24h | 7d | 30d

Overview

  • WordPress
  • WordPress

17 Jul 2026
Published
18 Jul 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
8.95%

KEV

Description

WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue which, combined with the author__not_in WP_Query SQL Injection (CVE-2026-60137), could allow an attacker to perform SQL Injection and achieve Remote Code Execution.

Statistics

  • 8 Posts
  • 12 Interactions

Last activity: 9 hours ago

Fediverse

Profile picture fallback

🤯 wp2shell (CVE-2026-63030): Pre-Auth Chain in Core

“WordPress patched it in 6.9.5 and 7.0.2, touching three files and sixteen lines. This post covers what broke, why the bugs connect, and what teams running WordPress need to do.”

fullhunt.io/blog/2026/07/17/wp

  • 4
  • 4
  • 0
  • 13h ago
Profile picture fallback

‼️ CVE-2026-63030: wp2shell, a critical remote code execution vulnerability in WordPress core

Credit: @hash_kitten // @assetnote

PoC: x.com/DarkWebInformer/status/2

  • 0
  • 2
  • 0
  • 19h ago
Profile picture fallback

⚠️ CRITICAL: WordPress Core "wp2shell" RCE flaws get public exploits, patch now

Critical unauthenticated RCE vulnerabilities in WordPress Core (CVE-2026-63030, CVE-2026-60137) are actively exploited via public PoCs. The wp2shell attack chains REST API and SQL injection flaws to achieve code execution on default installations of WordPress 6.9.x and 7.0.x. All affected WordPress…

threatnoir.com/focus

  • 0
  • 0
  • 0
  • 15h ago

Bluesky

Profile picture fallback
wp2shell (CVE-2026-63030): Pre-Auth RCE Chain in WordPress Core - Analysis and Open-Source Scanner
  • 0
  • 2
  • 0
  • 21h ago
Profile picture fallback
wp2shell (CVE-2026-63030) update: public working exploit now available for the WordPress core pre-auth RCE
  • 0
  • 0
  • 1
  • 11h ago
Profile picture fallback
> WordPress Coreの脆弱性 CVE-2026-63030 / CVE-2026-60137 (通称「wp2shell」)についてまとめてみた https://piyolog.hatenadiary.jp/entry/2026/07/19/181822
  • 0
  • 0
  • 1
  • 9h ago

Overview

  • parisneo
  • parisneo/lollms

18 Jul 2026
Published
18 Jul 2026
Updated

CVSS v3.0
HIGH (8.7)
EPSS
0.26%

KEV

Description

A stored cross-site scripting (XSS) vulnerability exists in the `POST /api/prompts/share` endpoint of parisneo/lollms (latest version). The endpoint stores attacker-controlled `prompt_content` into `DBDirectMessage.content` without server-side sanitization. When a victim opens the direct message (DM) thread, the message is rendered by the DM UI through `MessageContentRenderer`, which uses `v-html` to insert rendered HTML into the DOM. The frontend sanitizer, which is regex-based, fails to comprehensively sanitize attacker-controlled HTML, allowing malicious payloads to execute in the victim's browser context. This vulnerability enables any authenticated user to send a malicious prompt-share message to another user's inbox, leading to arbitrary JavaScript execution, authenticated actions as the victim, exposure of same-origin application data, and potential account takeover.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 19 hours ago

Fediverse

Profile picture fallback

🕷 Bugs Alerts
━━━━━━━━━━━━━━━━━━━━━

🚨 New Vulnerability!

🆔 CVE ID:
CVE-2026-12228
📊 Severity: 🟠 HIGH
📈 CVSS Score: 8.7
📅 Published: 2026-07-18 21:17 UTC

📝 Description:
A stored cross-site scripting (XSS) vulnerability exists in the POST /api/prompts/share endpoint of parisneo/lollms (latest version). The endpoint stores attacker-controlled prompt_content into DBDirectMessage.content without server-side sanitization. When a victim opens the direct message (DM) thread, the message is rendered by the DM UI through MessageContentRenderer, which uses v-html...

