| CVE | CVSS | EPSS | Posts | Repos | Nuclei | Updated | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41433 | 8.4 | 0.00% | 2 | 0 | 2026-04-25T03:16:04.950000 | OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the Op | |
| CVE-2026-41266 | 7.5 | 0.05% | 2 | 0 | 2026-04-25T02:16:02.477000 | Flowise is a drag & drop user interface to build a customized large language mod | |
| CVE-2026-42171 | 7.8 | 0.00% | 2 | 0 | 2026-04-24T22:16:01.540000 | NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the | |
| CVE-2024-7399 | 8.8 | 71.00% | 6 | 1 | template | 2026-04-24T21:33:00 | Improper limitation of a pathname to a restricted directory vulnerability in Sam |
| CVE-2026-41044 | 8.8 | 0.06% | 2 | 0 | 2026-04-24T21:32:00 | Improper Input Validation, Improper Control of Generation of Code ('Code Injecti | |
| CVE-2026-40466 | 8.8 | 0.06% | 2 | 0 | 2026-04-24T21:32:00 | Improper Input Validation, Improper Control of Generation of Code ('Code Injecti | |
| CVE-2026-23902 | 8.1 | 0.02% | 2 | 0 | 2026-04-24T21:32:00 | Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenti | |
| CVE-2026-34415 | 9.8 | 0.19% | 2 | 0 | 2026-04-24T21:32:00 | Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input vali | |
| CVE-2026-41478 | 9.9 | 0.00% | 2 | 0 | 2026-04-24T21:16:19.353000 | Saltcorn is an extensible, open source, no-code database application builder. Pr | |
| CVE-2026-41428 | 9.1 | 0.00% | 2 | 0 | 2026-04-24T21:16:18.860000 | Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated | |
| CVE-2026-40575 | 9.1 | 0.08% | 1 | 0 | 2026-04-24T21:11:10 | ### Impact A configuration-dependent authentication bypass exists in OAuth2 Pro | |
| CVE-2026-41324 | 7.5 | 0.04% | 1 | 0 | 2026-04-24T21:02:13 | ### Summary `basic-ftp@5.2.2` is vulnerable to denial of service through unbound | |
| CVE-2026-41323 | 8.1 | 0.02% | 1 | 0 | 2026-04-24T21:02:12 | ## Summary Kyverno's apiCall feature in ClusterPolicy automatically attaches th | |
| CVE-2026-41275 | 7.5 | 0.03% | 2 | 0 | 2026-04-24T21:01:15 | **Summary:** The password reset functionality on [cloud.flowiseai.com](http://cl | |
| CVE-2026-41276 | 9.8 | 0.15% | 2 | 0 | 2026-04-24T21:01:10 | ZDI-CAN-28762: Flowise AccountService resetPassword Authentication Bypass Vulner | |
| CVE-2026-41277 | 8.8 | 0.05% | 2 | 0 | 2026-04-24T21:01:05 | ### Summary A Mass Assignment vulnerability in the DocumentStore creation endpoi | |
| CVE-2026-41278 | 7.5 | 0.04% | 2 | 0 | 2026-04-24T21:00:59 | ### Summary The `GET /api/v1/public-chatflows/:id` endpoint returns the full ch | |
| CVE-2026-41268 | 7.7 | 0.17% | 1 | 0 | 2026-04-24T20:58:07 | ### Summary Flowise is vulnerable to a critical unauthenticated remote command | |
| CVE-2026-41241 | 8.7 | 0.03% | 1 | 0 | 2026-04-24T20:54:43 | The organiser search in the pretalx backend rendered submission titles, speaker | |
| CVE-2026-41230 | 8.5 | 0.04% | 1 | 0 | 2026-04-24T20:54:08 | ## Summary `DomainZones::add()` accepts arbitrary DNS record types without a wh | |
| CVE-2026-41228 | 10.0 | 0.06% | 1 | 0 | 2026-04-24T20:53:54 | ## Summary The Froxlor API endpoint `Customers.update` (and `Admins.update`) do | |
| CVE-2026-41175 | 8.1 | 0.05% | 1 | 0 | 2026-04-24T20:52:07 | ### Impact Manipulating query parameters on Control Panel and REST API endpoint | |
| CVE-2026-41138 | 8.3 | 0.43% | 1 | 0 | 2026-04-24T20:45:21 | ## Description ### Summary “AirtableAgent” is an agent function provided by Fl | |
| CVE-2026-41133 | 8.8 | 0.03% | 1 | 0 | 2026-04-24T20:42:30 | ### Summary pyLoad caches `role` and `permission` in the session at login and co | |
| CVE-2026-41064 | 9.3 | 0.03% | 1 | 0 | 2026-04-24T20:41:24 | ### Summary The incomplete fix for AVideo's `test.php` adds `escapeshellarg` fo | |
| CVE-2026-41059 | 8.2 | 0.13% | 1 | 0 | 2026-04-24T20:40:59 | ### Impact A configuration-dependent authentication bypass exists in OAuth2 Pro | |
| CVE-2026-41492 | 9.8 | 0.00% | 4 | 0 | 2026-04-24T20:16:28.470000 | Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraphl | |
| CVE-2024-57726 | 9.9 | 0.31% | 6 | 0 | 2026-04-24T19:26:52.160000 | SimpleHelp remote support software v5.5.7 and before has a vulnerability that al | |
| CVE-2026-41327 | 9.1 | 0.00% | 6 | 0 | 2026-04-24T19:17:12.407000 | Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulner | |
| CVE-2026-41273 | 8.2 | 0.09% | 2 | 0 | 2026-04-24T19:17:11.530000 | Flowise is a drag & drop user interface to build a customized large language mod | |
| CVE-2026-33524 | 7.5 | 0.00% | 2 | 0 | 2026-04-24T19:17:09.850000 | Zserio is a framework for serializing structured data with a compact and efficie | |
| CVE-2024-57728 | 7.2 | 1.17% | 6 | 0 | 2026-04-24T18:31:38 | SimpleHelp remote support software v5.5.7 and before allows admin users to uploa | |
| CVE-2026-39920 | 9.8 | 0.00% | 2 | 0 | 2026-04-24T18:31:18 | BridgeHead FileStore versions prior to 24A (released in early 2024) expose the A | |
| CVE-2025-29635 | 8.8 | 1.25% | 7 | 0 | 2026-04-24T18:30:36 | A command injection vulnerability in D-Link DIR-823X 240126 and 240802 allows an | |
| CVE-2026-41066 | 7.5 | 0.00% | 2 | 0 | 2026-04-24T17:56:41.280000 | lxml is a library for processing XML and HTML in the Python language. Prior to 6 | |
| CVE-2026-6912 | 8.8 | 0.00% | 4 | 0 | 2026-04-24T17:56:41.280000 | Improperly controlled modification of dynamically-determined object attributes i | |
| CVE-2026-41068 | 7.7 | 0.03% | 1 | 0 | 2026-04-24T17:16:21.240000 | Kyverno is a policy engine designed for cloud native platform engineering teams. | |
| CVE-2026-34063 | 7.5 | 0.04% | 1 | 0 | 2026-04-24T17:12:23.350000 | Nimiq's network-libp2p is a Nimiq network implementation based on libp2p. Prior | |
| CVE-2026-33471 | 9.6 | 0.03% | 2 | 0 | 2026-04-24T17:11:40.037000 | nimiq-block contains block primitives to be used in Nimiq's Rust implementation. | |
| CVE-2026-6919 | 9.6 | 0.03% | 2 | 0 | 2026-04-24T16:39:50.947000 | Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a re | |
| CVE-2026-6920 | 9.6 | 0.07% | 2 | 0 | 2026-04-24T16:39:41.147000 | Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 al | |
| CVE-2026-41271 | 8.3 | 0.05% | 2 | 0 | 2026-04-24T16:37:54.877000 | Flowise is a drag & drop user interface to build a customized large language mod | |
| CVE-2026-41279 | 7.5 | 0.04% | 2 | 0 | 2026-04-24T16:31:36.040000 | Flowise is a drag & drop user interface to build a customized large language mod | |
| CVE-2026-41328 | 9.1 | 0.00% | 2 | 0 | 2026-04-24T15:41:45 | ## 1. Executive Summary A vulnerability has been found in Dgraph that gives an | |
| CVE-2026-21728 | 7.5 | 0.01% | 2 | 0 | 2026-04-24T15:33:39 | Tempo queries with large limits can cause large memory allocations which can imp | |
| CVE-2026-21515 | 10.0 | 0.00% | 2 | 0 | 2026-04-24T15:32:39 | Exposure of sensitive information to an unauthorized actor in Azure IOT Central | |
| CVE-2026-41246 | 8.1 | 0.07% | 1 | 0 | 2026-04-24T15:19:50 | ### Impact Contour's [Cookie Rewriting](https://projectcontour.io/docs/1.33/con | |
| CVE-2026-41137 | 8.8 | 0.62% | 2 | 0 | 2026-04-24T15:15:47.703000 | Flowise is a drag & drop user interface to build a customized large language mod | |
| CVE-2026-41264 | 9.8 | 0.11% | 2 | 0 | 2026-04-24T15:15:17.923000 | Flowise is a drag & drop user interface to build a customized large language mod | |
| CVE-2026-41265 | 9.8 | 0.06% | 2 | 0 | 2026-04-24T15:15:09.260000 | Flowise is a drag & drop user interface to build a customized large language mod | |
| CVE-2026-41267 | 8.1 | 0.04% | 1 | 0 | 2026-04-24T15:14:48.233000 | Flowise is a drag & drop user interface to build a customized large language mod | |
| CVE-2026-31952 | 7.6 | 0.06% | 2 | 0 | 2026-04-24T14:50:56.203000 | Xibo is an open source digital signage platform with a web content management sy | |
| CVE-2026-33694 | 0 | 0.01% | 1 | 0 | 2026-04-24T14:50:56.203000 | This vulnerability allows an attacker to create a junction, enabling the deletio | |
| CVE-2026-41316 | 8.1 | 0.08% | 1 | 0 | 2026-04-24T14:50:56.203000 | ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published | |
| CVE-2026-41679 | 10.0 | 0.17% | 2 | 1 | 2026-04-24T14:50:56.203000 | Paperclip is a Node.js server and React UI that orchestrates a team of AI agents | |
| CVE-2026-41229 | 9.1 | 0.04% | 1 | 0 | 2026-04-24T14:50:56.203000 | Froxlor is open source server administration software. Prior to version 2.3.6, ` | |
| CVE-2026-6887 | 9.8 | 0.08% | 3 | 0 | 2026-04-24T14:50:56.203000 | Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has | |
| CVE-2025-62373 | 9.8 | 0.30% | 1 | 0 | 2026-04-24T14:50:56.203000 | Pipecat is an open-source Python framework for building real-time voice and mult | |
| CVE-2026-40517 | 7.8 | 0.02% | 1 | 0 | 2026-04-24T14:50:56.203000 | radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB par | |
| CVE-2026-34003 | 7.8 | 0.01% | 2 | 0 | 2026-04-24T14:41:55.890000 | A flaw was found in the X.Org X server's XKB key types request validation. A loc | |
| CVE-2026-39087 | 9.8 | 0.25% | 1 | 0 | 2026-04-24T14:41:55.890000 | An issue in Ntfy ntfy.sh before v.2.21 allows a remote attacker to execute arbit | |
| CVE-2026-31178 | 9.8 | 0.06% | 1 | 0 | 2026-04-24T14:41:55.890000 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allo | |
| CVE-2026-32210 | 9.3 | 0.04% | 1 | 0 | 2026-04-24T14:41:16.553000 | Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an | |
| CVE-2026-41336 | 7.8 | 0.01% | 1 | 0 | 2026-04-24T14:40:53.523000 | OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_B | |
| CVE-2026-40630 | 9.8 | 0.09% | 3 | 0 | 2026-04-24T14:40:12.517000 | A vulnerability in SenseLive X3050’s web management interface allows unauthor | |
| CVE-2026-5367 | 8.6 | 0.00% | 2 | 0 | 2026-04-24T14:39:28.770000 | A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending cr | |
| CVE-2026-34310 | 7.5 | 0.03% | 1 | 0 | 2026-04-24T14:25:32.370000 | Vulnerability in the Oracle Financial Services Analytical Applications Infrastru | |
| CVE-2026-22753 | 7.5 | 0.05% | 1 | 0 | 2026-04-24T14:17:02.280000 | Vulnerability in Spring Spring Security. If an application is using securityMatc | |
| CVE-2026-40937 | 8.3 | 0.05% | 1 | 0 | 2026-04-24T13:12:29.780000 | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alph | |
| CVE-2026-1950 | 9.8 | 0.04% | 2 | 0 | 2026-04-24T09:30:36 | Delta Electronics AS320T has No checking of the length of the buffer with the f | |
| CVE-2026-1952 | 9.8 | 0.04% | 3 | 0 | 2026-04-24T09:30:36 | Delta Electronics AS320T has denial of service via the undocumented subfunction | |
| CVE-2026-1951 | 9.8 | 0.01% | 2 | 0 | 2026-04-24T09:30:36 | Delta Electronics AS320T has no checking of the length of the buffer with the di | |
| CVE-2026-1949 | 9.8 | 0.02% | 1 | 0 | 2026-04-24T06:31:23 | Delta Electronics AS320T has incorrect calculation of the buffer size on the sta | |
| CVE-2026-5364 | 8.1 | 0.11% | 1 | 0 | 2026-04-24T06:31:23 | The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnera | |
| CVE-2026-27841 | 8.1 | 0.01% | 2 | 0 | 2026-04-24T00:32:04 | A vulnerability in SenseLive X3050's web management interface allows state-chang | |
| CVE-2026-35064 | 7.5 | 0.05% | 2 | 0 | 2026-04-24T00:32:04 | A vulnerability in SenseLive X3050’s management ecosystem allows unauthenticated | |
| CVE-2026-39462 | 8.1 | 0.04% | 3 | 0 | 2026-04-24T00:32:04 | A vulnerability exists in SenseLive X3050’s web management interface in which pa | |
| CVE-2026-35503 | 9.8 | 0.06% | 2 | 0 | 2026-04-24T00:32:04 | A vulnerability in SenseLive X3050’s web management interface allows authenticat | |
| CVE-2026-25775 | 9.8 | 0.07% | 3 | 0 | 2026-04-24T00:32:03 | A vulnerability in SenseLive X3050’s remote management service allows firmware r | |
| CVE-2026-27843 | 9.1 | 0.07% | 3 | 0 | 2026-04-24T00:32:03 | A vulnerability exists in SenseLive X3050's web management interface that allows | |
| CVE-2026-40623 | 8.1 | 0.03% | 2 | 0 | 2026-04-24T00:32:03 | A vulnerability in SenseLive X3050's web management interface allows critical sy | |
| CVE-2026-40620 | 9.8 | 0.07% | 3 | 0 | 2026-04-24T00:32:03 | A vulnerability in SenseLive X3050’s embedded management service allows full adm | |
| CVE-2026-41349 | 8.8 | 0.11% | 1 | 0 | 2026-04-24T00:32:03 | OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allow | |
| CVE-2026-41353 | 8.1 | 0.04% | 1 | 0 | 2026-04-24T00:32:03 | OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the | |
| CVE-2026-41352 | 8.8 | 0.37% | 1 | 0 | 2026-04-24T00:32:03 | OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a | |
| CVE-2026-24303 | 9.6 | 0.04% | 2 | 0 | 2026-04-24T00:31:58 | Improper access control in Microsoft Partner Center allows an authorized attacke | |
| CVE-2026-26150 | 8.6 | 0.06% | 2 | 0 | 2026-04-24T00:31:58 | Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized a | |
