##
Updated at UTC 2026-03-20T17:32:31.090920
| CVE | CVSS | EPSS | Posts | Repos | Nuclei | Updated | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-54068 | 9.8 | 15.97% | 4 | 5 | template | 2026-03-20T16:16:16.323000 | Livewire is a full-stack framework for Laravel. In Livewire v3 up to and includi |
| CVE-2025-43520 | 7.1 | 0.02% | 6 | 0 | | 2026-03-20T16:16:15.983000 | A memory corruption issue was addressed with improved memory handling. This issu |
| CVE-2025-43510 | 7.8 | 0.02% | 4 | 0 | | 2026-03-20T16:16:15.743000 | A memory corruption issue was addressed with improved lock state checking. This |
| CVE-2025-32432 | 10.0 | 79.02% | 4 | 4 | template | 2026-03-20T16:16:15.567000 | Craft is a flexible, user-friendly CMS for creating custom digital experiences o |
| CVE-2025-31277 | 8.8 | 0.13% | 4 | 0 | | 2026-03-20T16:16:15.327000 | The issue was addressed with improved memory handling. This issue is fixed in Sa |
| CVE-2026-22732 | 9.1 | 0.03% | 4 | 0 | | 2026-03-20T15:32:13 | When applications specify HTTP response headers for servlet applications using S |
| CVE-2026-21992 | 9.8 | 0.04% | 2 | 1 | | 2026-03-20T15:16:15.317000 | Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware |
| CVE-2025-69783 | 7.8 | 0.01% | 1 | 0 | | 2026-03-20T13:55:32.240000 | A local attacker can bypass OpenEDR's 2.5.1.0 self-defense mechanism by renaming |
| CVE-2026-22557 | 10.0 | 0.05% | 9 | 0 | | 2026-03-20T13:39:46.493000 | A malicious actor with access to the network could exploit a Path Traversal vuln |
| CVE-2026-32013 | 8.8 | 0.06% | 2 | 0 | | 2026-03-20T13:39:46.493000 | OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability i |
| CVE-2026-32038 | 9.8 | 0.04% | 2 | 0 | | 2026-03-20T13:39:46.493000 | OpenClaw before 2026.2.24 contains a sandbox network isolation bypass vulnerabil |
| CVE-2026-23659 | 8.6 | 0.11% | 1 | 0 | | 2026-03-20T13:39:46.493000 | Exposure of sensitive information to an unauthorized actor in Azure Data Factory |
| CVE-2026-26139 | 8.6 | 0.08% | 1 | 0 | | 2026-03-20T13:39:46.493000 | Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized a |
| CVE-2026-30836 | 10.0 | 0.01% | 1 | 0 | | 2026-03-20T13:39:46.493000 | Step CA is an online certificate authority for secure, automated certificate man |
| CVE-2026-32749 | 7.6 | 0.04% | 1 | 0 | | 2026-03-20T13:39:46.493000 | SiYuan is a personal knowledge management system. In versions 3.6.0 and below, P |
| CVE-2026-30402 | 9.8 | 0.29% | 1 | 0 | | 2026-03-20T13:39:46.493000 | An issue in wgcloud v.2.3.7 and before allows a remote attacker to execute arbit |
| CVE-2026-32865 | 9.8 | 0.04% | 1 | 0 | | 2026-03-20T13:39:46.493000 | OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verificat |
| CVE-2026-4342 | 8.8 | 0.04% | 2 | 1 | | 2026-03-20T13:37:50.737000 | A security issue was discovered in ingress-nginx where a combination of Ingress |
| CVE-2026-4478 | 8.1 | 0.01% | 2 | 0 | | 2026-03-20T09:32:16 | A vulnerability was identified in Yi Technology YI Home Camera 2 2.1.1_201710241 |
| CVE-2026-4038 | 9.8 | 0.06% | 2 | 0 | | 2026-03-20T06:31:39 | The Aimogen Pro plugin for WordPress is vulnerable to Arbitrary Function Call th |
| CVE-2026-32985 | 9.8 | 0.37% | 2 | 0 | | 2026-03-20T00:31:34 | Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbit |
| CVE-2026-22731 | 8.2 | 0.04% | 2 | 0 | | 2026-03-20T00:31:34 | Spring Boot applications with Actuator can be vulnerable to an "Authentication B |
| CVE-2026-32194 | 9.8 | 0.10% | 2 | 0 | | 2026-03-20T00:31:34 | Improper neutralization of special elements used in a command ('command injectio |
| CVE-2026-32025 | None | 0.05% | 2 | 0 | | 2026-03-19T22:25:31 | This issue is a browser-origin WebSocket auth chain on local loopback deployment |
| CVE-2026-32014 | 8.0 | 0.02% | 2 | 0 | | 2026-03-19T22:21:10 | ## Summary A paired node device could reconnect with spoofed `platform`/`device |
| CVE-2026-32011 | None | 0.04% | 2 | 0 | | 2026-03-19T22:20:31 | ## Impact OpenClaw webhook handlers for BlueBubbles and Google Chat accepted an |
| CVE-2026-32191 | 9.8 | 0.10% | 2 | 0 | | 2026-03-19T21:30:31 | Improper neutralization of special elements used in an os command ('os command i |
| CVE-2026-32169 | 10.0 | 0.09% | 2 | 0 | | 2026-03-19T21:30:31 | Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized a |
| CVE-2026-23658 | 8.6 | 0.08% | 1 | 0 | | 2026-03-19T21:30:31 | Insufficiently protected credentials in Azure DevOps allows an unauthorized atta |
| CVE-2026-26138 | 8.6 | 0.08% | 1 | 0 | | 2026-03-19T21:30:31 | Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized a |
| CVE-2026-26137 | 8.9 | 0.07% | 1 | 0 | | 2026-03-19T21:30:31 | Server-side request forgery (ssrf) in Microsoft 365 Copilot's Business Chat allo |
| CVE-2026-3547 | 7.5 | 0.04% | 1 | 0 | | 2026-03-19T21:30:31 | Out-of-bounds read in ALPN parsing due to incomplete validation. wolfSSL 5.8.4 a |
| CVE-2026-32886 | None | 0.05% | 1 | 0 | | 2026-03-19T21:12:42 | ### Impact Remote clients can crash the Parse Server process by calling a cloud |
| CVE-2026-32728 | None | 0.03% | 1 | 0 | | 2026-03-19T21:11:37 | ### Impact An attacker who is allowed to upload files can bypass the file exten |
| CVE-2026-32609 | 7.5 | 0.09% | 1 | 0 | | 2026-03-19T21:06:22 | ## Summary The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configu |
| CVE-2026-4427 | 7.5 | 0.07% | 1 | 0 | | 2026-03-19T19:34:30 | A flaw was found in pgproto3. A malicious or compromised PostgreSQL server can e |
| CVE-2026-29858 | 7.5 | 0.03% | 1 | 0 | | 2026-03-19T19:23:51.937000 | A lack of path validation in aaPanel v7.57.0 allows attackers to execute a local |
| CVE-2026-32703 | 9.0 | 0.03% | 3 | 0 | | 2026-03-19T19:23:00.593000 | OpenProject is an open-source, web-based project management software. In version |
| CVE-2026-31898 | 8.1 | 0.03% | 1 | 1 | | 2026-03-19T19:01:36 | ### Impact User control of arguments of the `createAnnotation` method allows us |
| CVE-2026-31891 | 7.7 | 0.03% | 1 | 1 | | 2026-03-19T19:01:19 | ### Impact This is a SQL Injection vulnerability in the MongoLite Aggregation O |
| CVE-2026-31973 | 7.5 | 0.01% | 1 | 0 | | 2026-03-19T18:48:10.830000 | SAMtools is a program for reading, manipulating and writing bioinformatics file |
| CVE-2006-10003 | 9.8 | 0.07% | 1 | 0 | | 2026-03-19T18:32:22 | XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflo |
| CVE-2006-10002 | 9.8 | 0.06% | 1 | 0 | | 2026-03-19T18:31:18 | XML::Parser versions through 2.47 for Perl could overflow the pre-allocated buff |
| CVE-2026-27979 | None | 0.04% | 1 | 0 | | 2026-03-19T18:31:03 | ## Summary A request containing the `next-resume: 1` header (corresponding with |
| CVE-2026-27811 | 8.8 | 0.78% | 1 | 0 | | 2026-03-19T18:00:58.453000 | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived se |
| CVE-2026-32693 | 8.8 | 0.05% | 1 | 0 | | 2026-03-19T17:43:39 | ### Summary Grantee is able to update secret content using the `secret-set` too |
| CVE-2026-32692 | 7.6 | 0.03% | 1 | 0 | | 2026-03-19T17:32:28 | An authorization bypass vulnerability in the Vault secrets back-end implementati |
| CVE-2026-31968 | 8.1 | 0.01% | 1 | 0 | | 2026-03-19T17:31:24.010000 | HTSlib is a library for reading and writing bioinformatics file formats. CRAM is |
| CVE-2026-32878 | 7.5 | 0.03% | 1 | 0 | | 2026-03-19T17:28:32.513000 | Parse Server is an open source backend that can be deployed to any infrastructur |
| CVE-2026-20643 | 5.4 | 0.03% | 2 | 2 | | 2026-03-19T17:16:22.350000 | A cross-origin issue in the Navigation API was addressed with improved input val |
| CVE-2026-20131 | 10.0 | 5.60% | 10 | 3 | | 2026-03-19T17:09:34.303000 | A vulnerability in the web-based management interface of Cisco Secure Firewall M |
| CVE-2026-32944 | 7.5 | 0.04% | 1 | 0 | | 2026-03-19T16:46:28.467000 | Parse Server is an open source backend that can be deployed to any infrastructur |
| CVE-2025-58112 | 8.8 | 0.07% | 2 | 0 | | 2026-03-19T15:32:24 | Microsoft Dynamics 365 Customer Engagement (on-premises) 1612 (9.0.2.3034) allow |
| CVE-2026-29856 | 7.5 | 0.04% | 2 | 0 | | 2026-03-19T15:32:23 | An issue in the VirtualHost configuration handling/parser component of aaPanel v |
| CVE-2026-29859 | 9.8 | 0.07% | 1 | 0 | | 2026-03-19T15:32:23 | An arbitrary file upload vulnerability in aaPanel v7.57.0 allows attackers to ex |
| CVE-2026-22558 | 7.7 | 0.03% | 1 | 0 | | 2026-03-19T15:31:27 | An Authenticated NoSQL Injection vulnerability found in UniFi Network Applicatio |
| CVE-2026-4424 | 7.5 | 0.14% | 1 | 0 | | 2026-03-19T15:31:27 | A flaw was found in libarchive. This heap out-of-bounds read vulnerability exist |
| CVE-2025-71260 | 8.8 | 0.36% | 1 | 1 | | 2026-03-19T15:31:27 | BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserializa |
| CVE-2026-30704 | 9.1 | 0.04% | 2 | 0 | | 2026-03-19T15:16:26.580000 | The WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) exposes an unprotecte |
| CVE-2025-15031 | 8.1 | 0.03% | 1 | 0 | | 2026-03-19T15:16:18.053000 | A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file |
| CVE-2026-22171 | 8.2 | 0.04% | 1 | 0 | | 2026-03-19T14:52:49.680000 | OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in t |
| CVE-2026-31963 | 8.1 | 0.04% | 1 | 0 | | 2026-03-19T14:50:54.513000 | HTSlib is a library for reading and writing bioinformatics file formats. CRAM is |
| CVE-2026-32746 | 9.8 | 0.05% | 11 | 4 | | 2026-03-19T14:16:15.103000 | telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMO |
| CVE-2026-3658 | 7.5 | 0.07% | 1 | 0 | | 2026-03-19T13:25:00.570000 | The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin p |
| CVE-2026-27067 | 9.1 | 0.04% | 2 | 0 | | 2026-03-19T13:25:00.570000 | Unrestricted Upload of File with Dangerous Type vulnerability in Syarif Mobile A |
