A security bypass vulnerability in pnpm v10+ allows git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval.

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-9 and 6.9.13-34, there is a vulnerability in ImageMagick’s Magick++ layer that manifests when Options::fontFamily is invoked with an empty string.

The Apache Software Foundation has released Apache HTTP Server 2.4.66 to address multiple vulnerabilities in the Apache HTTP Server 2.4 series.

On December 19, 2025, MongoDB disclosed information regarding a vulnerability (CVE-2025-14847) in MongoDB involving information disclosure from uninitialized heap memory. If exploited, an unauthenticated remote third party could send specially crafted communications to read information remaining in uninitialized heap memory, potentially leading to the leakage of confidential information (such as API keys and credentials) stored within MongoDB.

The state of cybersecurity in Japan as of January 11, 2026.

There is a defect in the CPython standard library module “mimetypes” where on Windows the default list of known file locations are writable meaning other users can create invalid files to cause MemoryError to be raised on Python runtime startup or have file extensions be interpreted as the incorrect file type. This defect is caused by the default locations of Linux and macOS platforms also being used on Windows, where they are user-writable locations. To work-around this issue a user can call mimetypes.init() with an empty list (“[]”) on Windows platforms to avoid using the default list of known file locations.

Vulnerability Summary: CVE-2025-68615
This is a critical vulnerability in the Net-SNMP trap reception daemon (snmptrapd), disclosed in late December 2025.

Caught a cold

OpenBlocks series provided by Plat'Home Co.,Ltd. contains an authentication bypass vulnerability.