Trending CVEs

Vulnerability: An out of bounds write vulnerability in Skia in Google Chrome prior to version 146.0.7680.75 allows a remote attacker to perform out of bounds memory access via a crafted HTML page. This high-severity vulnerability affects Google Chrome users across multiple platforms.

Trending: CVE-2026-3909 is trending due to active exploitation in the wild, with confirmed exploit code documented in CISA's Known Exploited Vulnerabilities catalog and VulnCheck KEV. Google released multiple emergency patches within days after the initial fix proved insufficient, triggering widespread urgent patching advisories across security communities.

Vulnerability: An inappropriate implementation in V8 in Google Chrome prior to version 146.0.7680.75 allowed remote attackers to execute arbitrary code inside a sandbox via a crafted HTML page. This is a high-severity vulnerability affecting Google Chrome users.

Trending: CVE-2026-3910 is trending due to active exploitation in the wild, with confirmed exploit code documented in CISA's Known Exploited Vulnerabilities catalog and VulnCheck KEV. Multiple security organizations and CISA have issued urgent alerts recommending immediate patching within 24-48 hours, as threat actors are actively exploiting this zero-day vulnerability alongside CVE-2026-3909.

Vulnerability: An Incorrect Permission Assignment vulnerability in the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved on PTX Series allows unauthenticated, network-based attackers to execute code as root. The vulnerable service is exposed over an external port by default and affects Junos OS Evolved versions 25.4 before 25.4R1-S1-EVO and 25.4R2-EVO.

Trending: CVE-2026-21902 is trending due to confirmed exploit code being actively available in public repositories like VulnCheck KEV, prompting Juniper to issue an emergency out-of-band security update. The vulnerability is receiving significant attention because PTX Series routers are critical network infrastructure devices that sit in the core of networks, making them high-value targets for attackers seeking to intercept or redirect data.

Vulnerability: A use-after-free vulnerability in CSS processing within Google Chrome prior to version 145.0.7632.75 allows remote attackers to execute arbitrary code within a sandbox through a crafted HTML page. The vulnerability affects Google Chrome and Chromium-based browsers.

Trending: CVE-2026-2441 is trending due to active exploitation in the wild, with CISA formally adding it to the Known Exploited Vulnerabilities (KEV) catalog and multiple security agencies issuing warnings about ongoing attacks. Google released an emergency patch, and the vulnerability has generated significant social media discussion across multiple platforms regarding the need for immediate updates to block remote code execution attacks.

Vulnerability: CVE-2026-25253 is a critical remote code execution flaw in OpenClaw (clawdbot/Moltbot) before version 2026.1.29 that allows attackers to obtain a gatewayUrl value from a query string and automatically establish WebSocket connections while sending token values without user prompts. The vulnerability affects tens of thousands of exposed OpenClaw instances across multiple deployments.

Trending: This vulnerability is trending due to widespread exploitation in the wild, with security researchers reporting over 42,000 exposed OpenClaw instances, 1.5 million compromised API tokens, and active malicious activity including malicious websites triggering one-click remote code execution. The incident has garnered significant attention on social media and security news outlets as one of the largest AI security incidents, with particular concern raised following a report of a Meta AI safety director's email being deleted by a compromised OpenClaw instance.

Vulnerability: CVE-2026-20127 is an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager that allows unauthenticated remote attackers to obtain administrative privileges and manipulate network configuration through improper peering authentication mechanisms.

Trending: This vulnerability is trending due to active exploitation in the wild by threat actors, with CISA issuing an Emergency Directive ordering federal agencies to mitigate the flaw. Public proof-of-concept exploits have been released, and security agencies including the UK's NCSC are warning of ongoing attacks that bypass multi-factor authentication and enable attackers to control SD-WAN fabrics.

Vulnerability: A critical authentication bypass vulnerability in HPE Aruba Networking AOS-CX switch management interfaces allows unauthenticated remote actors to circumvent authentication controls and reset administrator passwords, affecting multiple CX series switch versions.

Trending: CVE-2026-23813 is trending due to its critical CVSS score of 9.8/10 and widespread coverage across major security news outlets and social media platforms highlighting the severity of unauthenticated remote admin access to enterprise network infrastructure, though current reports indicate no active exploits in the wild yet.

