24h | 7d | 30d

Overview

  • WordPress
  • WordPress

17 Jul 2026
Published
18 Jul 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
8.95%

KEV

Description

WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue which, combined with the author__not_in WP_Query SQL Injection (CVE-2026-60137), could allow an attacker to perform SQL Injection and achieve Remote Code Execution.

Statistics

  • 16 Posts
  • 52 Interactions

Last activity: Last hour

Fediverse

Profile picture fallback

Update your WordPress to 7.0.2/6.9.5, it's important

discourse.ifin.network/t/cve-2

ETA: the above text is not a call for CMS evangelists, just fucking don't thanks

  • 27
  • 13
  • 0
  • 3h ago
Profile picture fallback

@shellsharks New fodder for vulnerability.garden: wp2shell is CVE-2026-63030 / github.com/WordPress/wordpress

  • 2
  • 3
  • 0
  • 22h ago
Profile picture fallback

WordPress pre-auth RCE CVE-2026-63030 chains a REST batch bug with SQL injection. Details and a public PoC are out. Update to WordPress 7.0.2 now.

securityonline.info/wordpress-

  • 1
  • 1
  • 0
  • 17h ago
Profile picture fallback

‼️🚨 CVE-2026-63030 // wp2shell-poc: Proof-of-concept for an unauthenticated SQL injection in WordPress core that chains to remote code execution, via REST batch route confusion.

PoC: github.com/Icex0/wp2shell-poc

  • 0
  • 2
  • 0
  • 20h ago
Profile picture fallback

📰 Critical Unauthenticated RCE Flaw Found in WordPress Core

Critical unauthenticated RCE vulnerability (CVE-2026-63030) found in WordPress Core. Affects versions 6.9.x and 7.0.x. Allows full site takeover via REST API. Update to 6.9.5 or 7.0.2 now! #WordPress #CVE #RCE #PatchNow

🌐 cyber[.]netsecops[.]io

🔗 cyber.netsecops.io/articles/cr

  • 0
  • 0
  • 0
  • 3h ago
Profile picture fallback

⚡ UPDATE: now has two CVEs, and a working proof-of-concept is public.

> CVE-2026-63030 breaks REST batch routing
> CVE-2026-60137 injects SQL

Chained, they give an anonymous attacker code execution on affected WordPress sites.

How the exploit path works: thehackernews.com/2026/07/new-

  • 0
  • 1
  • 0
  • 10h ago
Profile picture fallback

admins - we got you covered! 🫡 → We've just shipped detection for through our Network Scanner. ⚡️ The fastest way to use it is to:

◉ run a single-CVE scan for CVE-2026-63030 - which also covers CVE-2026-60137 - the SQL injection flaw that chains to give attackers RCE
◉ Based on your scan results, either patch or confirm you're already on 6.8.6, 6.9.5, or 7.0.2.
◉ Re-scan to confirm remediation and rule out residual exposure across your other assets.

Remember: updating your main install doesn't cover *every* WP instance you own. Using Pentest-Tools.com means you can expand visibility across your wider attack surface, not just the site you remember exists.

Technical CVE details below. ↘︎↘︎↘︎

See why an estimated 500+ million websites running WP are vulnerable to this critical vulnerability: pentest-tools.com/vulnerabilit

  • 0
  • 1
  • 0
  • 5h ago
Profile picture fallback

WordPress Core "wp2shell" CRITICAL RCE chain (CVE-2026-63030 & CVE-2026-60137) actively exploited. Affects 6.9.0 – 6.9.4 & 7.0.0 – 7.0.1. Public PoCs out. Patch to 6.9.5/7.0.2 ASAP. Block REST API endpoints as temp mitigation. radar.offseq.com/threat/wordpr