| CVE-2026-26210 | 9.8 | 0.04% | 1 | 0 | 2026-04-24T00:31:58 | KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in | |
| CVE-2026-32172 | 8.0 | 0.04% | 1 | 0 | 2026-04-24T00:31:58 | Uncontrolled search path element in Microsoft Power Apps allows an unauthorized | |
| CVE-2026-33819 | 10.0 | 0.27% | 1 | 0 | 2026-04-24T00:31:58 | Deserialization of untrusted data in Microsoft Bing allows an unauthorized attac | |
| CVE-2026-33102 | 9.3 | 0.04% | 1 | 0 | 2026-04-24T00:31:58 | Url redirection to untrusted site ('open redirect') in M365 Copilot allows an un | |
| CVE-2026-40886 | 7.7 | 0.04% | 1 | 0 | 2026-04-23T21:39:22 | ### Summary An unchecked array index in the pod informer's `podGCFromPod()` fun | |
| CVE-2026-31181 | 9.8 | 0.06% | 1 | 0 | 2026-04-23T21:32:27 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allo | |
| CVE-2026-6942 | 9.8 | 0.27% | 1 | 0 | 2026-04-23T21:31:30 | radare2-mcp version 1.6.0 and earlier contains an os command injection vulnerabi | |
| CVE-2026-31177 | 9.8 | 0.06% | 1 | 0 | 2026-04-23T21:31:22 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allo | |
| CVE-2026-28950 | 6.2 | 0.01% | 4 | 0 | 2026-04-23T21:31:21 | A logging issue was addressed with improved data redaction. This issue is fixed | |
| CVE-2026-33318 | 8.8 | 0.07% | 2 | 0 | 2026-04-23T21:23:40 | ### Summary Any authenticated user (including `BASIC` role) can escalate to `AD | |
| CVE-2026-41135 | 7.5 | 0.10% | 1 | 0 | 2026-04-23T19:41:18.127000 | free5GC UDR is the Policy Control Function (PCF) for free5GC, an an open-source | |
| CVE-2026-41461 | 8.5 | 0.04% | 1 | 0 | 2026-04-23T18:33:26 | SocialEngine versions 7.8.0 and prior contain a blind server-side request forger | |
| CVE-2026-33999 | 7.8 | 0.01% | 2 | 0 | 2026-04-23T18:33:25 | A flaw was found in the X.Org X server. This integer underflow vulnerability, sp | |
| CVE-2026-23751 | 9.8 | 0.16% | 1 | 0 | 2026-04-23T18:33:25 | Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versi | |
| CVE-2026-40471 | 9.6 | 0.02% | 1 | 0 | 2026-04-23T18:33:25 | hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its en | |
| CVE-2026-40470 | 9.9 | 0.05% | 1 | 0 | 2026-04-23T18:33:25 | A critical XSS vulnerability affected hackage-server and hackage.haskell.org. H | |
| CVE-2026-40472 | 9.9 | 0.05% | 1 | 0 | 2026-04-23T18:33:23 | In hackage-server, user-controlled metadata from .cabal files are rendered into | |
| CVE-2026-35225 | None | 0.14% | 1 | 0 | 2026-04-23T18:33:23 | An unauthenticated remote attacker is able to exhaust all available TCP connecti | |
| CVE-2026-34001 | 7.8 | 0.01% | 2 | 0 | 2026-04-23T18:33:21 | A flaw was found in the X.Org X server. This use-after-free vulnerability occurs | |
| CVE-2026-41460 | 9.8 | 0.17% | 1 | 0 | 2026-04-23T18:33:20 | SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in t | |
| CVE-2026-3844 | 9.8 | 0.06% | 4 | 3 | 2026-04-23T14:28:55.557000 | The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads du | |
| CVE-2026-39440 | 9.9 | 0.02% | 1 | 0 | 2026-04-23T14:28:55.557000 | Improper Control of Generation of Code ('Code Injection') vulnerability in Funne | |
| CVE-2026-6903 | 7.5 | 0.03% | 1 | 0 | 2026-04-23T12:31:45 | The LabOne Web Server, backing the LabOne User Interface, contains insufficient | |
| CVE-2026-6886 | 9.8 | 0.16% | 1 | 0 | 2026-04-23T12:31:45 | Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has | |
| CVE-2026-6885 | 9.8 | 0.19% | 1 | 0 | 2026-04-23T12:31:45 | Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has | |
| CVE-2026-34286 | 9.1 | 0.05% | 2 | 0 | 2026-04-23T12:07:46.893000 | Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion | |
| CVE-2026-34287 | 9.1 | 0.05% | 1 | 0 | 2026-04-23T12:07:28.307000 | Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion | |
| CVE-2026-41040 | 7.5 | 0.04% | 2 | 0 | 2026-04-23T09:33:05 | GROWI provided by GROWI, Inc. is vulnerable to a regular expression denial of se | |
| CVE-2026-41455 | 8.5 | 0.03% | 1 | 0 | 2026-04-23T00:31:19 | WeKan before 8.35 contains a server-side request forgery vulnerability in webhoo | |
| CVE-2026-41454 | 8.3 | 0.04% | 1 | 0 | 2026-04-23T00:31:19 | WeKan before 8.35 contains a missing authorization vulnerability in the Integrat | |
| CVE-2026-33825 | 7.8 | 3.82% | 3 | 3 | 2026-04-23T00:31:18 | Insufficient granularity of access control in Microsoft Defender allows an autho | |
| CVE-2026-41468 | 8.7 | 0.07% | 1 | 0 | 2026-04-22T21:32:18 | Beghelli Sicuro24 SicuroWeb embeds AngularJS 1.5.2, an end-of-life component con | |
| CVE-2026-40372 | 9.1 | 0.04% | 1 | 0 | 2026-04-22T21:24:26.997000 | Improper verification of cryptographic signature in ASP.NET Core allows an unaut | |
| CVE-2026-35231 | 7.5 | 0.03% | 1 | 0 | 2026-04-22T21:24:26.997000 | Vulnerability in the Oracle Financial Services Transaction Filtering product of | |
| CVE-2026-34065 | 7.5 | 0.04% | 1 | 0 | 2026-04-22T19:19:28 | ### Impact An untrusted p2p peer can cause a node to panic by announcing an elec | |
| CVE-2026-22754 | 7.5 | 0.03% | 1 | 0 | 2026-04-22T18:32:53 | Vulnerability in Spring Spring Security. If an application uses <sec:intercept-u | |
| CVE-2026-35344 | 3.3 | 0.01% | 1 | 0 | 2026-04-22T18:31:54 | The dd utility in uutils coreutils suppresses errors during file truncation oper | |
| CVE-2026-34309 | 8.1 | 0.03% | 1 | 0 | 2026-04-22T18:31:42 | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleS | |
| CVE-2026-34291 | 8.7 | 0.05% | 1 | 0 | 2026-04-22T15:32:43 | Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (com | |
| CVE-2026-34320 | 7.5 | 0.03% | 1 | 0 | 2026-04-22T15:32:43 | Vulnerability in the Oracle Financial Services Customer Screening product of Ora | |
| CVE-2026-5398 | 8.4 | 0.01% | 1 | 0 | 2026-04-22T15:32:43 | The implementation of TIOCNOTTY failed to clear a back-pointer from the structur | |
| CVE-2026-34290 | 7.5 | 0.04% | 1 | 0 | 2026-04-22T15:32:42 | Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion | |
| CVE-2026-34305 | 7.5 | 0.03% | 2 | 0 | 2026-04-22T15:31:41 | Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware | |
| CVE-2026-34279 | 9.1 | 0.04% | 1 | 0 | 2026-04-22T15:31:40 | Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle E | |
| CVE-2026-34297 | 7.5 | 0.04% | 2 | 0 | 2026-04-22T15:31:40 | Vulnerability in the Oracle HCM Common Architecture product of Oracle E-Business | |
| CVE-2026-34285 | 9.1 | 0.05% | 1 | 0 | 2026-04-22T15:31:39 | Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion | |
| CVE-2026-6022 | 7.5 | 0.04% | 1 | 0 | 2026-04-22T09:31:40 | In Progress® Telerik® UI for AJAX prior to 2026.1.421, RadAsyncUpload contains a | |
| CVE-2026-6023 | 8.1 | 0.34% | 1 | 0 | 2026-04-22T09:31:40 | In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the R | |
| CVE-2026-6784 | 7.5 | 0.04% | 1 | 0 | 2026-04-22T00:32:48 | Memory safety bugs present in Firefox 149 and Thunderbird 149. Some of these bug | |
| CVE-2026-41197 | None | 0.04% | 1 | 0 | 2026-04-21T20:16:10 | ## Description Noir programs can invoke external functions through foreign call | |
| CVE-2026-40050 | 9.8 | 0.27% | 4 | 0 | 2026-04-21T18:32:04 | CrowdStrike has released security updates to address a critical unauthenticated | |
| CVE-2026-5752 | 9.4 | 0.02% | 2 | 0 | 2026-04-21T15:33:24 | Sandbox Escape Vulnerability in Terrarium allows arbitrary code execution with r | |
| CVE-2026-33626 | 7.5 | 0.03% | 6 | 0 | 2026-04-21T15:04:13 | ## Summary A Server-Side Request Forgery (SSRF) vulnerability exists in LMDeplo | |
| CVE-2025-48700 | 6.1 | 20.00% | 1 | 0 | 2026-04-21T13:00:03.373000 | An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 an | |
| CVE-2026-40897 | 8.8 | 0.00% | 2 | 0 | 2026-04-16T22:38:44 | ### Impact This security vulnerability allowed executing arbitrary JavaScript vi | |
| CVE-2026-34197 | 8.8 | 59.42% | 2 | 9 | template | 2026-04-16T19:59:38.107000 | Improper Input Validation, Improper Control of Generation of Code ('Code Injecti |
| CVE-2026-40882 | 7.6 | 0.06% | 1 | 0 | 2026-04-15T21:17:56 | ### Summary The Velbus asset import path parses attacker-controlled XML without | |
| CVE-2026-32201 | 6.5 | 7.94% | 1 | 1 | 2026-04-14T18:30:55 | Improper input validation in Microsoft Office SharePoint allows an unauthorized | |
| CVE-2026-33824 | 9.8 | 0.10% | 1 | 2 | 2026-04-14T18:30:52 | Double free in Windows IKE Extension allows an unauthorized attacker to execute | |
| CVE-2026-34621 | 8.6 | 7.60% | 1 | 5 | 2026-04-13T21:23:27 | Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by a | |
| CVE-2026-39987 | None | 45.53% | 2 | 5 | template | 2026-04-09T19:06:18 | ## Summary Marimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal |
| CVE-2025-15467 | 8.8 | 0.70% | 1 | 6 | 2026-03-19T19:16:19.230000 | Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with malic | |
| CVE-2026-30869 | 9.3 | 0.68% | 1 | 0 | 2026-03-10T18:43:20 | ### Summary A path traversal vulnerability in the `/export` endpoint allows an a | |
| CVE-2018-25193 | 7.5 | 0.14% | 1 | 0 | 2026-03-06T15:31:37 | Mongoose Web Server 6.9 contains a denial of service vulnerability that allows r | |
| CVE-2026-27966 | 9.8 | 0.23% | 2 | 1 | 2026-02-27T15:47:29 | # 1. Summary The CSV Agent node in Langflow hardcodes `allow_dangerous_code=Tr | |
| CVE-2026-22039 | 10.0 | 0.02% | 1 | 0 | 2026-01-29T03:31:32 | ### Summary A critical authorization boundary bypass in namespaced Kyverno Poli | |
| CVE-2024-21887 | 9.1 | 94.41% | 1 | 12 | template | 2025-10-31T21:56:55.430000 | A command injection vulnerability in web components of Ivanti Connect Secure (9. |
| CVE-2023-46805 | 8.2 | 94.37% | 1 | 9 | template | 2025-10-22T00:34:00 | An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 2 |
| CVE-2025-59532 | None | 0.05% | 1 | 1 | 2025-09-22T22:00:37 | Due to a bug in the sandbox configuration logic, Codex CLI could treat a model-g | |
| CVE-2023-20185 | 7.4 | 0.17% | 2 | 0 | 2024-02-03T05:06:20 | A vulnerability in the Cisco ACI Multi-Site CloudSec encryption feature of Cisco | |
| CVE-2026-41248 | 0 | 0.00% | 4 | 0 | N/A | ||
| CVE-2026-34078 | 0 | 0.04% | 1 | 0 | N/A | ||
| CVE-2026-41651 | 0 | 0.03% | 8 | 5 | N/A | ||
| CVE-2026-41429 | 0 | 0.00% | 2 | 0 | N/A | ||
| CVE-2026-41477 | 0 | 0.00% | 2 | 0 | N/A | ||
| CVE-2026-33662 | 0 | 0.00% | 4 | 0 | N/A | ||
| CVE-2026-33666 | 0 | 0.00% | 4 | 0 | N/A | ||
| CVE-2026-41421 | 0 | 0.00% | 4 | 0 | N/A | ||
| CVE-2026-6911 | 0 | 0.00% | 4 | 0 | N/A | ||
| CVE-2026-41419 | 0 | 0.00% | 2 | 0 | N/A | ||
| CVE-2026-41309 | 0 | 0.06% | 1 | 0 | N/A | ||
| CVE-2026-41564 | 0 | 0.03% | 2 | 0 | N/A | ||
| CVE-2026-41196 | 0 | 0.07% | 1 | 0 | N/A | ||
| CVE-2026-34002 | 0 | 0.00% | 1 | 0 | N/A | ||
| CVE-2026-34000 | 0 | 0.00% | 1 | 0 | N/A | ||
| CVE-2026-6786 | 0 | 0.05% | 1 | 0 | N/A | ||
| CVE-2026-6785 | 0 | 0.06% | 1 | 0 | N/A | ||
| CVE-2026-41167 | 0 | 0.08% | 2 | 0 | N/A | ||
| CVE-2026-33656 | 0 | 0.05% | 1 | 1 | N/A |
updated 2026-04-25T03:16:04.950000
2 posts
🟠 CVE-2026-41433 - High (8.4)
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From 0.4.0 to before 0.8.0, a flaw in the Java agent injection path allows a local attacker controlling a Java workload to overwrite arbitrary ho...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41433/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41433 - High (8.4)
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From 0.4.0 to before 0.8.0, a flaw in the Java agent injection path allows a local attacker controlling a Java workload to overwrite arbitrary ho...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41433/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-25T02:16:02.477000
2 posts
🟠 CVE-2026-41266 - High (7.5)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without a...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41266/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41266 - High (7.5)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without a...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41266/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T22:16:01.540000
2 posts
🟠 CVE-2026-42171 - High (7.8)
NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the referenc...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-42171/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-42171 - High (7.8)
NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the referenc...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-42171/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T21:33:00
6 posts
1 repos
🚨 [CISA-2026:0424] CISA Adds 4 Known Exploited Vulnerabilities to Catalog (https://secdb.nttzen.cloud/security-advisory/detail/CISA-2026:0424)
CISA has added 4 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.
