Top CVEs of December 2025
December 2025 saw five critical vulnerabilities requiring immediate attention. React2Shell (CVE-2025-55182) enables unauthenticated remote code execution in React 19 and Next.js through Server Components deserialization flaws. Apache Tika (CVE-2025-66516) suffers from XXE/SSRF vulnerabilities allowing file disclosure and internal network access. SmarterMail (CVE-2025-52691) permits unauthenticated arbitrary file uploads leading to web shell deployment. Windows MSHTML (CVE-2025-36918) contains a use-after-free vulnerability exploitable via malicious documents. Net-SNMP (CVE-2025-68615) has a stack buffer overflow in snmptrapd allowing remote code execution via crafted UDP packets. All vulnerabilities have public exploits and require immediate patching.
Table of contents
1. CVE-2025-55182 | React2Shell: Unauthenticated Remote Code Execution
2. CVE-2025-66516 | Apache Tika Unauthenticated XXE and SSRF Vulnerability
3. CVE-2025-52691 | SmarterTools SmarterMail Unauthenticated Arbitrary File Upload
4. CVE-2025-36918 | Windows MSHTML Platform Remote Code Execution Vulnerability
5. CVE-2025-68615 | Net-SNMP snmptrapd Remote Stack-Based Buffer Overflow
6. Final Take