  • 0
  • 0
  • 0
  • 1h ago

Bluesky

Profile picture fallback
WordPress Core 6.9 and 7.0 carry wp2shell (CVE-2026-63030), an unauthenticated remote code execution flaw. Update to 6.9.5 or 7.0.2
  • 0
  • 1
  • 0
  • 11h ago
Profile picture fallback
WordPress wp2shell (CVE-2026-63030): CISO FAQ & Fix
  • 0
  • 0
  • 0
  • 2h ago
Profile picture fallback
⚠️ wp2shell (CVE-2026-63030, CVSS 9.8): pre-auth RCE in WordPress core via the REST batch API (batch/v1), on by default & reachable unauthenticated. Works on a stock install, no plugins. Affects 6.9.0–6.9.4 & 7.0.0–7.0.1. Update to 6.9.5/7.0.2 now. Query: technology="WordPress"
  • 0
  • 0
  • 0
  • Last hour
Profile picture fallback
🚨 wp2shell: RCE crític al nucli de WordPress, no en cap plugin. Una petició anònima pot desembocar en execució de codi al servidor. Afecta: 6.9.0–6.9.4 i 7.0.0–7.0.1. Es soluciona amb les versions: 7.0.2/6.9.5/6.8.6. CVE-2026-63030 i CVE-2026-60137. claude.ai/public/artif...
  • 0
  • 0
  • 0
  • 13h ago
Profile picture fallback
Pokud jste ještě nektualizovali WordPress tak zbystřee, jsou tam dvě závažné chyby přímo v jádře. CVE-2026-60137: SQL injection a CVE-2026-63030: Unauthenticated remote code execution.
  • 0
  • 0
  • 0
  • 13h ago
Profile picture fallback
#Wordpress: Critical Remote Code Execution (#RCE) chain of vulnerabilities CVE-2026-63030 and #SQLi SQL Injection CVE-2026-60137 dubbed #wp2shell in WordPress Core threaten 500+ million of websites. Patch now!: 👇 thehackernews.com/2026/07/new-...
  • 0
  • 0
  • 1
  • 11h ago
Profile picture fallback
Public exploits for WordPress Core wp2shell flaws now enable pre-auth RCE on 6.9.x and 7.0.x. Tracked as CVE-2026-63030 and CVE-2026-60137. WordPress has pushed security updates. #WordPress #RCE #CVE2026
  • 0
  • 0
  • 0
  • 1h ago

Overview

  • WordPress
  • WordPress

17 Jul 2026
Published
18 Jul 2026
Updated

CVSS v3.1
MEDIUM (5.9)
EPSS
4.03%

KEV

Description

WordPress 6.8.x before 6.8.6, 6.9.x before 6.9.5, and 7.0.x before 7.0.2 does not properly sanitise the author__not_in parameter of WP_Query, which could allow SQL Injection when a plugin or theme passes untrusted input to the parameter.

Statistics

  • 9 Posts
  • 42 Interactions

Last activity: 1 hour ago

Fediverse

Profile picture fallback

Update your WordPress to 7.0.2/6.9.5, it's important

discourse.ifin.network/t/cve-2

ETA: the above text is not a call for CMS evangelists, just fucking don't thanks

  • 27
  • 13
  • 0
  • 3h ago
Profile picture fallback

⚡ UPDATE: now has two CVEs, and a working proof-of-concept is public.

> CVE-2026-63030 breaks REST batch routing
> CVE-2026-60137 injects SQL

Chained, they give an anonymous attacker code execution on affected WordPress sites.

How the exploit path works: thehackernews.com/2026/07/new-

  • 0
  • 1
  • 0
  • 10h ago
Profile picture fallback

admins - we got you covered! 🫡 → We've just shipped detection for through our Network Scanner. ⚡️ The fastest way to use it is to:

◉ run a single-CVE scan for CVE-2026-63030 - which also covers CVE-2026-60137 - the SQL injection flaw that chains to give attackers RCE
◉ Based on your scan results, either patch or confirm you're already on 6.8.6, 6.9.5, or 7.0.2.
◉ Re-scan to confirm remediation and rule out residual exposure across your other assets.

Remember: updating your main install doesn't cover *every* WP instance you own. Using Pentest-Tools.com means you can expand visibility across your wider attack surface, not just the site you remember exists.

Technical CVE details below. ↘︎↘︎↘︎

See why an estimated 500+ million websites running WP are vulnerable to this critical vulnerability: pentest-tools.com/vulnerabilit

  • 0
  • 1
  • 0
  • 5h ago
Profile picture fallback

WordPress Core "wp2shell" CRITICAL RCE chain (CVE-2026-63030 & CVE-2026-60137) actively exploited. Affects 6.9.0 – 6.9.4 & 7.0.0 – 7.0.1. Public PoCs out. Patch to 6.9.5/7.0.2 ASAP. Block REST API endpoints as temp mitigation. radar.offseq.com/threat/wordpr