⚠️ CVE-2024-57726 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-57726)
- Name: SimpleHelp Missing Authorization Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: SimpleHelp
- Product: SimpleHelp
- Notes: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier ; https://nvd.nist.gov/vuln/detail/CVE-2024-57726
⚠️ CVE-2024-57728 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-57728)
- Name: SimpleHelp Path Traversal Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: SimpleHelp
- Product: SimpleHelp
- Notes: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier ; https://nvd.nist.gov/vuln/detail/CVE-2024-57728
⚠️ CVE-2024-7399 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-7399)
- Name: Samsung MagicINFO 9 Server Path Traversal Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: Samsung
- Product: MagicINFO 9 Server
- Notes: https://security.samsungtv.com/securityUpdates ; https://nvd.nist.gov/vuln/detail/CVE-2024-7399
⚠️ CVE-2025-29635 (https://secdb.nttzen.cloud/cve/detail/CVE-2025-29635)
- Name: D-Link DIR-823X Command Injection Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: D-Link
- Product: DIR-823X
- Notes: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10469 ; https://nvd.nist.gov/vuln/detail/CVE-2025-29635
#SecDB #InfoSec #CVE #CISA_KEV #cisa_20260424 #cisa20260424 #cve_2024_57726 #cve_2024_57728 #cve_2024_7399 #cve_2025_29635 #cve202457726 #cve202457728 #cve20247399 #cve202529635
##CVE ID: CVE-2024-7399
Vendor: Samsung
Product: MagicINFO 9 Server
Date Added: 2026-04-24
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2024-7399
Broadcom has a new advisory for a critical vulnerability:
Common Components and Services for z/OS 15.0 Vulnerability in CCS Apache Tomcat https://support.broadcom.com/web/ecx/security-advisory #Broadcom #Apache
CISA has updated the KEV catalogue:
- CVE-2024-57726: SimpleHelp Missing Authorization Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-57726
- CVE-2024-57728: SimpleHelp Path Traversal Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-57728
- CVE-2024-7399: Samsung MagicINFO 9 Server Path Traversal Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-7399
- CVE-2025-29635: D-Link DIR-823X Command Injection Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-29635 #CISA #Samsung #DLink
Cisco has two advisories for high-severity vulnerabilities:
- CVE-2023-20185: Cisco ACI Multi-Site CloudSec Encryption Information Disclosure Vulnerability https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-cloudsec-enc-Vs5Wn2sX
- Informational, updated today: Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03 @TalosSecurity #Cisco #infosec #vulnerability
##🚨 [CISA-2026:0424] CISA Adds 4 Known Exploited Vulnerabilities to Catalog (https://secdb.nttzen.cloud/security-advisory/detail/CISA-2026:0424)
CISA has added 4 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.
⚠️ CVE-2024-57726 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-57726)
- Name: SimpleHelp Missing Authorization Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: SimpleHelp
- Product: SimpleHelp
- Notes: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier ; https://nvd.nist.gov/vuln/detail/CVE-2024-57726
⚠️ CVE-2024-57728 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-57728)
- Name: SimpleHelp Path Traversal Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: SimpleHelp
- Product: SimpleHelp
- Notes: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier ; https://nvd.nist.gov/vuln/detail/CVE-2024-57728
⚠️ CVE-2024-7399 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-7399)
- Name: Samsung MagicINFO 9 Server Path Traversal Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: Samsung
- Product: MagicINFO 9 Server
- Notes: https://security.samsungtv.com/securityUpdates ; https://nvd.nist.gov/vuln/detail/CVE-2024-7399
⚠️ CVE-2025-29635 (https://secdb.nttzen.cloud/cve/detail/CVE-2025-29635)
- Name: D-Link DIR-823X Command Injection Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: D-Link
- Product: DIR-823X
- Notes: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10469 ; https://nvd.nist.gov/vuln/detail/CVE-2025-29635
#SecDB #InfoSec #CVE #CISA_KEV #cisa_20260424 #cisa20260424 #cve_2024_57726 #cve_2024_57728 #cve_2024_7399 #cve_2025_29635 #cve202457726 #cve202457728 #cve20247399 #cve202529635
##CVE ID: CVE-2024-7399
Vendor: Samsung
Product: MagicINFO 9 Server
Date Added: 2026-04-24
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2024-7399
Broadcom has a new advisory for a critical vulnerability:
Common Components and Services for z/OS 15.0 Vulnerability in CCS Apache Tomcat https://support.broadcom.com/web/ecx/security-advisory #Broadcom #Apache
CISA has updated the KEV catalogue:
- CVE-2024-57726: SimpleHelp Missing Authorization Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-57726
- CVE-2024-57728: SimpleHelp Path Traversal Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-57728
- CVE-2024-7399: Samsung MagicINFO 9 Server Path Traversal Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-7399
- CVE-2025-29635: D-Link DIR-823X Command Injection Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-29635 #CISA #Samsung #DLink
Cisco has two advisories for high-severity vulnerabilities:
- CVE-2023-20185: Cisco ACI Multi-Site CloudSec Encryption Information Disclosure Vulnerability https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-cloudsec-enc-Vs5Wn2sX
- Informational, updated today: Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03 @TalosSecurity #Cisco #infosec #vulnerability
##updated 2026-04-24T21:32:00
2 posts
🟠 CVE-2026-41044 - High (8.8)
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All.
An authenticated attacker can use the admin web console page to construct a malici...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41044/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41044 - High (8.8)
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All.
An authenticated attacker can use the admin web console page to construct a malici...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41044/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T21:32:00
2 posts
🟠 CVE-2026-40466 - High (8.8)
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.
An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a conne...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40466/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-40466 - High (8.8)
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.
An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a conne...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40466/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T21:32:00
2 posts
🟠 CVE-2026-23902 - High (8.1)
Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution.
This issue affects Apache DolphinScheduler ve...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-23902/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-23902 - High (8.1)
Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution.
This issue affects Apache DolphinScheduler ve...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-23902/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T21:32:00
2 posts
🚨 New security advisory:
CVE-2026-34415 affects multiple systems.
• Impact: Remote code execution or complete system compromise possible
• Risk: Attackers can gain full control of affected systems
• Mitigation: Patch immediately or isolate affected systems
Full breakdown:
https://www.yazoul.net/advisory/cve/cve-2026-34415-xerte-online-toolkit-unauth-rce-via-file-upload
⚠️ CRITICAL: xerteonlinetoolkits ≤3.15 has incomplete input validation in elFinder — .php4 files can be uploaded & executed, enabling unauth RCE. Restrict endpoint, monitor uploads, apply custom filters. Patch status unknown. CVE-2026-34415 https://radar.offseq.com/threat/cve-2026-34415-cwe-184-incomplete-list-of-disallow-f774ae94 #OffSeq #Vuln #RCE
##updated 2026-04-24T21:16:19.353000
2 posts
🔴 CVE-2026-41478 - Critical (9.9)
Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41478/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-41478 - Critical (9.9)
Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41478/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T21:16:18.860000
2 posts
🔴 CVE-2026-41428 - Critical (9.1)
Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query st...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41428/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-41428 - Critical (9.1)
Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query st...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41428/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T21:11:10
1 posts
🔴 CVE-2026-40575 - Critical (9.1)
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 may trust a client-supplied `X-Forwarded-Uri` header when `--reverse-proxy` is enabled and `--skip-auth-regex` or `--skip-auth-route...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40575/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T21:02:13
1 posts
🟠 CVE-2026-41324 - High (7.5)
basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extreme...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41324/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T21:02:12
1 posts
🟠 CVE-2026-41323 - High (8.1)
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount toke...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41323/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T21:01:15
2 posts
🟠 CVE-2026-41275 - High (7.5)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the password reset functionality on cloud.flowiseai.com sends a reset password link over the unsecured HTTP protocol instead of HTTPS. This be...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41275/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41275 - High (7.5)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the password reset functionality on cloud.flowiseai.com sends a reset password link over the unsecured HTTP protocol instead of HTTPS. This be...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41275/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T21:01:10
2 posts
🔴 CVE-2026-41276 - Critical (9.8)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not requ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41276/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-41276 - Critical (9.8)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not requ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41276/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T21:01:05
2 posts
🟠 CVE-2026-41277 - High (8.8)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key (id) and internal...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41277/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41277 - High (8.8)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key (id) and internal...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41277/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T21:00:59
2 posts
🟠 CVE-2026-41278 - High (7.5)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation re...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41278/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41278 - High (7.5)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation re...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41278/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T20:58:07
1 posts
🟠 CVE-2026-41268 - High (7.7)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41268/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T20:54:43
1 posts
🟠 CVE-2026-41241 - High (8.7)
pretalx is a conference planning tool. Prior to 2026.1.0, The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using innerHTML string interpolation. Any user ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41241/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T20:54:08
1 posts
🟠 CVE-2026-41230 - High (8.5)
Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41230/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T20:53:54
1 posts
🔴 CVE-2026-41228 - Critical (9.9)
Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authen...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41228/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T20:52:07
1 posts
🟠 CVE-2026-41175 - High (8.1)
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of conten...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41175/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T20:45:21
1 posts
🟠 CVE-2026-41138 - High (8.3)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using Pandas. The user’s input ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41138/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T20:42:30
1 posts
🟠 CVE-2026-41133 - High (8.8)
pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at login and continues to authorize requests using these cached values, even after an admi...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41133/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T20:41:24
1 posts
🔴 CVE-2026-41064 - Critical (9.3)
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validati...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41064/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T20:40:59
1 posts
🟠 CVE-2026-41059 - High (8.2)
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 have a configuration-dependent authentication bypass. Deployments are affected when all of the following are true: Use of `skip_auth...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41059/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T20:16:28.470000
4 posts
⚠️ CRITICAL: dgraph-io Dgraph (< 25.3.3) leaks admin tokens via unauthenticated /debug/vars endpoint. Attackers can gain admin access! Patch to 25.3.3+ ASAP. CVE-2026-41492 | More: https://radar.offseq.com/threat/cve-2026-41492-cwe-200-exposure-of-sensitive-infor-932f1edf #OffSeq #CVE202641492 #Dgraph #Vulnerability
##🔴 CVE-2026-41492 - Critical (9.8)
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraphl exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..."...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41492/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##⚠️ CRITICAL: dgraph-io Dgraph (< 25.3.3) leaks admin tokens via unauthenticated /debug/vars endpoint. Attackers can gain admin access! Patch to 25.3.3+ ASAP. CVE-2026-41492 | More: https://radar.offseq.com/threat/cve-2026-41492-cwe-200-exposure-of-sensitive-infor-932f1edf #OffSeq #CVE202641492 #Dgraph #Vulnerability
##🔴 CVE-2026-41492 - Critical (9.8)
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraphl exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..."...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41492/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T19:26:52.160000
6 posts
🚨 [CISA-2026:0424] CISA Adds 4 Known Exploited Vulnerabilities to Catalog (https://secdb.nttzen.cloud/security-advisory/detail/CISA-2026:0424)
CISA has added 4 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.
⚠️ CVE-2024-57726 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-57726)
- Name: SimpleHelp Missing Authorization Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: SimpleHelp
- Product: SimpleHelp
- Notes: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier ; https://nvd.nist.gov/vuln/detail/CVE-2024-57726
⚠️ CVE-2024-57728 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-57728)
- Name: SimpleHelp Path Traversal Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: SimpleHelp
- Product: SimpleHelp
- Notes: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier ; https://nvd.nist.gov/vuln/detail/CVE-2024-57728
⚠️ CVE-2024-7399 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-7399)
- Name: Samsung MagicINFO 9 Server Path Traversal Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: Samsung
- Product: MagicINFO 9 Server
- Notes: https://security.samsungtv.com/securityUpdates ; https://nvd.nist.gov/vuln/detail/CVE-2024-7399
⚠️ CVE-2025-29635 (https://secdb.nttzen.cloud/cve/detail/CVE-2025-29635)
- Name: D-Link DIR-823X Command Injection Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: D-Link
- Product: DIR-823X
- Notes: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10469 ; https://nvd.nist.gov/vuln/detail/CVE-2025-29635
#SecDB #InfoSec #CVE #CISA_KEV #cisa_20260424 #cisa20260424 #cve_2024_57726 #cve_2024_57728 #cve_2024_7399 #cve_2025_29635 #cve202457726 #cve202457728 #cve20247399 #cve202529635
##CVE ID: CVE-2024-57726
Vendor: SimpleHelp
Product: SimpleHelp
Date Added: 2026-04-24
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2024-57726
Broadcom has a new advisory for a critical vulnerability:
Common Components and Services for z/OS 15.0 Vulnerability in CCS Apache Tomcat https://support.broadcom.com/web/ecx/security-advisory #Broadcom #Apache
CISA has updated the KEV catalogue:
- CVE-2024-57726: SimpleHelp Missing Authorization Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-57726
- CVE-2024-57728: SimpleHelp Path Traversal Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-57728
- CVE-2024-7399: Samsung MagicINFO 9 Server Path Traversal Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-7399
- CVE-2025-29635: D-Link DIR-823X Command Injection Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-29635 #CISA #Samsung #DLink
Cisco has two advisories for high-severity vulnerabilities:
- CVE-2023-20185: Cisco ACI Multi-Site CloudSec Encryption Information Disclosure Vulnerability https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-cloudsec-enc-Vs5Wn2sX
- Informational, updated today: Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03 @TalosSecurity #Cisco #infosec #vulnerability
##🚨 [CISA-2026:0424] CISA Adds 4 Known Exploited Vulnerabilities to Catalog (https://secdb.nttzen.cloud/security-advisory/detail/CISA-2026:0424)
CISA has added 4 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.