━━━━━━━━━━━━━━━━━━━━━
👨‍💻

  • 0
  • 1
  • 0
  • 21h ago
Profile picture fallback

CVE-2026-12228: parisneo/lollms suffers HIGH severity stored XSS (CVSS 8.7) via POST /api/prompts/share. Authenticated users can execute JS in victims' browsers, risking account takeover. Patch status unknown — check vendor updates. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 19h ago

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 5 Posts

Last activity: 3 hours ago

Fediverse

Profile picture fallback

wacoca.com/news/2887343/ 7-Zip 26.01以下にリモートコード実行の脆弱性『CVE-2026-14266』。26.02以降へアップデートを | ニッチなPCゲーマーの環境構築Z #Science&Technology #ScienceNews #TechnologyNews #テクノロジー #科学 #科学&テクノロジー

  • 0
  • 0
  • 0
  • 4h ago

Bluesky

Profile picture fallback
7-Zip 26.01以下にリモートコード実行の脆弱性『CVE-2026-14266』。26.02以降へアップデートを | ニッチなPCゲーマーの環境構築Z https://www.walknews.com/1346131/ 2026年7月20日セキュリティ 圧縮・解凍アプリケーションである7-Zip バージョン26.01以下に、リモートコード実行(Remote Code Execution / RCE)の脆弱性があることが明らかになりま [...]
  • 0
  • 0
  • 3
  • 3h ago

Overview

  • Oracle Corporation
  • Oracle Payments

28 May 2026
Published
16 Jul 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
1.04%

Description

Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Successful attacks of this vulnerability can result in takeover of Oracle Payments. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Statistics

  • 2 Posts

Last activity: 11 hours ago

Fediverse

Profile picture fallback

Critical Alert: CVE-2026-46817 is being actively exploited against Oracle E-Business Suite. An unauthenticated attacker can achieve full takeover of the Payments module via HTTP. Get the forensic detection queries and hardening protocols in our latest TSUITE brief. Protect the perimeter. thecybermind.co/g325

  • 0
  • 0
  • 0
  • 11h ago

Bluesky

Profile picture fallback
CVE-2026-46817 – Oracle E-Business Suite Improper Privilege Management Vulnerability
  • 0
  • 0
  • 0
  • 11h ago

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 8 hours ago

Fediverse

Profile picture fallback

En las últimas 24 horas se detectó un dropper que oculta AsyncRAT en imágenes bitmap, una peligrosa IA que explota firmware de dispositivos, exploits públicos para vulnerabilidades críticas en WordPress y una falla grave en 7-Zip que permite ejecución remota, además de un parche esencial para OpenSSL y una brecha crítica en Chrome que exige actualización inmediata; todo mientras Facebook e Instagram sufren caídas globales, evidenciando la necesidad de resiliencia y protección constante. Descubre estos y más detalles en el siguiente listado de noticias sobre seguridad informática:

🗞️ ÚLTIMAS NOTICIAS EN SEGURIDAD INFORMÁTICA 🔒
====| 🔥 LO QUE DEBES SABER HOY 19/07/26 📆 |====

🔍 PIXELS TO PAYLOAD: ANÁLISIS DE UN DROPPER DE ESTEGANOGRAFÍA EN BITMAP QUE ENTREGA ASYNCRAT

Descubre cómo un dropper multi-etapa utiliza canales de píxeles en imágenes bitmap para ocultar cargadores maliciosos que entregan el troyano AsyncRAT 0.5.8 sin clave de cifrado, sofisticando el método de infección y evadiendo detección. Este análisis técnico es clave para entender amenazas avanzadas en la cadena de infección. Profundiza en este estudio detallado aquí 👉 djar.co/reszTB