  • 0
  • 0
  • 0
  • 1h ago

Bluesky

Profile picture fallback
🚨 wp2shell: RCE crític al nucli de WordPress, no en cap plugin. Una petició anònima pot desembocar en execució de codi al servidor. Afecta: 6.9.0–6.9.4 i 7.0.0–7.0.1. Es soluciona amb les versions: 7.0.2/6.9.5/6.8.6. CVE-2026-63030 i CVE-2026-60137. claude.ai/public/artif...
  • 0
  • 0
  • 0
  • 13h ago
Profile picture fallback
Pokud jste ještě nektualizovali WordPress tak zbystřee, jsou tam dvě závažné chyby přímo v jádře. CVE-2026-60137: SQL injection a CVE-2026-63030: Unauthenticated remote code execution.
  • 0
  • 0
  • 0
  • 13h ago
Profile picture fallback
#Wordpress: Critical Remote Code Execution (#RCE) chain of vulnerabilities CVE-2026-63030 and #SQLi SQL Injection CVE-2026-60137 dubbed #wp2shell in WordPress Core threaten 500+ million of websites. Patch now!: 👇 thehackernews.com/2026/07/new-...
  • 0
  • 0
  • 1
  • 11h ago
Profile picture fallback
Public exploits for WordPress Core wp2shell flaws now enable pre-auth RCE on 6.9.x and 7.0.x. Tracked as CVE-2026-63030 and CVE-2026-60137. WordPress has pushed security updates. #WordPress #RCE #CVE2026
  • 0
  • 0
  • 0
  • 1h ago

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 5 Interactions

Last activity: 1 hour ago

Fediverse

Profile picture fallback

Hollo security updates: 0.8.9 and 0.9.9

If you run Hollo, update to a patched release now. CVE-2026-62857 affects Fedify's NodeInfo client, which Hollo uses to identify the software running on remote ActivityPub servers.

A NodeInfo lookup starts by fetching a remote server's /.well-known/nodeinfo document, then follows the NodeInfo document URL advertised in that response. The vulnerable getNodeInfo() path fetched both URLs without validating that they resolved to public network destinations. Because the second URL comes directly from a response controlled by the remote server, it could point to a loopback address, a link-local cloud metadata endpoint, an RFC 1918 private address, or even a data: URL.

An attacker who controls a remote server that Hollo discovers could therefore make the Hollo instance initiate requests to non-public network destinations, depending on the deployment environment and network routing.

The fix applies Fedify's public-address validation to both NodeInfo requests and every redirect hop. It also caps redirects, refuses cross-protocol redirects, and rejects non-HTTP(S) URLs. As a result, NodeInfo lookups for private or intranet addresses are now refused.

For full technical details of the underlying vulnerability, see the Fedify security advisory and the Fedify security announcement.

All Hollo versions in the supported 0.8.x and 0.9.x release lines up to and including 0.8.8 and 0.9.8 are affected. Patched releases are 0.8.9 for the 0.8.x series and 0.9.9 for the 0.9.x series.

Hollo 0.7.x is also affected. It and earlier release lines are no longer supported under the Hollo security policy. Upgrade to a supported release series rather than remaining on an older version.

For 0.8.x deployments, update to 0.8.9:

docker pull ghcr.io/fedify-dev/hollo:0.8.9

For 0.9.x deployments, update to 0.9.9:

docker pull ghcr.io/fedify-dev/hollo:0.9.9

After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.

Thanks to @rvzsec and @manus-use for the report and responsible disclosure to the Fedify project.

If anything is unclear, ask below.

  • 5
  • 0
  • 0
  • 1h ago

Overview

  • Canonical
  • ubuntu-pro-client (ubuntu-advantage-tools)
  • ubuntu-pro-client

16 Jul 2026
Published
16 Jul 2026
Updated

CVSS v3.1
CRITICAL (9.0)
EPSS
0.32%

KEV

Description

An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python's str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field—which is passed positionally into a root-executed apt-get install command—an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.

Statistics

  • 1 Post
  • 5 Interactions

Last activity: 10 hours ago

Fediverse

Profile picture fallback

Ubuntu Pro Client vulnerability CVE-2026-11386 (CVSS 9.0) lets a spoofed contract server inject APT sources and run code with root privileges.

securityonline.info/ubuntu-pro

  • 3
  • 2
  • 0
  • 10h ago

Overview

  • @fastify/http-proxy
  • @fastify/http-proxy

18 Jul 2026
Published
18 Jul 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
Pending

KEV

Description

Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but request.url retains the original encoded form, and the prefix-rewrite step uses a literal string replace against the decoded prefix. A request that encodes one or more characters of the configured prefix therefore matches the route but skips the rewrite, so the raw encoded path is forwarded to the upstream unchanged. The upstream then decodes the path and serves it, letting an attacker reach upstream paths that the proxy was configured to hide via rewritePrefix, including internal or administrative endpoints. Patches: upgrade to @fastify/http-proxy 11.6.0. Workarounds: none.

Statistics

  • 2 Posts
  • 2 Interactions

Last activity: 6 hours ago

Fediverse

Profile picture fallback

🚨 Critical-severity security fix in @fastify/http-proxy@11.6.0 just released!