⚠️ CVE-2024-57726 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-57726)
- Name: SimpleHelp Missing Authorization Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: SimpleHelp
- Product: SimpleHelp
- Notes: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier ; https://nvd.nist.gov/vuln/detail/CVE-2024-57726
⚠️ CVE-2024-57728 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-57728)
- Name: SimpleHelp Path Traversal Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: SimpleHelp
- Product: SimpleHelp
- Notes: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier ; https://nvd.nist.gov/vuln/detail/CVE-2024-57728
⚠️ CVE-2024-7399 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-7399)
- Name: Samsung MagicINFO 9 Server Path Traversal Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: Samsung
- Product: MagicINFO 9 Server
- Notes: https://security.samsungtv.com/securityUpdates ; https://nvd.nist.gov/vuln/detail/CVE-2024-7399
⚠️ CVE-2025-29635 (https://secdb.nttzen.cloud/cve/detail/CVE-2025-29635)
- Name: D-Link DIR-823X Command Injection Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: D-Link
- Product: DIR-823X
- Notes: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10469 ; https://nvd.nist.gov/vuln/detail/CVE-2025-29635
#SecDB #InfoSec #CVE #CISA_KEV #cisa_20260424 #cisa20260424 #cve_2024_57726 #cve_2024_57728 #cve_2024_7399 #cve_2025_29635 #cve202457726 #cve202457728 #cve20247399 #cve202529635
##CVE ID: CVE-2024-57726
Vendor: SimpleHelp
Product: SimpleHelp
Date Added: 2026-04-24
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2024-57726
Broadcom has a new advisory for a critical vulnerability:
Common Components and Services for z/OS 15.0 Vulnerability in CCS Apache Tomcat https://support.broadcom.com/web/ecx/security-advisory #Broadcom #Apache
CISA has updated the KEV catalogue:
- CVE-2024-57726: SimpleHelp Missing Authorization Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-57726
- CVE-2024-57728: SimpleHelp Path Traversal Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-57728
- CVE-2024-7399: Samsung MagicINFO 9 Server Path Traversal Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-7399
- CVE-2025-29635: D-Link DIR-823X Command Injection Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-29635 #CISA #Samsung #DLink
Cisco has two advisories for high-severity vulnerabilities:
- CVE-2023-20185: Cisco ACI Multi-Site CloudSec Encryption Information Disclosure Vulnerability https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-cloudsec-enc-Vs5Wn2sX
- Informational, updated today: Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03 @TalosSecurity #Cisco #infosec #vulnerability
##updated 2026-04-24T19:17:12.407000
6 posts
🚨 CRITICAL vuln: CVE-2026-41327 in dgraph-io dgraph (<25.3.3). Unauthenticated attacker can exfiltrate all DB data with a crafted POST via upsert mutation. Upgrade to 25.3.3+ or enable ACL ASAP! https://radar.offseq.com/threat/cve-2026-41327-cwe-943-improper-neutralization-of--8885efbe #OffSeq #Vuln #GraphQL #DataLeak
##🔴 CVE-2026-41327 - Critical (9.1)
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configur...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41327/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-41327 - Critical (9.1)
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configur...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41327/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🚨 CRITICAL vuln: CVE-2026-41327 in dgraph-io dgraph (<25.3.3). Unauthenticated attacker can exfiltrate all DB data with a crafted POST via upsert mutation. Upgrade to 25.3.3+ or enable ACL ASAP! https://radar.offseq.com/threat/cve-2026-41327-cwe-943-improper-neutralization-of--8885efbe #OffSeq #Vuln #GraphQL #DataLeak
##🔴 CVE-2026-41327 - Critical (9.1)
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configur...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41327/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-41327 - Critical (9.1)
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configur...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41327/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T19:17:11.530000
2 posts
🟠 CVE-2026-41273 - High (8.2)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated w...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41273/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41273 - High (8.2)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated w...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41273/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T19:17:09.850000
2 posts
🟠 CVE-2026-33524 - High (7.5)
Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, a crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process with an OOM error ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33524/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-33524 - High (7.5)
Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, a crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process with an OOM error ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33524/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T18:31:38
6 posts
🚨 [CISA-2026:0424] CISA Adds 4 Known Exploited Vulnerabilities to Catalog (https://secdb.nttzen.cloud/security-advisory/detail/CISA-2026:0424)
CISA has added 4 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.
⚠️ CVE-2024-57726 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-57726)
- Name: SimpleHelp Missing Authorization Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: SimpleHelp
- Product: SimpleHelp
- Notes: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier ; https://nvd.nist.gov/vuln/detail/CVE-2024-57726
⚠️ CVE-2024-57728 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-57728)
- Name: SimpleHelp Path Traversal Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: SimpleHelp
- Product: SimpleHelp
- Notes: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier ; https://nvd.nist.gov/vuln/detail/CVE-2024-57728
⚠️ CVE-2024-7399 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-7399)
- Name: Samsung MagicINFO 9 Server Path Traversal Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: Samsung
- Product: MagicINFO 9 Server
- Notes: https://security.samsungtv.com/securityUpdates ; https://nvd.nist.gov/vuln/detail/CVE-2024-7399
⚠️ CVE-2025-29635 (https://secdb.nttzen.cloud/cve/detail/CVE-2025-29635)
- Name: D-Link DIR-823X Command Injection Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: D-Link
- Product: DIR-823X
- Notes: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10469 ; https://nvd.nist.gov/vuln/detail/CVE-2025-29635
#SecDB #InfoSec #CVE #CISA_KEV #cisa_20260424 #cisa20260424 #cve_2024_57726 #cve_2024_57728 #cve_2024_7399 #cve_2025_29635 #cve202457726 #cve202457728 #cve20247399 #cve202529635
##CVE ID: CVE-2024-57728
Vendor: SimpleHelp
Product: SimpleHelp
Date Added: 2026-04-24
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2024-57728
Broadcom has a new advisory for a critical vulnerability:
Common Components and Services for z/OS 15.0 Vulnerability in CCS Apache Tomcat https://support.broadcom.com/web/ecx/security-advisory #Broadcom #Apache
CISA has updated the KEV catalogue:
- CVE-2024-57726: SimpleHelp Missing Authorization Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-57726
- CVE-2024-57728: SimpleHelp Path Traversal Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-57728
- CVE-2024-7399: Samsung MagicINFO 9 Server Path Traversal Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-7399
- CVE-2025-29635: D-Link DIR-823X Command Injection Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-29635 #CISA #Samsung #DLink
Cisco has two advisories for high-severity vulnerabilities:
- CVE-2023-20185: Cisco ACI Multi-Site CloudSec Encryption Information Disclosure Vulnerability https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-cloudsec-enc-Vs5Wn2sX
- Informational, updated today: Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03 @TalosSecurity #Cisco #infosec #vulnerability
##🚨 [CISA-2026:0424] CISA Adds 4 Known Exploited Vulnerabilities to Catalog (https://secdb.nttzen.cloud/security-advisory/detail/CISA-2026:0424)
CISA has added 4 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.
⚠️ CVE-2024-57726 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-57726)
- Name: SimpleHelp Missing Authorization Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: SimpleHelp
- Product: SimpleHelp
- Notes: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier ; https://nvd.nist.gov/vuln/detail/CVE-2024-57726
⚠️ CVE-2024-57728 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-57728)
- Name: SimpleHelp Path Traversal Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: SimpleHelp
- Product: SimpleHelp
- Notes: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier ; https://nvd.nist.gov/vuln/detail/CVE-2024-57728
⚠️ CVE-2024-7399 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-7399)
- Name: Samsung MagicINFO 9 Server Path Traversal Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: Samsung
- Product: MagicINFO 9 Server
- Notes: https://security.samsungtv.com/securityUpdates ; https://nvd.nist.gov/vuln/detail/CVE-2024-7399
⚠️ CVE-2025-29635 (https://secdb.nttzen.cloud/cve/detail/CVE-2025-29635)
- Name: D-Link DIR-823X Command Injection Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: D-Link
- Product: DIR-823X
- Notes: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10469 ; https://nvd.nist.gov/vuln/detail/CVE-2025-29635
#SecDB #InfoSec #CVE #CISA_KEV #cisa_20260424 #cisa20260424 #cve_2024_57726 #cve_2024_57728 #cve_2024_7399 #cve_2025_29635 #cve202457726 #cve202457728 #cve20247399 #cve202529635
##CVE ID: CVE-2024-57728
Vendor: SimpleHelp
Product: SimpleHelp
Date Added: 2026-04-24
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2024-57728
Broadcom has a new advisory for a critical vulnerability:
Common Components and Services for z/OS 15.0 Vulnerability in CCS Apache Tomcat https://support.broadcom.com/web/ecx/security-advisory #Broadcom #Apache
CISA has updated the KEV catalogue:
- CVE-2024-57726: SimpleHelp Missing Authorization Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-57726
- CVE-2024-57728: SimpleHelp Path Traversal Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-57728
- CVE-2024-7399: Samsung MagicINFO 9 Server Path Traversal Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-7399
- CVE-2025-29635: D-Link DIR-823X Command Injection Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-29635 #CISA #Samsung #DLink
Cisco has two advisories for high-severity vulnerabilities:
- CVE-2023-20185: Cisco ACI Multi-Site CloudSec Encryption Information Disclosure Vulnerability https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-cloudsec-enc-Vs5Wn2sX
- Informational, updated today: Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03 @TalosSecurity #Cisco #infosec #vulnerability
##updated 2026-04-24T18:31:18
2 posts
🔴 CVE-2026-39920 - Critical (9.8)
BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS command...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-39920/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-39920 - Critical (9.8)
BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS command...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-39920/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T18:30:36
7 posts
🚨 [CISA-2026:0424] CISA Adds 4 Known Exploited Vulnerabilities to Catalog (https://secdb.nttzen.cloud/security-advisory/detail/CISA-2026:0424)
CISA has added 4 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.
⚠️ CVE-2024-57726 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-57726)
- Name: SimpleHelp Missing Authorization Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: SimpleHelp
- Product: SimpleHelp
- Notes: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier ; https://nvd.nist.gov/vuln/detail/CVE-2024-57726
⚠️ CVE-2024-57728 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-57728)
- Name: SimpleHelp Path Traversal Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: SimpleHelp
- Product: SimpleHelp
- Notes: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier ; https://nvd.nist.gov/vuln/detail/CVE-2024-57728
⚠️ CVE-2024-7399 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-7399)
- Name: Samsung MagicINFO 9 Server Path Traversal Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: Samsung
- Product: MagicINFO 9 Server
- Notes: https://security.samsungtv.com/securityUpdates ; https://nvd.nist.gov/vuln/detail/CVE-2024-7399
⚠️ CVE-2025-29635 (https://secdb.nttzen.cloud/cve/detail/CVE-2025-29635)
- Name: D-Link DIR-823X Command Injection Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: D-Link
- Product: DIR-823X
- Notes: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10469 ; https://nvd.nist.gov/vuln/detail/CVE-2025-29635
#SecDB #InfoSec #CVE #CISA_KEV #cisa_20260424 #cisa20260424 #cve_2024_57726 #cve_2024_57728 #cve_2024_7399 #cve_2025_29635 #cve202457726 #cve202457728 #cve20247399 #cve202529635
##CVE ID: CVE-2025-29635
Vendor: D-Link
Product: DIR-823X
Date Added: 2026-04-24
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-29635
📰 Mirai Botnet Exploits Critical Flaw in Discontinued D-Link Routers for DDoS Attacks
🚨 A new Mirai botnet campaign is exploiting a critical RCE flaw (CVE-2025-29635) in discontinued D-Link routers. The devices are EoL and will not be patched. Disconnect them now to prevent them from joining a DDoS botnet! #Mirai #Botnet #IoT #DLink
##Broadcom has a new advisory for a critical vulnerability:
Common Components and Services for z/OS 15.0 Vulnerability in CCS Apache Tomcat https://support.broadcom.com/web/ecx/security-advisory #Broadcom #Apache
CISA has updated the KEV catalogue:
- CVE-2024-57726: SimpleHelp Missing Authorization Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-57726
- CVE-2024-57728: SimpleHelp Path Traversal Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-57728
- CVE-2024-7399: Samsung MagicINFO 9 Server Path Traversal Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-7399
- CVE-2025-29635: D-Link DIR-823X Command Injection Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-29635 #CISA #Samsung #DLink
Cisco has two advisories for high-severity vulnerabilities:
- CVE-2023-20185: Cisco ACI Multi-Site CloudSec Encryption Information Disclosure Vulnerability https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-cloudsec-enc-Vs5Wn2sX
- Informational, updated today: Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03 @TalosSecurity #Cisco #infosec #vulnerability
##🚨 [CISA-2026:0424] CISA Adds 4 Known Exploited Vulnerabilities to Catalog (https://secdb.nttzen.cloud/security-advisory/detail/CISA-2026:0424)
CISA has added 4 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.
⚠️ CVE-2024-57726 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-57726)
- Name: SimpleHelp Missing Authorization Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: SimpleHelp
- Product: SimpleHelp
- Notes: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier ; https://nvd.nist.gov/vuln/detail/CVE-2024-57726
⚠️ CVE-2024-57728 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-57728)
- Name: SimpleHelp Path Traversal Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: SimpleHelp
- Product: SimpleHelp
- Notes: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier ; https://nvd.nist.gov/vuln/detail/CVE-2024-57728
⚠️ CVE-2024-7399 (https://secdb.nttzen.cloud/cve/detail/CVE-2024-7399)
- Name: Samsung MagicINFO 9 Server Path Traversal Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: Samsung
- Product: MagicINFO 9 Server
- Notes: https://security.samsungtv.com/securityUpdates ; https://nvd.nist.gov/vuln/detail/CVE-2024-7399
⚠️ CVE-2025-29635 (https://secdb.nttzen.cloud/cve/detail/CVE-2025-29635)
- Name: D-Link DIR-823X Command Injection Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: D-Link
- Product: DIR-823X
- Notes: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10469 ; https://nvd.nist.gov/vuln/detail/CVE-2025-29635
#SecDB #InfoSec #CVE #CISA_KEV #cisa_20260424 #cisa20260424 #cve_2024_57726 #cve_2024_57728 #cve_2024_7399 #cve_2025_29635 #cve202457726 #cve202457728 #cve20247399 #cve202529635
##CVE ID: CVE-2025-29635
Vendor: D-Link
Product: DIR-823X
Date Added: 2026-04-24
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-29635
Broadcom has a new advisory for a critical vulnerability:
Common Components and Services for z/OS 15.0 Vulnerability in CCS Apache Tomcat https://support.broadcom.com/web/ecx/security-advisory #Broadcom #Apache
CISA has updated the KEV catalogue:
- CVE-2024-57726: SimpleHelp Missing Authorization Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-57726
- CVE-2024-57728: SimpleHelp Path Traversal Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-57728
- CVE-2024-7399: Samsung MagicINFO 9 Server Path Traversal Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-7399
- CVE-2025-29635: D-Link DIR-823X Command Injection Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-29635 #CISA #Samsung #DLink
Cisco has two advisories for high-severity vulnerabilities:
- CVE-2023-20185: Cisco ACI Multi-Site CloudSec Encryption Information Disclosure Vulnerability https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-cloudsec-enc-Vs5Wn2sX
- Informational, updated today: Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03 @TalosSecurity #Cisco #infosec #vulnerability
##updated 2026-04-24T17:56:41.280000
2 posts
🟠 CVE-2026-41066 - High (7.5)
lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_ent...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41066/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41066 - High (7.5)
lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_ent...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41066/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T17:56:41.280000
4 posts
🟠 CVE-2026-6912 - High (8.8)
Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito u...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-6912/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##Issue with AWS Ops Wheel (CVE-2026-6911 and CVE-2026-6912
Bulletin ID: 2026-018-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/24 09:15 AM PDT
Description:
AWS Ops Wheel is an open-source tool that helps teams make random selections using a virtua...
