Multiple Critical Vulnerability Disclosures Across Gogs, Jinjava, and Kubernetes Local Path Provisioner
Several high-severity vulnerability disclosures were published across widely used developer and infrastructure components, with impacts ranging from remote code execution (RCE) to account takeover and arbitrary host file writes. In Gogs (self-hosted Git service), three CVEs were reported: CVE-2025-64111 (CVSS 9.3) enables RCE by bypassing checks in UpdateRepoFile to modify .git/config via the API (described as an insufficient fix for an earlier issue); CVE-2025-64175 (CVSS 7.7) allows a cross-account 2FA recovery-code bypass in versions 0.13.3 and earlier if an attacker already has a victim’s username/password; and CVE-2026-24135 (CVSS 7.2) is a wiki rename path traversal that can delete arbitrary files by manipulating old_title. Separately, Jinjava (HubSpot CMS template engine) disclosed CVE-2026-25526 (CVSS 9.8), a sandbox escape chain that permits arbitrary Java code execution by abusing ForTag iteration behavior (Bean ELResolver restriction bypass) and ObjectMapper-based JSON deserialization to instantiate disallowed classes.
A critical Kubernetes storage issue was also disclosed in Kubernetes Local Path Provisioner: CVE-2025-62878 (CVSS 10.0) allows directory traversal via the parameters.pathPattern setting, enabling a user who can create storage resources to provision volumes in arbitrary host locations (e.g., /etc) and potentially overwrite sensitive files on cluster nodes. In parallel to these product flaws, separate research reported widespread exposure of Git metadata on the public internet—approximately 4.96 million IPs with accessible .git directories and 250,000+ exposing .git/config files that may contain deployment credentials—highlighting a common, high-impact misconfiguration pattern that can enable source code reconstruction and secret theft. Active exploitation activity was reported for Ivanti Endpoint Manager Mobile (EPMM) involving CVE-2026-1281 and CVE-2026-1340, where attackers were observed dropping /mifs/403.jsp and using a Base64-delivered Java class loader designed for delayed, in-memory activation rather than immediate interactive webshell use.
Timeline
Feb 10, 2026
Gogs fixes released for RCE, 2FA bypass, and file deletion flaws
Maintainers released patched versions of Gogs to fix the three disclosed vulnerabilities. Administrators were advised to upgrade promptly to mitigate the risk of exploitation.
Feb 10, 2026
Three Gogs vulnerabilities disclosed, including RCE and 2FA bypass
Three Gogs vulnerabilities were disclosed: CVE-2025-64111 enabling remote command execution, CVE-2025-64175 enabling cross-account 2FA recovery-code bypass, and CVE-2026-24135 enabling path traversal that can delete arbitrary .md files. The issues affect self-hosted Gogs deployments and can lead to account takeover, file deletion, and server compromise.
Feb 9, 2026
Jinjava maintainers release fixes for sandbox bypass chain
Maintainers released patches for CVE-2026-25526 that add security checks to ForTag rendering and tighten ObjectMapper behavior. Users were urged to upgrade to patched versions to prevent remote code execution.
Feb 9, 2026
Jinjava RCE flaw CVE-2026-25526 disclosed
A critical Jinjava vulnerability was disclosed as CVE-2026-25526 with a CVSS score of 9.8. The flaw chains sandbox bypasses in ForTag handling and ObjectMapper deserialization to enable arbitrary Java code execution in environments where users can edit or customize templates.
Feb 9, 2026
Local Path Provisioner v0.0.34 released to fix traversal issue
Maintainers released Local Path Provisioner v0.0.34 to address CVE-2025-62878 by adding stricter validation that rejects directory traversal attempts. The advisory said there are no workarounds and that upgrading is required.
