integrating KEV feeds from CISA and ENISA.

Let’s take a look at all the notable changes.

What's New

GCVE-BCP-07: Known Exploited Vulnerabilities (KEV) Catalogs Integration

This release implements support for GCVE-BCP-07, enabling seamless integration with multiple Known Exploited Vulnerabilities (KEV) catalogs from different Global Numbering Authorities (GNAs). PR #310

Out of the box, any Vulnerability-Lookup instance can publish its own GCVE-BCP-07–compliant KEV catalog and consume KEV catalogs from ENISA and CISA. Conversion and synchronization are performed using the following tool: https://github.com/gcve-eu/gcve-eu-kev

A huge thank you to CISA and ENISA for their continuous work and for making KEV data available. Their catalogs are key building blocks for effective vulnerability prioritization, and it’s great to see them fit naturally into a GCVE-aligned workflow.

New and updated tools

• CISA KEV and ENISA CNW EUVD to GCVE-BCP-07 Converter: https://github.com/gcve-eu/gcve-eu-kev

  $ gcve-from-cisa --push
  $ gcve-from-enisa --push
  

• BCP Validator: https://github.com/gcve-eu/bcp-validator

  $ python gcve_bcp05_validate.py --url https://vulnerability.circl.lu/api/vulnerability?source=gna-1
  OK: https://vulnerability.circl.lu/api/vulnerability/recent?source=gna-1
  

• GCVE Python client: https://github.com/gcve-eu/gcve

  $ gcve references --list
  {
    "kev": [
        {
        "uuid": "405284c2-e461-4670-8979-7fd2c9755a60",
        "short_name": "CISA KEV",
        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
        "automation_url": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
        "description": "For the benefit of the cybersecurity community and network defenders\u2014and to help every organization better manage vulnerabilities and keep pace with threat activity\u2014CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework."
        },
        {
        "uuid": "1a89b78e-f703-45f3-bb86-59eb712668bd",
        "short_name": "CIRCL",
        "gcve_gna_id": 1,
        "description": "CIRCL provides a known-exploited vulnerability and supporting the different status_reason described in GCVE BCP-07."
        },
        {
        "uuid": "cce329bf-df49-4c6e-a027-80be2e6483bd",
        "short_name": "EUVD KEV",
        "gcve_gna_id": 2,
        "automation_url": "https://github.com/enisaeu/CNW/raw/refs/heads/main/kev.csv",
        "description": "ENISA via the CSIRTs network provides list of known-exploited seen in the CSIRTs network."
        }
    ]
  }
  

New Vulnerability Sources

• new: [feeders] OSV importer for Drupal security advisories. Imports vulnerabilities from the Drupal security team's OSV feed. 14177ab

• new: [feeders] OSV importer for CleanStart security advisories. Imports vulnerabilities from CleanStart's OSV feed. 14177ab

• new: [feeders] Bitnami Vulnerability Database importer. Imports vulnerabilities from Bitnami's OSV-formatted vulnerability database, covering their application catalog. 165e99d

Changes

• chg: [gcve] Updated GCVE Python client with improved type hints and bug fixes. 78dbfc1 5ddf74d

• chg: [gcve] KEV catalog menu now handles production instances that have their own GNA ID. When a local instance (e.g., CIRCL - GNA-1) exists in the GCVE KEV catalog list, it's marked as local without creating duplicates. 2bba2d8

• chg: [api] Extended x_gcve injection to all vulnerability list endpoints: VulnerabilitiesList, Recent, Last, and LastLegacy. This ensures consistent GCVE integration across all API endpoints. 227da00

• Various graphical improvements.

Fixes

• fix: [gcve] Resolved circular import in gcve_utils module. e7aa364

• 'Ghost CVEs' toggle is wonky #303

• Fix CVSS 4.0 parsing crash in web filters #304

• Fix blacklist bypass vulnerability in username validation #314

• Support YYYYMMDD date format in API since parameter #315

Changelog

For the full list of changes, check the GitHub release:
v3.0.0 Release Notes

Thank you to all our contributors and testers!

Feedback and Support

If you encounter any issues or have suggestions, please open a ticket on our GitHub repository:
GitHub Issues

Follow Us on the Fediverse

Stay updated on security advisories in real-time by following us on Mastodon:
@vulnerability_lookup

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Set up a framework to fully man-in-the-middle my own browsers' networking and see what they're up to beyond just looking at their DNS queries and encrypted tcp packets. We force the browser to trust our mitmproxy cacert so we can peek inside cleartext traffic and made it conveniently reproducible and extensible.

It has containers for official Firefox, its Debian version, and some other FF derivatives that market a focus on privacy or security. Might add a few more of those or do the chromium family later - if you read the thing and want more then please let us know what you want to see under the lens in a future update!