https://aws.amazon.com/security/security-bulletins/rss/2026-018-aws/
##🟠 CVE-2026-6912 - High (8.8)
Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito u...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-6912/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##Issue with AWS Ops Wheel (CVE-2026-6911 and CVE-2026-6912
Bulletin ID: 2026-018-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/24 09:15 AM PDT
Description:
AWS Ops Wheel is an open-source tool that helps teams make random selections using a virtua...
https://aws.amazon.com/security/security-bulletins/rss/2026-018-aws/
##updated 2026-04-24T17:16:21.240000
1 posts
🟠 CVE-2026-41068 - High (7.7)
Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating the `URLPath` field. However, the ConfigMap conte...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41068/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T17:12:23.350000
1 posts
🟠 CVE-2026-34063 - High (7.5)
Nimiq's network-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `network-libp2p` discovery uses a libp2p `ConnectionHandler` state machine. the handler assumes there is at most one inbound and one outbound discove...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34063/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T17:11:40.037000
2 posts
🔥 CRITICAL vuln in nimiq-block (<1.3.0): Flawed input validation in SkipBlockProof::verify lets attackers bypass PoS quorum using crafted indices. Patch in v1.3.0 — upgrade ASAP! CVE-2026-33471 https://radar.offseq.com/threat/cve-2026-33471-cwe-20-improper-input-validation-in-2bd8708b #OffSeq #Rust #Security #Blockchain
##🔴 CVE-2026-33471 - Critical (9.6)
nimiq-block contains block primitives to be used in Nimiq's Rust implementation. `SkipBlockProof::verify` computes its quorum check using `BitSet.len()`, then iterates `BitSet` indices and casts each `usize` index to `u16` (`slot as u16`) for slot...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33471/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T16:39:50.947000
2 posts
🔴 CVE-2026-6919 - Critical (9.6)
Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-6919/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-6919 - Critical (9.6)
Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-6919/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T16:39:41.147000
2 posts
🔴 New security advisory:
CVE-2026-6920 affects multiple systems.
• Impact: Remote code execution or complete system compromise possible
• Risk: Attackers can gain full control of affected systems
• Mitigation: Patch immediately or isolate affected systems
Full breakdown:
https://www.yazoul.net/advisory/cve/cve-2026-6920-chrome-android-gpu-sandbox-escape
🟠 CVE-2026-6920 - High (7.5)
Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-6920/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T16:37:54.877000
2 posts
🟠 CVE-2026-41271 - High (8.3)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers t...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41271/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41271 - High (8.3)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers t...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41271/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T16:31:36.040000
2 posts
🟠 CVE-2026-41279 - High (7.5)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no auth) and accepts a credentialId directly in ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41279/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41279 - High (7.5)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no auth) and accepts a credentialId directly in ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41279/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T15:41:45
2 posts
🔴 CVE-2026-41328 - Critical (9.1)
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configur...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41328/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-41328 - Critical (9.1)
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configur...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41328/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T15:33:39
2 posts
🟠 CVE-2026-21728 - High (7.5)
Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy.
Mitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-21728/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-21728 - High (7.5)
Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy.
Mitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-21728/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T15:32:39
2 posts
🔴 CVE-2026-21515 - Critical (9.9)
Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-21515/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-21515 - Critical (9.9)
Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-21515/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T15:19:50
1 posts
🟠 CVE-2026-41246 - High (8.1)
Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPP...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41246/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T15:15:47.703000
2 posts
🟠 CVE-2026-41137 - High (8.8)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41137/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41137 - High (8.8)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41137/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T15:15:17.923000
2 posts
🔴 CVE-2026-41264 - Critical (9.8)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the CSV_Agents class. The issue results from the lack of proper sandboxing when evaluating a...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41264/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-41264 - Critical (9.8)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the CSV_Agents class. The issue results from the lack of proper sandboxing when evaluating a...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41264/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T15:15:09.260000
2 posts
🔴 CVE-2026-41265 - Critical (9.8)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluat...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41265/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-41265 - Critical (9.8)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluat...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41265/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T15:14:48.233000
1 posts
🟠 CVE-2026-41267 - High (8.1)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticated attack...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41267/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T14:50:56.203000
2 posts
🟠 CVE-2026-31952 - High (7.6)
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for Filtering Dat...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31952/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-31952 - High (7.6)
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for Filtering Dat...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31952/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T14:50:56.203000
1 posts
🛡️ CrowdStrike LogScale CRITICAL vuln (CVE-2026-40050): unauth path traversal — remote file read risk for self-hosted users. Tenable Nessus for Windows: HIGH vuln (CVE-2026-33694), file deletion & privilege escalation. Patch ASAP! https://radar.offseq.com/threat/vulnerabilities-patched-in-crowdstrike-tenable-pro-da7dee84 #OffSeq #Vuln #CrowdStrike #Tenable
##updated 2026-04-24T14:50:56.203000
1 posts
🟠 CVE-2026-41316 - High (8.1)
ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marsha...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41316/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T14:50:56.203000
2 posts
1 repos
🔴 CVE-2026-41679 - Critical (10)
Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Prior to version 2026.416.0, an unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance runnin...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41679/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🚨 CRITICAL: CVE-2026-41679 in Paperclip (<2026.416.0) enables unauthenticated remote code execution via API chain — no user creds needed. Upgrade to 2026.416.0+ ASAP! Full details: https://radar.offseq.com/threat/cve-2026-41679-cwe-287-improper-authentication-in--09e9d7e4 #OffSeq #CVE202641679 #infosec #rce
##updated 2026-04-24T14:50:56.203000
1 posts
🔴 CVE-2026-41229 - Critical (9.1)
Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings`...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41229/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T14:50:56.203000
3 posts
🔴 CVE-2026-6887 - Critical (9.8)
Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-6887/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-6887 - Critical (9.8)
Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-6887/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🚨 CRITICAL SQL Injection (CVE-2026-6887) in BorG SPM 2007: unauthenticated remote attackers can manipulate databases. No patch, product EOL. Isolate or discontinue use ASAP. Details: https://radar.offseq.com/threat/cve-2026-6887-cwe-89-improper-neutralization-of-sp-f0a62364 #OffSeq #SQLInjection #Vuln #InfoSec
##updated 2026-04-24T14:50:56.203000
1 posts
🔴 CVE-2025-62373 - Critical (9.8)
Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. Versions 0.0.41 through 0.0.93 have a vulnerability in `LivekitFrameSerializer` – an optional, non-default, undocumented frame serializ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-62373/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T14:50:56.203000
1 posts
🟠 CVE-2026-40517 - High (7.8)
radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by crafting a malicious PDB file with newline characters in symbol names. Attackers ca...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40517/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T14:41:55.890000
2 posts
🟠 CVE-2026-34003 - High (7.8)
A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the X server, leading to an out-of-bounds memory access vulnerability. This could result in the disclosure of sen...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34003/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##We released the #XLibre Xserver 25.0.0.22 and 25.1.4 on Apr 21 containing #security fixes for CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, and CVE-2026-34003 of the X.Org Server. We recommend everyone update ASAP. #CVE https://github.com/X11Libre/xserver/releases/tag/xlibre-xserver-25.1.4
##updated 2026-04-24T14:41:55.890000
1 posts
🔴 CVE-2026-39087 - Critical (9.8)
An issue in Ntfy ntfy.sh before v.2.21 allows a remote attacker to execute arbitrary code via the parseActions function
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-39087/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T14:41:55.890000
1 posts
🔴 CVE-2026-31178 - Critical (9.8)
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMaxAlive parameter to /cgi-bin/cstecgi.cgi.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31178/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T14:41:16.553000
1 posts
🔴 CVE-2026-32210 - Critical (9.3)
Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32210/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T14:40:53.523000
1 posts
🟠 CVE-2026-41336 - High (7.8)
OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, enabling loading of attacker-controlled hook code. Attackers can replace trusted default-on bundled hooks from untrusted workspa...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41336/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T14:40:12.517000
3 posts
🔴 CVE-2026-40630 - Critical (9.8)
A vulnerability in
SenseLive
X3050’s web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. An attacker with network access to the device may be able to bypass the i...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40630/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-40630 - Critical (9.8)
A vulnerability in
SenseLive
X3050’s web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. An attacker with network access to the device may be able to bypass the i...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40630/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🚨 CRITICAL: SenseLive X3050 v1.523 is vulnerable to authentication bypass (CVE-2026-40630) via alternate paths. No fix yet — restrict device network access and monitor closely. https://radar.offseq.com/threat/cve-2026-40630-cwe-288-authentication-bypass-using-b2eedf7d #OffSeq #CVE202640630 #IoTSecurity #VulnAlert
##updated 2026-04-24T14:39:28.770000
2 posts
🟠 CVE-2026-5367 - High (8.6)
A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-5367/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-5367 - High (8.6)
A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-5367/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T14:25:32.370000
1 posts
🟠 CVE-2026-34310 - High (7.5)
Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploita...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34310/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T14:17:02.280000
1 posts
🟠 CVE-2026-22753 - High (7.5)
Vulnerability in Spring Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security compo...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-22753/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T13:12:29.780000
1 posts
🟠 CVE-2026-40937 - High (8.3)
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (acc...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40937/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T09:30:36
2 posts
🔴 CVE-2026-1950 - Critical (9.8)
Delta Electronics AS320T has
No checking of the length of the buffer with the file name vulnerability.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1950/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-1950 - Critical (9.8)
Delta Electronics AS320T has
No checking of the length of the buffer with the file name vulnerability.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1950/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T09:30:36
3 posts
🔴 CVE-2026-1952 - Critical (9.8)
Delta Electronics AS320T has denial of service via the undocumented subfunction vulnerability.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1952/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-1952 - Critical (9.8)
Delta Electronics AS320T has denial of service via the undocumented subfunction vulnerability.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1952/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##⚠️ CRITICAL: CVE-2026-1952 in DeltaWW AS320T (CVSS 9.8) enables denial of service via hidden subfunction (CWE-912). Vendor patch is available for this cloud-hosted service — confirm your instance is protected. https://radar.offseq.com/threat/cve-2026-1952-cwe-912-hidden-functionality-in-delt-72d86c2b #OffSeq #DeltaWW #Vuln #CloudSecurity
##updated 2026-04-24T09:30:36
2 posts
🔴 CVE-2026-1951 - Critical (9.8)
Delta Electronics AS320T has no checking of the length of the buffer with the directory name
vulnerability.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1951/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CRITICAL: CVE-2026-1951 stack-based buffer overflow in DeltaWW AS320T cloud service (CVSS 9.8). Remote attackers can gain full system control. Patch available — no exploits in the wild yet. Update now! https://radar.offseq.com/threat/cve-2026-1951-cwe-121-stack-based-buffer-overflow--c6177746 #OffSeq #Cybersecurity #Vuln
##updated 2026-04-24T06:31:23
1 posts
🔴 CVE-2026-1949 - Critical (9.8)
Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1949/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T06:31:23
1 posts
🟠 CVE-2026-5364 - High (8.1)
The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file extension before sanitization occurs and allowing t...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-5364/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T00:32:04
2 posts
🟠 CVE-2026-27841 - High (8.1)
A vulnerability in SenseLive X3050's web management interface allows state-changing operations to be triggered without proper Cross-Site Request Forgery (CSRF) protections. Because the application does not enforce server-side validation of reque...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27841/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-27841 - High (8.1)
A vulnerability in SenseLive X3050's web management interface allows state-changing operations to be triggered without proper Cross-Site Request Forgery (CSRF) protections. Because the application does not enforce server-side validation of reque...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27841/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T00:32:04
2 posts
🟠 CVE-2026-35064 - High (7.5)
A vulnerability in SenseLive X3050’s management ecosystem allows unauthenticated discovery of deployed units through the vendor’s management protocol, enabling identification of device presence, identifiers, and management interfaces without...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-35064/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-35064 - High (7.5)
A vulnerability in SenseLive X3050’s management ecosystem allows unauthenticated discovery of deployed units through the vendor’s management protocol, enabling identification of device presence, identifiers, and management interfaces without...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-35064/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T00:32:04
3 posts
🟠 CVE-2026-39462 - High (8.1)
A vulnerability exists in SenseLive X3050’s web management interface in which password updates are not reliably applied due to improper handling of credential changes on the backend. After the device undergoes a factory restore using the SenseL...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-39462/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-39462 - High (8.1)
A vulnerability exists in SenseLive X3050’s web management interface in which password updates are not reliably applied due to improper handling of credential changes on the backend. After the device undergoes a factory restore using the SenseL...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-39462/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##CVE-2026-39462 (CRITICAL): SenseLive X3050 V1.523 lets attackers bypass password changes after factory reset — device may accept old or default creds. No fix yet. Limit reliance on resets and monitor for updates. https://radar.offseq.com/threat/cve-2026-39462-cwe-522-insufficiently-protected-cr-cedf02e1 #OffSeq #IoTSecurity #CVE202639462
##updated 2026-04-24T00:32:04
2 posts
🔴 CVE-2026-35503 - Critical (9.8)
A vulnerability in SenseLive X3050’s web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed scripts rather than server-side verification. An attacker...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-35503/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-35503 - Critical (9.8)
A vulnerability in SenseLive X3050’s web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed scripts rather than server-side verification. An attacker...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-35503/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T00:32:03
3 posts
🔴 CVE-2026-25775 - Critical (9.8)
A vulnerability in SenseLive X3050’s remote management service allows firmware retrieval and update operations to be performed without authentication or authorization. The service accepts firmware-related requests from any reachable host and d...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25775/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-25775 - Critical (9.8)
A vulnerability in SenseLive X3050’s remote management service allows firmware retrieval and update operations to be performed without authentication or authorization. The service accepts firmware-related requests from any reachable host and d...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25775/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔍 CVE-2026-25775: SenseLive X3050 (V1.523) critical vuln — remote firmware updates possible without auth! Patch unavailable. Restrict access & monitor for unauthorized firmware actions. https://radar.offseq.com/threat/cve-2026-25775-cwe-306-missing-authentication-for--773ccfcd #OffSeq #IoTSecurity #CVE202625775
##updated 2026-04-24T00:32:03
3 posts
🔴 CVE-2026-27843 - Critical (9.1)
A vulnerability exists in SenseLive X3050's web management interface that allows critical configuration parameters to be modified without sufficient authentication or server-side validation. By applying unsupported or disruptive values to recover...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27843/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-27843 - Critical (9.1)
A vulnerability exists in SenseLive X3050's web management interface that allows critical configuration parameters to be modified without sufficient authentication or server-side validation. By applying unsupported or disruptive values to recover...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27843/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🚨 CVE-2026-27843: SenseLive X3050 (V1.523) CRITICAL vuln — missing auth lets attackers lock out users, causing full denial-of-service. No reset button; recovery needs console access. Restrict mgmt access & monitor configs. https://radar.offseq.com/threat/cve-2026-27843-cwe-306-missing-authentication-for--e4fcb515 #OffSeq #IoTSecurity #Vuln
##updated 2026-04-24T00:32:03
2 posts
🟠 CVE-2026-40623 - High (8.1)
A vulnerability in SenseLive X3050's web management interface allows critical system and network configuration parameters to be modified without sufficient validation and safety controls. Due to inadequate enforcement of constraints on sensitive...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40623/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-40623 - High (8.1)
A vulnerability in SenseLive X3050's web management interface allows critical system and network configuration parameters to be modified without sufficient validation and safety controls. Due to inadequate enforcement of constraints on sensitive...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40623/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T00:32:03
3 posts
🔴 CVE-2026-40620 - Critical (9.8)
A vulnerability in SenseLive X3050’s embedded management service allows full administrative control to be established without any form of authentication or authorization on the SenseLive config application. The service accepts management conne...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40620/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-40620 - Critical (9.8)
A vulnerability in SenseLive X3050’s embedded management service allows full administrative control to be established without any form of authentication or authorization on the SenseLive config application. The service accepts management conne...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40620/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##SenseLive X3050 V1.523 is at CRITICAL risk (CVE-2026-40620, CVSS 9.3): missing auth lets remote attackers gain admin access. No patch yet — restrict management access, monitor logs, and follow vendor updates. https://radar.offseq.com/threat/cve-2026-40620-cwe-306-missing-authentication-for--0af2786c #OffSeq #CVE202640620 #IoTSecurity
##updated 2026-04-24T00:32:03
1 posts
🟠 CVE-2026-41349 - High (8.8)
OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to bypass security controls and execute unauthorize...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41349/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T00:32:03
1 posts
🟠 CVE-2026-41353 - High (8.1)
OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and runtime profile selection. Remote attackers can...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41353/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T00:32:03
1 posts
🟠 CVE-2026-41352 - High (8.8)
OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with device pairing credentials can execute arbitrary node commands on the host ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41352/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T00:31:58
2 posts
🔴 CVE-2026-24303 - Critical (9.6)
Improper access control in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24303/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-24303 - Critical (9.6)
Improper access control in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24303/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T00:31:58
2 posts
🟠 CVE-2026-26150 - High (8.6)
Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-26150/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-26150 - High (8.6)
Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-26150/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T00:31:58
1 posts
🔴 CVE-2026-26210 - Critical (9.8)
KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authentication and deserializes incoming messages usi...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-26210/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T00:31:58
1 posts
🟠 CVE-2026-32172 - High (8)
Uncontrolled search path element in Microsoft Power Apps allows an unauthorized attacker to execute code over a network.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32172/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T00:31:58
1 posts
🔴 CVE-2026-33819 - Critical (10)
Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33819/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-24T00:31:58
1 posts
🔴 CVE-2026-33102 - Critical (9.3)
Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33102/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-23T21:39:22
1 posts
🟠 CVE-2026-40886 - High (7.7)
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod() function causes a controller-wide panic when a work...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40886/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-23T21:32:27
1 posts
🔴 CVE-2026-31181 - Critical (9.8)
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunServerAddr parameter to /cgi-bin/cstecgi.cgi.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31181/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-23T21:31:30
1 posts
🔴 CVE-2026-6942 - Critical (9.8)
radare2-mcp version 1.6.0 and earlier contains an os command injection vulnerability that allows remote attackers to execute arbitrary commands by bypassing the command filter through shell metacharacters in user-controlled input passed to r2_cmd_...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-6942/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-23T21:31:22
1 posts
🔴 CVE-2026-31177 - Critical (9.8)
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMinAlive parameter to /cgi-bin/cstecgi.cgi.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31177/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-23T21:31:21
4 posts
📰 Apple Rushes Fix for iOS Flaw That Let FBI Recover Deleted Signal Messages
🚨 Apple issues emergency patch for iOS flaw (CVE-2026-28950) that let the FBI recover deleted Signal message notifications. The bug improperly stored notification data, undermining user privacy. Update your iPhone & iPad now! 📱🔒 #iOS #Privacy #In...
