24h | 7d | 30d

CVE-2026-3909

Overview

  • Google
  • Chrome
12 Mar 2026
Published
14 Mar 2026
Updated
CVSS
Pending
EPSS
27.12%
KEV

Description

Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Statistics

  • 6 Posts
  • 7 Interactions
Last activity: 5 hours ago

Fediverse

Profile picture fallback
Deskmodder @Deskmodder

Google Chrome 146.0.7680.80 schließt CVE-2026-3909 als weiteren Exploit

deskmodder.de/blog/2026/03/14/

  • 4
  • 1
  • 1
  • 9h ago
Profile picture fallback
Ruarí Ødegaard @ruario

@browserversiontracker For the curious, this includes security fixes for CVE-2026-3909 & CVE-2026-3910 from Chromium 146.0.7680.80.

And yes, we somehow beat the Chrome team getting this out even though they did the fix. 😂

  • 1
  • 0
  • 0
  • 5h ago
Profile picture fallback
Ruarí Ødegaard @ruario

@vivaldiversiontracker This includes security fixes for CVE-2026-3909 & CVE-2026-3910 from Chromium 146.0.7680.80.

  • 0
  • 0
  • 0
  • 5h ago

Bluesky

Profile picture fallback
News Analysis @newsanalysis.com
Emergency Chrome update! Google patched two zero-day vulnerabilities (CVE-2026-3909 & CVE-2026-3910) actively exploited in attacks. Update your browser now to version 146.0.7680.75/.76. #Cybersecurity #News
  • 0
  • 1
  • 0
  • 18h ago
Profile picture fallback
piggo @pigondrugs.bsky.social
~Cisa~ CISA added two actively exploited Google vulnerabilities (Skia and Chromium V8) to its KEV catalog, urging immediate patching. - IOCs: CVE-2026-3909, CVE-2026-3910 - #CISA #KEV #ThreatIntel
  • 0
  • 0
  • 0
  • 22h ago

CVE-2026-28356

Overview

  • defnull
  • multipart
12 Mar 2026
Published
13 Mar 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.54%
KEV

Description

multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parse_options_header() function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking (ReDoS) when parsing maliciously crafted HTTP or multipart segment headers. This can be abused for denial of service (DoS) attacks against web applications using this library to parse request headers or multipart/form-data streams. The issue is fixed in 1.2.2, 1.3.1 and 1.4.0-dev.

Statistics

  • 1 Post
  • 35 Interactions
Last activity: 10 hours ago

Fediverse

Profile picture fallback
defnull @defnull

The 'multipart' #python library got an independent #security audit and I only know about that because they found something -> CVE-2026-28356

This is great, actually! Someone looked into it so thoroughly that they found an obscure single-character issue in a regular expression ... and didn't find anything else! Which means I can now be really confident about the security of this library. Nice!

#cve #infosec #sansio

  • 17
  • 18
  • 0
  • 10h ago

CVE-2026-21536

Overview

  • Microsoft
  • Microsoft Devices Pricing Program
05 Mar 2026
Published
13 Mar 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
0.38%
KEV

Description

Microsoft Devices Pricing Program Remote Code Execution Vulnerability

Statistics

  • 3 Posts
  • 4 Interactions
Last activity: 14 hours ago

Bluesky

Profile picture fallback
Undercode Testing @undercode.bsky.social
Microsoft’s March 2026 Patch Tuesday: Critical CVE-2026-21536 Exposed – How AI-Powered Offensive Security is Changing the Game + Video Introduction In March 2026, Microsoft released its monthly Patch Tuesday update, addressing over 100 vulnerabilities, including a critical flaw in the Microsoft…
  • 1
  • 2
  • 0
  • 14h ago
Profile picture fallback
XBOW @xbow.com
In a historic first for Microsoft, XBOW, an autonomous pentesting system, discovered and reported a critical unauthenticated remote code execution vulnerability in the Microsoft Devices Pricing Program (CVE-2026-21536). https://bit.ly/4s2u8vq
  • 0
  • 1
  • 0
  • 23h ago
Profile picture fallback
piggo @pigondrugs.bsky.social
~Sophos~ Microsoft patched 84 CVEs, including 8 Critical flaws and 2 publicly disclosed issues. - IOCs: CVE-2026-21536, CVE-2026-21262, CVE-2026-23668 - #PatchTuesday #ThreatIntel #Vulnerability
  • 0
  • 0
  • 0
  • 22h ago