| CVE-2025-60233 | 9.8 | 0.04% | 1 | 0 | | 2026-03-19T13:25:00.570000 | Deserialization of Untrusted Data vulnerability in Themeton Zuut allows Object I |
| CVE-2026-25312 | 7.5 | 0.03% | 1 | 0 | | 2026-03-19T13:25:00.570000 | Missing Authorization vulnerability in EventPrime allows Exploiting Incorrectly |
| CVE-2026-27540 | 9.0 | 0.04% | 3 | 1 | | 2026-03-19T13:25:00.570000 | Unrestricted Upload of File with Dangerous Type vulnerability in Rymera Web Co P |
| CVE-2026-27093 | 8.1 | 0.11% | 1 | 0 | | 2026-03-19T13:25:00.570000 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP |
| CVE-2026-27542 | 9.8 | 0.04% | 1 | 0 | | 2026-03-19T13:25:00.570000 | Incorrect Privilege Assignment vulnerability in Rymera Web Co Pty Ltd. Woocommer |
| CVE-2026-32731 | 9.9 | 0.06% | 3 | 1 | | 2026-03-19T13:25:00.570000 | ApostropheCMS is an open-source content management framework. Prior to version 3 |
| CVE-2026-32730 | 8.1 | 0.06% | 1 | 0 | | 2026-03-19T13:25:00.570000 | ApostropheCMS is an open-source content management framework. Prior to version 4 |
| CVE-2026-4396 | 8.3 | 0.01% | 1 | 0 | | 2026-03-19T13:25:00.570000 | Improper certificate validation in Devolutions Hub Reporting Service 2025.3.1.1 |
| CVE-2026-25873 | 9.8 | 0.13% | 1 | 0 | | 2026-03-19T13:25:00.570000 | OmniGen2-RL contains an unauthenticated remote code execution vulnerability in t |
| CVE-2026-24062 | 7.8 | 0.01% | 1 | 0 | | 2026-03-19T13:25:00.570000 | The "Privileged Helper" component of the Arturia Software Center (MacOS) does no |
| CVE-2026-27135 | 7.5 | 0.01% | 1 | 0 | | 2026-03-19T13:25:00.570000 | nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. |
| CVE-2026-2991 | 9.8 | 0.16% | 1 | 1 | | 2026-03-19T13:25:00.570000 | The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is |
| CVE-2026-1463 | 8.8 | 0.09% | 1 | 0 | | 2026-03-19T13:25:00.570000 | The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for Wor |
| CVE-2026-32610 | 8.1 | 0.03% | 1 | 0 | | 2026-03-19T13:25:00.570000 | Glances is an open-source system cross-platform monitoring tool. Prior to versio |
| CVE-2026-3511 | 8.6 | 0.04% | 1 | 0 | | 2026-03-19T12:30:41 | Improper Restriction of XML External Entity Reference vulnerability in XMLUtils. |
| CVE-2026-27065 | 9.8 | 0.11% | 3 | 0 | | 2026-03-19T09:30:25 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP |
| CVE-2026-25445 | 8.8 | 0.05% | 2 | 0 | | 2026-03-19T09:30:25 | Deserialization of Untrusted Data vulnerability in Membership Software WishList |
| CVE-2025-60237 | 9.8 | 0.04% | 1 | 0 | | 2026-03-19T09:30:25 | Deserialization of Untrusted Data vulnerability in Themeton Finag allows Object |
| CVE-2026-25443 | 7.5 | 0.04% | 1 | 0 | | 2026-03-19T09:30:25 | Missing Authorization vulnerability in Dotstore Fraud Prevention For Woocommerce |
| CVE-2026-25471 | 8.1 | 0.07% | 1 | 0 | | 2026-03-19T09:30:25 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Themep |
| CVE-2026-27413 | 9.3 | 0.03% | 3 | 0 | | 2026-03-19T06:30:33 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti |
| CVE-2026-27096 | 8.1 | 0.04% | 2 | 0 | | 2026-03-19T06:30:33 | Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Fre |
| CVE-2026-28461 | 7.5 | 0.07% | 1 | 0 | | 2026-03-19T03:31:03 | OpenClaw versions prior to 2026.3.1 contain an unbounded memory growth vulnerabi |
| CVE-2026-32634 | 8.1 | 0.02% | 1 | 0 | | 2026-03-18T21:48:54 | ## Summary In Central Browser mode, Glances stores both the Zeroconf-advertised |
| CVE-2026-32633 | 9.1 | 0.13% | 1 | 0 | | 2026-03-18T21:48:49 | ## Summary In Central Browser mode, the `/api/4/serverslist` endpoint returns r |
| CVE-2025-55040 | 8.8 | 0.02% | 1 | 0 | | 2026-03-18T21:34:01 | The import form CSRF vulnerability in MuraCMS through 10.1.10 allows attackers t |
| CVE-2026-26740 | 8.2 | 0.10% | 1 | 0 | | 2026-03-18T21:34:01 | Buffer Overflow vulnerability in giflib v.5.2.2 allows a remote attacker to caus |
| CVE-2026-20963 | 8.8 | 5.21% | 10 | 0 | | 2026-03-18T21:32:58 | Deserialization of untrusted data in Microsoft Office SharePoint allows an autho |
| CVE-2026-22730 | 8.8 | 0.04% | 1 | 1 | | 2026-03-18T20:20:40 | A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionCon |
| CVE-2026-22729 | 8.6 | 0.05% | 1 | 0 | | 2026-03-18T20:20:27 | A JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConver |
| CVE-2025-66376 | 7.2 | 28.82% | 4 | 0 | | 2026-03-18T20:13:37.087000 | Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Clas |
| CVE-2026-33155 | None | 0.00% | 1 | 0 | | 2026-03-18T20:10:09 | ### Summary The pickle unpickler `_RestrictedUnpickler` validates which classes |
| CVE-2026-27980 | 7.5 | 0.01% | 1 | 0 | | 2026-03-18T19:52:54.307000 | Next.js is a React framework for building full-stack web applications. Starting |
| CVE-2026-29056 | 8.8 | 0.13% | 1 | 0 | | 2026-03-18T19:40:48.907000 | Kanboard is project management software focused on Kanban methodology. Prior to |
| CVE-2026-29112 | 7.5 | 0.04% | 1 | 0 | | 2026-03-18T19:34:55.067000 | DiceBear is an avatar library for designers and developers. Prior to version 9.4 |
| CVE-2026-32596 | 7.5 | 2.76% | 1 | 0 | template | 2026-03-18T18:33:12.503000 | Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, |
| CVE-2026-2992 | 8.2 | 0.04% | 1 | 0 | | 2026-03-18T18:31:24 | The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is |
| CVE-2026-24063 | 8.3 | 0.01% | 1 | 0 | | 2026-03-18T18:31:16 | When a plugin is installed using the Arturia Software Center (MacOS), it also in |
| CVE-2026-25449 | 9.8 | 0.04% | 1 | 0 | | 2026-03-18T15:30:51 | Deserialization of Untrusted Data vulnerability in Shinetheme Traveler allows Ob |
| CVE-2026-30707 | 8.1 | 0.03% | 1 | 0 | | 2026-03-18T14:52:44.227000 | An issue was discovered in SpeedExam Online Examination System (SaaS) after v.FE |
| CVE-2026-30884 | 9.6 | 0.02% | 2 | 0 | | 2026-03-18T14:52:44.227000 | mdjnelson/moodle-mod_customcert is a Moodle plugin for creating dynamically gene |
| CVE-2026-30922 | 7.5 | 0.04% | 1 | 0 | | 2026-03-18T14:52:44.227000 | pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` libra |
| CVE-2026-3888 | 7.9 | 0.01% | 17 | 3 | | 2026-03-18T06:31:20 | Local privilege escalation in snapd on Linux allows local attackers to get root |
| CVE-2026-33017 | None | 0.50% | 2 | 0 | | 2026-03-17T20:05:06 | ## Summary The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows b |
| CVE-2026-28430 | 9.8 | 0.08% | 1 | 0 | | 2026-03-17T18:53:49.153000 | Chamilo LMS is a learning management system. Prior to version 1.11.34, there is |
| CVE-2026-4276 | 7.5 | 0.06% | 1 | 0 | | 2026-03-17T18:31:38 | LibreChat RAG API, version 0.7.0, contains a log-injection vulnerability that al |
| CVE-2026-30405 | 7.5 | 0.11% | 1 | 0 | | 2026-03-17T16:16:22.330000 | An issue in GoBGP gobgpd v.4.2.0 allows a remote attacker to cause a denial of s |
| CVE-2025-50881 | 8.8 | 0.20% | 1 | 1 | | 2026-03-17T15:37:26 | The `flow/admin/moniteur.php` script in Use It Flow administration website befor |
| CVE-2026-4177 | 9.1 | 0.01% | 1 | 0 | | 2026-03-17T15:37:26 | YAML::Syck versions through 1.36 for Perl has several potential security vulnera |
| CVE-2025-66687 | 7.5 | 0.36% | 1 | 0 | | 2026-03-17T15:37:25 | Doom Launcher 3.8.1.0 is vulnerable to Directory Traversal due to missing file p |
| CVE-2026-3564 | 9.1 | 0.05% | 2 | 0 | | 2026-03-17T15:36:34 | A condition in ScreenConnect may allow an actor with access to server-level cryp |
| CVE-2026-32267 | None | 0.03% | 1 | 0 | | 2026-03-17T15:23:52 | ### Summary A low-privilege user (or an unauthenticated user who has been sent a |
| CVE-2025-69902 | 9.8 | 0.26% | 1 | 0 | | 2026-03-17T14:20:01.670000 | A command injection vulnerability in the minimal_wrapper.py component of kubectl |
| CVE-2026-32640 | None | 0.13% | 1 | 0 | | 2026-03-16T22:00:16 | ### Impact If the objects passed in as `names` to SimpleEval have modules or oth |
| CVE-2026-28498 | None | 0.01% | 1 | 0 | | 2026-03-16T21:54:15 | ## 1. Executive Summary A critical library-level vulnerability was identified i |
| CVE-2026-32767 | 9.8 | 0.05% | 2 | 0 | | 2026-03-16T20:44:52 | ## Summary SiYuan Note v3.6.0 (and likely prior versions) contains an authoriza |
| CVE-2026-3630 | 9.8 | 0.06% | 1 | 0 | | 2026-03-10T18:48:52.193000 | Delta Electronics COMMGR2 has Stack-based Buffer Overflow vulnerability. |
| CVE-2026-3631 | 7.5 | 0.06% | 1 | 0 | | 2026-03-09T06:31:19 | Delta Electronics COMMGR2 has Buffer Over-read DoS vulnerability. |
| CVE-2026-25896 | 9.3 | 0.04% | 2 | 0 | | 2026-03-02T14:54:02.760000 | fast-xml-parser allows users to validate XML, parse XML to JS object, or build X |
| CVE-2026-25554 | 6.5 | 0.07% | 1 | 0 | | 2026-02-27T21:31:20 | OpenSIPS versions 3.1 before 3.6.4 containing the auth_jwt module (prior to comm |
| CVE-2026-20128 | 7.6 | 0.02% | 1 | 0 | | 2026-02-25T18:31:45 | A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD- |
| CVE-2026-20122 | 5.4 | 0.04% | 1 | 0 | | 2026-02-25T18:31:45 | A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authe |
| CVE-2026-20126 | 8.8 | 0.04% | 1 | 0 | | 2026-02-25T18:31:44 | A vulnerability in Cisco Catalyst SD-WAN Manager could allow an authenticated, l |
| CVE-2025-62518 | 8.1 | 0.02% | 1 | 2 | | 2026-01-16T22:12:13 | ## Summary Versions of `astral-tokio-tar` prior to 0.5.6 contain a boundary par |
| CVE-2025-32975 | 10.0 | 0.13% | 2 | 0 | | 2025-11-03T21:35:11 | Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x bef |
| CVE-2025-4517 | 9.4 | 0.11% | 1 | 10 | | 2025-06-05T14:15:33.050000 | Allows arbitrary filesystem writes outside the extraction directory during extra |
| CVE-2026-33307 | 0 | 0.00% | 2 | 0 | | N/A | |
| CVE-2026-33308 | 0 | 0.00% | 2 | 0 | | N/A | |
| CVE-2026-29796 | 0 | 0.00% | 2 | 0 | | N/A | |