##Apple issues iOS/iPadOS 26.4.2 to fix a Notification Services bug (CVE-2026-28950) that could retain deleted-app notification previews — Signal says preserved fragments will be removed after users update. Install now: https://cyberinsider.com/apple-fixes-ios-privacy-flaw-that-allowed-signal-message-retrieval/ 🔒📱 #iOS #Privacy #Security
##Apple fixes iOS flaw exposing deleted messages via notification logs (CVE-2026-28950).
Even encrypted apps were impacted.
Patch now.
https://support.apple.com/en-us/127002
Impact: Notifications marked for deletion could be unexpectedly retained on the device
Description: A logging issue was addressed with improved data redaction.
CVE-2026-28950
<3
##updated 2026-04-23T21:23:40
2 posts
🟠 CVE-2026-33318 - High (8.8)
Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: `POST /ac...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33318/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-33318 - High (8.8)
Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: `POST /ac...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33318/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-23T19:41:18.127000
1 posts
🟠 CVE-2026-41135 - High (7.5)
free5GC UDR is the Policy Control Function (PCF) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. A memory leak vulnerability in versions prior to 1.4.3 allows any unauthenticated attacker with network access to...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41135/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-23T18:33:26
1 posts
🟠 CVE-2026-41461 - High (8.5)
SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbo...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41461/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-23T18:33:25
2 posts
🟠 CVE-2026-33999 - High (7.8)
A flaw was found in the X.Org X server. This integer underflow vulnerability, specifically in the XKB compatibility map handling, allows an attacker with local or remote X11 server access to trigger a buffer read overrun. This can lead to memory-s...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33999/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##We released the #XLibre Xserver 25.0.0.22 and 25.1.4 on Apr 21 containing #security fixes for CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, and CVE-2026-34003 of the X.Org Server. We recommend everyone update ASAP. #CVE https://github.com/X11Libre/xserver/releases/tag/xlibre-xserver-25.1.4
##updated 2026-04-23T18:33:25
1 posts
🔴 CVE-2026-23751 - Critical (9.8)
Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that is accessible without authentication and uses a d...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-23751/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-23T18:33:25
1 posts
🔴 CVE-2026-40471 - Critical (9.6)
hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative acti...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40471/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-23T18:33:25
1 posts
🔴 CVE-2026-40470 - Critical (9.9)
A critical XSS vulnerability affected hackage-server and
hackage.haskell.org. HTML and JavaScript files provided in source
packages or via the documentation upload facility were served
as-is on the main hackage.haskell.org domain. As a consequen...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40470/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-23T18:33:23
1 posts
🔴 CVE-2026-40472 - Critical (9.9)
In hackage-server, user-controlled metadata from .cabal files are rendered into HTML
href attributes without proper sanitization, enabling stored
Cross-Site Scripting (XSS) attacks.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40472/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-23T18:33:23
1 posts
#OT #Advisory VDE-2026-040
CODESYS EtherNetIP - Improper timeout handling
CODESYS EtherNet/IP is an add‑on for the CODESYS Development System that provides a fully integrated EtherNet/IP protocol stack along with diagnostic capabilities. A flaw in the EtherNet/IP adapter protocol stack library results in a vulnerability within the generated application code. When an EtherNet/IP adapter is configured, this vulnerable protocol stack is downloaded to and executed by CODESYS Control runtime systems.
#CVE CVE-2026-35225
https://certvde.com/en/advisories/vde-2026-040/
#oCSAF
#CSAF https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2026/advisory2026-04_vde-2026-040.json
updated 2026-04-23T18:33:21
2 posts
🟠 CVE-2026-34001 - High (7.8)
A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence() function. An attacker with access to the X11 server can exploit this without user in...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34001/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##We released the #XLibre Xserver 25.0.0.22 and 25.1.4 on Apr 21 containing #security fixes for CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, and CVE-2026-34003 of the X.Org Server. We recommend everyone update ASAP. #CVE https://github.com/X11Libre/xserver/releases/tag/xlibre-xserver-25.1.4
##updated 2026-04-23T18:33:20
1 posts
🔴 CVE-2026-41460 - Critical (9.8)
SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unaut...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41460/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-23T14:28:55.557000
4 posts
3 repos
https://github.com/im-hanzou/CVE-2026-3844
Hackers Take Advantage of File Upload Vulnerability in Breeze Cache Plugin for WordPress #wordpress
Urgent security update: Hackers are exploiting a file upload vulnerability in Breeze Cache for WordPress (CVE-2026-3844), risking remote code execution. Upgrade to Breeze Cache 2.4.5 now or disable the Host Files Locally – Gravatars option to mitigate. Details: https://ift.tt/ZoIb1XJ
Source: https://ift.tt/ZoIb1XJ | Image: https://ift.tt/dtFh1AJ
##Cloudways Patches Actively Exploited File Upload Flaw in Breeze Cache Plugin
Cloudways patched a critical vulnerability in the Breeze Cache WordPress plugin (CVE-2026-3844) that allows unauthenticated attackers to upload malicious files and execute remote code. The flaw is currently under active exploitation, but it requires a non-default setting to be enabled in order to be exploited.
**If you use the Breeze Cache WordPress plugin, update it to version 2.4.5 ASAP. If you can't update right away, disable the "Host Files Locally - Gravatars" setting as a temporary workaround until you can apply the update.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/cloudways-patches-actively-exploited-file-upload-flaw-in-breeze-cache-plugin-e-w-c-7-u/gD2P6Ple2L
🔴 CVE-2026-3844 - Critical (9.8)
The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-3844/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🚩 CVE-2026-3844 (CRITICAL): Breeze Cache ≤2.4.4 lets unauthenticated attackers upload arbitrary files via 'fetch_gravatar_from_remote' if "Host Files Locally - Gravatars" is enabled. RCE possible. Check settings & update! https://radar.offseq.com/threat/cve-2026-3844-cwe-434-unrestricted-upload-of-file--8e6074b3 #OffSeq #WordPress #infosec
##updated 2026-04-23T14:28:55.557000
1 posts
🔴 CVE-2026-39440 - Critical (9.9)
Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion.This issue affects FunnelFormsPro: from n/a through 3.8.1.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-39440/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-23T12:31:45
1 posts
🟠 CVE-2026-6903 - High (7.5)
The LabOne Web Server, backing the LabOne User Interface, contains insufficient input validation in its file access functionality. An unauthenticated attacker could exploit this vulnerability to read arbitrary files on the host system that are acc...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-6903/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-23T12:31:45
1 posts
🔴 CVE-2026-6886 - Critical (9.8)
Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has a Authentication Bypass vulnerability, allowing unauthenticated remote attackers to log into the system as any user.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-6886/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-23T12:31:45
1 posts
🔴 CVE-2026-6885 - Critical (9.8)
Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-6885/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-23T12:07:46.893000
2 posts
🔴 CVE-2026-34286 - Critical (9.1)
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network acc...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34286/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-34286 - Critical (9.1)
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network acc...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34286/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-23T12:07:28.307000
1 posts
🔴 CVE-2026-34287 - Critical (9.1)
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network acc...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34287/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-23T09:33:05
2 posts
🟠 CVE-2026-41040 - High (7.5)
GROWI provided by GROWI, Inc. is vulnerable to a regular expression denial of service (ReDoS) via a crafted input string.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41040/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41040 - High (7.5)
GROWI provided by GROWI, Inc. is vulnerable to a regular expression denial of service (ReDoS) via a crafted input string.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41040/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-23T00:31:19
1 posts
🟠 CVE-2026-41455 - High (8.5)
WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction or destination validation. Attackers who can create or modify in...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41455/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-23T00:31:19
1 posts
🟠 CVE-2026-41454 - High (8.3)
WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integr...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41454/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-23T00:31:18
3 posts
3 repos
https://github.com/Letlaka/redsun-bluehammer-undefend-detection-pack
🛡️ Microsoft Defender Elevation of Privilege Vulnerability
Description
🛡️ Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.
##Just in: CVE-2026-33825 "BlueHammer" just hit the CISA KEV. Meanwhile, I'm not near my Windows PC, so I'm not sure if the Red Sun still prevails.
##🚨 [CISA-2026:0422] CISA Adds One Known Exploited Vulnerability to Catalog (https://secdb.nttzen.cloud/security-advisory/detail/CISA-2026:0422)
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.
⚠️ CVE-2026-33825 (https://secdb.nttzen.cloud/cve/detail/CVE-2026-33825)
- Name: Microsoft Defender Insufficient Granularity of Access Control Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: Microsoft
- Product: Defender
- Notes: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825 ; https://nvd.nist.gov/vuln/detail/CVE-2026-33825
#SecDB #InfoSec #CVE #CISA_KEV #cisa_20260422 #cisa20260422 #cve_2026_33825 #cve202633825
##updated 2026-04-22T21:32:18
1 posts
🛑 CVE-2026-41468: Beghelli SicuroWeb (Sicuro24) uses unmaintained AngularJS 1.5.2, allowing network-adjacent attackers to hijack sessions via MITM and template injection. Enforce HTTPS, monitor activity. No patch yet. More: https://radar.offseq.com/threat/cve-2026-41468-cwe-1104-use-of-unmaintained-third--1563ff90 #OffSeq #CVE202641468 #infosec
##updated 2026-04-22T21:24:26.997000
1 posts
Microsoft a publié un patch pour une faille critique dans ASP.NET : CVE-2026-40372 https://www.it-connect.fr/microsoft-a-publie-un-patch-pour-une-faille-critique-dans-asp-net-cve-2026-40372/ #ActuCybersécurité #Cybersécurité #Vulnérabilité #Microsoft
##updated 2026-04-22T21:24:26.997000
1 posts
🟠 CVE-2026-35231 - High (7.5)
Vulnerability in the Oracle Financial Services Transaction Filtering product of Oracle Financial Services Applications (component: User Interface). The supported version that is affected is 8.1.2.8.0. Easily exploitable vulnerability allows unau...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-35231/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-22T19:19:28
1 posts
🟠 CVE-2026-34065 - High (7.5)
nimiq-primitives contains primitives (e.g., block, account, transaction) to be used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted p2p peer can cause a node to panic by announcing an election macro block whose `validators` se...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34065/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-22T18:32:53
1 posts
🟠 CVE-2026-22754 - High (7.5)
Vulnerability in Spring Spring Security. If an application uses to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorizat...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-22754/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-22T18:31:54
1 posts
updated 2026-04-22T18:31:42
1 posts
🟠 CVE-2026-34309 - High (8.1)
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Security). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows low privileged attacker with network access via...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34309/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-22T15:32:43
1 posts
🟠 CVE-2026-34291 - High (8.7)
Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network ac...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34291/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-22T15:32:43
1 posts
🟠 CVE-2026-34320 - High (7.5)
Vulnerability in the Oracle Financial Services Customer Screening product of Oracle Financial Services Applications (component: User Interface). The supported version that is affected is 8.1.2.8.0. Easily exploitable vulnerability allows unauthe...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34320/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-22T15:32:43
1 posts
🟠 CVE-2026-5398 - High (8.4)
The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-5398/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-22T15:32:42
1 posts
🟠 CVE-2026-34290 - High (7.5)
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network acc...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34290/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-22T15:31:41
2 posts
🟠 CVE-2026-34305 - High (7.5)
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauth...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34305/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-34305 - High (7.5)
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauth...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34305/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-22T15:31:40
1 posts
🔴 CVE-2026-34279 - Critical (9.1)
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged atta...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34279/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-22T15:31:40
2 posts
🟠 CVE-2026-34297 - High (7.5)
Vulnerability in the Oracle HCM Common Architecture product of Oracle E-Business Suite (component: Knowledge Integration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker w...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34297/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-34297 - High (7.5)
Vulnerability in the Oracle HCM Common Architecture product of Oracle E-Business Suite (component: Knowledge Integration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker w...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34297/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-22T15:31:39
1 posts
🔴 CVE-2026-34285 - Critical (9.1)
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network acc...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34285/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-22T09:31:40
1 posts
🟠 CVE-2026-6022 - High (7.5)
In Progress® Telerik® UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consumption vulnerability that allows file uploads to exceed the configured maximum size due to missing cumulative size enforcement during ch...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-6022/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-22T09:31:40
1 posts
🟠 CVE-2026-6023 - High (8.1)
In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state,...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-6023/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-22T00:32:48
1 posts
I just asked Mozilla about this. Someone responded that internally found bugs like the 271 go into “roll-up” advisories with, each rollup providing a link to the bug list covered.
