Advisories

HP DeskJet 2855e
- CVE-2026-4682 ‒ HP DeskJet 2855e JobStatusEvent Stack-based Buffer Overflow RCE
  
  A stack buffer overflow vulnerability in SOAP request handling on the JobStatusEvent endpoint allows remote code execution.
  
  Reported by: Alain, Felipe
  
  Apr 17, 2026
Canon imageCLASS MF654Cdw
- CVE-2025-14237 ‒ Canon imageCLASS MF654Cdw TTF Parsing Integer Overflow RCE
  
  An integer overflow in the TTF parser leads to a heap under allocation, resulting in remote code execution.
  
  Reported by: Alain, Florian
  
  Apr 15, 2026
PDF-XChange Editor
- CVE-2026-2040 ‒ PDF-XChange Editor TrackerUpdate Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
  
  The TrackerUpdate process loads libraries from an unsecured location, leading to privilege escalation.
  
  Reported by: Kolja
  
  Mar 23, 2026
Wazuh
- CVE-2025-59938 ‒ Heap Buffer Overflow in wazuh-analysisd
  
  Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions >=3.8.0 through <4.11.0, wazuh-analysisd is vulnerable to a heap buffer overflow when parsing XML elements from Windows EventChannel messages.
  
  Reported by: Konstantin
  
  Sep 26, 2025
Parallels Client
- CVE-2025-6812 ‒ Parallels Client Local Privilege Escalation Vulnerability
  
  The AppServer service installed with Parallel Client searches for an OpenSSL config file in an unsecured location, which allowed low privileged users to escalate their privileges.
  
  Reported by: Kolja
  
  Jul 7, 2025
Windows SDK
- CVE-2025-47962 ‒ Improper Access Control in Windows SDK
  
  The service `IpOverUsbSvc` installed with the Windows SDK had weak permissions on it's installation folder, which allowed low privileged users to escalate their privileges to `SYSTEM`.
  
  Reported by: Kolja
  
  Jun 10, 2025
Virtual CloneDrive
- CVE-2025-1865 ‒ Local Privilege Escalation in Virtual CloneDrive Kernel Driver
  
  Virtual CloneDrive allows users to mount ISO files and other disk image formats as virtual drives on their computer. Its kernel driver, accessible to low-privileged users, exposes a function that fails to properly validate the privileges of the calling process. This allows creating files at arbitrary locations with full user control, ultimately allowing for privilege escalation to `SYSTEM`.
  
  Reported by: Kolja
  
  Apr 4, 2025
Woodpecker
- CVE-2024-41121 ‒ Privilege Escalation via Custom Workspace
  
  Woodpecker is a simple yet powerful CI/CD engine with great extensibility. However, a vulnerability was identified that allows any user with permission to create workflows and trigger pipeline runs to takeover the host. This vulnerability poses two potential risks: 1. Malicious workflows could lead to a host takeover of the agent executing the workflow. 2. Attackers could extract sensitive secrets that are typically to the plugins, by overwriting their entry points. These issues have been addressed in release version 2.7.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
  
  Reported by: Daniel, Felipe
  
  Jul 19, 2024

Newer advisories

1 / 2

Disclosure Policy

We take responsible disclosure seriously.

We adhere to an industry-standard 90+30 disclosure policy. This means once we notify the vendor about a security vulnerability, they have 90 days to create a patch and make it available for users. Neodyme will publicly disclose vulnerability details 30 days after the patch has been made available to users. If the vendor does not patch an issue within the initial 90 days, Neodyme reserves the right to publicize details of the vulnerability at the end of the 90-day period. However, the vendor has the option to receive an additional 14 day grace period to release a patch upon request. In such a case, Neodyme will publicize vulnerability details 120 days after the initial disclosure. This policy is inspired by the Google Project Zero disclosure policy.

HP DeskJet 2855e

Canon imageCLASS MF654Cdw

PDF-XChange Editor

Wazuh

Parallels Client

Windows SDK

Virtual CloneDrive

Woodpecker

Disclosure Policy