| CVE-2026-33075 | 0 | 0.03% | 2 | 0 | | N/A | |
| CVE-2026-24060 | 0 | 0.00% | 2 | 0 | | N/A | |
| CVE-2026-25192 | 0 | 0.00% | 2 | 0 | | N/A | |
| CVE-2026-33024 | 0 | 0.08% | 2 | 0 | | N/A | |
| CVE-2026-4428 | 0 | 0.02% | 2 | 0 | | N/A | |
| CVE-2026-29103 | 0 | 0.20% | 2 | 0 | | N/A | |
| CVE-2026-32721 | 0 | 0.01% | 3 | 0 | | N/A | |
| CVE-2026-32754 | 0 | 0.07% | 1 | 0 | | N/A | |
| CVE-2026-31962 | 0 | 0.05% | 1 | 0 | | N/A | |
| CVE-2026-31965 | 0 | 0.04% | 1 | 0 | | N/A | |
| CVE-2026-31964 | 0 | 0.04% | 1 | 0 | | N/A | |
| CVE-2026-31970 | 0 | 0.04% | 1 | 0 | | N/A | |
| CVE-2026-31969 | 0 | 0.04% | 1 | 0 | | N/A | |
| CVE-2026-33346 | 0 | 0.03% | 1 | 0 | | N/A | |
| CVE-2026-31967 | 0 | 0.02% | 1 | 0 | | N/A | |
| CVE-2026-31966 | 0 | 0.01% | 1 | 0 | | N/A | |
| CVE-2026-31971 | 0 | 0.09% | 1 | 0 | | N/A | |
| CVE-2026-31972 | 0 | 0.01% | 1 | 0 | | N/A | |
| CVE-2026-32238 | 0 | 0.20% | 1 | 1 | | N/A | |
| CVE-2023-4567 | 0 | 0.00% | 1 | 0 | | N/A | |
| CVE-2026-33058 | 0 | 0.02% | 2 | 0 | | N/A | |
| CVE-2026-32698 | 0 | 0.03% | 2 | 0 | | N/A | |
| CVE-2026-32255 | 0 | 0.10% | 1 | 1 | | N/A | |
| CVE-2026-32321 | 0 | 0.03% | 1 | 0 | | N/A | |
| CVE-2026-27894 | 0 | 0.06% | 1 | 0 | | N/A | |
updated 2026-03-20T16:16:16.323000
4 posts
5 repos
https://github.com/haxorstars/CVE-2025-54068
https://github.com/Jenderal92/livewire-vuln-scanner
https://github.com/flame-11/CVE-2025-54068-livewire
CVE ID: CVE-2025-54068
Vendor: Laravel
Product: Livewire
Date Added: 2026-03-20
Notes: https://github.com/livewire/livewire/security/advisories/GHSA-29cq-5w36-x7w3 ; https://github.com/livewire/livewire/commit/ef04be759da41b14d2d129e670533180a44987dc ; https://nvd.nist.gov/vuln/detail/CVE-2025-54068
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-54068
Looks like CISA has added to the KEV catalogue. Today's winner is Apple.
- CVE-2025-31277: Apple Multiple Products Buffer Overflow Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-31277
- CVE-2025-43520: Apple Multiple Products Classic Buffer Overflow Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-43520
- CVE-2025-43510: Apple Multiple Products Improper Locking Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-43510
- CVE-2025-54068: Laravel Livewire Code Injection Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-54068
- CVE-2025-32432: Craft CMS Code Injection Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-32432 #CISA #Apple #infosec #vulnerability
##
updated 2026-03-20T16:16:15.983000
6 posts
CVE ID: CVE-2025-43520
Vendor: Apple
Product: Multiple Products
Date Added: 2026-03-20
Notes: https://support.apple.com/en-us/125632 ; https://support.apple.com/en-us/125633 ; https://support.apple.com/en-us/125634 ; https://support.apple.com/en-us/125635 ; https://support.apple.com/en-us/125636 ; https://support.apple.com/en-us/125637 ; https://support.apple.com/en-us/125638 ; https://support.apple.com/en-us/125639 ; https://nvd.nist.gov/vuln/detail/CVE-2025-43520
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-43520
Looks like CISA has added to the KEV catalogue. Today's winner is Apple.
- CVE-2025-31277: Apple Multiple Products Buffer Overflow Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-31277
- CVE-2025-43520: Apple Multiple Products Classic Buffer Overflow Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-43520
- CVE-2025-43510: Apple Multiple Products Improper Locking Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-43510
- CVE-2025-54068: Laravel Livewire Code Injection Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-54068
- CVE-2025-32432: Craft CMS Code Injection Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-32432 #CISA #Apple #infosec #vulnerability
##
As usual, Wired is… not great 🙄
Regarding DarkSword, the latest objectively bad exploit affecting iOS and Safari, Google has a more in depth analysis, with a lot more information on the specific versions of iOS that are affected.
TL;DR It doesn’t seem to affect 18.7.3 at least (might also not work on 18.7.2 given that CVE-2025-43520, which DarkSword uses, has been patched in .2).
##
@agreenberg more in depth analysis from Google.
It doesn’t seem to affect 18.7.3 at least (might also not work on 18.7.2 given that CVE-2025-43520, which DarkSword uses, has been patched in .2).
##
updated 2026-03-20T16:16:15.743000
4 posts
CVE ID: CVE-2025-43510
Vendor: Apple
Product: Multiple Products
Date Added: 2026-03-20
Notes: https://support.apple.com/en-us/125632 ; https://support.apple.com/en-us/125633 ; https://support.apple.com/en-us/125634 ; https://support.apple.com/en-us/125635 ; https://support.apple.com/en-us/125636 ; https://support.apple.com/en-us/125637 ; https://support.apple.com/en-us/125638 ; https://support.apple.com/en-us/125639 ; https://nvd.nist.gov/vuln/detail/CVE-2025-43510
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-43510
Looks like CISA has added to the KEV catalogue. Today's winner is Apple.
- CVE-2025-31277: Apple Multiple Products Buffer Overflow Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-31277
- CVE-2025-43520: Apple Multiple Products Classic Buffer Overflow Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-43520
- CVE-2025-43510: Apple Multiple Products Improper Locking Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-43510
- CVE-2025-54068: Laravel Livewire Code Injection Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-54068
- CVE-2025-32432: Craft CMS Code Injection Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-32432 #CISA #Apple #infosec #vulnerability
##
updated 2026-03-20T16:16:15.567000
4 posts
4 repos
https://github.com/Chocapikk/CVE-2025-32432
https://github.com/Sachinart/CVE-2025-32432
Looks like CISA has added to the KEV catalogue. Today's winner is Apple.
- CVE-2025-31277: Apple Multiple Products Buffer Overflow Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-31277
- CVE-2025-43520: Apple Multiple Products Classic Buffer Overflow Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-43520
- CVE-2025-43510: Apple Multiple Products Improper Locking Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-43510
- CVE-2025-54068: Laravel Livewire Code Injection Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-54068
- CVE-2025-32432: Craft CMS Code Injection Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-32432 #CISA #Apple #infosec #vulnerability
##
CVE ID: CVE-2025-32432
Vendor: Craft CMS
Product: Craft CMS
Date Added: 2026-03-20
Notes: https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432 ; https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3 ; https://nvd.nist.gov/vuln/detail/CVE-2025-32432
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-32432
updated 2026-03-20T16:16:15.327000
4 posts
CVE ID: CVE-2025-31277
Vendor: Apple
Product: Multiple Products
Date Added: 2026-03-20
Notes: https://support.apple.com/en-us/124147 ; https://support.apple.com/en-us/124149 ; https://support.apple.com/en-us/124152 ; https://support.apple.com/en-us/124153 ; https://support.apple.com/en-us/124155 ; https://nvd.nist.gov/vuln/detail/CVE-2025-31277
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-31277
Looks like CISA has added to the KEV catalogue. Today's winner is Apple.
- CVE-2025-31277: Apple Multiple Products Buffer Overflow Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-31277
- CVE-2025-43520: Apple Multiple Products Classic Buffer Overflow Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-43520
- CVE-2025-43510: Apple Multiple Products Improper Locking Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-43510
- CVE-2025-54068: Laravel Livewire Code Injection Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-54068
- CVE-2025-32432: Craft CMS Code Injection Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-32432 #CISA #Apple #infosec #vulnerability
##updated 2026-03-20T15:32:13
4 posts
🚨 CVE-2026-22732 (CRITICAL, CVSS 9.1): Spring Security 5.7.0 – 7.0.3 vulnerability lets HTTP headers go unwritten, risking CSP/HSTS bypass. No auth needed, remote exploit possible. Upgrade urgently & enforce headers via WAF/CDN! https://radar.offseq.com/threat/cve-2026-22732-vulnerability-in-spring-spring-secu-2c8fbdd8 #OffSeq #SpringSecurity #CVE202622732
##🔴 CVE-2026-22732 - Critical (9.1)
When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.
This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-22732/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-20T15:16:15.317000
2 posts
1 repos
Oracle issues an out-of-band security update for a pre-auth RCE in Oracle Identity Manager
https://www.oracle.com/security-alerts/alert-cve-2026-21992.html
##updated 2026-03-20T13:55:32.240000
1 posts
🟠 CVE-2025-69783 - High (7.8)
A local attacker can bypass OpenEDR's 2.5.1.0 self-defense mechanism by renaming a malicious executable to match a trusted process name (e.g., csrss.exe, edrsvc.exe, edrcon.exe). This allows unauthorized interaction with the OpenEDR kernel driver,...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-69783/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-20T13:39:46.493000
9 posts
Ubiquiti – CVE-2026-22557: this critical flaw threatens your UniFi network https://www.it-connect.fr/ubiquiti-cve-2026-22557-cette-faille-critique-menace-votre-reseau-unifi/ #ActuCybersécurité #Cybersécurité #Vulnérabilité
##Ubiquiti Patches Critical Account Takeover Flaw in UniFi Network Application
Ubiquiti patched a critical path traversal vulnerability (CVE-2026-22557) and a high-severity NoSQL injection flaw in its UniFi Network Application. These bugs allow attackers to hijack accounts or escalate privileges, potentially compromising entire networking environments.
