24h | 7d | 30d

CVE-2026-3854

Overview

  • GitHub
  • Enterprise Server
10 Mar 2026
Published
29 Apr 2026
Updated
CVSS v4.0
HIGH (8.7)
EPSS
0.39%
KEV

Description

An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 and 3.19.4.

Statistics

  • 39 Posts
  • 412 Interactions
Last activity: Last hour

Fediverse

Profile picture fallback
Kevin Beaumont @GossiTheDog

Wiz got RCE on the cloud version of Github.com and access to every customer environment.

To do this they just reversed the on prem version and found a simple vuln.

wiz.io/blog/github-rce-vulnera

  • 136
  • 186
  • 0
  • 15h ago
Profile picture fallback
Stéphane Bortzmeyer @bortzmeyer

Beaucoup de gens vont sans doute résumer la faille de sécurité CVE-2026-3854 en « Mon Dieu, la totalité des logiciels hébergés sur GitHub ont peut-être été compromis ».

Mais, en fait, c'était déjà possible, Microsoft (propriétaire de GitHub) pouvait déjà tout modifier.

Tout ce qu'a permis CVE-2026-3854, si des gens l'ont exploité, c'est de démocratiser cette possibilité, en la rendant accessible à tous les gens ayant un compte GitHub.

wiz.io/blog/github-rce-vulnera

  • 31
  • 9
  • 0
  • 17h ago
Profile picture fallback
Wiz :verified: @wiz

🚨 BREAKING: Wiz Research discovered Remote Code Execution on GitHub.com with a single git push.

Wiz Researchers uncovered a critical flaw in GitHub that could be exploited for RCE. The flaw allowed unauthorized access to millions of repositories belonging to other users and organizations 🤯

We responsibly disclosed the issue to GitHub, who deployed a fix on GitHub.com the same day (!) and released patches for all supported GHES versions.

GitHub Enterprise Server customers are strongly encouraged to update immediately.

Huge kudos to GitHub for addressing the issue 👏

Full technical breakdown here → wiz.io/blog/github-rce-vulnera

  • 14
  • 10
  • 0
  • 18h ago
Profile picture fallback
N_{Dario Fadda} @nuke

Critical GitHub RCE Vulnerability CVE-2026-3854 Exposed Millions of Repositories to Cross-Tenant Access
#CyberSecurity
securebulletin.com/critical-gi

  • 5
  • 1
  • 0
  • Last hour
Profile picture fallback
Eric Schultz @wwahammy

There should be a "but the service is never up to be exploited" reducer on the CVE score.
wiz.io/blog/github-rce-vulnera

  • 2
  • 6
  • 0
  • 9h ago
Profile picture fallback
Wladimir Mufty @wlaatje

A single git push command was enough to exploit a flaw in #GitHub's internal protocol and achieve code execution on backend infrastructure.

#RemoteCodeExecution

CVE-2026-3854

wiz.io/blog/github-rce-vulnera

  • 1
  • 0
  • 0
  • 13h ago
Profile picture fallback
Jan Schaumann @jschauma

Question about the GitHub RCE:

wiz.io/blog/github-rce-vulnera says GHES patches were _released_ on 03/10.

github.blog/security/securing- says "we _prepared_ patches [...] and published CVE-2026-3854. These are _available today_".

So were GHES patches made available to customers at the time of CVE publication or only today, 1.5 months laster?

  • 1
  • 0
  • 0
  • 9h ago
Profile picture fallback
B @blainsmith

HAHAHAHAHHAHAHAHAHAHAH wiz.io/blog/github-rce-vulnera

  • 0
  • 2
  • 0
  • 15h ago
Profile picture fallback
Xavier Ashe :donor: @Xavier

@GossiTheDog Here's a non-Twitter link: wiz.io/blog/github-rce-vulnera

  • 0
  • 1
  • 0
  • 15h ago
Profile picture fallback
benzogaga33 :verified: @benzogaga33