Tests were run against a basic protocol for each of them and results are aggregated at the end of the post.

Posting with ambition that this can trigger some follow-ups sharing derived or similar things. Maybe someone could make a viral blog post by doing some deeper tests and making their results digestible ;)

Cross-post. Original Thread @ https://discuss.tchncs.de/post/53845514

https://archive.is/dX5xd

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

It is not an universal RCE (it works from a service account with the correct permissions).

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

We’re delighted to announce the release of Vulnerability-Lookup 2.21.0.

This release brings several important improvements focused on search, data ingestion, and usability.

What's New

Product-level indexing & search API

Making it easier to explore vulnerabilities from a product-centric angle, without specifying a vendor name. (f906064)

New CSAF feeder for Schneider Electric

We have recently added a new CSAF feed for Schneider Electric. (e43fa03)

More flexible user registration configuration

New options to customize signup/about pages and restrict accepted email domains. (3855838, bfc82cf)

Improved notifications & UI refinements

Clearer emails, better metadata, and cleaner templates.

Ghost CVE

We now use the term Ghost CVE to refer to vulnerabilities observed in the wild via sightings that do not yet have a public CVE record.

Changes

A number of fixes and technical improvements are also included.

• chg: [notifications] Added the publication date in email notifications and a special icon for new vulnerabilities. Closes #299. 64bc631
• chg: [dependencies] Updated Python and dev/docs dependencies. 510233c b08c381
• chg: [config] Updated default value for ACCEPTED_DOMAINS_FOR_REGISTRATION. 6563f8a
• chg: [templates] Simplified titles for vuln and sightings pages; added Open Graph meta tag. 19c9a69 27eb6bf
• chg: [documentation] Updated installation instructions. 152212d

Fixes

• fix: [api] Preserve typing for flask-restx decorators (mypy). f5f31c5
• fix(cvss): Safely handle CVSS 4.0 vectors in Jinja filters. Closes #305. 5a303bb
• fix: [templates] Fix Bootstrap switch click handling (moved popover to help icon). Closes #303. 19a8c54
• fix: [bin] Corrected the script name for the CSAF Schneider Electric importer. 1386a76
• fix: [templates] Fixed an issue with batch deletion of users. 839345b
• fix: [templates] Fixed a tag id in vulnerability_templates.html. bc0d329

Changelog

For the full list of changes, check the GitHub release:
v2.21.0 Release Notes

Thank you to all our contributors and testers!

The new contributor of this release is Thai Nguyen.

Feedback and Support

If you encounter any issues or have suggestions, please open a ticket on our GitHub repository:
GitHub Issues

Follow Us on the Fediverse

Stay updated on security advisories in real-time by following us on Mastodon:
@vulnerability_lookup

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter. If the client supply a carefully crafted USER environment value being the string "-f root", and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes. This happens because the telnetd server do not sanitize the USER environment variable before passing it on to login(1), and login(1) uses the -f parameter to by-pass normal authentication. Severity: High Vulnerable versions: GNU InetUtils since version 1.9.3 up to and including version 2.7.

Happy 2026! The BusKill project published our Annual Report for the progress we made last year.

What is BusKill?

BusKill is a laptop kill-cord. It's a USB cable with a magnetic breakaway that you attach to your body and connect to your computer.

Watch the BusKill Explainer Video for more info youtube.com/v/qPwyoD_cQR4

If the connection between you to your computer is severed, then your device will lock, shutdown, or shred its encryption keys -- thus keeping your encrypted data safe from thieves that steal your device.

Executive Summary

• First Annual Report
• Video documentation
• Futo Grant Recipient

In 2025, we're changing from a twice-yearly Warrant Canary to a once-yearly-canary plus a new once-yearly-annual-report.

In 2025, we published two video to help spread awareness, provide a clear demo, and show how to use BusKill.

And in 2025, we were awarded a grant from Futo.

Happy New Year!

We're looking forward to continuing to improve the BusKill software and looking for other avenues to distribute our hardware BusKill cable to make it more accessible this year.

If you want to help, please consider purchasing a BusKill cable for yourself or a loved one. It helps us fund further development, and you get your own BusKill cable to keep you or your loved ones safe.

Buy a BusKill Cable
https://buskill.in/buy

You can also buy a BusKill cable with bitcoin, monero, and other altcoins from our BusKill Store's .onion site.