The 3 rollups are:
https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/#CVE-2026-6784
https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/#CVE-2026-6785
https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/#CVE-2026-6786
When you look at these rollups they say that "Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code."
With no way of knowing how many vulnerabilities were truly severe and exploitable, I think Mozilla, like others gushing ab out LLM-assisted vuln finding, is denying us the data to assess the true value of Mythos.
##updated 2026-04-21T20:16:10
1 posts
🚩 CRITICAL: CVE-2026-41197 in noir-lang noir (<1.0.0-beta.19). Incorrect buffer allocation for nested arrays can corrupt Brillig VM heap. Memory safety risk! Upgrade to 1.0.0-beta.19+ ASAP. https://radar.offseq.com/threat/cve-2026-41197-cwe-131-incorrect-calculation-of-bu-282b810c #OffSeq #NoirLang #CVE202641197 #AppSec
##updated 2026-04-21T18:32:04
4 posts
CrowdStrike Patches Critical Path Traversal Vulnerability in LogScale
CrowdStrike patched a critical unauthenticated path traversal vulnerability (CVE-2026-40050) in LogScale that allows remote attackers to read arbitrary files from self-hosted server filesystems.
**If you use self-hosted LogScale, plan a quick update to a patched version ASAP. Always keep your cluster API endpoints behind a firewall or VPN to limit exposure to attackers.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/crowdstrike-patches-critical-path-traversal-vulnerability-in-logscale-b-w-e-5-i/gD2P6Ple2L
CrowdStrike Patches Critical Path Traversal Vulnerability in LogScale
CrowdStrike patched a critical unauthenticated path traversal vulnerability (CVE-2026-40050) in LogScale that allows remote attackers to read arbitrary files from self-hosted server filesystems.
**If you use self-hosted LogScale, plan a quick update to a patched version ASAP. Always keep your cluster API endpoints behind a firewall or VPN to limit exposure to attackers.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/crowdstrike-patches-critical-path-traversal-vulnerability-in-logscale-b-w-e-5-i/gD2P6Ple2L
🛡️ CrowdStrike LogScale CRITICAL vuln (CVE-2026-40050): unauth path traversal — remote file read risk for self-hosted users. Tenable Nessus for Windows: HIGH vuln (CVE-2026-33694), file deletion & privilege escalation. Patch ASAP! https://radar.offseq.com/threat/vulnerabilities-patched-in-crowdstrike-tenable-pro-da7dee84 #OffSeq #Vuln #CrowdStrike #Tenable
##@reverseics I went to the Crowdstrike site to see if there was a new advisory and found this instead. Obviously better than any advisory. Even a ../ in CVE-2026-40050.
##updated 2026-04-21T15:33:24
2 posts
Cohere Terrarium (CVE-2026-5752) and OpenAI Codex CLI (CVE-2025-59532): a cross-CVE analysis of AI code sandbox escapes https://blog.barrack.ai/pyodide-sandbox-escape-cohere-terrarium-openai-codex/
##Projekt Terrarium, który miał uruchamiać kod generowany przez modele AI w bezpiecznej piaskownicy, okazał się śmiertelną pułapką. Luka CVE-2026-5752 pozwala napastnikom na przejęcie pełnej kontroli nad systemem, a najgorsze jest to, że projekt nie jest już rozwijany.
#si #ai #sztucznainteligencja #wiadomości #informacje #technologia
##updated 2026-04-21T15:04:13
6 posts
LMDeploy AI Inference Engine Exploited Hours After SSRF Disclosure
LMDeploy's vision-language module contains a high-severity SSRF vulnerability (CVE-2026-33626) that attackers exploited within 13 hours to scan internal networks and target cloud metadata. The flaw allows unauthenticated users to bypass network restrictions by providing malicious image URLs to the inference server.
**If you're running LMDeploy, immediately update to version 0.12.3 or later to patch the SSRF vulnerability (CVE-2026-33626). Also, enforce IMDSv2 with required session tokens on your cloud instances and restrict outbound network traffic from inference servers to block credential theft and internal scanning.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/lmdeploy-ai-inference-engine-exploited-hours-after-ssrf-disclosure-i-a-y-c-t/gD2P6Ple2L
Exploit su LMDeploy CVE-2026-33626: attacco SSRF immediato dopo disclosure https://deafnews.it/article/exploit-su-lmdeploy-cve-2026-33626-attacco-ssrf-immediato-dopo-disclosure
##LMDeploy AI Inference Engine Exploited Hours After SSRF Disclosure
LMDeploy's vision-language module contains a high-severity SSRF vulnerability (CVE-2026-33626) that attackers exploited within 13 hours to scan internal networks and target cloud metadata. The flaw allows unauthenticated users to bypass network restrictions by providing malicious image URLs to the inference server.
**If you're running LMDeploy, immediately update to version 0.12.3 or later to patch the SSRF vulnerability (CVE-2026-33626). Also, enforce IMDSv2 with required session tokens on your cloud instances and restrict outbound network traffic from inference servers to block credential theft and internal scanning.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/lmdeploy-ai-inference-engine-exploited-hours-after-ssrf-disclosure-i-a-y-c-t/gD2P6Ple2L
Exploit su LMDeploy CVE-2026-33626: attacco SSRF immediato dopo disclosure https://deafnews.it/article/exploit-su-lmdeploy-cve-2026-33626-attacco-ssrf-immediato-dopo-disclosure
##An SSRF bug in an LLM deployment server got exploited 12 hours after it was patched
##updated 2026-04-21T13:00:03.373000
1 posts
Zimbra Servers Still Exposed as APT28 and APT29 Exploit Critical XSS Flaw While AI Reshapes Global Cybersecurity Response
Introduction A major cybersecurity warning has emerged involving thousands of exposed Zimbra email servers still vulnerable to a critical cross site scripting flaw tracked as CVE-2025-48700. Security agencies confirm that advanced persistent threat groups, including APT28 and APT29, have already exploited the weakness in real world phishing…
##updated 2026-04-16T22:38:44
2 posts
🟠 CVE-2026-40897 - High (8.8)
Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40897/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-40897 - High (8.8)
Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40897/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-16T19:59:38.107000
2 posts
9 repos
https://github.com/xshysjhq/CVE-2026-34197-payload-Apache-ActiveMQ-
https://github.com/Catherines77/ActiveMQ-EXPtools
https://github.com/keraattin/CVE-2026-34197
https://github.com/0xBlackash/CVE-2026-34197
https://github.com/DEVSECURITYSPRO/CVE-2026-34197
https://github.com/KONDORDEVSECURITYCORP/CVE-2026-34197
https://github.com/dinosn/CVE-2026-34197
https://github.com/hg0434hongzh0/CVE-2026-34197
https://github.com/AtoposX-J/CVE-2026-34197-Apache-ActiveMQ-RCE
🟠 CVE-2026-40466 - High (8.8)
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.
An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a conne...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40466/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-40466 - High (8.8)
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.
An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a conne...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40466/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-15T21:17:56
1 posts
🟠 CVE-2026-40882 - High (7.6)
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML e...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40882/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-04-14T18:30:55
1 posts
1 repos
🖲️ #Noticia de #CiberSeguridad #CiberGuerra #CiberAtaque #CiberNoticia
⚫ Más de 1.300 servidores SharePoint expuestos a la vulnerabilidad CVE-2026-32201 de abril
🔗 http://blog.segu-info.com.ar/2026/04/mas-de-1300-servidores-sharepoint.html
Más de 1.370 servidores SharePoint con acceso a Internet siguen sin parchearse
contra la vulnerabilidad CVE-2026-32201, una falla de suplantación de
identidad que, según Microsoft, fue explotada como una vulnerabilidad de día
cero.
"Una
##updated 2026-04-14T18:30:52
1 posts
2 repos
CVE-2026-33824: Remote Code Execution in Windows IKEv2 - the folks from TrendAI Research break down this wormable bug that was patched last week. The show root cause & offer detection guidance. Read the details as https://www.zerodayinitiative.com/blog/2026/4/22/cve-2026-33824-remote-code-execution-in-windows-ikev2
##updated 2026-04-13T21:23:27
1 posts
5 repos
https://github.com/eduardorossi84/CVE-2026-34621-POC
https://github.com/ercihan/CVE-2026-34621
https://github.com/NULL200OK/cve_2026_34621_advanced
https://github.com/KeulenR01/Remediate-AdobeAcrobat-CVE-2026-34621
CVE-2026-34621: Adobe Acrobat Reader zero-day was on VirusTotal for 136 days before Adobe named it a CVE https://nefariousplan.com/posts/adobe-acrobat-cve-2026-34621-detection-lie
##updated 2026-04-09T19:06:18
2 posts
5 repos
https://github.com/mki9/CVE-2026-39987_exploit
https://github.com/keraattin/CVE-2026-39987
https://github.com/Nxploited/CVE-2026-39987
🚨 [CISA-2026:0423] CISA Adds One Known Exploited Vulnerability to Catalog (https://secdb.nttzen.cloud/security-advisory/detail/CISA-2026:0423)
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.
⚠️ CVE-2026-39987 (https://secdb.nttzen.cloud/cve/detail/CVE-2026-39987)
- Name: Marimo Remote Code Execution Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: Marimo
- Product: Marimo
- Notes: https://github.com/marimo-team/marimo/security/advisories/GHSA-2679-6mx9-h9xc ; https://nvd.nist.gov/vuln/detail/CVE-2026-39987
#SecDB #InfoSec #CVE #CISA_KEV #cisa_20260423 #cisa20260423 #cve_2026_39987 #cve202639987
##CVE ID: CVE-2026-39987
Vendor: Marimo
Product: Marimo
Date Added: 2026-04-23
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2026-39987
updated 2026-03-19T19:16:19.230000
1 posts
6 repos
https://github.com/materaj2/cve-2025-15467
https://github.com/balgan/CVE-2025-15467
https://github.com/WostGit/cve-2025-15467-crash
https://github.com/mr-r3b00t/CVE-2025-15467
#OT #Advisory VDE-2026-029
METTLER TOLEDO: OpenSSL vulnerability in MX and MR balances
MX/MR firmware V2.0.0 or earlier is affected by the OpenSSL vulnerability CVE-2025-15467.
#CVE CVE-2025-15467
https://certvde.com/en/advisories/vde-2026-029/
#oCSAF
#CSAF https://mettler-toledo.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-029.json
updated 2026-03-10T18:43:20
1 posts
🚨 EUVD-2026-25626
📊 Score: 7.1/10 (CVSS v3.1)
📦 Product: SiYuan
🏢 Vendor: siyuan-note
📅 Updated: 2026-04-24
📝 SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, the fix for CVE-2026-30869 only added a denylist check (IsSensitivePath) but did not address the root cause — a redundant url.PathUnescape() call in serveExport(). An authentic...
🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-25626
##updated 2026-03-06T15:31:37
1 posts
#OT #Advisory VDE-2026-019
Pilz: Vulnerability affecting PASvisu Runtime
The PASvisu Runtime is affected by a vulnerability in a third-party component which can be exploited by malicious web requests.
#CVE CVE-2018-25193
https://certvde.com/en/advisories/vde-2026-019/
#CSAF https://pilz.csaf-tp.certvde.com/.well-known/csaf/white/2026/ppsa-2026-002.json
##updated 2026-02-27T15:47:29
2 posts
1 repos
https://github.com/Anon-Cyber-Team/CVE-2026-27966--RCE-in-Langflow
The latest Metasploit Weekly Wrapup is here! Highlights include a new RCE exploit for Langflow (CVE-2026-27966), improved check method visibility with detailed reasoning, and updates for legacy SMB targets. Plus 3 other new modules!
Read more: https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-04-25-2026/
##The latest Metasploit Weekly Wrapup is here! Highlights include a new RCE exploit for Langflow (CVE-2026-27966), improved check method visibility with detailed reasoning, and updates for legacy SMB targets. Plus 3 other new modules!
Read more: https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-04-25-2026/
##updated 2026-01-29T03:31:32
1 posts
🟠 CVE-2026-41068 - High (7.7)
Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating the `URLPath` field. However, the ConfigMap conte...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41068/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2025-10-31T21:56:55.430000
1 posts
12 repos
https://github.com/seajaysec/Ivanti-Connect-Around-Scan
https://github.com/gobysec/Goby
https://github.com/raminkarimkhani1996/CVE-2023-46805_CVE-2024-21887
https://github.com/oways/ivanti-CVE-2024-21887
https://github.com/Hexastrike/Ivanti-Connect-Secure-Logs-Parser
https://github.com/pwniel/ivanti_shell
https://github.com/rxwx/pulse-meter
https://github.com/duy-31/CVE-2023-46805_CVE-2024-21887
https://github.com/gobysec/GobyVuls
https://github.com/yoryio/CVE-2023-46805
https://github.com/Chocapikk/CVE-2024-21893-to-CVE-2024-21887
CVE-2023-46805 is actively exploited in Ivanti Connect Secure and Policy Secure gateways. When chained with CVE-2024-21887, attackers gain unauthenticated RCE and full VPN appliance compromise, posing critical enterprise perimeter risk.