Vulnerability: CVE-2026-1731 is a critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) that allows unauthenticated remote attackers to execute operating system commands by sending specially crafted requests.

Trending: The vulnerability is actively being exploited in the wild with confirmed exploit code available in CISA KEV, Metasploit modules, Nuclei, and VulnCheck. Threat actors are leveraging CVE-2026-1731 to deploy tools like VShell and SparkRAT, establish persistence, conduct lateral movement, and it is being used in ransomware campaigns with an EPSS score exceeding 40%.

Vulnerability: A command injection flaw exists in Wavlink WL-WN578W2 (version 221110) in the Delete_Mac_list/SetName/GuestWifi functions of the /cgi-bin/wireless.cgi POST request handler, allowing remote attackers to execute arbitrary commands.

Trending: This vulnerability is trending due to the availability of a public exploit and active discussion across security communities on Bluesky and Mastodon, with multiple sources emphasizing the critical severity and recommending immediate patching or access restrictions.

Vulnerability: CVE-2026-24289 is a use-after-free flaw in the Windows Kernel that allows an authorized attacker to elevate privileges locally. The vulnerability affects Windows operating systems and was addressed in Microsoft's March 2026 Patch Tuesday release.

Trending: The vulnerability is receiving attention as part of Microsoft's March 2026 Patch Tuesday cycle, which addressed 77-93 vulnerabilities across multiple product families. CVE-2026-24289 is being discussed alongside other privilege escalation vulnerabilities in security news coverage and community channels focused on the monthly patch release.

Vulnerability: CVE-2026-21262 is an improper access control vulnerability in Microsoft SQL Server that allows an authorized attacker to elevate privileges over a network. The flaw affects SQL Server systems and was addressed in Microsoft's March 2026 Patch Tuesday release.

Trending: This vulnerability is trending due to its classification as a publicly disclosed zero-day with a CVSS score of 8.8, included in Microsoft's March 2026 Patch Tuesday that addressed 83-84 vulnerabilities across multiple product families. Security researchers and organizations have highlighted this SQL Server elevation of privilege flaw as a notable threat requiring immediate patching.

Vulnerability: A vulnerability in Backup Viewer allows remote code execution (RCE) as the postgres user. This flaw affects Veeam Backup & Replication and related backup systems.

Trending: This vulnerability is trending due to Veeam's release of critical security patches addressing multiple RCE flaws in its widely-used Backup & Replication platform, with security advisories and urgent patching calls from vendors and security researchers across multiple news outlets and social media platforms.

Vulnerability: An out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network. The vulnerability affects Microsoft.NETCore.App.Runtime.linux-x64 in AWS Lambda base images and other .NET deployments.

Trending: CVE-2026-26127 is trending due to its identification as a publicly disclosed zero-day in Microsoft's March 2026 Patch Tuesday release, alongside widespread coverage of the 83+ vulnerabilities addressed that month. The vulnerability has attracted attention from cloud security and serverless infrastructure communities, with multiple social media mentions highlighting its impact on AWS Lambda deployments.

Vulnerability: A critical vulnerability in Veeam Backup & Replication allows authenticated domain users to execute remote code on the Backup Server. The flaw affects the widely-used backup and replication platform across enterprise environments.

Trending: This vulnerability is trending due to Veeam's release of critical security patches addressing multiple severe RCE flaws, with widespread coverage across security news outlets and urgent calls from vendors for immediate patching. The focus on authenticated user exploitation and impact to backup infrastructure has generated significant attention in enterprise security communities.

Vulnerability: OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability that allows arbitrary OS command execution by attackers with administrative privileges.

Trending: The vulnerability is receiving attention on social media as a HIGH-severity issue, with security researchers and vendors recommending immediate action including review of administrative access, log monitoring, and preparation for patches.

Vulnerability: A stack-based buffer overflow vulnerability exists in the Downloads_Schedule_Info function of /cgi-bin/download_mgr.cgi across multiple D-Link NAS models (DNS-120, DNR-202L, DNS-315L, DNS-320 series, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04) up to firmware version 20260205. The vulnerability can be exploited remotely without authentication.

Trending: This vulnerability is trending due to its high severity rating (CVSS 8.7), public disclosure of the exploit, and active exploitation potential affecting a wide range of D-Link NAS devices. Security researchers are actively alerting users to patch or restrict management access to affected systems immediately.

