Security Vulnerabilities
A malicious actor with access to the adjacent network could obtain unauthorized access to a UniFi Protect Camera by exploiting a discovery protocol vulnerability in the Unifi Protect Application (Version 6.1.79 and earlier).
Affected Products:
UniFi Protect Application (Version 6.1.79 and earlier).
Mitigation:
Update your UniFi Protect Application to Version 6.2.72 or later.
CVSS Score
8.8
EPSS Score
0.0
Published
2026-01-05
A malicious actor with access to the adjacent network could overflow the UniFi Protect Application (Version 6.1.79 and earlier) discovery protocol causing it to restart.
Affected Products:
UniFi Protect Application (Version 6.1.79 and earlier).
Mitigation:
Update your UniFi Protect Application to Version 6.2.72 or later.
CVSS Score
6.5
EPSS Score
0.0
Published
2026-01-05
An Improper Access Control could allow a malicious actor in Wi-Fi range to the EV Station Lite (v1.5.2 and earlier) to use WiFi AutoLink feature on a device that was only adopted via Ethernet.
CVSS Score
5.3
EPSS Score
0.0
Published
2026-01-05
An issue in realme Internet browser v.45.13.4.1 allows a remote attacker to execute arbitrary code via a crafted webpage in the built-in HeyTap/ColorOS browser
CVSS Score
5.4
EPSS Score
0.001
Published
2026-01-05
An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, and 2500. Improper validation of user-space input in the issimian device driver leads to information disclosure and a denial of service.
CVSS Score
7.1
EPSS Score
0.0
Published
2026-01-05
An issue was discovered in Samsung Magician 6.3.0 through 8.3.2 on Windows. The installer creates a temporary folder with weak permissions during installation, allowing a non-admin user to perform DLL hijacking and escalate privileges.
CVSS Score
7.8
EPSS Score
0.0
Published
2026-01-05
A Cross-Site Scripting (XSS) vulnerability in the UCRM Argentina AFIP invoices Plugin (v1.2.0 and earlier) could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page.
This plugin is disabled by default.
Affected Products:
UCRM Argentina AFIP invoices Plugin (Version 1.2.0 and earlier)
Mitigation:
Update UCRM Argentina AFIP invoices Plugin to Version 1.3.0 or later.
CVSS Score
7.5
EPSS Score
0.001
Published
2026-01-05
Cross Site Request Forgery vulnerability in Employee Leave Management System v.2.1 allows a remote attacker to escalate privileges via the manage-employee.php component
CVSS Score
5.4
EPSS Score
0.0
Published
2026-01-05
Mega-Fence (webgate-lib.*) 25.1.914 and prior trusts the first value of the X-Forwarded-For (XFF) header as the client IP without validating a trusted proxy chain. An attacker can supply an arbitrary XFF value in a remote request to spoof the client IP, which is then propagated to security-relevant state (e.g., WG_CLIENT_IP cookie). Deployments that rely on this value for IP allowlists may be bypassed.
CVSS Score
6.5
EPSS Score
0.001
Published
2026-01-05
An issue in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuration and critical data. This was due to the application storing its files in an insufficiently protected location that was accessible via the web interface
CVSS Score
7.5
EPSS Score
0.0
Published
2026-01-05