CVE-2026-26123

Overview

  • Microsoft
  • Microsoft Authenticator for Android
10 Mar 2026
Published
13 Mar 2026
Updated
CVSS v3.1
MEDIUM (5.5)
EPSS
0.04%
KEV

Description

Cwe is not in rca categories in Microsoft Authenticator allows an unauthorized attacker to disclose information locally.

Statistics

  • 1 Post
  • 8 Interactions
Last activity: 3 hours ago

Fediverse

Profile picture fallback
informapirata ⁂ :privacypride: @informapirata

Microsoft Authenticator potrebbe divulgare i codici di accesso: se lo stai usando, aggiorna subito l'app

Una vulnerabilità in Microsoft Authenticator per iOS e Android ( CVE-2026-26123 ) potrebbe far trapelare i codici di accesso monouso o i deep link di autenticazione a un'app dannosa sullo stesso dispositivo.

malwarebytes.com/blog/news/202

@informatica

  • 7
  • 1
  • 0
  • 3h ago

CVE-2025-69985

Overview

  • Pending
24 Feb 2026
Published
25 Feb 2026
Updated
CVSS
Pending
EPSS
0.64%
KEV

Description

FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can bypass JWT authentication by spoofing the Referer header to match the server's host. Successful exploitation allows the attacker to access the protected /api/runscript endpoint and execute arbitrary Node.js code on the server.

Statistics

  • 1 Post
  • 13 Interactions
Last activity: 21 hours ago

Fediverse

Profile picture fallback
Dio9sys @Dio9sys

Today's CVE stinker: github.com/joshuavanderpoll/CV

You can get auth bypass on a SCADA HMI that already doesn't require auth, and then run a script by sending the script to `api/runscript`

Is this still a useful CVE? Perhaps! I am not an expert on FUXA HMIs specifically, and I'm sure they didn't intend for their runscript endpoint to be used to run *anything*

but still.

"you can run scripts by sending them to /api/runscript" sure is a funny CVE description.

  • 6
  • 7
  • 0
  • 21h ago

CVE-2026-3910

Overview

  • Google
  • Chrome
12 Mar 2026
Published
14 Mar 2026
Updated
CVSS
Pending
EPSS
21.89%
KEV

Description

Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Statistics

  • 4 Posts
  • 2 Interactions
Last activity: 5 hours ago

Fediverse

Profile picture fallback
Ruarí Ødegaard @ruario

@browserversiontracker For the curious, this includes security fixes for CVE-2026-3909 & CVE-2026-3910 from Chromium 146.0.7680.80.

And yes, we somehow beat the Chrome team getting this out even though they did the fix. 😂

  • 1
  • 0
  • 0
  • 5h ago
Profile picture fallback
Ruarí Ødegaard @ruario

@vivaldiversiontracker This includes security fixes for CVE-2026-3909 & CVE-2026-3910 from Chromium 146.0.7680.80.

  • 0
  • 0
  • 0
  • 5h ago

Bluesky

Profile picture fallback
News Analysis @newsanalysis.com
Emergency Chrome update! Google patched two zero-day vulnerabilities (CVE-2026-3909 & CVE-2026-3910) actively exploited in attacks. Update your browser now to version 146.0.7680.75/.76. #Cybersecurity #News
  • 0
  • 1
  • 0
  • 18h ago
Profile picture fallback
piggo @pigondrugs.bsky.social
~Cisa~ CISA added two actively exploited Google vulnerabilities (Skia and Chromium V8) to its KEV catalog, urging immediate patching. - IOCs: CVE-2026-3909, CVE-2026-3910 - #CISA #KEV #ThreatIntel
  • 0
  • 0
  • 0
  • 22h ago

CVE-2026-21262

Overview

  • Microsoft
  • Microsoft SQL Server 2016 Service Pack 3 (GDR)
10 Mar 2026
Published
13 Mar 2026
Updated
CVSS v3.1
HIGH (8.8)
EPSS
0.09%
KEV

Description

Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.

