Overview

  • Vendor: Microsoft
  • Product: Microsoft Exchange Server 2016 Cumulative Update 23
  • Published: 14 May 2026
  • Updated: 15 May 2026
  • CVSS v3.1: HIGH (8.1)
  • EPSS: 0.22%

Description

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

Statistics

  • 27 Posts
  • 10 Interactions

Last activity: Last hour

Fediverse


⚠️CERT-FR Alert⚠️

The vulnerability CVE-2026-42897 affects Microsoft Exchange and allows remote indirect code injection (XSS) as well as a security policy bypass.

It is being actively exploited.

cert.ssi.gouv.fr/alerte/CERTFR

7h ago

Microsoft describes this security flaw (CVE-2026-42897) as a spoofing vulnerability affecting up-to-date Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) software. bleepingcomputer.com/news/micr

7h ago

Critical vulnerability CVE-2026-42897 threatens Microsoft Exchange Server 2016, 2019 and Subscription Edition. Attackers can execute JavaScript code via OWA. #Microsoft #ITSec winfuture.de/news,158719.html?

5h ago

High critical cross-site scripting (XSS) vuln in Microsoft Exchange Server 2016 being used in the wild

cve.org/CVERecord?id=CVE-2026-

2h ago

📰 Microsoft Exchange Zero-Day Under Active Attack, Mitigations Deployed Automatically

📢 Microsoft confirms a new Exchange Server zero-day (CVE-2026-42897) is actively exploited! The XSS flaw in OWA affects on-prem servers. Mitigations are being deployed automatically via the EM service. Check your systems! 🛡️ #Exchange #Zeroday

🌐 cyber[.]netsecops[.]io

🔗 cyber.netsecops.io/articles/mi

1h ago

Oops, a new Exchange zero-day just dropped.

msrc.microsoft.com/update-guid

Mitigation available. No patch.

Last hour

Bluesky


Unpatched Microsoft Exchange Server vulnerability exploited (CVE-2026-42897) 📖 Read more: www.helpnetsecurity.com/2026/05/15/e... #cybersecurity #cybersecuritynews #MicrosoftExchange #vulnerability

10h ago

Addressing Exchange Server May 2026 vulnerability CVE-2026-42897 #patchmanagement

23h ago

CVE-2026-42897 enables spoofing via cross-site scripting in on-premises Exchange Server, with active exploitation, mitigated by emergency service or EOMT.

13h ago

On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email https://thehackernews.com/2026/05/on-prem-microsoft-exchange-server-cve.html

12h ago

Microsoft warns of CVE-2026-42897, a high-severity Exchange spoofing flaw exploited via crafted emails to run JavaScript in Outlook on the web. Mitigations are available for Exchange Server 2016, 2019, and SE. #Microsoft #ExchangeServer #CVE202642897

8h ago

CISA Issues Urgent Alert: Microsoft Exchange Server Zero-Day (CVE-2026-42897) Under Active Attack – Deploy This Emergency Mitigation Now + Video Introduction: A newly disclosed zero-day spoofing vulnerability, tracked as CVE-2026-42897, is currently being exploited in the wild against on‑premises…

8h ago

#MSXFAQ CVE-2026-42897 EEMS M2.1 OWA CSP www.msxfaq.de/exchange/upd... HTML mails containing malicious code may be executed when opened via OWA. EEMT mitigations are being actively rolled out. Anyone who does not have EEMT active should take manual action.

3h ago

CVE-2026-42897 is a spoofing and XSS Exchange zero-day exploited via crafted emails, requiring immediate mitigations until a permanent patch is available.

7h ago

On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email reconbee.com/on-prem-micr... #microsoftexchangeserver #microsoftexchange #microsoft #cybersecurity #cyberattack #Email

7h ago

CVE-2026-42897 in on-prem Exchange OWA can enable arbitrary JavaScript execution via crafted emails, with emergency mitigation potentially breaking inline images and calendar printing.

7h ago

CISA Alerts: Urgent CVE-2026-42897 Zero-Day Exploitation Hits On-Prem Exchange Servers—Patch or Mitigate NOW + Video Introduction: A critical security advisory was issued on May 14, 2026, as Microsoft confirmed active exploitation of a zero-day vulnerability in on-premises Microsoft Exchange…

5h ago

Microsoft disclosed CVE-2026-42897, a zero-day exploited in the wild, affecting Exchange Server Subscription Edition, 2016, and 2019. It can enable spoofing and JavaScript execution in Outlook Web Access. #MicrosoftExchange #ExchangeServer

4h ago

⚠️ Exchange Server – CVE-2026-42897: this zero-day flaw is already being exploited! More info: - www.it-connect.fr/exchange-ser... #microsoft #exchange #infosec

4h ago

On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email #cybersecurity #hacking #news #infosec #security #technology #privacy thehackernews.com/20...

3h ago

~Cisa~ CISA added an actively exploited Microsoft Exchange Server XSS vulnerability to its KEV catalog. - IOCs: CVE-2026-42897 - #CVE202642897 #Exchange #ThreatIntel

Last hour

~Cybergcca~ Active exploitation of critical Cisco SD-WAN (CVE-2026-20182) and MS Exchange (CVE-2026-42897) flaws. - IOCs: CVE-2026-20182, CVE-2026-42897 - #CVE202620182 #Exchange #ThreatIntel

4h ago

Overview

  • Vendor: F5
  • Product: NGINX Plus
  • Published: 13 May 2026
  • Updated: 14 May 2026
  • CVSS v3.1: HIGH (8.1)
  • EPSS: 0.17%
  • KEV

Description

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) is used with a replacement string that includes a question mark (?). An unauthenticated attacker, given conditions beyond their control, can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process, leading to a restart. Additionally, on systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
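The description gives a concrete configuration shape (a rewrite whose replacement has an unnamed capture and a "?", followed by a rewrite, if or set directive) and a concrete precondition for code execution (ASLR off). The following is an added example, not code from the page, from F5 or from the NGINX project: a small nginx config tokenizer that flags directives matching that shape, plus two helpers for the ASLR precondition that read the system-wide sysctl value and the per-process personality flag that `setarch -R` sets (the thread below notes the public PoC starts nginx that way). The configuration, the process values and all function names are constructed for the example; a hit means "review this", since exploitability also depends on the request.

```python
"""Added example: audit an nginx config for the CVE-2026-42945 rewrite pattern
from the advisory text and report the ASLR precondition for code execution.
Not nginx or F5 code; SAMPLE_CONF and the /proc values below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample configuration, not a real deployment.
SAMPLE_CONF = """
http {
    server {
        listen 80;
        # advisory pattern: unnamed capture, '?' in replacement, then set
        location /old/ {
            rewrite ^/old/(.*)$ /new/$1?legacy=1 last;
            set $flag 1;
        }
        # not flagged: the replacement uses a named capture
        location /a/ {
            rewrite ^/a/(?<rest>.*)$ /b/$rest?from=a last;
            if ($flag) { return 403; }
        }
        # not flagged: no '?' in the replacement
        location /c/ {
            rewrite ^/c/(.*)$ /d/$1 break;
            rewrite ^/d/(.*)$ /e/$1 break;
        }
        # not flagged: nothing follows the rewrite in its block
        location /f/ {
            rewrite ^/f/(.*)$ /g/$1?x=1 last;
        }
    }
}
"""

@dataclass
class Directive:
    name: str
    args: List[str]
    line: int
    children: Optional[List["Directive"]] = None   # set for block directives

def _tokenize(text: str) -> List[Tuple[str, int]]:
    """Tokens with line numbers. '#' starts a comment only at a token boundary;
    a quoted string is one token; regexes with braces must be quoted, as in nginx."""
    toks, i, line, n = [], 0, 1, len(text)
    while i < n:
        c = text[i]
        if c == "\n":
            line += 1
            i += 1
        elif c.isspace():
            i += 1
        elif c == "#":
            while i < n and text[i] != "\n":
                i += 1
        elif c in "{};":
            toks.append((c, line))
            i += 1
        elif c in "\"'":
            j = i + 1
            while j < n and text[j] != c:
                j += 2 if text[j] == "\\" else 1
            toks.append((text[i + 1:j], line))
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in "{};":
                j += 1
            toks.append((text[i:j], line))
            i = j
    return toks

def _parse(tokens: List[Tuple[str, int]]) -> List[Directive]:
    """Build a directive tree; siblings keep file order so 'next directive' is exact."""
    root: List[Directive] = []
    stack: List[List[Directive]] = [root]
    cur: List[Tuple[str, int]] = []
    for tok, line in tokens:
        if tok in (";", "{"):
            if cur:
                d = Directive(cur[0][0], [t for t, _ in cur[1:]], cur[0][1],
                              [] if tok == "{" else None)
                stack[-1].append(d)
                if tok == "{":
                    stack.append(d.children)
            cur = []
        elif tok == "}":
            if len(stack) > 1:
                stack.pop()
        else:
            cur.append((tok, line))
    return root

FOLLOWERS = {"rewrite", "if", "set"}
_UNNAMED_CAPTURE = re.compile(r"\$\d")

def find_risky_rewrites(config_text: str) -> List[Tuple[int, str, str]]:
    """(line, replacement, next directive) for each rewrite matching the advisory text."""
    hits: List[Tuple[int, str, str]] = []
    def walk(block: List[Directive]) -> None:
        for i, d in enumerate(block):
            nxt = block[i + 1] if i + 1 < len(block) else None
            if (d.name == "rewrite" and len(d.args) >= 2
                    and _UNNAMED_CAPTURE.search(d.args[1]) and "?" in d.args[1]
                    and nxt is not None and nxt.name in FOLLOWERS):
                hits.append((d.line, d.args[1], nxt.name))
            if d.children:
                walk(d.children)
    walk(_parse(_tokenize(config_text)))
    return hits

# ASLR precondition: system-wide sysctl, and the per-process personality flag
# ADDR_NO_RANDOMIZE (0x0040000) that `setarch -R` sets, shown in /proc/<pid>/personality.
ADDR_NO_RANDOMIZE = 0x0040000

def randomize_va_space_level(value: str) -> str:
    """Interpret /proc/sys/kernel/randomize_va_space (0 off, 1 partial, 2 full)."""
    return {"0": "disabled", "1": "partial", "2": "full"}.get(value.strip(), "unknown")

def personality_disables_aslr(hex_value: str) -> bool:
    """True if a /proc/<pid>/personality value carries ADDR_NO_RANDOMIZE."""
    return bool(int(hex_value.strip(), 16) & ADDR_NO_RANDOMIZE)

if __name__ == "__main__":
    for line, repl, nxt in find_risky_rewrites(SAMPLE_CONF):
        print(f"line {line}: rewrite replacement {repl!r} is followed by {nxt}")
    print("system ASLR:", randomize_va_space_level("2"))          # constructed value
    print("worker under setarch -R:", personality_disables_aslr("0040000"))  # constructed
```

On a live host, feed `find_risky_rewrites` the output of `nginx -T` (which expands includes), read `/proc/sys/kernel/randomize_va_space` into `randomize_va_space_level`, and read `/proc/<worker pid>/personality` into `personality_disables_aslr`; only the last of these catches a worker that was started with ASLR disabled on an otherwise default system.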

Statistics

  • 11 Posts
  • 133 Interactions

Last activity: 2 hours ago

Fediverse


Regarding CVE-2026-42945 in nginx - no modern (or even old) Linux distribution runs nginx without ASLR.

The way the PoC exploit works is they spawn nginx like this:

> exec setarch x86_64 -R /nginx-src/build/nginx -p /app -c /app/nginx.conf

Setarch -R disables ASLR. I've had a look through Github and I can't find any other software which actually does this for nginx either.

So, cool, sweet technical vuln - it's valid - but the RCE apocalypse ain't coming.

10h ago

An 18-year-old flaw in Nginx, a public PoC, a lot of noise... but who is really affected?

cryptolab.re/posts/2026/nginx-

#nginx #linux #devops #sysadmin #cybersecurity

13h ago

⚠️ NGINX `rewrite` vulnerability

Using unnamed regex captures (`$1`, `$2`) with `?` in replacement strings plus `rewrite`/`if`/`set` can be triggered **without auth**.

Systems with ASLR disabled are at risk of remote code execution. Patch immediately!

my.f5.com/manage/s/article/K00

nvd.nist.gov/vuln/detail/CVE-2

#NGINX #CVE202642945 #ZeroDay #InfoSec #RCE #CyberSecurity

20h ago

🚨 New critical flaw in NGINX: CVE-2026-42945 (Z)

A vulnerability in ngx_http_rewrite_module can crash NGINX workers, or even lead to code execution if ASLR is disabled.

👉 security-tracker.debian.org/tr

11h ago

I don't wanna ruin your Friday, but nginx has a serious CVE with a rating of 9.2, and you should patch or mitigate it asap.

The CVE is an unauthenticated http request that can lead to a deterministic buffer overflow and remote code execution.

depthfirst.com/nginx-rift

#nginx #cve_2026_42945 #cve202642945

11h ago

@beyondmachines1
Meanwhile, you're not completely off the hook, people; you can check the vulnerability updates via: security-tracker.debian.org/tr

2h ago

CVE-2026-42945 + CVE-2026-43284 = full compromise, hope you guys are patching ;)

#infosec #cybersecurity

13h ago

Bluesky


💡 Summary: An RCE PoC for a serious heap buffer overflow originating in NGINX's ngx_http_rewrite_module has been published. Besides the vulnerability (CVE-2026-42945) that enables unauthenticated remote code execution using the rewrite and set directives, a total of four similar memory-corruption issues were reported. The vulnerability arises because the handling of is_args is inconsistent between the length-calculation and copy passes of the two-pass script engine, which leads to heap corruption using attacker-controlled URI data; the exploit flow then uses ngx_pool_cleanup_s to get system() executed. (1/2)

12h ago

NGINX Rift: the bug that stayed hidden for 18 years and leads to remote code execution. The CVE-2026-42945 vulnerability has been present in NGINX since 2008 but only came to light ... https://www.ilsoftware.it/nginx-rift-exploit-vulnerabilita-critica/

10h ago

Overview

  • Vendor: Cisco
  • Product: Cisco Catalyst SD-WAN Manager
  • Published: 14 May 2026
  • Updated: 15 May 2026
  • CVSS v3.1: CRITICAL (10.0)
  • EPSS: 1.56%

Description

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the earlier vulnerability was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. This advisory also includes Show Control Connections guidance to help with system checks.

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.

Statistics

  • 24 Posts
  • 12 Interactions

Last activity: 1 hour ago

Fediverse


CISA said all federal agencies have until Sunday to patch CVE-2026-20182, the latest Cisco SD-WAN bug exploited by nation-state actors.

It was discovered by Rapid7, which said it "behaves like a master key."

therecord.media/cisa-orders-al

5h ago

📰 Cisco Scrambles to Patch Critical 10.0 CVSS Zero-Day in SD-WAN Under Active Attack

🚨 CRITICAL ZERO-DAY: Cisco warns of active exploitation of a 10.0 CVSS auth bypass flaw (CVE-2026-20182) in Catalyst SD-WAN. Attackers can gain full admin access. CISA has issued a directive to patch immediately! ⚠️ #CyberSecurity #ZeroDay #Cisco

🌐 cyber[.]netsecops[.]io

🔗 cyber.netsecops.io/articles/ci

1h ago

Bluesky


CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits #cybersecurity #hacking #news #infosec #security #technology #privacy thehackernews.com/20...

8h ago

CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits reconbee.com/cisa-adds-ci... #CISA #unitedstates #KEV #vulnerabilities #cisco #cyberattack

7h ago

Cisco Catalyst SD-WAN Controller auth bypass in vdaemon DTLS via spoofed vHub device type (CVE-2026-20182) www.rapid7.com/blog/post/ve... #infosec

6h ago

CISA adds one known exploited vulnerability to the catalog (CISA Adds One Known Exploited Vulnerability to Catalog) #CISA (May 14) CVE-2026-20182 Cisco Catalyst SD-WAN Controller authentication bypass vulnerability www.cisa.gov/news-events/...

20h ago

CVE-2026-20182 Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability

17h ago

CVE-2026-20182 in Cisco Catalyst SD-WAN Controller enables unauthenticated remote authentication bypass and administrative access, added to CISA KEV with FCEB remediation by May 17, 2026.

14h ago

Critical vulnerability in Cisco Catalyst SD-WAN exploited in zero-day attacks (CVE-2026-20182) | Codebook|Security News https://codebook.machinarecord.com/threatreport/silobreaker-cyber-alert/45603/

13h ago

Cisco released patches for CVE-2026-20182, an exploited SD-WAN authentication bypass that can grant remote attackers admin privileges via crafted packets.

13h ago

Cisco SD-WAN CVE-2026-20182, a CVSS 10.0 auth bypass, is being exploited in the wild. Attackers linked to UAT-8616 have gained admin access, added SSH keys, and altered NETCONF settings. #Cisco #SDWAN #UAT8616

13h ago

Cisco fixed CVE-2026-20182 in Catalyst SD-WAN Controller and Manager after active exploitation of an auth bypass that can grant admin access and let attackers alter network configs. #Cisco #CVE2026 #SDWAN

13h ago

CISA added CVE-2026-20182 to KEV after active exploitation of Cisco Catalyst SD-WAN. The 10.0 auth bypass is linked to UAT-8616, with attacks using web shells, miners, backdoors, and stealers. #Cisco #UAT8616 #KEV

12h ago

🚨Security vulnerability CVE-2026-20182 in Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage), CVSS 10! AND: the vulnerability is already being exploited in the wild. 👉 act now: www.cisa.gov/news-events/...

8h ago

The zero-day, tracked as CVE-2026-20182, has been exploited in targeted attacks by a sophisticated threat actor identified as UAT-8616. www.securityweek.com/cisco-patche...

8h ago

CVE-2026-20182 is a max-severity, actively exploited Cisco Catalyst SD-WAN Controller/Manager flaw enabling unauthenticated admin access and NETCONF manipulation.

7h ago

Cisco patches another actively exploited SD-WAN zero-day (CVE-2026-20182) 📖 Read more: www.helpnetsecurity.com/2026/05/15/c... #cybersecurity #cybersecuritynews #0day #APT #SDWAN @cisco.com @talosintelligence.com @rapid7.com

7h ago

Cisco disclosed CVE-2026-20182, a max-severity auth bypass in Catalyst SD-WAN Controller and Manager. Cisco and Rapid7 say limited exploitation is underway, with UAT-8616 linked to admin-level access. #Cisco #CVE2026 #UAT8616

5h ago

~Cybergcca~ Active exploitation of critical Cisco SD-WAN (CVE-2026-20182) and MS Exchange (CVE-2026-42897) flaws. - IOCs: CVE-2026-20182, CVE-2026-42897 - #CVE202620182 #Exchange #ThreatIntel

4h ago

Overview

  • Vendor: Linux
  • Product: Linux
  • Published: 15 May 2026
  • Updated: 15 May 2026
  • CVSS: Pending
  • EPSS: Pending
  • KEV

Description

In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.

Statistics

  • 4 Posts
  • 81 Interactions

Last activity: 1 hour ago

Fediverse


ssh-keysign-pwn is the fourth local-root Linux kernel disclosure in roughly two weeks. (But who's counting?)

AlmaLinux 9 and 10 are both vulnerable. AlmaLinux 8 is not exploitable with the current public PoCs, but is getting the patch as well.

Patched kernel versions are available for testing now: almalinux.org/blog/2026-05-15-

4h ago

Local file exposure in linux kernels (CVE-2026-46333):

github.com/0xdeadbeefnetwork/s

Apparently this issue was already identified in 2020 but wasn't fixed back then.

Mitigation:
- runtime:
  sudo sysctl -w kernel.yama.ptrace_scope=2
- To make the mitigation persistent:
  echo "kernel.yama.ptrace_scope=2" | sudo tee /etc/sysctl.d/01-harden-ptrace.conf

WARNING: This mitigation may break existing functionality. Test before deploying.

WARNING 2: While this mitigation does block the currently existing PoC, it may not prevent other attack vectors exploiting this vulnerability.

11h ago

Seven new stable kernels with patches for CVE-2026-46333

lwn.net/Articles/1073060/ #LWN #Linux #kernel

6h ago

What a week… #Linux ssh-keysign-pwn (CVE-2026-46333):

Mitigation (breaks strace, gdb etc)

$ sudo sysctl -w kernel.yama.ptrace_scope=3
$ echo 'kernel.yama.ptrace_scope = 3' | sudo tee /etc/sysctl.d/99-ssh-keysign-pwn.conf

https://nvd.nist.gov/vuln/detail/CVE-2026-46333

1h ago

Overview

  • Vendor/Product: Pending
  • Published: Pending
  • Updated: Pending
  • CVSS: Pending
  • EPSS: Pending
  • KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 8 Posts
  • 3 Interactions

Last activity: 1 hour ago

Fediverse


Fragnesia: a new privilege escalation vulnerability in the Linux kernel

A new security flaw has been discovered in the Linux kernel, named Fragnesia (CVE-2026-46300), which allows an unprivileged local user to obtain administrator (root) privileges on a GNU/Linux distribution.

@linux #UnoLinux #gnulinux #linux

#kernellinux #gnulinuxitalia #linuxitalia #fragnesia

#vulnerabilitalinux

laseroffice.it/blog/2026/05/14

1h ago

A new Fragnesia flaw in Linux lets attackers obtain root privileges

Linux distributions are releasing patches for a new high-severity kernel privilege escalation vulnerability (known as Fragnesia and tracked as CVE-2026-46300) that allows attackers to run malicious code as root

bleepingcomputer.com/news/secu…

@gnulinuxitalia

23h ago

Beep!

sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/fragnesia.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"

tuxcare.com/blog/fragnesia-cve

20h ago

Oh and while we are here, Linux fans, please tell me you have updated your machine for "Fragnesia (CVE-2026-46300)", right… right!?

github.com/v12-security/pocs/t

14h ago

Linux distributions are alerting users to a newly disclosed kernel vulnerability that could allow local attackers to escalate privileges to root.

The flaw, dubbed Fragnesia and tracked as CVE-2026-46300, enables unprivileged users to obtain root access by overwriting critical system files.

Most Linux distributions are impacted, and vendors have begun rolling out security patches.

12h ago

Bluesky


Fragnesia: New Linux kernel LPE bug was spawned by Dirty Frag patch (CVE-2026-46300) 📖 Read more: www.helpnetsecurity.com/2026/05/14/f... #cybersecurity #cybersecuritynews #containers #Linux #exploit #PoC #vulnerability @vakzz.bsky.social

14h ago

A third major Linux kernel vulnerability has been disclosed in just two weeks, with the new flaw dubbed "Fragnesia" (CVE-2026-46300) allowing local attackers to escalate privileges to root.

13h ago

Fragnesia Linux LPE: One Line Roots Your Kernel—Patch Now Before the Page Cache Betrays You + Video Introduction A newly disclosed Linux kernel local privilege escalation (LPE) vulnerability, tracked as CVE-2026-46300 and dubbed “Fragnesia,” allows an unprivileged local attacker to gain immediate…

11h ago

Overview

  • Vendor: Fortinet
  • Product: FortiSandbox Cloud
  • Published: 12 May 2026
  • Updated: 13 May 2026
  • CVSS v3.1: CRITICAL (9.1)
  • EPSS: 0.04%
  • KEV

Description

A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, FortiSandbox PaaS 23.4 all versions, FortiSandbox PaaS 23.3 all versions, FortiSandbox PaaS 23.1 all versions, FortiSandbox PaaS 22.2 all versions, FortiSandbox PaaS 22.1 all versions, FortiSandbox PaaS 21.4 all versions, FortiSandbox PaaS 21.3 all versions, FortiSandbox PaaS 5.0.0 through 5.0.1, FortiSandbox PaaS 4.4.5 through 4.4.8 may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests.

Statistics

  • 2 Posts
  • 5 Interactions

Last activity: 11 hours ago

Fediverse


CVE-2026-26083: Critical Fortinet FortiSandbox Flaw Allows Unauthenticated Remote Code Execution — Patch Now
#CyberSecurity
securebulletin.com/cve-2026-26

11h ago

Bluesky


Fortinet fixes vulnerabilities in multiple products; the FortiSandbox missing-authorization flaw could allow unauthenticated code execution (CVE-2026-26083 and others) rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #security #securitynews

21h ago

Overview

  • Vendor: Microsoft
  • Product: Microsoft 365 Apps for Enterprise
  • Published: 12 May 2026
  • Updated: 15 May 2026
  • CVSS v3.1: HIGH (8.4)
  • EPSS: 0.06%
  • KEV

Description

Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Statistics

  • 2 Posts

Last activity: 21 hours ago

Bluesky


Beware of Microsoft Word vulnerability CVE-2026-40361: risk of exploitation in zero-click cyberattacks via Outlook rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #security #securitynews #cyberattack

21h ago

Beware of Microsoft Word vulnerability CVE-2026-40361: risk of exploitation in zero-click cyberattacks via Outlook | Security Measures Lab security news https://rocket-boys.co.jp/security-measures-lab/microsoft-word-zero-click-outlook-cve-2026-40361/ Apply the update promptly

21h ago

Overview

  • Vendor: langflow-ai
  • Product: langflow
  • Published: 20 Mar 2026
  • Updated: 26 Mar 2026
  • CVSS v4.0: CRITICAL (9.3)
  • EPSS: 43.64%

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
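The description pins the flaw to one decision: an endpoint that is unauthenticated by design takes an optional client body and, when present, builds that body instead of the stored flow, so the node code it passes to `exec()` is attacker-chosen. Below is an added example in Python that models exactly that decision next to a hardened variant; it is not Langflow's code, does not reproduce its API, and its flow store, node format, handler names and the attacker payload are constructed stand-ins. The hardening shown (refuse client flow data on the unauthenticated path) is one way to close the gap the description states; the page does not say what the upstream 1.9.0 change did.

```python
"""Added example: model of the CVE-2026-33017 pattern from the description.
Not Langflow code; FLOW_DB, ATTACKER_DATA and the handlers are constructed."""
from typing import Any, Dict, Optional

# Constructed flow store: flow id -> flow whose node code the builder executes.
FLOW_DB: Dict[str, Dict[str, Any]] = {
    "flow-123": {"public": True,
                 "nodes": [{"id": "n1", "code": "result = 'stored node ran'"}]},
    "flow-999": {"public": False,
                 "nodes": [{"id": "n1", "code": "result = 'private'"}]},
}

# Constructed attacker body: same shape as a flow, but with attacker-chosen code.
ATTACKER_DATA: Dict[str, Any] = {
    "nodes": [{"id": "n1", "code": "result = 'ATTACKER:' + __import__('os').name"}]
}

class FlowError(Exception):
    pass

def _build_nodes(flow: Dict[str, Any]) -> Dict[str, Any]:
    """Stand-in for the component build step: node code goes straight to exec()."""
    results: Dict[str, Any] = {}
    for node in flow["nodes"]:
        ns: Dict[str, Any] = {}
        exec(node["code"], {}, ns)          # no sandbox, as the description says
        results[node["id"]] = ns.get("result")
    return results

def _load_public_flow(flow_id: str) -> Dict[str, Any]:
    """The only check the unauthenticated path performs: the id names a public flow."""
    flow = FLOW_DB.get(flow_id)
    if flow is None or not flow["public"]:
        raise FlowError("flow not found or not public")
    return flow

def vulnerable_build_public_tmp(flow_id: str,
                                data: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Handler as described: the optional `data` body wins over the stored flow."""
    stored = _load_public_flow(flow_id)            # id is validated ...
    flow = data if data is not None else stored    # ... but the client's graph is built
    return _build_nodes(flow)

def fixed_build_public_tmp(flow_id: str,
                           data: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Hardened: unauthenticated builds run only the stored public flow."""
    stored = _load_public_flow(flow_id)
    if data is not None:
        raise FlowError("flow data is not accepted on the unauthenticated endpoint")
    return _build_nodes(stored)

if __name__ == "__main__":
    print("vulnerable, no body:  ", vulnerable_build_public_tmp("flow-123"))
    print("vulnerable, attacker: ", vulnerable_build_public_tmp("flow-123", ATTACKER_DATA))
    print("fixed, no body:       ", fixed_build_public_tmp("flow-123"))
    try:
        fixed_build_public_tmp("flow-123", ATTACKER_DATA)
    except FlowError as exc:
        print("fixed, attacker:       rejected:", exc)
```

The point to carry over when reviewing similar "public" endpoints: validating the identifier and then building a different object than the one the identifier names is the bug, and it is invisible in any test that only checks the no-body case. For an exposed instance, a POST to `/api/v1/build_public_tmp/<id>/flow` carrying a JSON body with node code is the request shape to look for in access logs.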

Statistics

  • 2 Posts

Last activity: 13 hours ago

Bluesky


Langflow CVE-2026-33017 Exploited to Steal AWS Keys, Deploy NATS Worker https://gbhackers.com/langflow-cve-2026-33017-exploited/

16h ago

Langflow CVE-2026-33017 exploited to steal AWS Keys and deploy NATS Worker: cybersecuritynews.com/langflow-cve...

13h ago

Overview

  • Vendor: Microsoft
  • Product: Windows 11 version 22H3
  • Published: 12 May 2026
  • Updated: 15 May 2026
  • CVSS v3.1: CRITICAL (9.8)
  • EPSS: 0.07%
  • KEV

Description

Heap-based buffer overflow in Microsoft Windows DNS allows an unauthorized attacker to execute code over a network.

Statistics

  • 2 Posts

Last activity: 11 hours ago

Fediverse


CVE-2026-41096 looks like it would just land as-is, scary
msrc.microsoft.com/update-guid

18h ago

Bluesky


Breaking Down CVE-2026-41096: The DNS-Based RCE That Turns svchost.exe into a LOLBin Launcher + Video Introduction: A newly disclosed critical vulnerability, CVE-2026-41096, exploits a heap-based buffer overflow in the Windows DNS Client (DNSAPI.dll), enabling remote code execution (RCE) with a…

11h ago

Overview

  • Vendor: Apple
  • Product: iOS and iPadOS
  • Published: 11 May 2026
  • Updated: 12 May 2026
  • CVSS: Pending
  • EPSS: 0.01%
  • KEV

Description

This issue was addressed by adding an additional prompt for user consent. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. An app may be able to access user-sensitive data.

Statistics

  • 1 Post
  • 21 Interactions

Last activity: 5 hours ago

Fediverse


NOTICE: Shortcuts broke its x-callback-url implementation.

Seems to be part of the security fix for CVE-2026-28993 included in iOS 26.5/18.7.9, macOS 26.5/15.7.7/14.8.7. On these OSes, it’s no longer possible to get a result from a Shortcut call via `x-success` callback, you will *always* get an x-error.

In theory, per the CVE, Shortcuts should offer a permissions prompt, not just fail.

Apple Folks: FB22785648

5h ago
Showing 1 to 10 of 64 CVEs