🤖 INVESTIGACIÓN DE VULNERABILIDADES ASISTIDA POR IA EN DISPOSITIVOS INTEGRADOS

Un agente de inteligencia artificial ha sido empleado para identificar y explotar vulnerabilidades en firmware de dispositivos críticos como módems y consolas, revelando tanto fallos conocidos como nuevas brechas de seguridad. La amenaza es mayor por la masiva exposición de millones de dispositivos sin soluciones inmediatas. Conoce el impacto y posibles mitigaciones visitando 👉 djar.co/HMPo0P

⚠️ VULNERABILIDADES CRÍTICAS "WP2SHELL" EN WORDPRESS CORE YA CUENTAN CON EXPLOITS PÚBLICOS

Se han hecho públicos exploits para vulnerabilidades de ejecución remota de código en WordPress Core, denominadas “wp2shell”, que pueden comprometer la integridad de sitios web. La recomendación urgente para administradores es aplicar los parches de seguridad disponibles para evitar ataques inmediatos. Actualízate y protege tu instalación en 👉 djar.co/SKOiuj

🛡️ ACTUALIZACIÓN DE 7-ZIP PARA CORREGIR VULNERABILIDAD DE EJECUCIÓN REMOTA DE CÓDIGO

Se lanzó la versión 26.02 de 7-Zip, que soluciona un fallo grave que permitía la ejecución de código malicioso a través de archivos comprimidos manipulados. Mantener esta herramienta actualizada es fundamental para evitar la explotación de este vector. Descarga la actualización oficial aquí 👉 djar.co/597y

🔐 OPENSSL CORRIGE FALLA DE AGOTAMIENTO DE MEMORIA HOLLOWBYTE

OpenSSL ha publicado un parche para la vulnerabilidad HollowByte que permitía a atacantes remotos provocar denegación de servicio mediante agotamiento de memoria en servidores. Esta falla podría impactar la disponibilidad de servicios críticos, por lo que es vital actualizar los sistemas que utilizan esta biblioteca. Más detalles y parche disponible en 👉 djar.co/LGuGFB

📉 REPORTE DE CAÍDAS EN FACEBOOK E INSTAGRAM AFECTA A USUARIOS INTERNACIONALES

Usuarios alrededor del mundo han experimentado interrupciones en Facebook e Instagram, impidiendo el acceso a sus feeds y afectando la comunicación global. Aunque no se reporta compromiso de datos, esta situación resalta la importancia de la resiliencia en plataformas sociales clave. Sigue la evolución del incidente en 👉 djar.co/9NJbKE

🌐 VULNERABILIDAD CRÍTICA EN CHROME CVE-2026-15903 AFECTA MOTOR V8

Google identificó una vulnerabilidad en su navegador Chrome, CVE-2026-15903, relacionada con escritura fuera de límites en el motor JavaScript V8, que puede ser explotada para ejecutar código arbitrario. Es imprescindible que los usuarios actualicen a la última versión para protegerse contra posibles ataques. Actualiza tu navegador ahora aquí 👉 djar.co/x8hO

  • 1
  • 1
  • 0
  • 8h ago

Overview

  • Shibby
  • Tomato

18 Jul 2026
Published
18 Jul 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.44%

KEV

Description

A vulnerability has been found in Shibby Tomato 1.28 RT-N5x MIPSR2 Build 124. This affects the function sub_40BB50 of the file /proc/webmon_recent_domains. The manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. This project is superseded by FreshTomato.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 16 hours ago

Fediverse

Profile picture fallback

CVE-2026-16096: HIGH severity stack buffer overflow in Shibby Tomato 1.28 RT-N5x MIPSR2 Build 124 (/proc/webmon_recent_domains). Remote exploit possible, no official patch. Migrate to FreshTomato. radar.offseq.com/threat/a-vuln