Cette faille GitHub est exploitable par un simple Git Push (CVE-2026-3854) it-connect.fr/cette-faille-git #ActuCybersécurité #Cybersécurité #Vulnérabilité #GitHub

  • 0
  • 1
  • 0
  • Last hour
Profile picture fallback
Bruce Adams @bruce

GitHub remote code execution vulnerability found (and patched) wiz.io/blog/github-rce-vulnera

  • 0
  • 1
  • 0
  • Last hour
Profile picture fallback
fthy @fthy

wiz.io/blog/github-rce-vulnera

RCE in GitHub.com and GitHub Enterprise Server (CVE-2026-3854)

#infosec #github

  • 0
  • 0
  • 0
  • 17h ago
Profile picture fallback
Dhruv AHUJA @new23d

Somebody stop Wiz 😅

wiz.io/blog/github-rce-vulnera

  • 0
  • 0
  • 0
  • 16h ago
Profile picture fallback
HackerWorkspace @hackerworkspace

GitHub RCE Vulnerability: CVE-2026-3854 Breakdown | Wiz Blog

wiz.io/blog/github-rce-vulnera

Read on HackerWorkspace: hackerworkspace.com/article/gi

  • 0
  • 0
  • 1
  • 16h ago
Profile picture fallback
iamdtms @iamdtms

Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push thehackernews.com/2026/04/rese

  • 0
  • 0
  • 0
  • 14h ago
Profile picture fallback
Joel Takvorian @jotak

Wiz whitehats have found an RCE in github (both public github.com and enterprise).
They used AI to reverse-engineer closed source binaries. Take that, security by obfuscation.
wiz.io/blog/github-rce-vulnera

  • 0
  • 0
  • 0
  • 6h ago
Profile picture fallback
OffSequence @offseq

⚠️ CRITICAL: CVE-2026-3854 lets users with push access run arbitrary code on GitHub backend servers. Impacts GitHub.com & Enterprise Server. GitHub.com patched 2026-03-04; ES patch 2026-03-10. Patch ASAP! No wild exploits found. radar.offseq.com/threat/critic

