NVD disclosure day

Published threat advisories for January 20, 2026

CVE advisoryCRITICAL

CVE-2025-55130

Node.js Permissions Bypass Allows Arbitrary File Read Write.

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A vulnerability in Node.js's permissions model allows attackers to bypass intended file access restrictions using crafted symbolic link paths, potentially leading to unauthorized reading or writing of sensitive files. This issue breaks isolation guarantees and could result in system compromise. There is uncertainty reg

CVE advisoryCRITICAL

CVE-2025-56005

PLY `yacc()` Undocumented Unsafe Picklefile Parameter Remote Code Execution.

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

An undocumented feature in the PLY library's `yacc()` function allows remote code execution via a `picklefile` parameter that deserializes untrusted `.pkl` files. While this could pose a backdoor risk, its exploitability is disputed, and it requires a developer to use the undocumented feature with malicious input.

CVE advisoryCRITICAL

CVE-2026-23876

ImageMagick XBM Decoder Heap Overflow Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A heap buffer overflow vulnerability exists in the ImageMagick XBM image decoder, allowing attackers to write controlled data beyond allocated memory when processing a crafted image file. This could lead to system compromise, as operations that read or identify images can trigger the overflow, making it exploitable thr