Stay safe,
The BusKill Team
https://www.buskill.in/
http://www.buskillvampfih2iucxhit3qp36i2zzql3u6pmkeafvlxs3tlmot5yad.onion/

In January 2026, Huntress Senior Security Operations Analyst Tanner Filip observed threat actors using a malicious browser extension to display a fake security warning, claiming the browser had "stopped abnormally" and prompting users to run a “scan” to remediate the threats. Our analysis revealed this campaign is the work of KongTuke, a threat actor we have been tracking since the beginning of 2025. In this latest operation, we identified several new developments: a malicious browser extension called NexShield that impersonates the legitimate uBlock Origin Lite ad blocker, a new ClickFix variant we have dubbed “CrashFix” that intentionally crashes the browser then baits users into running malicious commands, and ModeloRAT, a previously undocumented Python RAT reserved exclusively for domain-joined hosts.

Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to be decoded before the message is opened by the user. One such feature is audio transcription. Incoming SMS and RCS audio attachments received by Google Messages are now automatically decoded with no user interaction. As a result, audio decoders are now in the 0-click attack surface of most Android phones.

I’ve spent a fair bit of time investigating these decoders, first reporting CVE-2025-49415 in the Monkey’s Audio codec on Samsung devices. Based on this research, the team reviewed the Dolby Unified Decoder, and Ivan Fratric and I reported CVE-2025-54957. This vulnerability is likely in the 0-click attack surface of most Android devices in use today. In parallel, Seth Jenkins investigated a driver accessible from the sandbox the decoder runs in on a Pixel 9, and reported CVE-2025-36934.

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Establishing trusted, time-stamped records of system states in distributed environments presents a significant challenge for maintaining accountability and security. Organizations often struggle to produce non-repudiable proof that a specific check was performed or that a system was in a particular state at a precise moment in time. SCANDALE is a libre software solution designed to address this challenge by providing a robust backend architecture for collecting data from distributed probes and storing immutable proofs of those checks. Its core components include a high-performance HTTP API with real-time capabilities, an agent-based backend built on the Smart Python Agent Development Environment (SPADE) for scalable probe management, and a dedicated service for cryptographic timestamping in compliance with RFC 3161. The platform’s primary contribution is its ability to transform operational measurements into cryptographically verifiable evidence, yielding a durable and non-repudiable audit trail.

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for December 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.

A new section dedicated to detection rules is available.

The Month at a Glance

December 2025 was dominated by a massive surge in activity surrounding CVE-2025-55182 affecting Meta's react-server-dom-webpack. With 852 sightings, this critical vulnerability (referenced by contributors as "React2Shell") significantly outpaced all other vulnerabilities, highlighting a major focus on web application infrastructure exploitation.

Database and network security were also primary themes this month. MongoDB (CVE-2025-14847) ranked second in sightings and was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on December 29th. The networking sector remained volatile, with critical vulnerabilities in Cisco Secure Email, WatchGuard Fireware OS, Fortinet, and SonicWall appearing in both the top sightings and the CISA KEV list.

Despite the influx of 2025 vulnerabilities, "zombie" vulnerabilities continue to plague the internet. Legacy issues from 2015 (D-Link) and 2017 (Zyxel) persist in the Top 10, proving that unpatched IoT devices remain active attack vectors years after disclosure.

In the broader ecosystem, CISA added a wide variety of threats to their catalog, ranging from mobile operating systems (iOS, Android) and browsers (Chrome) to desktop utilities like WinRAR. Additionally, community contributors highlighted significant structural shifts, notably the End-of-Life status for the Linux 5.4 kernel and new cryptographic implementation flaws in GnuPG.

Evolution of published CVE in 2025

More information.

Top 10 Vendors of the Month

Top 10 Assigners of the Month

Top 10 vulnerabilities of the Month

Vulnerability	Sighting Count	Vendor	Product	VLAI Severity
CVE-2025-55182	852	Meta	react-server-dom-webpack	Critical (confidence: 0.9783)
CVE-2025-14847	204	MongoDB Inc.	MongoDB Server	High (confidence: 0.9538)
CVE-2025-20393	89	Cisco	Cisco Secure Email	Critical (confidence: 0.5137)
CVE-2015-2051	62	dlink	dir-645	High (confidence: 0.607)
CVE-2017-18368	62	zyxel	p660hn-t1a_v1	Critical (confidence: 0.9763)
CVE-2025-14733	60	WatchGuard	Fireware OS	Critical (confidence: 0.976)
CVE-2025-66516	57	Apache Software Foundation	Apache Tika core	High (confidence: 0.8155)
CVE-2018-10562	56	dasannetworks	gpon_router	Critical (confidence: 0.9815)
CVE-2025-40602	53	SonicWall	SMA1000	Medium (confidence: 0.9162)
CVE-2025-59718	53	Fortinet	FortiSwitchManager	Critical (confidence: 0.7339)

Known Exploited Vulnerabilities

New entries have been added to major Known Exploited Vulnerabilities catalogs.

