In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between December 27-28, 2025.
During this period, the National Vulnerability Database published 20 new Common Vulnerabilities and Exposures (CVEs), classified by severity as follows:
Critical: 2
High: 1
Medium: 9
Low: 0
Severity Not Assigned: 8
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2025-66203
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 6.0
Description: StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and subsequently used in YtDlpUtil.java when constructing the command line to execute yt-dlp. This issue has been patched in version 251126.
References: https://github.com/lemon8866/StreamVault/releases/tag/251226
https://github.com/lemon8866/StreamVault/security/advisories/GHSA-c747-q388-3v6m
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
2. CVE-2025-59946
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: NanoMQ MQTT Broker (NanoMQ) is an Edge Messaging Platform. Prior to version 0.24.2, there is a classic data race on the sub info list that could result in a heap use-after-free crash. This issue has been patched in version 0.24.2.
References: https://github.com/nanomq/nanomq/issues/1863
https://github.com/nanomq/nanomq/security/advisories/GHSA-xg37-23w7-72p5
CWE-ID: CWE-416
Common Platform Enumerations (CPE): Not Found
3. CVE-2025-54322
Base Score: 10.0
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 6.0
Description: Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.
References: https://pwn.ai/blog/cve-2025-54322-zeroday-unauthenticated-root-rce-affecting-70-000-hosts
https://www.xspeeder.com
CWE-ID: CWE-95
Common Platform Enumerations (CPE): Not Found