Statistics

  • 2 Posts
Last activity: 8 hours ago

Bluesky

Profile picture fallback
NEWSTECNICAS | Tecnología , IA y Gaming @newstecnicas.info.ve
#Microsoft corrige Zero-Day crítico en #SQL Server que permite a atacantes tomar el control total como admin | CVE-2026-21262 www.newstecnicas.info.ve/2026/03/micr...
  • 0
  • 0
  • 0
  • 8h ago
Profile picture fallback
piggo @pigondrugs.bsky.social
~Sophos~ Microsoft patched 84 CVEs, including 8 Critical flaws and 2 publicly disclosed issues. - IOCs: CVE-2026-21536, CVE-2026-21262, CVE-2026-23668 - #PatchTuesday #ThreatIntel #Vulnerability
  • 0
  • 0
  • 0
  • 22h ago

CVE-2026-31886

Overview

  • dagu-org
  • dagu
13 Mar 2026
Published
13 Mar 2026
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
0.08%
KEV

Description

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves .. segments lexically, so a caller can supply a value such as ".." to redirect the computed directory outside the intended /tmp/<name>/<id> path. A deferred cleanup function that calls os.RemoveAll on that directory then runs unconditionally when the HTTP handler returns, deleting whatever directory the traversal resolved to. With dagRunId set to "..", the resolved directory is the system temporary directory (/tmp on Linux). On non-root deployments, os.RemoveAll("/tmp") removes all files in /tmp owned by the dagu process user, disrupting every concurrent dagu run that has live temp files. On root or Docker deployments, the call removes the entire contents of /tmp, causing a system-wide denial of service. This vulnerability is fixed in 2.2.4.

Statistics

  • 1 Post
  • 2 Interactions
Last activity: 15 hours ago

Fediverse

Profile picture fallback
Offensive Sequence @offseq

⚠️ CRITICAL vuln: dagu <2.2.4 suffers from path traversal (CVE-2026-31886). Exploit allows deletion of /tmp, causing system-wide DoS. Upgrade to 2.2.4+ or enforce input validation now! radar.offseq.com/threat/cve-20

  • 1
  • 1
  • 0
  • 15h ago

CVE-2026-32720

Overview

  • ctfer-io
  • monitoring
13 Mar 2026
Published
13 Mar 2026
Updated
CVSS v4.0
HIGH (7.1)
EPSS
0.04%
KEV

Description

The CTFer.io Monitoring component is in charge of the collection, process and storage of various signals (i.e. logs, metrics and distributed traces). Prior to 0.2.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from a component to any other namespace. This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. This vulnerability is fixed in 0.2.1.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 9 hours ago

Fediverse

Profile picture fallback
Offensive Sequence @offseq

CVE-2026-32720 (HIGH): ctfer-io monitoring <0.2.1 has improper access control, allowing lateral movement across Kubernetes namespaces — risks sensitive logs/metrics. Patch to 0.2.1+ ASAP! 🔒 radar.offseq.com/threat/cve-20

  • 1
  • 0
  • 0
  • 9h ago

CVE-2026-26954

Overview

  • nyariv
  • SandboxJS
13 Mar 2026
Published
13 Mar 2026
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
0.05%
KEV

Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct {[p]: Function} where p is any constructible property. This vulnerability is fixed in 0.8.34.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 12 hours ago

Fediverse

Profile picture fallback
Offensive Sequence @offseq

🔥 CRITICAL: CVE-2026-26954 in SandboxJS (< 0.8.34) enables sandbox escape via Function & Object.fromEntries. Attackers can run arbitrary code remotely! Upgrade to v0.8.34+ now. Full details: radar.offseq.com/threat/cve-20

  • 1
  • 0
  • 0
  • 12h ago
Showing 1 to 10 of 49 CVEs