
Overview

  • anthropics
  • claude-code

21 Jan 2026
Published
21 Jan 2026
Updated

CVSS v4.0
MEDIUM (5.3)
EPSS
0.02%

KEV

Description

Claude Code is an agentic coding tool. Prior to version 2.0.65, a vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data, including Anthropic API keys, before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint, and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 6 hours ago

Fediverse


Claude Code Security Analysis: Understanding the CVE-2026-21852 API Key Exfiltration Vulnerability | HackerNoon
hackernoon.com/claude-code-sec

Posted into Hacker Noon @hacker-noon-HackerNoon

  • 1
  • 0
  • 0
  • 6h ago

CVE-2026-21852 exposed a Claude Code flaw that let malicious repositories redirect API traffic and steal Anthropic API keys before trust confirmation. hackernoon.com/claude-code-sec #claudecodevulnerability

  • 0
  • 0
  • 0
  • 6h ago

Overview

  • Google
  • Chrome

12 Mar 2026
Published
14 Mar 2026
Updated

CVSS
Pending
EPSS
27.12%

Description

Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Statistics

  • 3 Posts

Last activity: 7 hours ago

Fediverse


Google Chrome: Zero-Day Exploits 2 and 3 (2026)

Third month, third already-attacked zero-day vulnerability in Chrome. If we extrapolate, there would have to be twelve such cases this year. - Google has just released emergency updates for Chrome, and NIST has instructed US agencies to install the updates by March 27 at the latest. Both vulnerabilities can trigger an infection merely by visiting a crafted website, which in the worst case leads to a complete takeover of the system by the attacker.

The vulnerability CVE-2026-3909 is in Chrome's graphics component. That is why it affects Chrome on all

pc-fluesterer.info/wordpress/2

#Empfehlung #Warnung #0day #browser #chrome #exploits #google #sicherheit #zeroday

  • 0
  • 0
  • 0
  • 7h ago

Bluesky

Google releases emergency Chrome update, fixing two high-severity vulnerabilities, both already confirmed as exploited (CVE-2026-3909, CVE-2026-3910) rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #セキュリティ #Security #CybersecurityNews
  • 0
  • 0
  • 0
  • 19h ago
CISA has added two known exploited vulnerabilities to its catalog: "CISA Adds Two Known Exploited Vulnerabilities to Catalog" #CISA (Mar 13) CVE-2026-3909 Google Skia out-of-bounds write vulnerability; CVE-2026-3910 Google Chromium V8 unspecified vulnerability www.cisa.gov/news-events/...
  • 0
  • 0
  • 0
  • 17h ago

Overview

  • Microsoft
  • Windows Server 2008 R2 Service Pack 1

13 Jan 2026
Published
26 Feb 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.08%

KEV

Description

Improper access control in Windows Deployment Services allows an unauthorized attacker to execute code over an adjacent network.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 9 hours ago

Bluesky

Microsoft is discontinuing automatic Windows network deployments via WDS and Unattend.xml due to security vulnerability CVE-2026-0386 that allows attackers to execute unauthorized code and steal credentials.
  • 1
  • 1
  • 0
  • 9h ago

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 2 Posts
  • 2 Interactions

Last activity: 13 hours ago

Fediverse


Your phone's "off" switch was never a lock.
CVE-2025-20435: 875M Android devices.
USB in. 60 seconds. PIN cracked, encryption stripped, before the OS even blinks.
Check your MediaTek chip. Patch now. Or hand-deliver your secrets.
forbes.com/sites/daveywinder/2

  • 1
  • 1
  • 1
  • 13h ago

Overview

  • OpenClaw
  • OpenClaw

01 Feb 2026
Published
03 Feb 2026
Updated

CVSS v3.1
HIGH (8.8)
EPSS
0.07%

KEV

Description

OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 16 hours ago

Bluesky

AWS Launches Managed Openclaw on Lightsail Amid Critical Security Vulnerabilities AWS launched managed OpenClaw on Lightsail for AI agent deployment while security concerns mount. The 250k-star GitHub project is affected by CVE-2026-25253, which enables one-click RCE,… Telegram AI Digest #ai #news
  • 0
  • 2
  • 0
  • 16h ago

