Critical React, Next.js flaw lets hackers execute code on servers

A maximum severity vulnerability, dubbed 'React2Shell', in the React Server Components (RSC) 'Flight' protocol allows remote code execution without authentication in React and Next.js applications.
CSO Online

December Patch Tuesday: Windows Cloud Files Mini Filter Driver hole already being exploited

Attacker with local access could escalate privileges, Microsoft warns; analyst calls it ‘the most urgent concern’ this month.