Overview
Description
Issue summary: Parsing CMS AuthEnvelopedData message with maliciously
crafted AEAD parameters can trigger a stack buffer overflow.
Impact summary: A stack buffer overflow may lead to a crash, causing Denial
of Service, or potentially remote code execution.
When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as
AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is
copied into a fixed-size stack buffer without verifying that its length fits
the destination. An attacker can supply a crafted CMS message with an
oversized IV, causing a stack-based out-of-bounds write before any
authentication or tag verification occurs.
Applications and services that parse untrusted CMS or PKCS#7 content using
AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable.
Because the overflow occurs prior to authentication, no valid key material
is required to trigger it. While exploitability to remote code execution
depends on platform and toolchain mitigations, the stack-based write
primitive represents a severe risk.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this
issue, as the CMS implementation is outside the OpenSSL FIPS module
boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.
OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
Statistics
- 2 Posts
Last activity: 8 hours ago
Fediverse
Diese Woche hatte ich großen Spaß mit #CVE-2025-15467 - beruflich, privat und im Ehrenamt. Ich hoffe, die wichtigsten Stellen mittlerweile erwischt zu haben - oder zumindest mitigiert.
Ein Sorgenkind war #NginxProxyManager, welchen ich von meinem Vorgänger geerbt habe. Ich hadere etwas mit dieser Wahl, aber scheinbar haben die auch zum Ende der Woche sauber geliefert.
Vorher:
$ sudo podman exec -it proxymanager dpkg -l --no-pager | grep openssl
ii openssl 3.0.18-1~deb12u1 amd64 Secure Sockets Layer toolkit - cryptographic utilityNachher:
$ sudo podman exec -it proxymanager dpkg -l --no-pager | grep openssl
ii openssl 3.0.18-1~deb12u2 amd64 Secure Sockets Layer toolkit - cryptographic utilityOverview
Description
n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. This issue has been patched in versions 1.123.17 and 2.5.2.
Statistics
- 2 Posts
Last activity: Last hour
Overview
- D-Link
- DIR-615
08 Feb 2026
Published
08 Feb 2026
Updated
CVSS v4.0
HIGH (8.6)
EPSS
Pending
KEV
Description
A vulnerability has been found in D-Link DIR-615 4.10. This affects an unknown part of the file adv_firewall.php of the component DMZ Host Feature. Such manipulation of the argument dmz_ipaddr leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Statistics
- 1 Post
- 1 Interaction
Last activity: 2 hours ago
Fediverse
⚠️ CVE-2026-2151: HIGH severity OS command injection in D-Link DIR-615 v4.10 (DMZ Host/adv_firewall.php) enables unauthenticated remote code execution. No patch — replace or isolate affected routers ASAP. https://radar.offseq.com/threat/cve-2026-2151-os-command-injection-in-d-link-dir-6-3276f328 #OffSeq #DLink #CVE20262151 #Infosec
Overview
- D-Link
- DIR-823X
08 Feb 2026
Published
08 Feb 2026
Updated
CVSS v4.0
HIGH (8.6)
EPSS
Pending
KEV
Description
A weakness has been identified in D-Link DIR-823X 250416. This vulnerability affects the function sub_420618 of the file /goform/set_upnp. This manipulation of the argument upnp_enable causes os command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
Statistics
- 1 Post
Last activity: 1 hour ago
Fediverse
🛡️ CVE-2026-2175: HIGH severity OS command injection in D-Link DIR-823X (v250416) via /goform/set_upnp. No auth needed; public exploit out. Patch ASAP or disable UPnP & segment networks. https://radar.offseq.com/threat/cve-2026-2175-os-command-injection-in-d-link-dir-8-2593454d #OffSeq #DLink #Vuln #RouterAlert
Overview
- macrozheng
- mall
07 Feb 2026
Published
07 Feb 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
0.16%
KEV
Description
macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim’s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number.
Statistics
- 2 Posts
Last activity: 20 hours ago
Fediverse
⚠️ CRITICAL: CVE-2026-25858 in macrozheng mall ≤1.0.3 lets attackers reset any user’s password by exploiting a weak OTP process tied only to phone numbers. Disable reset, require MFA, and patch ASAP. https://radar.offseq.com/threat/cve-2026-25858-cwe-640-weak-password-recovery-mech-3ff06a38 #OffSeq #macrozhenmall #CVE202625858 #infosec
Overview
- Red Hat
- Red Hat Enterprise Linux 10
- libxml2
15 Jan 2026
Published
15 Jan 2026
Updated
CVSS
Pending
EPSS
0.06%
KEV
Description
A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.
Statistics
- 1 Post
Last activity: 8 hours ago
Overview
- Go standard library
- archive/zip
- archive/zip
28 Jan 2026
Published
29 Jan 2026
Updated
CVSS
Pending
EPSS
0.02%
KEV
Description
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
Statistics
- 1 Post
Last activity: 8 hours ago
Overview
- Go standard library
- crypto/tls
- crypto/tls
05 Feb 2026
Published
06 Feb 2026
Updated
CVSS
Pending
EPSS
0.01%
KEV
Description
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
Statistics
- 1 Post
Last activity: 8 hours ago
Overview
- Go standard library
- net/url
- net/url
28 Jan 2026
Published
29 Jan 2026
Updated
CVSS
Pending
EPSS
0.02%
KEV
Description
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
Statistics
- 1 Post
Last activity: 8 hours ago
Overview
Description
Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.get parameters, allowing an attacker to inject unexpected arguments into the smartctl command. In Zabbix 5.0 this allows for remote code execution.
Statistics
- 1 Post
Last activity: 1 hour ago