Feb 9, 2026
Kubernetes Local Path Provisioner flaw CVE-2025-62878 disclosed
A critical directory traversal vulnerability in Kubernetes Local Path Provisioner was disclosed as CVE-2025-62878 with a CVSS score of 10.0. The issue allows attackers who can create storage resources to write files outside the intended storage directory on the host via a crafted pathPattern value.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Threat Actors
Malware
Organizations
Affected Products
Sources
Related Stories
Multiple High-Severity Vulnerability Disclosures Across ICS, Open-Source Software, and SOHO Routers
Public disclosures highlighted multiple high-severity vulnerabilities across industrial control systems, open-source software, and consumer networking gear, with several issues enabling **unauthenticated remote compromise**. Johnson Controls disclosed **CVE-2025-26385** (CVSS 10.0), a critical SQL injection affecting multiple building/ICS management products (including *ADS/ADX, LCS8500, NAE8500, SCT, CCT*) that can allow remote, unauthenticated attackers to execute arbitrary SQL to alter/delete/exfiltrate data; CISA guidance emphasized isolating control system networks from the internet, segmentation, and controlled remote access (e.g., VPNs). Additional unauthenticated remote issues include **CVE-2026-25069** in *SunFounder Pironman Dashboard* (path traversal in log API endpoints enabling arbitrary file read/deletion) and **CVE-2025-51958** in the *DokuWiki* `runcommand` plugin (unauthenticated command execution via `lib/plugins/runcommand/postaction.php`). Other disclosures include developer-tooling and application-layer injection flaws and multiple router memory-corruption bugs with public exploit references. *Orval* fixed **CVE-2026-25141**, a code-injection issue where incomplete escaping can be bypassed using **JSFuck**-style payloads, and *Cybersecurity AI (CAI)* addressed **CVE-2026-25130**, where `subprocess.Popen(..., shell=True)` enables argument/command injection leading to RCE (notably via the `find_file()` tool). Data-layer issues include **CVE-2025-69662** in *geopandas* (`to_postgis()` SQL injection) and **CVE-2026-24854** in *ChurchCRM* (authenticated SQL injection via `PerID` in `/PaddleNumEditor.php`, patched in 6.7.2), while **CVE-2025-36384** affects *IBM Db2 for Windows* (local privilege escalation via unquoted search path). SOHO router flaws **CVE-2026-1686** (*Totolink A3600R*) and **CVE-2026-1637** (*Tenda AC21*) describe remotely reachable buffer/stack overflows with publicly available exploit material, increasing the likelihood of opportunistic exploitation where exposed management interfaces exist.
1 months ago
CISA Flags Actively Exploited Gogs Path Traversal Leading to RCE (CVE-2025-8110)
CISA added **CVE-2025-8110** affecting the *Gogs* self-hosted Git service to its **Known Exploited Vulnerabilities (KEV) Catalog**, citing evidence of active exploitation and triggering mandatory remediation timelines for U.S. Federal Civilian Executive Branch (FCEB) agencies under **BOD 22-01**. The issue is described as a **path traversal** weakness that can be leveraged for **remote code execution (RCE)** in real-world attacks, increasing risk for organizations running Internet-exposed Gogs instances. Technical reporting indicates the flaw resides in the `PutContents` API and can be abused by authenticated attackers using **symbolic links** to write outside a repository and overwrite sensitive files; one described route to code execution is overwriting Git configuration (e.g., `sshCommand`) to force arbitrary command execution. Wiz Research tied the vulnerability to observed malware activity on an Internet-facing Gogs server and reported large-scale exposure and compromise signals across the ecosystem (including thousands of exposed servers and hundreds showing signs of compromise), with exploitation observed as a zero-day prior to patch availability; CISA’s KEV action formalizes the exploitation status and elevates patching priority for both government and non-government operators.
1 months ago
Active Exploitation of Critical Enterprise Software Vulnerabilities Added to CISA KEV
Multiple **critical, unauthenticated remote code execution and authentication-bypass vulnerabilities** in widely deployed enterprise products were reported as **actively exploited** and, in several cases, added to CISA’s **Known Exploited Vulnerabilities (KEV)** catalog. SmarterTools *SmarterMail* is being targeted in **ransomware** activity via **CVE-2026-24423**, an unauthenticated RCE caused by missing authentication on the `ConnectToHub` API (`/api/v1/settings/sysadmin/connect-to-hub`), where an attacker-controlled server can return JSON containing a `CommandMount` value that drives arbitrary command execution; the issue affects versions prior to `v100.0.9511`. Separately, SolarWinds *Web Help Desk* is affected by **CVE-2025-40551** (CVSS 9.8), a **deserialization of untrusted data** flaw in the `AjaxProxy` component enabling remote, unauthenticated command execution; CISA added it to KEV amid in-the-wild exploitation and set an accelerated patch deadline for US federal agencies. In parallel, Fortinet environments using **FortiCloud SSO** face authentication-bypass risk from **CVE-2025-59718**, **CVE-2025-59719**, and **CVE-2026-24858**, which can allow an attacker with a FortiCloud account to log into organizations’ **FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb** if SSO is enabled; Kaspersky published **SIEM correlation rules** to detect related suspicious logins and admin actions. Samsung *MagicInfo 9 Server* (digital signage management) was also reported with a trio of severe flaws affecting versions prior to `21.1090.1`, including **CVE-2026-25202** (hardcoded credentials, CVSS 9.8) and **CVE-2026-25201** (unauthenticated arbitrary file upload leading to RCE, CVSS 8.8), creating risk of server takeover and potential network compromise; the article does not indicate KEV inclusion or confirmed exploitation for these MagicInfo issues.
1 months ago