Read the full threat brief:
https://thecybermind.co/i1n8
updated 2025-10-22T00:34:00
1 posts
9 repos
https://github.com/seajaysec/Ivanti-Connect-Around-Scan
https://github.com/Chocapikk/CVE-2023-46805
https://github.com/raminkarimkhani1996/CVE-2023-46805_CVE-2024-21887
https://github.com/w2xim3/CVE-2023-46805
https://github.com/Hexastrike/Ivanti-Connect-Secure-Logs-Parser
https://github.com/rxwx/pulse-meter
https://github.com/duy-31/CVE-2023-46805_CVE-2024-21887
CVE-2023-46805 is actively exploited in Ivanti Connect Secure and Policy Secure gateways. When chained with CVE-2024-21887, attackers gain unauthenticated RCE and full VPN appliance compromise, posing critical enterprise perimeter risk.
Read the full threat brief:
https://thecybermind.co/i1n8
updated 2025-09-22T22:00:37
1 posts
1 repos
Cohere Terrarium (CVE-2026-5752) and OpenAI Codex CLI (CVE-2025-59532): a cross-CVE analysis of AI code sandbox escapes https://blog.barrack.ai/pyodide-sandbox-escape-cohere-terrarium-openai-codex/
##updated 2024-02-03T05:06:20
2 posts
Broadcom has a new advisory for a critical vulnerability:
Common Components and Services for z/OS 15.0 Vulnerability in CCS Apache Tomcat https://support.broadcom.com/web/ecx/security-advisory #Broadcom #Apache
CISA has updated the KEV catalogue:
- CVE-2024-57726: SimpleHelp Missing Authorization Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-57726
- CVE-2024-57728: SimpleHelp Path Traversal Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-57728
- CVE-2024-7399: Samsung MagicINFO 9 Server Path Traversal Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-7399
- CVE-2025-29635: D-Link DIR-823X Command Injection Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-29635 #CISA #Samsung #DLink
Cisco has two advisories for high-severity vulnerabilities:
- CVE-2023-20185: Cisco ACI Multi-Site CloudSec Encryption Information Disclosure Vulnerability https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-cloudsec-enc-Vs5Wn2sX
- Informational, updated today: Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03 @TalosSecurity #Cisco #infosec #vulnerability
##Broadcom has a new advisory for a critical vulnerability:
Common Components and Services for z/OS 15.0 Vulnerability in CCS Apache Tomcat https://support.broadcom.com/web/ecx/security-advisory #Broadcom #Apache
CISA has updated the KEV catalogue:
- CVE-2024-57726: SimpleHelp Missing Authorization Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-57726
- CVE-2024-57728: SimpleHelp Path Traversal Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-57728
- CVE-2024-7399: Samsung MagicINFO 9 Server Path Traversal Vulnerability https://www.cve.org/CVERecord?id=CVE-2024-7399
- CVE-2025-29635: D-Link DIR-823X Command Injection Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-29635 #CISA #Samsung #DLink
Cisco has two advisories for high-severity vulnerabilities:
- CVE-2023-20185: Cisco ACI Multi-Site CloudSec Encryption Information Disclosure Vulnerability https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-cloudsec-enc-Vs5Wn2sX
- Informational, updated today: Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03 @TalosSecurity #Cisco #infosec #vulnerability
##🚨 CRITICAL: CVE-2026-41248 affects clerk astro, nextjs, nuxt — lets attackers bypass middleware in affected JS libs. Update to fixed versions ASAP to prevent unauthorized access. Patches available now. https://radar.offseq.com/threat/cve-2026-41248-cwe-436-interpretation-conflict-in--1e1431c1 #OffSeq #Vulnerability #ClerkJS
##🔴 CVE-2026-41248 - Critical (9.1)
Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach down...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41248/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🚨 CRITICAL: CVE-2026-41248 affects clerk astro, nextjs, nuxt — lets attackers bypass middleware in affected JS libs. Update to fixed versions ASAP to prevent unauthorized access. Patches available now. https://radar.offseq.com/threat/cve-2026-41248-cwe-436-interpretation-conflict-in--1e1431c1 #OffSeq #Vulnerability #ClerkJS
##🔴 CVE-2026-41248 - Critical (9.1)
Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach down...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41248/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##📢 CVE-2026-34078 : Sandbox escape dans Flatpak via injection de chemins non fiables
📝 ## 🗓️ Contexte
Article publié le 23 avril 2026 par Sebastian Wick (mainteneur de Flatpak) sur son blog personnel.
📖 cyberveille : https://cyberveille.ch/posts/2026-04-24-cve-2026-34078-sandbox-escape-dans-flatpak-via-injection-de-chemins-non-fiables/
🌐 source : https://blog.sebastianwick.net/posts/how-hard-is-it-to-open-a-file/
#CVE_2026_34078 #Flatpak #Cyberveille
8 posts
5 repos
https://github.com/CipherCloak/CVE-2026-41651
https://github.com/0xBlackash/CVE-2026-41651
https://github.com/dinosn/pack2theroot-lab
🚨 CVE-2026-41651 (Pack2TheRoot)
PackageKit vulnerable to TOCTOU Race on Transaction Flags leads to arbitrary package installation as root
PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5.
ℹ️ Additional info on ZEN SecDB https://secdb.nttzen.cloud/cve/detail/CVE-2026-41651
#nttdata #zen #secdb #infosec
#pack2theroot #cve2026411651 #packagekit #toctou
Pack2TheRoot (CVE-2026-41651): Cross-Distro Local Privilege Escalation Vulnerability
https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html
Read on HackerWorkspace: https://hackerworkspace.com/article/pack2theroot-cve-2026-41651-cross-distro-local-privilege-escalation-vulnerability
##🚨 CVE-2026-41651 (Pack2TheRoot)
PackageKit vulnerable to TOCTOU Race on Transaction Flags leads to arbitrary package installation as root
PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5.
ℹ️ Additional info on ZEN SecDB https://secdb.nttzen.cloud/cve/detail/CVE-2026-41651
#nttdata #zen #secdb #infosec
#pack2theroot #cve2026411651 #packagekit #toctou
Pack2TheRoot (CVE-2026-41651): Cross-Distro Local Privilege Escalation Vulnerability
https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html
Read on HackerWorkspace: https://hackerworkspace.com/article/pack2theroot-cve-2026-41651-cross-distro-local-privilege-escalation-vulnerability
##Here's a harmless little #PoC for the #PackageKit LPE vulnerability (CVE-2026-41651), by @br3zel and myself: https://codeberg.org/hillu/cve-2026-41651-poc
It was a lot of fun to piece together.
📢 CVE-2026-41651 : Élévation de privilèges locale cross-distro via PackageKit (Pack2TheRoot)
📝 ## 🔍 Contexte
Publié le 22 avril 2026 par l'équipe Red Team de Deutsche Telekom sur leur blog séc...
📖 cyberveille : https://cyberveille.ch/posts/2026-04-23-cve-2026-41651-elevation-de-privileges-locale-cross-distro-via-packagekit-pack2theroot/
🌐 source : https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html
#CVE_2026_41651 #IOC #Cyberveille
Pack2TheRoot (CVE-2026-41651): Cross-Distro Local Privilege Escalation Vulnerability https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html
##🟠 CVE-2026-41429 - High (8.8)
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, there is a remotely reachable memory corruption issue in the NBNS packet handling path. When NetBIOS is enabled b...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41429/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41429 - High (8.8)
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, there is a remotely reachable memory corruption issue in the NBNS packet handling path. When NetBIOS is enabled b...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41429/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41477 - High (7.8)
Deskflow is a keyboard and mouse sharing app. In 1.20.0, 1.26.0.134, and earlier, Deskflow daemon runs as SYSTEM and exposes an IPC named pipe with WorldAccessOption enabled. The daemon processes privileged commands without authentication, allowi...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41477/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41477 - High (7.8)
Deskflow is a keyboard and mouse sharing app. In 1.20.0, 1.26.0.134, and earlier, Deskflow daemon runs as SYSTEM and exposes an IPC named pipe with WorldAccessOption enabled. The daemon processes privileged commands without authentication, allowi...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41477/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-33662 - High (7.5)
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. From 3.8.0 to 4.10, in the function emsa_pkcs1_v1_5_encode() in core/drivers/crypto/c...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33662/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-33662 - High (7.5)
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. From 3.8.0 to 4.10, in the function emsa_pkcs1_v1_5_encode() in core/drivers/crypto/c...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33662/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-33662 - High (7.5)
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. From 3.8.0 to 4.10, in the function emsa_pkcs1_v1_5_encode() in core/drivers/crypto/c...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33662/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-33662 - High (7.5)
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. From 3.8.0 to 4.10, in the function emsa_pkcs1_v1_5_encode() in core/drivers/crypto/c...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33662/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-33666 - High (7.5)
Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes() / readString(), the setBitPosition() bounds check receives the overflowed value and is comp...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33666/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-33666 - High (7.5)
Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes() / readString(), the setBitPosition() bounds check receives the overflowed value and is comp...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33666/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-33666 - High (7.5)
Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes() / readString(), the setBitPosition() bounds check receives the overflowed value and is comp...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33666/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-33666 - High (7.5)
Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes() / readString(), the setBitPosition() bounds check receives the overflowed value and is comp...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33666/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41421 - High (8.8)
SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, SiYuan desktop renders notification messages as raw HTML inside an Electron renderer. The notification route POST /api/notification/pushMsg accepts a user-controlled ms...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41421/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41421 - High (8.8)
SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, SiYuan desktop renders notification messages as raw HTML inside an Electron renderer. The notification route POST /api/notification/pushMsg accepts a user-controlled ms...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41421/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41421 - High (8.8)
SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, SiYuan desktop renders notification messages as raw HTML inside an Electron renderer. The notification route POST /api/notification/pushMsg accepts a user-controlled ms...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41421/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41421 - High (8.8)
SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, SiYuan desktop renders notification messages as raw HTML inside an Electron renderer. The notification route POST /api/notification/pushMsg accepts a user-controlled ms...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41421/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-6911 - Critical (9.8)
Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across te...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-6911/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##Issue with AWS Ops Wheel (CVE-2026-6911 and CVE-2026-6912
Bulletin ID: 2026-018-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/24 09:15 AM PDT
Description:
AWS Ops Wheel is an open-source tool that helps teams make random selections using a virtua...
https://aws.amazon.com/security/security-bulletins/rss/2026-018-aws/
##🔴 CVE-2026-6911 - Critical (9.8)
Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across te...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-6911/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##Issue with AWS Ops Wheel (CVE-2026-6911 and CVE-2026-6912
Bulletin ID: 2026-018-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/24 09:15 AM PDT
Description:
AWS Ops Wheel is an open-source tool that helps teams make random selections using a virtua...
https://aws.amazon.com/security/security-bulletins/rss/2026-018-aws/
##🟠 CVE-2026-41419 - High (7.6)
4ga Boards is a boards system for realtime project management. Prior to 3.3.5, a path traversal vulnerability allows an authenticated user with board import privileges to make the server ingest arbitrary host files as board attachments during BOAR...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41419/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41419 - High (7.6)
4ga Boards is a boards system for realtime project management. Prior to 3.3.5, a path traversal vulnerability allows an authenticated user with board import privileges to make the server ingest arbitrary host files as board attachments during BOAR...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41419/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41309 - High (8.2)
Open Source Social Network (OSSN) is open-source social networking software developed in PHP. Versions prior to 9.0 are vulnerable to resource exhaustion. An attacker can upload a specially crafted image with extreme pixel dimensions (e.g., $10000...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41309/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41564 - High (7.5)
CryptX versions before 0.088 for Perl do not reseed the Crypt::PK PRNG state after forking.
The Crypt::PK::RSA, Crypt::PK::DSA, Crypt::PK::DH, Crypt::PK::ECC, Crypt::PK::Ed25519 and Crypt::PK::X25519 modules seed a per-object PRNG state in their ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41564/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-41564 - High (7.5)
CryptX versions before 0.088 for Perl do not reseed the Crypt::PK PRNG state after forking.
The Crypt::PK::RSA, Crypt::PK::DSA, Crypt::PK::DH, Crypt::PK::ECC, Crypt::PK::Ed25519 and Crypt::PK::X25519 modules seed a per-object PRNG state in their ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41564/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-41196: luanti 5.0.0 – 5.15.1 has a CRITICAL code injection vuln (CVSS 9.0). Malicious mods can break Lua sandbox with LuaJIT, gaining full filesystem access. Patch: upgrade to 5.15.2 or mitigate via getfenv = nil. https://radar.offseq.com/threat/cve-2026-41196-cwe-94-improper-control-of-generati-70ec6155 #OffSeq #CVE202641196 #vuln
##We released the #XLibre Xserver 25.0.0.22 and 25.1.4 on Apr 21 containing #security fixes for CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, and CVE-2026-34003 of the X.Org Server. We recommend everyone update ASAP. #CVE https://github.com/X11Libre/xserver/releases/tag/xlibre-xserver-25.1.4
##We released the #XLibre Xserver 25.0.0.22 and 25.1.4 on Apr 21 containing #security fixes for CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, and CVE-2026-34003 of the X.Org Server. We recommend everyone update ASAP. #CVE https://github.com/X11Libre/xserver/releases/tag/xlibre-xserver-25.1.4
##I just asked Mozilla about this. Someone responded that internally found bugs like the 271 go into “roll-up” advisories with, each rollup providing a link to the bug list covered.
The 3 rollups are:
https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/#CVE-2026-6784
https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/#CVE-2026-6785
https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/#CVE-2026-6786
When you look at these rollups they say that "Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code."
With no way of knowing how many vulnerabilities were truly severe and exploitable, I think Mozilla, like others gushing ab out LLM-assisted vuln finding, is denying us the data to assess the true value of Mythos.
##I just asked Mozilla about this. Someone responded that internally found bugs like the 271 go into “roll-up” advisories with, each rollup providing a link to the bug list covered.
The 3 rollups are:
https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/#CVE-2026-6784
https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/#CVE-2026-6785
https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/#CVE-2026-6786
When you look at these rollups they say that "Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code."
With no way of knowing how many vulnerabilities were truly severe and exploitable, I think Mozilla, like others gushing ab out LLM-assisted vuln finding, is denying us the data to assess the true value of Mythos.
##🚨 CRITICAL: CyferShepard Jellystat <1.1.10 vulnerable to SQL injection (CVE-2026-41167). Auth’d users can read any DB table & execute commands on the PostgreSQL host. Upgrade to 1.1.10 ASAP! https://radar.offseq.com/threat/cve-2026-41167-cwe-89-improper-neutralization-of-s-51b08aed #OffSeq #Jellystat #SQLi #Infosec
##🔴 CVE-2026-41167 - Critical (9.1)
Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user c...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41167/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##1 posts
1 repos
https://github.com/JivaSecurity/ESPOCRM-RCE-POC-CVE-2026-33656
🔴 CVE-2026-33656 - Critical (9.1)
EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an authenticated admin to overwrite the `sourceId` fi...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33656/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##