01/07/2026-01/14/2026 Gogs Vulnerability, Microsoft Fixes 114 Windows Flaws, Critical Node.js Vulnerability And More

1. CISA Flags Actively Exploited Gogs Vulnerability With No Patch

A high-severity vulnerability in the self-hosted Git service Gogs is being actively exploited, prompting an alert from CISA. The flaw is tracked as CVE-2025-8110 and carries a CVSS v4.0 score of 8.7. The issue stems from improper handling of symbolic links in Gogs’ PutContents API, allowing authenticated attackers to overwrite files outside a repository and achieve remote code execution. Wiz researchers uncovered the flaw while investigating malware infections and found it was exploited as a zero-day, bypassing earlier protections. More than 700 Gogs instances have already been compromised, and about 1,600 servers remain internet-exposed. No official patch is available yet, though fixes are pending. Until updates are released, organizations are urged to restrict access, disable open registration, and closely monitor for suspicious activity.

2. Microsoft Fixes 114 Windows Flaws in January 2026 Patch, One Actively Exploited

Microsoft has released its first Patch Tuesday update of 2026, fixing 114 security vulnerabilities, including one actively exploited in the wild. Eight flaws are rated Critical and 106 Important, with privilege escalation issues making up the largest category. The update ranks as the third-largest January Patch Tuesday on record.

The actively exploited flaw, CVE-2026-20805 (CVSS 5.5), is an information disclosure vulnerability in the Desktop Window Manager (DWM) that could help attackers undermine protections like ASLR. While exploitation details remain limited, CISA has added it to its KEV catalog, requiring U.S. federal agencies to patch by February 3, 2026.

Microsoft also addressed Edge browser flaws, removed vulnerable legacy Agere modem drivers, and fixed a Secure Boot certificate expiration bypass that could weaken firmware trust. Another high-priority issue is a privilege escalation flaw in Windows Virtualization-Based Security Enclave that could allow attackers to compromise core system protections.

3. Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow

Node.js has released security updates to fix a critical denial-of-service (DoS) issue that could impact “virtually every production Node.js app.” Tracked as CVE-2025-59466 (CVSS 7.5), the flaw occurs when stack space is exhausted in user code while async_hooks is enabled. Instead of throwing a catchable error, Node.js may abruptly exit with code 7, allowing attackers to crash applications using unsanitized, recursion-based input. The issue affects many popular frameworks and monitoring tools that rely on AsyncLocalStorage, including React Server Components, Next.js, and major APM platforms such as Datadog and New Relic. All Node.js versions from 8.x through 18.x are impacted, though only supported releases have been patched.

Fixes are available in Node.js 20.20.0, 22.22.0, 24.13.0, and 25.3.0. Node.js also addressed three additional high-severity vulnerabilities involving data leakage, file access via symlinks, and remote DoS. Users are strongly urged to update promptly.

4. Trend Micro Fixed a Remote Code Execution in Apex Central

Trend Micro has patched three security vulnerabilities in its Apex Central on-premise management console that could enable remote code execution (RCE) or denial-of-service (DoS) attacks. The flaws, discovered by Tenable in August 2025 and tracked as CVE-2025-69258, CVE-2025-69259, and CVE-2025-69260, affect Windows installations running Apex Central versions prior to Build 7190.

The most critical issue, CVE-2025-69258 (CVSS 9.8), is a LoadLibraryEx RCE vulnerability that allows an unauthenticated attacker to load a malicious DLL and execute code with SYSTEM privileges. Tenable released proof-of-concept exploit code demonstrating the attack. The other two flaws, both rated 7.5, are DoS vulnerabilities caused by an unchecked NULL return value and an out-of-bounds read, respectively.
Trend Micro addressed all three issues in Critical Patch Build 7190 and urges customers to apply updates promptly and restrict remote access.