**If you are using Ubiquiti products, update your UniFi Network Application and UniFi Express firmware ASAP. As usual, first make sure all management interfaces are not exposed to the public internet and are accessible only from trusted networks.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/ubiquiti-patches-critical-account-takeover-flaw-in-unifi-network-application-0-3-2-q-p/gD2P6Ple2L
Geopolitical tensions surged as Iran targeted Gulf energy after Israeli strikes, spiking oil prices to $118/barrel (March 18-19). In cybersecurity, CISA warned of actively exploited SharePoint flaws (CVE-2026-20963), critical Ubiquiti UniFi (CVE-2026-22557), and Telnetd root-access vulnerabilities (CVE-2026-32746). NVIDIA forecasts $1T AI demand by 2027.
#AnonNews_irc #Cybersecurity #News
🔴 CVE-2026-22557 - Critical (10)
A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underlying system that could be manipulated to access an underlying account.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-22557/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##just like cve-2026-22557, i think you're a 10/10 :neocat_sillycat_kisser:
##CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE: CVE-2026-22557 (n00r3(@izn0u))
##updated 2026-03-20T13:39:46.493000
2 posts
🟠 CVE-2026-32013 - High (8.8)
OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the agents.files.get and agents.files.set methods that allows reading and writing files outside the agent workspace. Attackers can exploit symlinked allowlisted file...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32013/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-20T13:39:46.493000
2 posts
🔴 CVE-2026-32038 - Critical (9.8)
OpenClaw before 2026.2.24 contains a sandbox network isolation bypass vulnerability that allows trusted operators to join another container's network namespace. Attackers can configure the docker.network parameter with container: values to reach s...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32038/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-20T13:39:46.493000
1 posts
🟠 CVE-2026-23659 - High (8.6)
Exposure of sensitive information to an unauthorized actor in Azure Data Factory allows an unauthorized attacker to disclose information over a network.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-23659/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-20T13:39:46.493000
1 posts
🟠 CVE-2026-26139 - High (8.6)
Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-26139/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-20T13:39:46.493000
1 posts
🔴 CVE-2026-30836 - Critical (10)
Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed i...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-30836/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-20T13:39:46.493000
1 posts
🟠 CVE-2026-32749 - High (7.6)
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importSY and POST /api/import/importZipMd write uploaded archives to a path derived from the multipart filename field without sanitization, allowing an...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32749/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-20T13:39:46.493000
1 posts
🔴 CVE-2026-30402 - Critical (9.8)
An issue in wgcloud v.2.3.7 and before allows a remote attacker to execute arbitrary code via the test connection function
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-30402/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-20T13:39:46.493000
1 posts
🔴 CVE-2026-32865 - Critical (9.8)
OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32865/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-20T13:37:50.737000
2 posts
1 repos
🟠 CVE-2026-4342 - High (8.8)
A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-4342/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-20T09:32:16
2 posts
⚠️ CVE-2026-4478 (CRITICAL, CVSS 9.2) hits Yi Home Camera 2 (2.1.1_20171024151200): Improper signature verification in HTTP firmware update handler. Public exploit, no vendor response. Monitor & segment affected devices. https://radar.offseq.com/threat/cve-2026-4478-improper-verification-of-cryptograph-dd0fa87f #OffSeq #IoTSecurity #Vuln
##updated 2026-03-20T06:31:39
2 posts
⚠️ CVE-2026-4038 (CRITICAL): Aimogen Pro WP plugin lets unauthenticated attackers gain admin via missing auth in aiomatic_call_ai_function_realtime. All versions affected. Disable plugin & monitor site integrity! https://radar.offseq.com/threat/cve-2026-4038-cwe-862-missing-authorization-in-cod-c5151216 #OffSeq #WordPress #CVE20264038
##updated 2026-03-20T00:31:34
2 posts
🔴 CRITICAL: CVE-2026-32985 in Xerte Online Toolkits ≤3.14 lets attackers upload PHP via import.php and gain RCE — no auth needed! Patch ASAP or restrict access, disable PHP in user dirs. Details: https://radar.offseq.com/threat/cve-2026-32985-cwe-306-missing-authentication-for--04629a96 #OffSeq #CVE202632985 #infosec #RCE
##updated 2026-03-20T00:31:34
2 posts
🟠 CVE-2026-22731 - High (8.2)
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-22731/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-20T00:31:34
2 posts
🔴 CVE-2026-32194 - Critical (9.8)
Improper neutralization of special elements used in a command ('command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32194/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T22:25:31
2 posts
🟠 CVE-2026-32025 - High (7.5)
OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into opening a...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32025/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T22:21:10
2 posts
🟠 CVE-2026-32014 - High (8)
OpenClaw versions prior to 2026.2.26 contain a metadata spoofing vulnerability where reconnect platform and deviceFamily fields are accepted from the client without being bound into the device-auth signature. An attacker with a paired node identit...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32014/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T22:20:31
2 posts
🟠 CVE-2026-32011 - High (7.5)
OpenClaw versions prior to 2026.3.2 contain a denial of service vulnerability in webhook handlers for BlueBubbles and Google Chat that parse request bodies before performing authentication and signature validation. Unauthenticated attackers can ex...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32011/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T21:30:31
2 posts
🔴 New security advisory:
CVE-2026-32191 affects multiple systems.
• Impact: Remote code execution or complete system compromise possible
• Risk: Attackers can gain full control of affected systems
• Mitigation: Patch immediately or isolate affected systems
Full breakdown:
https://www.yazoul.net/advisory/cve/cve-2026-32191-microsoft-bing-images-os-command-injection
🔴 CVE-2026-32191 - Critical (9.8)
Improper neutralization of special elements used in an os command ('os command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32191/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T21:30:31
2 posts
🔴 New security advisory:
CVE-2026-32169 affects multiple systems.
• Impact: Remote code execution or complete system compromise possible
• Risk: Attackers can gain full control of affected systems
• Mitigation: Patch immediately or isolate affected systems
Full breakdown:
https://www.yazoul.net/advisory/cve/cve-2026-32169-azure-cloud-shell-ssrf-vulnerability
🔴 CVE-2026-32169 - Critical (10)
Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized attacker to elevate privileges over a network.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32169/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T21:30:31
1 posts
🟠 CVE-2026-23658 - High (8.6)
Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-23658/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T21:30:31
1 posts
🟠 CVE-2026-26138 - High (8.6)
Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-26138/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T21:30:31
1 posts
🟠 CVE-2026-26137 - High (8.9)
Server-side request forgery (ssrf) in Microsoft 365 Copilot's Business Chat allows an authorized attacker to elevate privileges over a network.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-26137/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T21:30:31
1 posts
🟠 CVE-2026-3547 - High (7.5)
Out-of-bounds read in ALPN parsing due to incomplete validation. wolfSSL 5.8.4 and earlier contained an out-of-bounds read in ALPN handling when built with ALPN enabled (HAVE_ALPN / --enable-alpn). A crafted ALPN protocol list could trigger an out...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-3547/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T21:12:42
1 posts
🟠 CVE-2026-32886 - High (7.5)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.24 and 8.6.47, remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted funct...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32886/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T21:11:37
1 posts
🟠 CVE-2026-32728 - High (7.6)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.15 and 8.6.41, an attacker who is allowed to upload files can bypass the file extension filter by appending a MIME paramet...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32728/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T21:06:22
1 posts
🟠 CVE-2026-32609 - High (7.5)
Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, th...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32609/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T19:34:30
1 posts
🟠 CVE-2026-4427 - High (7.5)
A flaw was found in pgproto3. A malicious or compromised PostgreSQL server can exploit this by sending a DataRow message with a negative field length. This input validation vulnerability can lead to a denial of service (DoS) due to a slice bounds ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-4427/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T19:23:51.937000
1 posts
🟠 CVE-2026-29858 - High (7.5)
A lack of path validation in aaPanel v7.57.0 allows attackers to execute a local file inclusion (LFI), leading to sensitive information exposure.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-29858/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T19:23:00.593000
3 posts
🚨 OpenProject CRITICAL XSS (CVE-2026-32703): Attackers with repo push access can inject persistent scripts via filenames, impacting all users viewing affected pages. Patch to 16.6.9/17.0.6/17.1.3/17.2.1+ now! https://radar.offseq.com/threat/cve-2026-32703-cwe-79-improper-neutralization-of-i-f2afc489 #OffSeq #XSS #OpenProject #infosec
##⚠️ CRITICAL: CVE-2026-32703 in OpenProject (<16.6.9, <17.0.6, <17.1.3, <17.2.1) enables persistent XSS via repo filenames. Attackers w/ push access can inject scripts — risk: session hijack, data theft. Patch now! https://radar.offseq.com/threat/cve-2026-32703-cwe-79-improper-neutralization-of-i-f2afc489 #OffSeq #XSS #OpenProject #Vuln
##🔴 CVE-2026-32703 - Critical (9)
OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with pus...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32703/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T19:01:36
1 posts
1 repos
🟠 CVE-2026-31898 - High (8.1)
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsani...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31898/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T19:01:19
1 posts
1 repos
🟠 CVE-2026-31891 - High (7.7)
Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment w...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31891/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T18:48:10.830000
1 posts
🟠 CVE-2026-31973 - High (7.5)
SAMtools is a program for reading, manipulating and writing bioinformatics file formats. Starting in version 1.17, in the cram-size command, used to write information about how well CRAM files are compressed, a check to see if the `cram_decode_com...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31973/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T18:32:22
1 posts
Two 20-year-old vulnerabilities fixed in XML::Parser 2.48:
- CVE-2006-10002: XML::Parser versions through 2.47 for Perl could overflow the pre-allocated buffer size, causing heap corruption (double free or corruption) and crashes https://www.openwall.com/lists/oss-security/2026/03/19/1
- CVE-2006-10003: XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack https://www.openwall.com/lists/oss-security/2026/03/19/2
The patch fixing these has been available since 2006, but it's nice to see the fix in an actual release, too.
##updated 2026-03-19T18:31:18
1 posts
Two 20-year-old vulnerabilities fixed in XML::Parser 2.48:
- CVE-2006-10002: XML::Parser versions through 2.47 for Perl could overflow the pre-allocated buffer size, causing heap corruption (double free or corruption) and crashes https://www.openwall.com/lists/oss-security/2026/03/19/1
- CVE-2006-10003: XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack https://www.openwall.com/lists/oss-security/2026/03/19/2
The patch fixing these has been available since 2006, but it's nice to see the fix in an actual release, too.
##updated 2026-03-19T18:31:03
1 posts
🟠 CVE-2026-27979 - High (7.5)
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies w...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27979/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T18:00:58.453000
1 posts
🟠 CVE-2026-27811 - High (8.8)
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the `/config/compare///show` endpoint, allowing authenticated users to execute arbitrary sy...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27811/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T17:43:39
1 posts
🟠 CVE-2026-32693 - High (8.8)
In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool lo...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32693/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T17:32:28
1 posts
🟠 CVE-2026-32692 - High (7.6)
An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an authenticated unit agent to perform unauthorized updates to secret revisions. With sufficient information, an attack...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32692/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T17:31:24.010000
1 posts
🟠 CVE-2026-31968 - High (8.1)
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. For the `VARINT` and `CONST` encodings, incomplete ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31968/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T17:28:32.513000
1 posts
🟠 CVE-2026-32878 - High (7.5)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.20 and 8.6.44, an attacker can bypass the default request keyword denylist protection and the class-level permission for a...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32878/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T17:16:22.350000
2 posts
2 repos
This was the first use of "Background Security Improvement", the successor to Rapid Security Responses. It was used to fix a WebKit vulnerability (CVE-2026-20643) where maliciously crafted web content could bypass the Same Origin Policy via a cross-origin issue in the Navigation API.