CISA

CVE ID	Date Added	Vendor	Product	VLAI Severity
CVE-2025-14847	29/12/25	MongoDB Inc.	MongoDB Server	High (confidence: 0.9538)
CVE-2023-52163	22/12/25	digiever	ds-2105_pro	High (confidence: 0.9141)
CVE-2025-14733	19/12/25	WatchGuard	Fireware OS	Critical (confidence: 0.976)
CVE-2025-20393	17/12/25	Cisco	Cisco Secure Email	Critical (confidence: 0.5137)
CVE-2025-40602	17/12/25	SonicWall	SMA1000	Medium (confidence: 0.9162)
CVE-2025-59374	17/12/25	ASUS	live update	Critical (confidence: 0.7584)
CVE-2025-59718	16/12/25	Fortinet	FortiSwitchManager	Critical (confidence: 0.7339)
CVE-2025-43529	15/12/25	Apple	iOS and iPadOS	High (confidence: 0.9918)
CVE-2025-14611	15/12/25	Gladinet	CentreStack and TrioFox	High (confidence: 0.8669)
CVE-2025-14174	12/12/25	Google	Chrome	High (confidence: 0.8175)
CVE-2018-4063	12/12/25	sierrawireless	aleos	High (confidence: 0.7137)
CVE-2025-58360	11/12/25	geoserver	geoserver	High (confidence: 0.5288)
CVE-2025-62221	09/12/25	Microsoft	Windows 10 Version 1809	High (confidence: 0.9943)
CVE-2025-6218	09/12/25	RARLAB	WinRAR	High (confidence: 0.9977)
CVE-2025-66644	08/12/25	Array Networks	ArrayOS AG	High (confidence: 0.8361)
CVE-2022-37055	08/12/25	dlink	go-rt-ac750	Critical (confidence: 0.9698)
CVE-2025-55182	05/12/25	Meta	react-server-dom-webpack	Critical (confidence: 0.9783)
CVE-2021-26828	03/12/25	scadabr	scadabr	High (confidence: 0.7378)
CVE-2025-48633	02/12/25	Google	Android	High (confidence: 0.8796)
CVE-2025-48572	02/12/25	Google	Android	High (confidence: 0.9629)

ENISA

No new entry in December.

Top 10 Weaknesses of the Month

Detection rules

CVE-2025-55182

• ET WEB_SPECIFIC_APPS Waku RSC React2Shell Unsafe Flight Protocol Property Access [SURICATA]
• ET WEB_SPECIFIC_APPS Vite RSC React2Shell Unsafe Flight Protocol Property Access [SURICATA]
• ET WEB_SPECIFIC_APPS React Server Components React2Shell Unsafe Flight Protocol Property Access [SURICATA]

CVE-2015-2051

• ET EXPLOIT D-Link HNAP SOAPAction Command Injection [SURICATA]

CVE-2017-18368

• ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE [SURICATA]

CVE-2025-66516

• ET WEB_SPECIFIC_APPS Apache Tika XML External Entity Injection [SURICATA]

CVE-2023-52163

• ET WEB_SPECIFIC_APPS DigiEver DS-2105 Pro time_tzsetup.cgi ntp Parameter Command Injection Attempt [SURICATA]

CVE reserved, but partial information has already appeared on the public internet

Sightings detected between 2025-12-01 and 2025-12-31 that are associated with vulnerabilities without public records.

Vulnerability ID	Occurrences	Comment
CVE-2023-42344	11	OpenCMS Unauthenticated XXE Vulnerability
CVE-2025-14269	9	Credential caching in Headlamp with Helm enabled
CVE-2025-14282	6	dropbear: privilege escalation via unix domain socket forwardings
CVE-2025-14558	5	FreeBSD IPv6 Flaw Enables Remote Code Execution Attacks
CVE-2025-9820	2	gnutls 3.8.11 released with fix for CVE-2025-9820
CVE-2025-66387	2	QL Injection in Orkes Conductor
CVE-2025-65995	2	Apache Airflow: Disclosure of secrets to UI via kwargs

Insights from Contributors

• gpg.fail - multiple vulnerabilities in GnuPG
• React2Shell
• The LAST Linux 5.4.y release. It is now end-of-life and should not be > used by anyone, anymore.
• Apache Tika
• Security content of iOS 26.2 and iPadOS 26.2
• Reports About Cyberattacks Against Cisco Secure Email Gateway And Cisco Secure Email and Web Manage

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding

The main objective of Federated European Team for Threat Analysis (FETTA) is improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.

The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL’s contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.

Press release