Vulnerability: A command injection vulnerability exists in D-Link DNS series NAS devices (DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-321, DNS-323, DNS-325, DNS-326, DNS-327L, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04) in the /cgi-bin/dsk_mgr.cgi file's disk management functions, allowing unauthenticated remote command execution.

Trending: The vulnerability is trending due to public exploit availability and active reconnaissance for vulnerable devices. Security researchers are highlighting the lack of authentication requirements and recommending immediate isolation of affected NAS devices pending patch availability.

Vulnerability: A stack-based buffer overflow vulnerability exists in D-Link DIR-619L version 2.06B01 within the formSchedule function of the boa component, allowing remote code execution through manipulation of the curTime argument. The affected device is no longer supported by the manufacturer.

Trending: The vulnerability is gaining attention due to the public release of an exploit and reports indicating active exploitation potential, with security researchers emphasizing the HIGH severity rating and lack of available patches, urging users to replace or isolate affected devices.

Vulnerability: A missing authentication vulnerability was identified in Tiandy Easy7 Integrated Management Platform version 7.17.0, specifically in the /WebService/UpdateLocalDevInfo.jsp file's Device Identifier Handler component, which allows manipulation of username and password arguments to bypass authentication. The vulnerability can be exploited remotely.

Trending: CVE-2026-4187 is trending due to the public availability of working exploits and active exploitation concerns, with security researchers noting that no vendor fix has been released despite early disclosure attempts. The medium severity authentication bypass is drawing attention as organizations are being advised to review access controls and monitor for suspicious activity.

Vulnerability: A vulnerability in Veeam Backup & Replication allows authenticated domain users to perform remote code execution (RCE) on the Backup Server. Multiple critical RCE flaws were identified in the platform and addressed through security patches.

Trending: This vulnerability is trending due to Veeam's release of urgent security patches addressing seven critical flaws in its widely-used Backup & Replication platform, with multiple security organizations and vendors issuing alerts calling for immediate patching by administrators to prevent exploitation of the RCE vulnerabilities affecting backup infrastructure.

Vulnerability: CVE-2026-21668 is an authenticated file manipulation vulnerability affecting Veeam Backup & Replication that allows domain users to bypass restrictions and manipulate arbitrary files on a Backup Repository. This flaw is part of a broader set of critical vulnerabilities in the platform.

Trending: This vulnerability is trending due to Veeam's release of security patches addressing seven critical flaws in Backup & Replication, including multiple remote code execution vulnerabilities affecting authenticated users. The widespread coverage across security outlets and urgent patching advisories have generated significant attention among enterprise backup administrators.

Vulnerability: CVE-2026-21672 is a local privilege escalation vulnerability affecting Windows-based Veeam Backup & Replication servers. The flaw allows attackers with local access to elevate their privileges on the affected backup platform.

Trending: This vulnerability is trending due to Veeam's release of critical security patches addressing multiple severe flaws in Backup & Replication, with multiple news outlets emphasizing urgent patching requirements and the critical nature of related remote code execution vulnerabilities in the same platform.

Vulnerability: CVE-2026-21385 is a memory corruption vulnerability in a Qualcomm component used in Android devices that allows for buffer over-read attacks. The flaw affects Qualcomm chipsets integrated into Android phones and has been confirmed to impact multiple devices globally.

Trending: This vulnerability is trending due to active exploitation in the wild, with CISA adding it to its Known Exploited Vulnerabilities (KEV) catalog and confirming real-world attacks. Google's release of a critical Android security update addressing this zero-day, combined with multiple security agencies and researchers confirming the availability of working exploit code, has generated significant attention across news outlets and social media platforms.

Vulnerability: A remote authentication bypass vulnerability exists in HPE AutoPass License Server (APLS) that allows attackers to gain access without valid credentials. The vulnerability affects HPE's licensing management system used across enterprise infrastructure.

Trending: CVE-2026-23600 is trending due to active exploitation in the wild, with security researchers from Trend Micro's Zero-Day Initiative discovering the flaw and HPE releasing patches. Multiple security news outlets and social media mentions highlight the critical nature of the vulnerability and recommend immediate updates to version 9.19.