##Apple Patches WebKit Vulnerability CVE-2026-20643 Across iOS, macOS
Apple has released a new security update to address a critical WebKit vulnerability tracked as CVE-2026-20643. The vulnerability was identified
🔗️ [Thecyberexpress] https://link.is.it/lPLEWn
##updated 2026-03-19T17:09:34.303000
10 posts
3 repos
https://github.com/Sushilsin/CVE-2026-20131
The campaign is exploiting "critical vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center (FMC), enabling unauthenticated remote code execution as root. The campaign combines edge-device exploitation, custom malware tooling, and double extortion tactics, indicating a mature and targeted ransomware operation."
FortiGuard's outbreak alerts listed a critical Interlock ransomware attack yesterday: https://fortiguard.fortinet.com/outbreak-alert/interlock-ransomware @FortiGuardLabs #infosec #ransomware #Cisco #cyberattack
##CISA orders feds to patch max-severity Cisco flaw by Sunday
The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a maximum-severity vulnerability, CVE-2026-20131,...
🔗️ [Bleepingcomputer] https://link.is.it/eSynqa
##⚠️ Ransomware crims abused Cisco 0-day weeks before disclosure
「 Ransomware criminals exploited CVE-2026-20131, a maximum-severity bug in Cisco Secure Firewall Management Center software, as a zero-day vulnerability more than a month before Cisco patched the hole, according to Amazon security boss CJ Moses 」
https://www.theregister.com/2026/03/18/amazon_cisco_firewall_0_day_ransomware/
🚨 [CISA-2026:0319] CISA Adds One Known Exploited Vulnerability to Catalog (https://secdb.nttzen.cloud/security-advisory/detail/CISA-2026:0319)
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.
⚠️ CVE-2026-20131 (https://secdb.nttzen.cloud/cve/detail/CVE-2026-20131)
- Name: Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deserialization of Untrusted Data Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Known
- Vendor: Cisco
- Product: Secure Firewall Management Center (FMC)
- Notes: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh ; https://nvd.nist.gov/vuln/detail/CVE-2026-20131
#SecDB #InfoSec #CVE #CISA_KEV #cisa_20260319 #cisa20260319 #cve_2026_20131 #cve202620131
##CVE ID: CVE-2026-20131
Vendor: Cisco
Product: Secure Firewall Management Center (FMC)
Date Added: 2026-03-19
Notes: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh ; https://nvd.nist.gov/vuln/detail/CVE-2026-20131
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2026-20131
Interlock group exploiting the CISCO FMC flaw CVE-2026-20131 36 days before disclosure https://securityaffairs.com/189636/malware/interlock-group-exploiting-the-cisco-fmc-flaw-cve-2026-20131-36-days-before-disclosure.html
##Interlock ransomware exploited Cisco firewall zero-day (CVE-2026-20131) before disclosure.
• Unauth RCE → root
• Memory webshells
• WebSocket C2
https://www.technadu.com/interlock-ransomware-campaign-exploited-cisco-firewall-vulnerability-cve-2026-20131-weeks-before-disclosure/623700/
Cybersecurity: Interlock ransomware is exploiting a critical Cisco FMC zero-day (CVE-2026-20131, CVSS 10.0) for root access, active since January 2026. CISA added a Microsoft SharePoint vulnerability (CVE-2026-20963) to its Known Exploited Vulnerabilities Catalog. Geopolitical: Tensions in the Gulf region are escalating, with Iran reportedly targeting energy sites, leading to a sharp spike in oil prices. These events underscore the urgent need for enhanced digital resilience and geopolitical stability.
##updated 2026-03-19T16:46:28.467000
1 posts
🟠 CVE-2026-32944 - High (7.5)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nest...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32944/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T15:32:24
2 posts
🟠 CVE-2025-58112 - High (8.8)
Microsoft Dynamics 365 Customer Engagement (on-premises) 1612 (9.0.2.3034) allows the generation of customized reports via raw SQL queries in an upload of a .rdl (Report Definition Language) file; this is then processed by the SQL Server Reporting...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-58112/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T15:32:23
2 posts
🟠 CVE-2026-29856 - High (7.5)
An issue in the VirtualHost configuration handling/parser component of aaPanel v7.57.0 allows attackers to cause a Regular Expression Denial of Service (ReDoS) via a crafted input.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-29856/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T15:32:23
1 posts
🔴 CVE-2026-29859 - Critical (9.8)
An arbitrary file upload vulnerability in aaPanel v7.57.0 allows attackers to execute arbitrary code via uploading a crafted file.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-29859/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T15:31:27
1 posts
🟠 CVE-2026-22558 - High (7.7)
An Authenticated NoSQL Injection vulnerability found in UniFi Network Application could allow a malicious actor with authenticated access to the network to escalate privileges.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-22558/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T15:31:27
1 posts
🟠 CVE-2026-4424 - High (7.5)
A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can e...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-4424/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T15:31:27
1 posts
1 repos
https://github.com/watchtowrlabs/watchTowr-vs-BMC-Footprints-RCE-CVE-2025-71257-CVE-2025-71260
🟠 CVE-2025-71260 - High (8.8)
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply cr...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-71260/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T15:16:26.580000
2 posts
🔴 CVE-2026-30704 - Critical (9.1)
The WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) exposes an unprotected UART interface through accessible hardware pads on the PCB
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-30704/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T15:16:18.053000
1 posts
🟠 CVE-2025-15031 - High (8.1)
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of `tarfile.extractall` without path validation enables crafted tar.gz files containing `...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-15031/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T14:52:49.680000
1 posts
🟠 CVE-2026-22171 - High (8.2)
OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media download flow where untrusted media keys are interpolated directly into temporary file paths in extensions/feishu/src/media.ts. An attacker who can con...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-22171/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T14:50:54.513000
1 posts
🟠 CVE-2026-31963 - High (8.1)
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. As one method of removing redundant data, CRAM uses reference-based compression so that instead of stori...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31963/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T14:16:15.103000
11 posts
4 repos
https://github.com/chosenonehacks/CVE-2026-32746
https://github.com/jeffaf/cve-2026-32746
https://github.com/watchtowrlabs/watchtowr-vs-telnetd-CVE-2026-32746
Posted yesterday, if you missed it:
WatchTower: A 32-Year-Old Bug Walks Into A Telnet Server (GNU inetutils Telnetd CVE-2026-32746 Pre-Auth RCE) https://labs.watchtowr.com/a-32-year-old-bug-walks-into-a-telnet-server-gnu-inetutils-telnetd-cve-2026-32746/ #infosec #threatresearch
##📢 CVE-2026-32746: pre-auth buffer overflow in GNU InetUtils telnetd (PoC available)
📝 Source: pwn.guide — Technical write-up presenting a critical vulnerability in GNU InetUtils telnetd, with detailed explanations...
📖 cyberveille: https://cyberveille.ch/posts/2026-03-19-cve-2026-32746-debordement-de-tampon-pre-auth-dans-gnu-inetutils-telnetd-poc-disponible/
🌐 source: https://pwn.guide/free/other/cve-2026-32746
#CVE_2026_32746 #GNU_InetUtils_telnetd #Cyberveille
Geopolitical tensions surged as Iran targeted Gulf energy after Israeli strikes, spiking oil prices to $118/barrel (March 18-19). In cybersecurity, CISA warned of actively exploited SharePoint flaws (CVE-2026-20963), critical Ubiquiti UniFi (CVE-2026-22557), and Telnetd root-access vulnerabilities (CVE-2026-32746). NVIDIA forecasts $1T AI demand by 2027.
#AnonNews_irc #Cybersecurity #News
A 32-Year-Old Bug Walks Into A Telnet Server (GNU inetutils Telnetd CVE-2026-32746 Pre-Auth RCE) https://labs.watchtowr.com/a-32-year-old-bug-walks-into-a-telnet-server-gnu-inetutils-telnetd-cve-2026-32746/
A 32-Year-Old Bug Walks Into A Telnet Server (GNU inetutils Telnetd CVE-2026-32746) - watchTowr Labs https://labs.watchtowr.com/a-32-year-old-bug-walks-into-a-telnet-server-gnu-inetutils-telnetd-cve-2026-32746/
##CVE-2026-32746 GNU telnetd Buffer Overflow PoC - Critical (9.8) https://pwn.guide/free/other/cve-2026-32746
##Critical Unpatched Telnetd Flaw Enables Unauthenticated Root Remote Code Execution
GNU InetUtils telnetd contains a critical unpatched buffer overflow (CVE-2026-32746) that allows unauthenticated remote code execution.