Patches CVE-2026-16117, prefix escape via URL-encoded characters.

github.com/fastify/fastify-htt

  • 1
  • 1
  • 1
  • 6h ago

Overview

  • IBM
  • Langflow OSS

17 Jul 2026
Published
18 Jul 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.29%

KEV

Description

IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to create unlimited user accounts on any Langflow instance; when NEW_USER_IS_ACTIVE=true (documented deployment option), newly created accounts are immediately active and can authenticate to reach RCE endpoints, bypassing the need for AUTO_LOGIN.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 2 hours ago

Fediverse

Profile picture fallback

CVE-2026-9202 - Critical RCE in IBM Langflow. Unauthenticated account creation bypass leads to RCE. CVSS 9.8. No patch available. Mitigate by disabling NEW_USER_IS_ACTIVE. #CVE #IBM #infosec

valtersit.com/cve/CVE-2026-920

  • 1
  • 1
  • 0
  • 2h ago

Overview

  • ServiceNow
  • ServiceNow AI Platform

13 Jul 2026
Published
14 Jul 2026
Updated

CVSS v4.0
CRITICAL (9.5)
EPSS
0.51%

KEV

Description

ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability could enable an unauthenticated user, in certain circumstances, to execute code within the ServiceNow platform. ServiceNow addressed this vulnerability by deploying a security update to hosted instances. Relevant security updates have also been provided to ServiceNow self-hosted customers and partners. Further, the vulnerability is addressed in the listed patches and family releases, which have been made available to hosted and self-hosted customers, as well as partners. We are not currently aware of exploitation against ServiceNow instances. We recommend customers promptly apply appropriate updates or upgrade to a patched release if they have not already done so.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 8 hours ago

Fediverse

Profile picture fallback

Active Exploitation and Public PoC Disclosed for CVE-2026-6875 ServiceNow Sandbox Escape Remote Code Execution

securityonline.info/cve-2026-6

  • 1
  • 0
  • 0
  • 8h ago

Overview

  • scikit-hep
  • uproot

18 Jul 2026
Published
18 Jul 2026
Updated

CVSS v4.0
HIGH (8.5)
EPSS
Pending

KEV

Description

uproot dynamically generates Python class source code from ROOT TStreamerInfo records in a file and compiles it at runtime. Some file-controlled streamer metadata fields (for example, streamer element names) are interpolated into the generated Python source without safe quoting via repr() or the !r format specifier. An attacker who can supply a crafted ROOT file can place Python expression-breaking content into a streamer metadata field. When uproot generates and invokes the corresponding reader method, the injected Python expression is evaluated in the context of the process opening the file, resulting in arbitrary Python code execution in applications that open or process attacker-controlled ROOT files with affected uproot code paths.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 5 hours ago

Fediverse

Profile picture fallback

scikit-hep uproot has a HIGH-severity code injection flaw (CVE-2026-9147, CVSS 8.5). Malicious ROOT files can trigger arbitrary Python code execution. Avoid untrusted files until fixed. Full details: radar.offseq.com/threat/cve-20

  • 1
  • 0
  • 0
  • 5h ago

Overview

  • ruby
  • net-imap

09 May 2026
Published
12 May 2026
Updated

CVSS v4.0
LOW (2.3)
EPSS
0.41%

KEV

Description

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 7 hours ago

Bluesky

Profile picture fallback
🔍 Lambda Watchdog detected that CVE-2026-42245 is no longer present in latest AWS Lambda base image scans. https://github.com/aws/aws-lambda-base-images/issues/518 #AWS #Lambda #Security #CVE #DevOps #SecOps
  • 0
  • 1
  • 0
  • 7h ago

Overview

  • codeigniter4
  • CodeIgniter4

17 Jul 2026
Published
17 Jul 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.44%

KEV

Description

CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in upload validation rule in system/Validation/StrictRules/FileRules.php checked the MIME-derived guessed extension instead of the client-provided filename extension. As a result, an uploaded file named shell.php containing GIF-like content could pass validation such as uploaded[avatar]|is_image[avatar]|mime_in[avatar,image/gif]|ext_in[avatar,gif] because the detected MIME type maps to gif, even though the uploaded filename extension is php. Applications are impacted if they accept user-controlled uploads, rely on ext_in to validate the uploaded filename extension, save uploaded files using the original client filename with $file->move($path), store uploads in a web-accessible directory, and allow PHP or other executable files to run from that directory. In those conditions, this may lead to arbitrary code execution. This issue is fixed in version 4.7.3.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 5 hours ago

Fediverse

Profile picture fallback

CVE-2026-48062 - Unpatched Code Execution in CodeIgniter. MIME validation bypass allows PHP file upload with GIF content. CVSS 9.8. Update to 4.7.3 immediately. #CVE #CodeIgniter #infosec

valtersit.com/cve/CVE-2026-480

  • 0
  • 1
  • 0
  • 5h ago
Showing 1 to 10 of 35 CVEs