Vulnerability: A file handling vulnerability in the API of Cisco Catalyst SD-WAN Manager allows authenticated remote attackers with read-only API credentials to overwrite arbitrary files on the local file system and potentially gain vmanage user privileges.

Trending: This vulnerability is trending due to active exploitation in the wild by threat actors against recently patched Cisco Catalyst SD-WAN systems, with confirmed exploit code available and Cisco issuing urgent warnings to customers to apply security updates.

Vulnerability: An integer overflow or wraparound vulnerability in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network. The vulnerability affects Windows systems and was addressed in Microsoft's March 2026 Patch Tuesday release.

Trending: The vulnerability is trending due to its inclusion in Microsoft's out-of-band and March Patch Tuesday security updates, which collectively addressed 83-84 vulnerabilities across multiple product families. Security organizations and enterprises are actively discussing the RRAS management tool fixes as part of broader patch deployment guidance for Windows environments.

Vulnerability: A command injection vulnerability exists in Wavlink WL-WN579A3 (firmware 220323) affecting the SetName/GuestWifi function in the /cgi-bin/wireless.cgi POST request handler, allowing remote code execution on affected devices.

Trending: The vulnerability is trending due to public exploit code being released and active discussion on security platforms, with multiple sources highlighting the critical severity and the ability for unauthenticated remote exploitation of WL-WN579A3 routers.

Vulnerability: An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.

Trending: CISA has warned that this vulnerability is actively being exploited in the wild, adding it to its Known Exploited Vulnerabilities Catalog. Public exploit code has been confirmed to exist in multiple sources including CISA KEV, Nuclei, and VulnCheck KEV, contributing to significant social media attention with 14 interactions in the past week.

Vulnerability: CVE-2025-68613 is a critical Remote Code Execution vulnerability in n8n, an open source workflow automation platform affecting versions 0.211.0 through 1.122.0. Authenticated attackers can exploit insufficient isolation in the workflow expression evaluation system to execute arbitrary code with the privileges of the n8n process, potentially compromising the entire instance.

Trending: The vulnerability is trending due to active exploitation in the wild, with CISA adding it to its Known Exploited Vulnerabilities catalog and confirming exploit code availability across multiple sources including Metasploit and Nuclei. Reports indicate approximately 24,700 instances remain exposed despite patches being available since January, with an EPSS score exceeding 40%.

Vulnerability: An untrusted pointer dereference vulnerability in Microsoft Office allows an unauthorized attacker to execute code locally. This flaw affects Microsoft Office products and was patched as part of Microsoft's March 2026 Patch Tuesday release.

Trending: CVE-2026-26113 is trending as part of Microsoft's March 2026 Patch Tuesday announcement, where it is highlighted alongside CVE-2026-26110 as a critical Office remote code execution vulnerability with a CVSS score of 8.4 that can be exploited through the preview pane. Multiple security publications and researchers are calling attention to these Office vulnerabilities as requiring urgent patching due to their severity and the widespread use of Office products.

Vulnerability: CVE-2026-21669 is an authenticated remote code execution vulnerability affecting Veeam Backup & Replication that allows a domain user to execute arbitrary code on the Backup Server.

Trending: This vulnerability is gaining attention as part of a critical security update from Veeam addressing seven severe RCE flaws in Backup & Replication. Multiple security outlets have reported on the patches released to remediate these critical code execution vulnerabilities.

Vulnerability: CVE-2026-21671 is a remote code execution vulnerability in Veeam Backup & Replication's high availability deployments that allows authenticated users with the Backup Administrator role to execute arbitrary code.

Trending: The vulnerability is trending due to Veeam releasing critical security patches addressing seven severe RCE flaws in its Backup & Replication platform, with multiple security outlets reporting on the patches as part of a coordinated disclosure effort.

Vulnerability: An integer overflow or wraparound vulnerability exists in Windows Routing and Remote Access Service (RRAS) that allows an authorized attacker to execute code over a network. The vulnerability affects Windows systems running RRAS.

Trending: The vulnerability is trending due to Microsoft's out-of-band security update for Windows 11 Enterprise environments with hotpatching enabled, along with its inclusion in the March Patch Tuesday release addressing 83-84 vulnerabilities across multiple Microsoft product families.