**Another critical and trivial flaw in Telnet. Check if you are using Telnet anywhere in your network. It's urgent. Stop using Telnet and switch to SSH. Naturally, as a first step make sure to isolate the Telnet interface to trusted networks. But that's not a good long term approach, Telnet is inherently a lot less secure than SSH.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/critical-unpatched-telnetd-flaw-enables-unauthenticated-root-remote-code-execution-1-g-5-5-g/gD2P6Ple2L
Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE https://thehackernews.com/2026/03/critical-telnetd-flaw-cve-2026-32746.html
##updated 2026-03-19T13:25:00.570000
1 posts
🟠 CVE-2026-3658 - High (7.5)
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the 'fields' parameter in all versions up to, and including, 1.6.10.0 due to insufficient escaping on the user...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-3658/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T13:25:00.570000
2 posts
🚨 CRITICAL (CVSS 9.1): Syarif Mobile App Editor ≤1.3.1 hit by CWE-434 unrestricted file upload (CVE-2026-27067). Allows web shell deployment & full compromise. Enforce strict validation, monitor uploads, patch ASAP! https://radar.offseq.com/threat/cve-2026-27067-cwe-434-unrestricted-upload-of-file-001b9b9d #OffSeq #CVE202627067 #Infosec
##🔴 CVE-2026-27067 - Critical (9.1)
Unrestricted Upload of File with Dangerous Type vulnerability in Syarif Mobile App Editor allows Upload a Web Shell to a Web Server. This issue affects Mobile App Editor: from n/a through 1.3.1.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27067/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T13:25:00.570000
1 posts
🔴 CVE-2025-60233 - Critical (9.8)
Deserialization of Untrusted Data vulnerability in Themeton Zuut allows Object Injection. This issue affects Zuut: from n/a through 1.4.2.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-60233/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T13:25:00.570000
1 posts
🟠 CVE-2026-25312 - High (7.5)
Missing Authorization vulnerability in EventPrime allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through 4.2.8.3.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25312/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T13:25:00.570000
3 posts
1 repos
https://github.com/DeadExpl0it/CVE-2026-27540-WordPress-Exploit-PoC
🚨 CVE-2026-27540 (CVSS 9.0): Woocommerce Wholesale Lead Capture plugin lets unauthenticated attackers upload malicious files — remote code execution & full compromise possible. Disable plugin, enforce file type restrictions! https://radar.offseq.com/threat/cve-2026-27540-cwe-434-unrestricted-upload-of-file-64999286 #OffSeq #WordPress #Vuln
##🔴 CVE-2026-27540 - Critical (9)
Unrestricted Upload of File with Dangerous Type vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture allows Using Malicious Files. This issue affects Woocommerce Wholesale Lead Capture: from n/a through 2.0.3.1.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27540/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T13:25:00.570000
1 posts
🟠 CVE-2026-27093 - High (8.1)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ovatheme Tripgo allows PHP Local File Inclusion. This issue affects Tripgo: from n/a before 1.5.6.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27093/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T13:25:00.570000
1 posts
🔴 CVE-2026-27542 - Critical (9.8)
Incorrect Privilege Assignment vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture allows Privilege Escalation. This issue affects Woocommerce Wholesale Lead Capture: from n/a through 2.0.3.1.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27542/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T13:25:00.570000
3 posts
1 repos
🔎 CVE-2026-32731 (CRITICAL, CVSS 10): Path traversal in ApostropheCMS import-export <3.5.3 lets attackers write files as Node.js user via crafted archives. Upgrade to 3.5.3+ and restrict permissions now! Details: https://radar.offseq.com/threat/cve-2026-32731-cwe-22-improper-limitation-of-a-pat-efa014e1 #OffSeq #CVE202632731 #infosec #cms
##🚨 CRITICAL: CVE-2026-32731 in ApostropheCMS import-export (<3.5.3) allows path traversal via crafted .tar.gz uploads — attackers can write files anywhere the Node.js process can. Upgrade to 3.5.3+ ASAP! https://radar.offseq.com/threat/cve-2026-32731-cwe-22-improper-limitation-of-a-pat-efa014e1 #OffSeq #CVE202632731 #ApostropheCMS #infosec
##🔴 CVE-2026-32731 - Critical (9.9)
ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of `@apostrophecms/import-export`, the `extract()` function in `gzip.js` constructs file-write paths using `fs.createWriteStream(path.join(exportPath, header.name...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32731/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T13:25:00.570000
1 posts
🟠 CVE-2026-32730 - High (8.1)
ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32730/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T13:25:00.570000
1 posts
🟠 CVE-2026-4396 - High (8.3)
Improper certificate validation in Devolutions Hub Reporting Service 2025.3.1.1 and earlier allows a network attacker to perform a man-in-the-middle attack via disabled TLS certificate verification.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-4396/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T13:25:00.570000
1 posts
🔴 CVE-2026-25873 - Critical (9.8)
OmniGen2-RL contains an unauthenticated remote code execution vulnerability in the reward server component that allows remote attackers to execute arbitrary commands by sending malicious HTTP POST requests. Attackers can exploit insecure pickle de...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25873/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T13:25:00.570000
1 posts
🟠 CVE-2026-24062 - High (7.8)
The "Privileged Helper" component of the Arturia Software Center (MacOS) does not perform sufficient client code signature validation when a client connects. This leads to an attacker being able to connect to the helper and execute privileged act...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24062/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T13:25:00.570000
1 posts
🟠 CVE-2026-27135 - High (7.5)
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_termin...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27135/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T13:25:00.570000
1 posts
1 repos
🔴 CVE-2026-2991 - Critical (9.8)
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.1.2. This is due to the `patientSocialLogin()` function not verifying the social provider...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-2991/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T13:25:00.570000
1 posts
🟠 CVE-2026-1463 - High (8.8)
The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.3 via the 'template' parameter in gallery shortcodes. This makes it possible f...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1463/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T13:25:00.570000
1 posts
🟠 CVE-2026-32610 - High (8.1)
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. When both of t...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32610/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T12:30:41
1 posts
🟠 CVE-2026-3511 - High (8.6)
Improper Restriction of XML External Entity Reference vulnerability in XMLUtils.java in Slovensko.Digital Autogram allows remote unauthenticated attacker to conduct SSRF (Server Side Request Forgery) attacks and obtain unauthorized access to local...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-3511/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T09:30:25
3 posts
🚨 CRITICAL: CVE-2026-27065 in ThimPress BuilderPress (≤2.0.1) lets attackers perform unauthenticated RFI, risking full WordPress compromise. Disable plugin & harden PHP configs immediately! https://radar.offseq.com/threat/cve-2026-27065-cwe-98-improper-control-of-filename-c54e685b #OffSeq #WordPress #Vuln #RFI #CVE202627065
##🔴 CVE-2026-27065 - Critical (9.8)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress BuilderPress allows PHP Local File Inclusion. This issue affects BuilderPress: from n/a through 2.0.1.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27065/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T09:30:25
2 posts
🟠 CVE-2026-25445 - High (8.8)
Deserialization of Untrusted Data vulnerability in Membership Software WishList Member X allows Object Injection. This issue affects WishList Member X: from n/a through 3.29.0.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25445/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T09:30:25
1 posts
🔴 CVE-2025-60237 - Critical (9.8)
Deserialization of Untrusted Data vulnerability in Themeton Finag allows Object Injection. This issue affects Finag: from n/a through 1.5.0.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-60237/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T09:30:25
1 posts
🟠 CVE-2026-25443 - High (7.5)
Missing Authorization vulnerability in Dotstore Fraud Prevention For Woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fraud Prevention For Woocommerce: from n/a through 2.3.3.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25443/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T09:30:25
1 posts
🟠 CVE-2026-25471 - High (8.1)
Authentication Bypass Using an Alternate Path or Channel vulnerability in Themepaste Admin Safety Guard allows Password Recovery Exploitation. This issue affects Admin Safety Guard: from n/a through 1.2.6.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25471/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T06:30:33
3 posts
🔴 CVE-2026-27413 - Critical (9.3)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Profile Builder Pro allows Blind SQL Injection. This issue affects Profile Builder Pro: from n/a through 3.13.9.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27413/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-27413: CRITICAL Blind SQL Injection in Cozmoslabs Profile Builder Pro (≤3.13.9) allows unauthenticated data exfiltration. No patch yet — restrict access, monitor logs. Details: https://radar.offseq.com/threat/cve-2026-27413-cwe-89-improper-neutralization-of-s-2b17e884 #OffSeq #WordPress #SQLi #Infosec
##updated 2026-03-19T06:30:33
2 posts
🟠 CVE-2026-27096 - High (8.1)
Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme allows Object Injection. This issue affects ColorFolio - Freelance Designer WordPress Theme: from n/a through 1.3.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27096/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-19T03:31:03
1 posts
🟠 CVE-2026-28461 - High (7.5)
OpenClaw versions prior to 2026.3.1 contain an unbounded memory growth vulnerability in the Zalo webhook endpoint that allows unauthenticated attackers to trigger in-memory key accumulation by varying query strings. Remote attackers can exploit th...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28461/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-18T21:48:54
1 posts
🟠 CVE-2026-32634 - High (8.1)
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connectio...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32634/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-18T21:48:49
1 posts
🔴 CVE-2026-32633 - Critical (9.1)
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32633/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-18T21:34:01
1 posts
🟠 CVE-2025-55040 - High (8.8)
The import form CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to upload and install malicious form definitions through a CSRF attack. The vulnerable cForm.importform function lacks CSRF token validation, enabling malicious website...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-55040/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-18T21:34:01
1 posts
🟠 CVE-2026-26740 - High (8.2)
Buffer Overflow vulnerability in giflib v.5.2.2 allows a remote attacker to cause a denial of service via the EGifGCBToExtension overwriting an existing Graphic Control Extension block without validating its allocated size.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-26740/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-18T21:32:58
10 posts
CVE-2026-20963 Sharepoint Insecure Deserialization 8.8/10
Weekend soon. Where @watchTowr blog? Need lolz. I can has?
##Critical Microsoft SharePoint RCE Vulnerability CVE-2026-20963 Under Active Exploitation
Microsoft SharePoint is under active exploitation of a critical RCE vulnerability (CVE-2026-20963) that allows unauthenticated attackers to take over servers via a deserialization flaw.
**Your SharePoint servers are under attack. Ideally, isolate them from the internet and make them accessible only from internal networks. Then apply the January 2026 patch ASAP. If you are still using SharePoint 2013 or older, isolate them and upgrade to a newer version. Those old systems are permanently vulnerable.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/critical-microsoft-sharepoint-rce-vulnerability-cve-2026-20963-under-active-exploitation-l-r-5-d-h/gD2P6Ple2L
Geopolitical tensions surged as Iran targeted Gulf energy after Israeli strikes, spiking oil prices to $118/barrel (March 18-19). In cybersecurity, CISA warned of actively exploited SharePoint flaws (CVE-2026-20963), critical Ubiquiti UniFi (CVE-2026-22557), and Telnetd root-access vulnerabilities (CVE-2026-32746). NVIDIA forecasts $1T AI demand by 2027.
#AnonNews_irc #Cybersecurity #News
If you missed this yesterday, CISA added two vulnerabilities to the KEV catalogue.
- CVE-2026-20963: Microsoft SharePoint Deserialization of Untrusted Data Vulnerability https://www.cve.org/CVERecord?id=CVE-2026-20963
- CVE-2025-66376: Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-66376 #CISA #infosec #Zimbra #Microsoft #vulnerability
##⚠️ CRITICAL: CISA reports active exploits of CVE-2026-20963 in Microsoft SharePoint. Remote code execution allows full server compromise. Patch now, monitor logs, segment networks! https://radar.offseq.com/threat/cisa-warns-of-attacks-exploiting-recent-sharepoint-171abc90 #OffSeq #SharePoint #Vuln #RCE
##Cybersecurity: Interlock ransomware is exploiting a critical Cisco FMC zero-day (CVE-2026-20131, CVSS 10.0) for root access, active since January 2026. CISA added a Microsoft SharePoint vulnerability (CVE-2026-20963) to its Known Exploited Vulnerabilities Catalog. Geopolitical: Tensions in the Gulf region are escalating, with Iran reportedly targeting energy sites, leading to a sharp spike in oil prices. These events underscore the urgent need for enhanced digital resilience and geopolitical stability.
##CVE ID: CVE-2026-20963
Vendor: Microsoft
Product: SharePoint
Date Added: 2026-03-18
Notes: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963 ; https://nvd.nist.gov/vuln/detail/CVE-2026-20963
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2026-20963
updated 2026-03-18T20:20:40
1 posts
1 repos
CVE-2026-22730: SQL Injection in Spring AI’s MariaDB Vector Store https://blog.securelayer7.net/cve-2026-22730-sql-injection-spring-ai-mariadb/
##updated 2026-03-18T20:20:27
1 posts
CVE-2026-22729: JSONPath Injection in Spring AI’s PgVectorStore https://blog.securelayer7.net/cve-2026-22729-jsonpath-injection-spring-ai-pgvectorstore/
##updated 2026-03-18T20:13:37.087000
4 posts
CISA adds Zimbra XSS (CVE-2025-66376) to KEV.
Actively exploited.
Patch immediately.
Follow TechNadu.
##🚨 [CISA-2026:0318] CISA Adds One Known Exploited Vulnerability to Catalog (https://secdb.nttzen.cloud/security-advisory/detail/CISA-2026:0318)
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.