  • 1
  • 0
  • 0
  • 16h ago

Overview

  • Microsoft
  • Microsoft SharePoint Enterprise Server 2016

14 Jul 2026
Published
17 Jul 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
1.46%

Description

Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 14 hours ago

Fediverse

Profile picture fallback

⚠️ CRITICAL: Fresh SharePoint Vulnerability Exploited Soon After Disclosure

Microsoft SharePoint RCE vulnerability CVE-2026-58644 (CVSS 9.8) is actively exploited in the wild following July 2026 Patch Tuesday disclosure. Authenticated attackers with Site Owner privileges can execute arbitrary code via deserialization flaws. All organizations running affected SharePoint ver…

threatnoir.com/focus

  • 1
  • 0
  • 0
  • 14h ago

Overview

  • zevorn
  • rt-claw

18 Jul 2026
Published
18 Jul 2026
Updated

CVSS v4.0
MEDIUM (6.9)
EPSS
0.29%

KEV

Description

A vulnerability was found in zevorn rt-claw up to 0.2.0. The affected element is the function claw_net_get/claw_net_post of the file claw/services/tools/net.c of the component http_request. The manipulation of the argument url results in server-side request forgery. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

Statistics

  • 2 Posts
  • 2 Interactions

Last activity: 2 hours ago

Fediverse

Profile picture fallback

CVE-2026-16125 - SSRF in Zevorn rt-claw up to 0.2.0. Remote exploitation via http_request argument manipulation. CVSS 7.3. Public exploit available. Unpatched. Update or mitigate immediately. #CVE #infosec #Zevorn

valtersit.com/cve/CVE-2026-161

  • 0
  • 1
  • 0
  • 7h ago
Profile picture fallback

CVE-2026-16125 - SSRF in Zevorn rt-claw up to 0.2.0. Remote exploitation via url argument in claw_net_get/claw_net_post. CVSS 7.3. Exploit public, no patch available. Monitor or isolate affected systems. #CVE #Zevorn #infosec

valtersit.com/cve/CVE-2026-161

  • 0
  • 1
  • 0
  • 2h ago

Overview

  • fast-uri
  • fast-uri

19 Jul 2026
Published
19 Jul 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
Pending

KEV

Description

Impact: fast-uri versions from 2.3.1 through 4.1.0 (including the 3.x line up to 3.1.3 and the 2.x line up to 2.4.2) do not treat a literal backslash character (U+005C) as an authority delimiter. Node's native WHATWG URL parser, used by fetch, undici, and Node's http and https clients, normalizes the backslash to a forward slash for special schemes such as http, https, ws, wss, ftp, and file. As a result, the two parsers extract different hosts from the same input string. Applications that use fast-uri to enforce host-based policy such as allowlists, denylists, loopback or SSRF filtering, redirect validation, or outbound proxy routing before passing the same URL into Node's URL or fetch consumers can be steered to an unintended destination, including cloud metadata endpoints, loopback, or internal hosts. Patches: upgrade to fast-uri 4.1.1, 3.1.4, or 2.4.3. Workarounds: none.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 5 hours ago

Fediverse

Profile picture fallback

🚨 High-severity security fix in fast-uri@4.1.1 (also 3.1.4 and 2.4.3 backports) just released!

Patches CVE-2026-16221, host confusion via literal backslash authority delimiter.

github.com/fastify/fast-uri/se

  • 0
  • 1
  • 1
  • 5h ago

Overview

  • IBM
  • Langflow OSS

17 Jul 2026
Published
17 Jul 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.21%

KEV

Description

IBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 10 hours ago

Fediverse

Profile picture fallback

CVE-2026-13446 - Critical hardcoded credentials in IBM Langflow OSS 1.0.0-1.10.1. CVSS 9.8. Risk of unauthorized access & data compromise. No patch available. Isolate affected systems immediately. #CVE #IBM #infosec

valtersit.com/cve/CVE-2026-134

  • 0
  • 1
  • 0
  • 10h ago
Showing 1 to 10 of 24 CVEs