Vulnerability: An integer overflow or wraparound vulnerability exists in Windows Routing and Remote Access Service (RRAS) that allows an authorized attacker to execute code over a network. The vulnerability affects Windows systems with RRAS functionality enabled.

Trending: The vulnerability is trending due to its inclusion in Microsoft's March Patch Tuesday release, where it was addressed alongside 83-84 other vulnerabilities across multiple product families. The out-of-band hotpatch released by Microsoft for Windows 11 Enterprise environments underscores the severity and active attention being given to RRAS security issues.

Vulnerability: A stack-based buffer overflow vulnerability exists in Belkin F9K1122 version 1.00.33 in the formReboot function of the /goform/formReboot file, triggered through manipulation of the webpage argument. The vulnerability allows remote code execution and has been publicly disclosed, with no vendor patch available.

Trending: The vulnerability is trending due to the public availability of exploit code and active remote exploitation potential. Security researchers are urging immediate action to restrict remote access and monitor endpoints, with emphasis on the lack of vendor response or available patches.

Vulnerability: The NEX-Forms – Ultimate Forms Plugin for WordPress plugin is vulnerable to Insecure Direct Object Reference in all versions up to and including 9.1.9 via the submit_nex_form() function due to missing validation on a user controlled key. This allows unauthenticated attackers to overwrite arbitrary form entries via the 'nf_set_entry_update_id' parameter.

Trending: The vulnerability is trending due to its HIGH severity rating and the fact that it can be exploited by unauthenticated attackers to modify form data without authentication. Security researchers are actively warning WordPress administrators to disable or restrict access to the plugin until a patch is released, as no fix is currently available.

Vulnerability: A credential exposure vulnerability in Cisco Catalyst SD-WAN Manager's Data Collection Agent (DCA) feature allows authenticated local attackers to gain DCA user privileges by reading a credential file from the filesystem. Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected.

Trending: CVE-2026-20128 is trending due to active exploitation in the wild by threat actors against recently patched Catalyst SD-WAN systems, with confirmed exploit code publicly available. Cisco has issued multiple advisory updates warning customers and urging immediate patching to mitigate the risk.

Vulnerability: A type confusion vulnerability in Microsoft Office allows an unauthorized attacker to execute code locally through incompatible type access of resources.

Trending: CVE-2026-26110 is trending as part of Microsoft's March 2026 Patch Tuesday release addressing 83 vulnerabilities, including eight Critical severity flaws. The vulnerability gained attention as one of several Office-related RCE issues flagged by security researchers and media outlets as requiring urgent patching, with multiple security organizations highlighting it alongside related Office preview pane vulnerabilities.

Vulnerability: CVE-2026-26144 is a cross-site scripting (XSS) vulnerability in Microsoft Office Excel that allows unauthorized attackers to disclose information over a network through improper neutralization of input during web page generation.

Trending: The vulnerability is trending as part of Microsoft's March 2026 Patch Tuesday release, which addressed 80+ vulnerabilities across multiple product families. News coverage highlights this Excel flaw as a critical issue, with some reports noting it involves a zero-click information disclosure attack leveraging Copilot Agent functionality.

Vulnerability: A Server-Side Template Injection (SSTI) vulnerability exists in Agenta versions prior to 0.86.8, an open-source LLMOps platform. The vulnerability affects self-hosted or managed Agenta platform deployments where the vulnerable template rendering code in the SDK is executed server-side within the API process during evaluator operations, potentially allowing remote code execution.

Trending: The vulnerability is gaining attention on security-focused social media platforms, with multiple posts highlighting it as a HIGH severity issue affecting Agenta deployments. Security monitoring accounts are actively reporting on the SSTI vulnerability and its potential for remote code execution through custom evaluator Jinja2 templates.

Vulnerability: Agenta-API prior to version 0.48.1 contains a Python sandbox escape vulnerability in its custom code evaluator that allows authenticated users to achieve arbitrary code execution on the API server. The flaw stems from incorrectly whitelisting the numpy package in the RestrictedPython sandbox, enabling access to system-level functionality through numpy.ma.core.inspect.

Trending: The vulnerability is receiving security alert coverage across social media platforms, with multiple posts highlighting it as a HIGH severity issue affecting the Agenta self-hosted LLMOps platform. The alerts emphasize the remote code execution risk and direct users to detailed vulnerability information.