⚠️ CVE-2025-66376 (https://secdb.nttzen.cloud/cve/detail/CVE-2025-66376)
- Name: Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability
- Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: Synacor
- Product: Zimbra Collaboration Suite (ZCS)
- Notes: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories ; https://nvd.nist.gov/vuln/detail/CVE-2025-66376
#SecDB #InfoSec #CVE #CISA_KEV #cisa_20260318 #cisa20260318 #cve_2025_66376 #cve202566376
##CVE ID: CVE-2025-66376
Vendor: Synacor
Product: Zimbra Collaboration Suite (ZCS)
Date Added: 2026-03-18
Notes: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories ; https://nvd.nist.gov/vuln/detail/CVE-2025-66376
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-66376
updated 2026-03-18T20:10:09
1 posts
we found a memory exhaustion CVE in a library downloaded 29 million times a month. AWS, DataHub, and Lightning AI are in the blast radius. https://www.periphery.security/blog/cve-2026-33155---40-bytes-to-chaos
##updated 2026-03-18T19:52:54.307000
1 posts
🟠 CVE-2026-27980 - High (7.5)
Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unb...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27980/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-18T19:40:48.907000
1 posts
🟠 CVE-2026-29056 - High (8.8)
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.51, Kanboard's user invite registration endpoint (`UserInviteController::register()`) accepts all POST parameters and passes them to `UserModel::create()` without ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-29056/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-18T19:34:55.067000
1 posts
🟠 CVE-2026-29112 - High (7.5)
DiceBear is an avatar library for designers and developers. Prior to version 9.4.0, the `ensureSize()` function in `@dicebear/converter` read the `width` and `height` attributes from the input SVG to determine the output canvas size for rasterizat...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-29112/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-18T18:33:12.503000
1 posts
🟠 CVE-2026-32596 - High (7.5)
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process comman...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32596/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-18T18:31:24
1 posts
🟠 CVE-2026-2992 - High (8.2)
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the `/wp-json/kivicare/v1/setup-wizard/clinic` REST API endpoint in all versions up to, and includ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-2992/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-18T18:31:16
1 posts
🟠 CVE-2026-24063 - High (8.2)
When a plugin is installed using the Arturia Software Center (MacOS), it also installs an uninstall.sh bash script in a root owned path. This script is written to disk with the file permissions 777, meaning it is writable by any user. When uninsta...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24063/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-18T15:30:51
1 posts
🔴 CVE-2026-25449 - Critical (9.8)
Deserialization of Untrusted Data vulnerability in Shinetheme Traveler allows Object Injection. This issue affects Traveler: from n/a before 3.2.8.1.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25449/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-18T14:52:44.227000
1 posts
🟠 CVE-2026-30707 - High (8.1)
An issue was discovered in SpeedExam Online Examination System (SaaS) after v.FEV2026. It allows Broken Access Control via the ReviewAnswerDetails ASP.NET PageMethod. Authenticated attackers can bypass client-side restrictions and invoke this meth...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-30707/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-18T14:52:44.227000
2 posts
🔴 CVE-2026-30884 - Critical (9.6)
mdjnelson/moodle-mod_customcert is a Moodle plugin for creating dynamically generated certificates with complete customization via the web browser. Prior to versions 4.4.9 and 5.0.3, a teacher who holds `mod/customcert:manage` in any single course...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-30884/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-18T14:52:44.227000
1 posts
🟠 CVE-2026-30922 - High (7.5)
pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-30922/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-18T06:31:20
17 posts
3 repos
https://github.com/Many-Hat-Group/Ubuntu-CVE-2026-3888-patcher
https://github.com/netw0rk7/CVE-2026-3888-PoC
https://github.com/fevar54/CVE-2026-3888-POC-all-from-the-Qualys-platform.
Ubuntu CVE-2026-3888 Bug Lets Attackers Gain Root via systemd Cleanup Timing Exploit https://thehackernews.com/2026/03/ubuntu-cve-2026-3888-bug-lets-attackers.html
##Ubuntu at risk: Snap bug allows root access (CVE-2026-3888)
#Ubuntu
A critical vulnerability has been discovered in Ubuntu (CVE-2026-3888): the Snap system allows escalation to root.
https://www.marcosbox.com/2026/03/19/ubuntu-vulnerabilita-snap-cve-2026-3888-root/
##「 Local Privilege Escalation (LPE) vulnerability affecting default installations of Ubuntu Desktop version 24.04 and later. This flaw (CVE-2026-3888) allows an unprivileged local attacker to escalate privileges to full root access through the interaction of two standard system components: snap-confine and systemd-tmpfiles. 」
https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root
snap-confine + systemd-tmpfiles = root (CVE-2026-3888) https://lobste.rs/s/deodzu #linux #security
https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-systemd-tmpfiles.txt
Qualys, posted yesterday: CVE-2026-3888: Important Snap Flaw Enables Local Privilege Escalation to Root https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root
More:
Infosecurity-Magazine: New Flaw Affecting Ubuntu Enables Local Attackers to Gain Root Access https://www.infosecurity-magazine.com/news/ubuntu-flaw-enables-root-access/ #Ubuntu #Linux #infosec #vulnerability
##Found yet another high severity #systemd bug in Ubuntu: local root privilege escalation (CVE-2026-3888)
Let us wish all #Devuan users a wonderful day out with their family for a merry father's day, instead of shoveling unicorn shit.
##CVE-2026-3888: Snap Flaw, Local Privilege Escalation to Root via @RunxiYu https://lobste.rs/s/ccys1t #security
https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root
CVE-2026-3888: Important Snap Flaw Enables Local Privilege Escalation to Root
Link: https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root
Discussion: https://news.ycombinator.com/item?id=47427208
Ubuntu 24.04+ Snapd Local Privilege Escalation (CVE-2026-3888) https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root
Ubuntu CVE-2026-3888 Bug Lets Attackers Gain Root via systemd Cleanup Timing Exploit
https://thehackernews.com/2026/03/ubuntu-cve-2026-3888-bug-lets-attackers.html
Short summary: https://hackerworkspace.com/article/ubuntu-cve-2026-3888-bug-lets-attackers-gain-root-via-systemd-cleanup-timing-exploit
##CVE-2026-3888: Important Snap Flaw Enables Local Privilege Escalation to Root
#CVE_2026_3888
https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root
Global tensions heighten as the US-Iran conflict escalates, impacting oil markets via the Strait of Hormuz (March 18). Technology sees continued rapid AI advancement, with OpenAI's GPT-5.4 and Anthropic's Claude Sonnet 4.6 released (March 17). In cybersecurity, the EU sanctioned private cyber offensive groups (March 17), and a critical Ubuntu privilege escalation flaw (CVE-2026-3888) was discovered (March 18). AI-driven threats also increasingly impact M&A security.
##Critical Ubuntu flaw (CVE-2026-3888) enables local root escalation via Snap.
Delayed exploit (10–30 days) makes detection harder.
Patch snapd immediately.
https://www.technadu.com/critical-cve-2026-3888-vulnerability-exposes-ubuntu-to-root-escalation/623670/
updated 2026-03-17T20:05:06
2 posts
From yesterday. Langflow is "an open-source visual framework for building AI agents and retrieval-augmented generation (RAG) pipelines."
Sysdig: CVE-2026-33017: How attackers compromised Langflow AI pipelines in 20 hours https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours
More:
Infosecurity-Magazine: https://www.infosecurity-magazine.com/news/hackers-exploit-critical-langflow/ #infosec
##updated 2026-03-17T18:53:49.153000
1 posts
🔴 CVE-2026-28430 - Critical (9.8)
Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to execute arbitrary SQL commands via the custom_dates parameter. By chaining this with a ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28430/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-17T18:31:38
1 posts
🟠 CVE-2026-4276 - High (7.5)
LibreChat RAG API, version 0.7.0, contains a log-injection vulnerability that allows attackers to forge log entries.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-4276/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-17T16:16:22.330000
1 posts
🟠 CVE-2026-30405 - High (7.5)
An issue in GoBGP gobgpd v.4.2.0 allows a remote attacker to cause a denial of service via the NEXT_HOP path attribute
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-30405/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-17T15:37:26
1 posts
1 repos
🟠 CVE-2025-50881 - High (8.8)
The `flow/admin/moniteur.php` script in Use It Flow administration website before 10.0.0 is vulnerable to Remote Code Execution. When handling GET requests, the script takes user-supplied input from the `action` URL parameter, performs insufficien...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-50881/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-17T15:37:26
1 posts
🔴 CVE-2026-4177 - Critical (9.1)
YAML::Syck versions through 1.36 for Perl have several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter.
The heap overflow occurs when class names exceed the initial 512-byte allocation.
The ba...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-4177/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-17T15:37:25
1 posts
🟠 CVE-2025-66687 - High (7.5)
Doom Launcher 3.8.1.0 is vulnerable to Directory Traversal due to missing file path validation during the extraction of game files
🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-66687/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-17T15:36:34
2 posts
ConnectWise Patches Critical ScreenConnect Cryptographic Flaw
ConnectWise patched a critical vulnerability (CVE-2026-3564) in ScreenConnect that allows attackers to extract cryptographic machine keys and bypass session authentication. The flaw enables unauthorized access and privilege escalation, which is a significant risk to MSPs and their downstream clients.
**Treat this update as an emergency change because remote access tools are primary targets for lateral movement and supply chain attacks. If you run on-premises ScreenConnect, verify your version immediately, patch ASAP.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/connectwise-patches-critical-screenconnect-cryptographic-flaw-i-v-k-f-7/gD2P6Ple2L
updated 2026-03-17T15:23:52
1 posts
🔴 CVE-2026-32267 - Critical (9.8)
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate thei...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32267/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-17T14:20:01.670000
1 posts
🔴 CVE-2025-69902 - Critical (9.8)
A command injection vulnerability in the minimal_wrapper.py component of kubectl-mcp-server v1.2.0 allows attackers to execute arbitrary commands via injecting arbitrary shell metacharacters.
🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-69902/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-16T22:00:16
1 posts
🔴 CVE-2026-32640 - Critical (9.8)
SimpleEval is a library for adding evaluatable expressions into python projects. Prior to 1.0.5, objects (including modules) can leak dangerous modules through to direct access inside the sandbox. If the objects you've passed in as names to Simple...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32640/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-16T21:54:15
1 posts
🟠 CVE-2026-28498 - High (7.5)
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specificall...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28498/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##updated 2026-03-16T20:44:52
2 posts
⚠️ CVE-2026-32767: SiYuan (<3.6.1) has a CRITICAL SQL injection flaw in /api/search/fullTextSearchBlock. Any authenticated user can run SQL, risking full data compromise. Upgrade to 3.6.1+ ASAP. https://radar.offseq.com/threat/cve-2026-32767-cwe-89-improper-neutralization-of-s-8a5766fd #OffSeq #SiYuan #SQLInjection #Vuln
##updated 2026-03-10T18:48:52.193000
1 posts
Critical RCE Vulnerability Patched in Delta Electronics COMMGR 2
Delta Electronics patched a critical stack-based buffer overflow (CVE-2026-3630) and an out-of-bounds read (CVE-2026-3631) in its COMMGR 2 software that could allow unauthenticated attackers to execute remote code or leak sensitive data.
**Make sure all industrial devices are isolated from the internet and accessible from trusted networks only. Update Delta Electronics COMMGR 2 software to version 2.11.1 as soon as possible. In the meantime make sure they are isolated from the internet.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/critical-rce-vulnerability-patched-in-delta-electronics-commgr-2-l-p-i-8-y/gD2P6Ple2L
updated 2026-03-09T06:31:19
1 posts
Critical RCE Vulnerability Patched in Delta Electronics COMMGR 2
Delta Electronics patched a critical stack-based buffer overflow (CVE-2026-3630) and an out-of-bounds read (CVE-2026-3631) in its COMMGR 2 software that could allow unauthenticated attackers to execute remote code or leak sensitive data.