Overview

  • pnggroup
  • libpng

10 Feb 2026
Published
11 Feb 2026
Updated

CVSS v4.0
HIGH (8.3)
EPSS
0.07%

KEV

Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 2 hours ago

Fediverse


An update of #gpg4win has been released: Version 5.0.2. See gpg4win.org

An update to this version is recommended due to the following security fixes:

- A security bug in GpgOL has been fixed which could result in no warning shown to the user when a signed mail contained a not signed attachment after a signed one. (T8110)

- The libpng component has been updated to version 1.6.55 to fix a security issue (CVE-2026-25646). This is only exploitable in our software if a mail is opened via Kleopatra.

  • 0
  • 2
  • 0
  • 2h ago

Overview

  • Tiandy
  • Easy7 Integrated Management Platform

15 Mar 2026
Published
15 Mar 2026
Updated

CVSS v4.0
MEDIUM (6.9)
EPSS
0.06%

KEV

Description

A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0. Impacted is an unknown function of the file /WebService/UpdateLocalDevInfo.jsp of the component Device Identifier Handler. Such manipulation of the argument username/password leads to missing authentication. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 22 hours ago

Fediverse


⚠️ MEDIUM severity: Tiandy Easy7 Integrated Management Platform 7.17.0 has a missing authentication bug (CVE-2026-4187) in Device Identifier Handler. Public exploit exists. No vendor fix yet — review exposure & restrict access. radar.offseq.com/threat/cve-20

  • 0
  • 1
  • 0
  • 22h ago

Overview

  • Microsoft
  • Windows Admin Center in Azure Portal

10 Mar 2026
Published
13 Mar 2026
Updated

CVSS v3.1
HIGH (7.8)
EPSS
0.04%

KEV

Description

Improper access control in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally.

Statistics

  • 1 Post

Last activity: 6 hours ago

Bluesky

CVE-2026-23660: Azure-Bound Windows Admin Center Flaw Opens Door to Privilege Escalation—Patch Now + Video Introduction: A newly disclosed high-severity vulnerability, CVE-2026-23660, has been identified in the Azure-deployed version of Windows Admin Center (WAC), exposing cloud-managed…
  • 0
  • 0
  • 0
  • 6h ago

Overview

  • MBS
  • UBR-01 Mk II

09 Mar 2026
Published
09 Mar 2026
Updated

CVSS v3.1
HIGH (8.8)
EPSS
0.15%

KEV

Description

A low-privileged remote attacker can trigger a stack-based buffer overflow via a crafted HTTP POST request using the ubr-network method resulting in full device compromise.

Statistics

  • 1 Post

Last activity: 7 hours ago

Bluesky

CVE-2025-41766 - Stack buffer overflow on parsing web request scq.ms/3N4ly07
  • 0
  • 0
  • 0
  • 7h ago

Overview

  • Python Software Foundation
  • CPython

03 Dec 2025
Published
03 Mar 2026
Updated

CVSS v4.0
MEDIUM (6.3)
EPSS
0.05%

KEV

Description

When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache(), the algorithm is quadratic. Availability can be impacted when building excessively nested documents.

Statistics

  • 1 Post

Last activity: 7 hours ago

Bluesky

Just published a deep dive on the #Fedora 42 patch for CVE-2025-12084. It's fascinating (and a little scary) how a quadratic algorithm in xml.dom.minidom can be weaponized into a full-on DoS attack. Read more: 👉 tinyurl.com/2s49zsh6 #Security
  • 0
  • 0
  • 0
  • 7h ago
Showing 1 to 10 of 32 CVEs