TheHackerWire

@TheHackerWire@infosec.exchange
mastodon 4.6.0-alpha.5+glitch

Knowledge is the ultimate weapon against cyber threats.

0 Followers
0 Following
Joined December 15, 2025
Website:
https://www.thehackerwire.com/
X:
https://x.com/TheHackerWire

Posts

@TheHackerWire@infosec.exchange · Feb 10, 2026

Two critical SAP vulnerabilities (CVE-2026-0488, CVE-2026-0509) highlight risks in authorization handling inside enterprise platforms.

• SQL execution leading to database compromise
• Unauthorized background RFC execution
• High integrity and availability impact

Exposure discovery commonly focuses on internet-facing NetWeaver and Fiori interfaces using queries such as:

product:"SAP NetWeaver"
body="/sap/public/"

https://www.thehackerwire.com/vulnerability/CVE-2026-0509/
https://www.thehackerwire.com/vulnerability/CVE-2026-0488/

@TheHackerWire@infosec.exchange · Feb 03, 2026

🟠 CVE-2026-24763 - High (8.8)

OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authe...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24763/

#CVE #vulnerability #infosec #cybersecurity

@TheHackerWire@infosec.exchange · Feb 03, 2026

🟠 CVE-2026-24737 - High (8.1)

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properti...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24737/

#CVE #vulnerability #infosec #cybersecurity

@TheHackerWire@infosec.exchange · Feb 03, 2026

🔴 CVE-2026-25142 - Critical (10)

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SandboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution. This vulnerability is fixed in 0.8.27.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25142/

#CVE #vulnerability #infosec #cybersecurity

@TheHackerWire@infosec.exchange · Feb 02, 2026

🔴 CVE-2026-25137 - Critical (9.1)

The NixOS Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS-based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoo's file store....

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25137/

#CVE #vulnerability #infosec #cybersecurity

@TheHackerWire@infosec.exchange · Feb 02, 2026

🟠 CVE-2026-20411 - High (7.8)

In cameraisp, there is a possible escalation of privilege due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10351676; Issue ID: MSV-5737.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-20411/

#CVE #vulnerability #infosec #cybersecurity

@TheHackerWire@infosec.exchange · Feb 02, 2026

🟠 CVE-2026-20412 - High (7.8)

In cameraisp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10351676; Issue ID: MSV-5733.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-20412/

#CVE #vulnerability #infosec #cybersecurity

@TheHackerWire@infosec.exchange · Feb 02, 2026

🔴 CVE-2026-24071 - Critical (9.3)

It was found that the XPC service offered by the privileged helper of Native Access uses the PID of the connecting client to verify its code signature. This is considered insecure and can be exploited by PID reuse attacks. The connection handler function uses _xpc_connection_get_pid(arg2) as ar...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24071/

#CVE #vulnerability #infosec #cybersecurity

@TheHackerWire@infosec.exchange · Feb 02, 2026

🟠 CVE-2026-24070 - High (8.8)

During the installation of the Native Access application, a privileged helper `com.native-instruments.NativeAccess.Helper2`, which is used by Native Access to trigger functions via XPC communication like copy-file, remove or set-permissions, is deployed as well. The communication with the XPC ser...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24070/

#CVE #vulnerability #infosec #cybersecurity

@TheHackerWire@infosec.exchange · Feb 02, 2026

🔴 CVE-2025-15030 - Critical (9.8)

The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-15030/

#CVE #vulnerability #infosec #cybersecurity

@TheHackerWire@infosec.exchange · Feb 02, 2026

🟠 CVE-2025-9974 - High (8.8)

The unified WEBUI application of the ONT/Beacon device contains an input handling flaw that allows authenticated users to trigger unintended system-level command execution. Due to insufficient validation of user-supplied data, a low-privileged authenticated attacker may be able to execute arbitra...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-9974/

#CVE #vulnerability #infosec #cybersecurity

@TheHackerWire@infosec.exchange · Feb 02, 2026

🟠 CVE-2025-14914 - High (7.6)

IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1 could allow a privileged user to upload a zip archive containing path traversal sequences resulting in an overwrite of files leading to arbitrary code execution.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-14914/

#CVE #vulnerability #infosec #cybersecurity

@TheHackerWire@infosec.exchange · Feb 02, 2026

🟠 CVE-2025-47359 - High (7.8)

Memory Corruption when multiple threads simultaneously access a memory free API.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-47359/

#CVE #vulnerability #infosec #cybersecurity

@TheHackerWire@infosec.exchange · Feb 02, 2026

🟠 CVE-2025-47358 - High (7.8)

Memory Corruption when user space address is modified and passed to mem_free API, causing kernel memory to be freed inadvertently.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-47358/

#CVE #vulnerability #infosec #cybersecurity

@TheHackerWire@infosec.exchange · Feb 02, 2026

🟠 CVE-2025-47399 - High (7.8)

Memory Corruption while processing IOCTL call to update sensor property settings with invalid input parameters.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-47399/

#CVE #vulnerability #infosec #cybersecurity

@TheHackerWire@infosec.exchange · Feb 02, 2026

🟠 CVE-2025-47398 - High (7.8)

Memory Corruption while deallocating graphics processing unit memory buffers due to improper handling of memory pointers.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-47398/

#CVE #vulnerability #infosec #cybersecurity

@TheHackerWire@infosec.exchange · Feb 02, 2026

🟠 CVE-2025-47397 - High (7.8)

Memory Corruption when initiating GPU memory mapping using scatter-gather lists due to unchecked IOMMU mapping errors.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-47397/

#CVE #vulnerability #infosec #cybersecurity

@TheHackerWire@infosec.exchange · Feb 02, 2026

🟠 CVE-2026-20408 - High (8)

In wlan, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00461651; Issue ID: MSV-4758.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-20408/

#CVE #vulnerability #infosec #cybersecurity

@TheHackerWire@infosec.exchange · Feb 02, 2026

🟠 CVE-2026-20419 - High (7.5)

In wlan AP/STA firmware, there is a possible system becoming irresponsive due to an uncaught exception. This could lead to remote (proximal/adjacent) denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00461663 / WCNCR...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-20419/

#CVE #vulnerability #infosec #cybersecurity

@TheHackerWire@infosec.exchange · Feb 02, 2026

🟠 CVE-2026-20418 - High (8.8)

In Thread, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00465153; Issue ID: MSV-4927.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-20418/

#CVE #vulnerability #infosec #cybersecurity

@TheHackerWire@infosec.exchange · Jan 13, 2026

🟠 CVE-2025-66176 - High (8.8)

There is a Stack overflow Vulnerability in the device Search and Discovery feature of Hikvision Access Control Products. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-66176/

#CVE #vulnerability #infosec #cybersecurity