**Make sure all industrial devices are isolated from the internet and accessible from trusted networks only. Update Delta Electronics COMMGR 2 software to version 2.11.1 as soon as possible. In the meantime make sure they are isolated from the internet.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/critical-rce-vulnerability-patched-in-delta-electronics-commgr-2-l-p-i-8-y/gD2P6Ple2L
updated 2026-03-02T14:54:02.760000
2 posts
New advisory. Login is needed for details.
Broadcom: Critical: Software Toolkit Plugin for z/OSMF 1.0 - Vulnerability in fast-xml-parser (CVE-2026-25896) https://support.broadcom.com/web/ecx/security-advisory #infosec #vulnerability #Broadcom
##updated 2026-02-27T21:31:20
1 posts
OpenSIPS SQL Injection to Authentication Bypass (CVE-2026-25554) https://aisle.com/blog/opensips-sql-injection-aisle-deep-dive-sql-injection-authentication-bypass
##updated 2026-02-25T18:31:45
1 posts
New advisory from Cisco addressing critical February 25 vulnerabilities:
"There are no workarounds that address these vulnerabilities. Cisco strongly recommends that customers upgrade to the fixed software indicated in this advisory."
CVE-2026-20122; CVE-2026-20126; CVE-2026-20128: Cisco Catalyst SD-WAN Vulnerabilities https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v @TalosSecurity #Cisco #infosec #vulnerability
##updated 2026-02-25T18:31:45
1 posts
New advisory from Cisco addressing critical February 25 vulnerabilities:
"There are no workarounds that address these vulnerabilities. Cisco strongly recommends that customers upgrade to the fixed software indicated in this advisory."
CVE-2026-20122; CVE-2026-20126; CVE-2026-20128: Cisco Catalyst SD-WAN Vulnerabilities https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v @TalosSecurity #Cisco #infosec #vulnerability
##updated 2026-02-25T18:31:44
1 posts
New advisory from Cisco addressing critical February 25 vulnerabilities:
"There are no workarounds that address these vulnerabilities. Cisco strongly recommends that customers upgrade to the fixed software indicated in this advisory."
CVE-2026-20122; CVE-2026-20126; CVE-2026-20128: Cisco Catalyst SD-WAN Vulnerabilities https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v @TalosSecurity #Cisco #infosec #vulnerability
##updated 2026-01-16T22:12:13
1 posts
2 repos
https://github.com/AirineiAndrei/Tarmageddon-CVE-2025-62518-
🚨 EUVD-2026-13596
📊 Score: 5.1/10 (CVSS v3.1)
📦 Product: tar-rs
🏢 Vendor: alexcrichton
📅 Updated: 2026-03-20
📝 tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed ...
🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-13596
##updated 2025-11-03T21:35:11
2 posts
Attackers Exploit Critical Quest KACE SMA Authentication Bypass
Arctic Wolf reports attacks exploiting a critical authentication bypass (CVE-2025-32975) in Quest KACE SMA to gain administrative control and move laterally into domain controllers and backup systems.
**If you are using Quest KACE SMA, this is urgent. Make sure your Quest KACE SMA is off the public internet and behind a VPN immediately. Check your logs for new unknown admin accounts, as these are signs that attackers have already taken over your management system. Then patch ASAP.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/attackers-exploit-critical-quest-kace-sma-authentication-bypass-z-3-u-b-2/gD2P6Ple2L
updated 2025-06-05T14:15:33.050000
1 posts
10 repos
https://github.com/AnimePrincess420/CVE-2025-4517-PoC
https://github.com/Rohitberiwala/PyPath-Escape-CVE-2025-4517-Exploit-Research
https://github.com/AzureADTrent/CVE-2025-4517-POC
https://github.com/bgutowski/CVE-2025-4517-POC-Sudoers
https://github.com/kerburenthusiasm/CVE-2025-4517-PoC
https://github.com/0xDTC/CVE-2025-4517-tarfile-PATH_MAX-bypass
https://github.com/kyakei/CVE-2025-4138-poc
https://github.com/StealthByte0/CVE-2025-4517-poc
https://github.com/estebanzarate/CVE-2025-4517-Python-tarfile-filter-data-Bypass-PoC
The dizzying exercise of trying to wrap my head around the escape in CVE-2025-4517 made WingData an interesting box for me. 16 layers of symlinks just to read the root flag! https://labs.hackthebox.com/achievement/machine/1069235/835
##New.
Tenable research advisories: High-severity CVE-2026-33307 and CVE-2026-33308: mod_gnutls Multiple Vulnerabilities https://www.tenable.com/security/research/tra-2026-20 @tenable #infosec #vulnerability
##IGL-Technologies Patches Critical Authentication Bypass in eParking.fi Platform
IGL-Technologies patched four vulnerabilities in its eParking.fi platform, including a critical authentication bypass (CVE-2026-29796) that allows attackers to impersonate EV charging stations and gain administrative control.
**Isolate your EV charging infrastructure as much as possible from the public internet and public network access. Verify that your hardware supports the vendor's new security profiles. Since station identifiers were leaked on public maps, you should treat existing IDs as compromised and implement device whitelisting.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/igl-technologies-patches-critical-authentication-bypass-in-eparking-fi-platform-a-5-9-c-q/gD2P6Ple2L
🚨 CRITICAL: CVE-2026-33075 affects labring FastGPT ≤4.14.8.3. GitHub Actions workflow flaw enables attackers to run code & steal secrets, risking supply chain compromise. No patch — audit workflows & restrict secrets now! https://radar.offseq.com/threat/cve-2026-33075-cwe-494-download-of-code-without-in-52a1ff21 #OffSeq #Infosec #SupplyChain
##Multiple Flaws Reported in Automated Logic WebCTRL Premium Server
Automated Logic patched three vulnerabilities in its WebCTRL Premium Server, including a critical cleartext flaw (CVE-2026-24060), that allow attackers to intercept sensitive data and spoof commands in building automation systems.
**If you are using Automated Logic WebCTRL, make sure it's isolated from the internet and your office network. Then plan a patch. Legacy versions 7.x will not be updated so plan an upgrade.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/multiple-flaws-reported-in-automated-logic-webctrl-premium-server-m-r-3-3-r/gD2P6Ple2L
CTEK Chargeportal Vulnerabilities Enable Unauthorized Control of EV Infrastructure
CISA reports four vulnerabilities in the Chargeportal platform by CTEK, including a critical authentication bypass (CVE-2026-25192), that allow attackers to impersonate charging stations and gain unauthorized control. The product is scheduled for sunset in April 2026, leaving network isolation as the primary defense for current users.
**Since CTEK is sunsetting Chargeportal without a patch, make sure you isolate the systems as much as possible from public access and the public internet. Then plan a migration to a supported charging management platform.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/ctek-chargeportal-vulnerabilities-enable-unauthorized-control-of-ev-infrastructure-q-m-c-l-x/gD2P6Ple2L
🚨 CVE-2026-33024: CRITICAL SSRF in WWBN AVideo-Encoder <8.0. Public API allows blind SSRF, risking internal/cloud data exposure. Upgrade to v8.0 or restrict outbound traffic now! https://radar.offseq.com/threat/cve-2026-33024-cwe-918-server-side-request-forgery-82e88a08 #OffSeq #SSRF #Vulnerability #InfoSec
##CVE-2026-4428: Issues with AWS-LC - CRL Distribution Point Scope Check Logic Error
https://aws.amazon.com/security/security-bulletins/rss/2026-010-aws/
Short summary: https://hackerworkspace.com/article/cve-2026-4428-issues-with-aws-lc-crl-distribution-point-scope-check-logic-error
##🔴 CVE-2026-29103 - Critical (9.1)
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. A Critical Remote Code Execution (RCE) vulnerability exists in SuiteCRM 7.15.0 and 8.9.2, allowing authenticated administrators to execute ar...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-29103/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-32721 - High (8.6)
LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wire...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32721/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##Root from the parking lot: OpenWRT XSS through SSID scanning (CVE-2026-32721) https://lobste.rs/s/vteijd #security
https://mxsasha.eu/posts/openwrt-ssid-xss-to-root/
🔴 CVE-2026-32754 - Critical (9.3)
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.208 and below are vulnerable to Stored Cross-Site Scripting (XSS) through FreeScout's email notification templates. Incoming email bodies are stored in...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32754/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-31962 - High (8.8)
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. While most alignment records store DNA sequence and quality values, the format also allows them to omit ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31962/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-31965 - High (8.2)
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. In the `cram_decode_slice()` function called while reading CRAM records, validation of the reference id ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31965/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-31964 - High (7.5)
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. While most alignment records store DNA sequence an...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31964/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-31970 - High (8.1)
HTSlib is a library for reading and writing bioinformatics file formats. GZI files are used to index block-compressed GZIP [BGZF] files. In the GZI loading function, `bgzf_index_load_hfile()`, it was possible to trigger an integer overflow, leadi...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31970/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-31969 - High (8.1)
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the `BYTE_ARRAY_ST...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31969/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-33346 - High (8.7)
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, a stored cross-site scripting (XSS) vulnerability in the patient portal payment flow allows a patient portal user to persist...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33346/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-31967 - Critical (9.1)
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. In the `cram_decode_slice()` function called while reading CRAM records, the value of the mate reference...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31967/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-31966 - Critical (9.1)
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. As one method of removing redundant data, CRAM uses reference-based compression so that instead of stori...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31966/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-31971 - High (8.1)
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the `BYTE_ARRAY_LEN...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31971/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🔴 CVE-2026-31972 - Critical (9.8)
SAMtools is a program for reading, manipulating and writing bioinformatics file formats. The `mpileup` command outputs DNA sequences that have been aligned against a known reference. On each output line it writes the reference position, optionally...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31972/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##1 posts
1 repos
https://github.com/ChrisSub08/CVE-2026-32238_RemoteCodeExecutionOpenEMR8.0.0
🔴 CVE-2026-32238 - Critical (9.1)
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 contain a Command injection vulnerability in the backup functionality that can be exploited by authenticated attacke...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32238/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##Kanboard Authenticated SQL Injection CVE-2026-33058 Writeup https://0dave.ch/posts/cve-2026-33058/
##Published the writeup for the authenticated SQL injection vulnerability in Kanboard - CVE-2026-33058.
https://0dave.ch/posts/cve-2026-33058/
https://www.cve.org/CVERecord?id=CVE-2026-33058
https://github.com/kanboard/kanboard/security/advisories/GHSA-f62r-m4mr-2xhh
🚨 CRITICAL: CVE-2026-32698 in OpenProject (CVSS 9.1) enables SQL injection via admin-created custom fields, leading to potential RCE if chained with repo module bug. Patch to 16.6.9/17.0.6/17.1.3/17.2.1+ now! https://radar.offseq.com/threat/cve-2026-32698-cwe-89-improper-neutralization-of-s-a9afd70e #OffSeq #SQLInjection #OpenProject #InfoSec
##🔴 CVE-2026-32698 - Critical (9.1)
OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When that custom field was used in a Cost Report, the c...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32698/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-32255 - High (8.6)
Kan is an open-source project management tool. In versions 0.5.4 and below, the /api/download/attatchment endpoint has no authentication and no URL validation. The Attachment Download endpoint accepts a user-supplied URL query parameter and passes...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32255/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-32321 - High (8.8)
ClipBucket v5 is an open source video sharing platform. An authenticated time-based blind SQL injection vulnerability exists in ClipBucket prior to 5.5.3 #80 within the `actions/ajax.php` endpoint. Due to insufficient input sanitization of the `us...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32321/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
##🟠 CVE-2026-27894 - High (8.8)
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP fi...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27894/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack