Overview
- CISA cited evidence of active exploitation and, under BOD 22-01 (the Known Exploited Vulnerabilities directive), directed federal civilian agencies to remediate the four CVEs below by February 12, 2026.
- CVE-2025-31125 in Vite lets an unauthenticated client read arbitrary files from the host when the dev server is exposed to the network (for example, started with `--host`); fixes are available in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
- CVE-2025-34026 in Versa Concerto is an authentication bypass caused by a Traefik reverse-proxy misconfiguration; it affects versions 12.1.2 through 12.2.0 and is addressed in 12.2.1 GA.
- CVE-2025-68645 in Zimbra ZCS 10.0 through 10.1 permits unauthenticated local file inclusion via the /h/rest endpoint; it is patched in 10.1.13, and exploitation has been observed since January 14, 2026.
- CVE-2025-54313 documents a supply-chain compromise of eslint-config-prettier: versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7 were published with a malicious install script that, on Windows, attempts to load node-gyp.dll. Because the payload runs at install time, any Windows host that installed one of those releases should be treated as potentially compromised, not merely in need of an upgrade.