Vulnerability: CVE-2026-21536 is a critical remote code execution vulnerability in Microsoft's Devices Pricing Program that allows attackers to execute arbitrary code on affected systems.

Trending: The vulnerability is gaining attention as part of Microsoft's March 2026 Patch Tuesday release, which addressed 82-93 vulnerabilities including eight critical issues. Security researchers and cybersecurity news outlets are highlighting this RCE flaw as a priority patch for organizations using the Microsoft Devices Pricing Program.

Vulnerability: CVE-2026-3823 is a stack-based buffer overflow vulnerability in Atop Technologies' EHG2408 series switches that allows unauthenticated remote attackers to control program execution flow and execute arbitrary code.

Trending: The vulnerability is receiving attention on security-focused social media platforms due to its critical severity, unauthenticated remote exploitability, and the lack of an available patch, with security researchers recommending immediate network segmentation and access restrictions for affected switches.

Vulnerability: A code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) allows unauthenticated attackers to achieve remote code execution through unsafe legacy script handling. The flaw affects enterprise mobile device management infrastructure.

Trending: CVE-2026-1281 is trending due to active exploitation in the wild by threat actors who are leveraging it to gain unauthenticated access to MDM servers, deploy persistent backdoors, and compromise enterprise mobile fleets. Security agencies including Germany's BSI have issued warnings about widespread attacks, with exploitation originating as early as July 2025.

Vulnerability: CVE-2026-0386 is an improper access control flaw in Windows Deployment Services that allows unauthorized attackers to execute code over an adjacent network. The vulnerability affects Windows network deployment functionality including WDS and Unattend.xml.

Trending: The vulnerability is trending due to Microsoft's decision to discontinue automatic Windows network deployments via WDS and Unattend.xml in response to the security flaw, along with concerns about attackers being able to steal credentials through code execution.

Vulnerability: CVE-2026-21670 is a vulnerability allowing a low-privileged user to extract saved SSH credentials. The flaw affects Veeam Backup & Replication.

Trending: The vulnerability is trending due to Veeam's recent release of critical security patches addressing multiple severe flaws in Veeam Backup & Replication, including remote code execution vulnerabilities that have drawn significant attention from security researchers and IT professionals monitoring backup infrastructure threats.

Vulnerability: The User Registration & Membership plugin for WordPress (versions up to 5.1.2) contains an improper privilege management flaw that allows unauthenticated attackers to create administrator accounts by supplying an arbitrary role value during membership registration without server-side validation.

Trending: CVE-2026-1492 is trending due to confirmed exploit code availability in public repositories (nuclei, VulnCheck KEV) and active exploitation affecting over 60,000 WordPress sites, enabling unauthorized administrative access to vulnerable installations.

Vulnerability: LibreChat versions 0.8.2 to 0.8.2-rc3 contain an OAuth callback endpoint vulnerability in the Model Context Protocol (MCP) that stores OAuth tokens without verifying the logged-in user matches the authorization initiator, allowing attackers to steal victim OAuth tokens and take over accounts linked to MCP services like Atlassian and Outlook.

Trending: Security researchers and cybersecurity accounts are actively alerting the community about this vulnerability with urgency, emphasizing the account takeover impact and recommending immediate patching within 24-48 hours; the vulnerability has been assigned a high severity rating (7.6) and is receiving widespread coverage across security-focused social media platforms.

Vulnerability: Roo Code versions 3.25.23 and below contain a vulnerability where VS Code workspace configuration files (.code-workspace) lack the same protections as the .vscode folder. An attacker able to influence prompts through injection could cause malicious workspace settings or tasks to be written, leading to arbitrary code execution when the workspace is reopened if auto-approve file writes is enabled.

Trending: The vulnerability is being flagged as HIGH severity across security monitoring platforms, with alerts highlighting that multiple agents may be affected through shared dependencies.

Vulnerability: Roo Code versions 3.25.23 and below contain a vulnerability where npm install is included in the default list of auto-approved commands. Since npm install executes lifecycle scripts, a malicious postinstall script in a repository's package.json file would be executed automatically without user approval, potentially resulting in arbitrary code execution.

Trending: The vulnerability is being flagged as HIGH severity by security monitoring services on social media, with alerts highlighting that AI agents using the affected versions of Roo Code may be compromised through shared dependencies when opening malicious repositories.