  • 0
  • 0
  • 0
  • 3h ago

Bluesky

Profile picture fallback
L'algorisme @lalgorisme.bsky.social
CVE-2026-3854: vulnerabilitat crítica a GitHub. Un simple git push permetia executar codi als servidors de GitHub i accedir a milions de repositoris privats. La vulnerabilitat ha estat resolta a github[.]com. Els servidors on-premise s’han d’actualitzar. www.wiz.io/blog/github-...
  • 0
  • 1
  • 0
  • 15h ago
Profile picture fallback
Hacker News Top Stories @hackernewsbot.bsky.social
GitHub RCE Vulnerability: CVE-2026-3854 Breakdown | Discussion
  • 0
  • 1
  • 0
  • 15h ago
Profile picture fallback
The Lobste.rs RSS feed @lobsters-feed.bsky.social
GitHub RCE Vulnerability: CVE-2026-3854 Breakdown https://lobste.rs/s/8fxgx7 #security #vibecoding
  • 0
  • 1
  • 0
  • 15h ago
Profile picture fallback
Best of r/cybersecurity @cybersecurity.page
Remote Code Execution in GitHub.com and GitHub Enterprise Server (CVE-2026-3854)
  • 0
  • 1
  • 0
  • 13h ago
Profile picture fallback
Ninja Owl @ninjaowl.ai
Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push #cybersecurity #hacking #news #infosec #security #technology #privacy thehackernews.com/20...
  • 0
  • 1
  • 0
  • 2h ago
Profile picture fallback
Cyber Kendra @cyberkendra.com
🚨 Critical GitHub Vulnerability — Patch Now Security firm Wiz Research discovered a serious RCE (Remote Code Execution) flaw in GitHub — CVE-2026-3854. Full details: www.cyberkendra.com/2026/04/a-si... #github #security #vulnerability
  • 0
  • 0
  • 0
  • 17h ago
Profile picture fallback
Hacker News 20 @betterhn20.e-work.xyz
GitHub RCE Vulnerability: CVE-2026-3854 Breakdown https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854 (https://news.ycombinator.com/item?id=47936479)
  • 0
  • 0
  • 6
  • 16h ago
Profile picture fallback
Tim (Wadhwa-)Brown :donor: @timb.me.uk
Full write up here: https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854
  • 0
  • 0
  • 0
  • 14h ago
Profile picture fallback
Bitnewsbot @bitnewsbot.bsky.social
A critical vulnerability (CVE-2026-3854) in GitHub allowed remote code execution via a single “git push” command. The flaw was a […]
  • 0
  • 0
  • 0
  • 11h ago
Profile picture fallback
ReconBee @reconbee.bsky.social
Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push reconbee.com/researchers-... #GitHub #RCEFlaw #singlegitpush #gitpush #cyberattack
  • 0
  • 0
  • 0
  • 4h ago
Profile picture fallback
Techpresso @techpresso.bsky.social
Wiz Research discovered a critical remote code execution vulnerability in GitHub.com and GitHub Enterprise Server, tracked as CVE-2026-3854, exploitable through a single git push.
  • 0
  • 0
  • 0
  • 3h ago
Profile picture fallback
IT-Connect @it-connect.bsky.social
⚠️ GitHub - CVE-2026-3854 Cette faille de sécurité permet de prendre le contrôle d'un serveur via un git push. GitHub .com est affecté, tout comme GitHub Enterprise Server. Plus d'infos par ici 👇 - www.it-connect.fr/cette-faille... #github #infosec #cybersecurite
  • 0
  • 0
  • 0
  • 2h ago
Profile picture fallback
topickapp (IT技術系ニュースサイト) @topickapp.bsky.social
https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854 Wiz ResearchがGitHubのRCE脆弱性CVE-2026-3854を発見しました。 GitHubのgitインフラに重大な欠陥があり、コード実行の危険性があります。 脆弱性管理のリスクベース優先順位付けが重要になっています。
  • 0
  • 0
  • 0
  • 2h ago
Profile picture fallback
Sam Stepanyan @securestep9.bsky.social
⚠️ #GitHub: Wiz uncovers Remote Code Execution #RCE vulnerability in GitHub(.com) and GitHub Enterprise Server (CVE-2026-3854): 👇 www.wiz.io/blog/github-...
  • 0
  • 0
  • 0
  • 2h ago
Profile picture fallback
Eyal Estrin ☁️ @eyalestrin.bsky.social
Critical GitHub RCE Vulnerability in Git Push Pipeline (CVE-2026-3854) #patchmanagement
  • 0
  • 0
  • 0
  • 1h ago

CVE-2026-32202

Overview

  • Microsoft
  • Windows 10 Version 1607
14 Apr 2026
Published
29 Apr 2026
Updated
CVSS v3.1
MEDIUM (4.3)
EPSS
0.09%
KEV

Description

Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network.

Statistics

  • 9 Posts
  • 10 Interactions
Last activity: Last hour

Fediverse

Profile picture fallback
N_{Dario Fadda} @nuke

APT28 Exploits Windows 0-Click Flaw CVE-2026-32202 to Steal NTLM Hashes via Defender SmartScreen Bypass
#CyberSecurity
securebulletin.com/apt28-explo

  • 4
  • 0
  • 0
  • Last hour
Profile picture fallback
Chris @Chris

🛡️ Title: Windows Shell Spoofing Vulnerability
Description

🛡️ Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network.

cve.org/CVERecord?id=CVE-2026-

#cybersecurity #security #windows #microsoft

  • 1
  • 2
  • 0
  • 16h ago
Profile picture fallback
ENEP Linuxoid @enep

CVE-2026-32202: утечка Net-NTLMv2 через Windows Shell при обработке LNK (zero-click)

Уязвимость в Windows Shell приводит к принудительной аутентификации на удалённый ресурс при разборе LNK/namespace-объектов. Система инициирует SMB-сеанс и отправляет Net-NTLMv2 хеш без действий пользователя. Эксплуатация подтверждена, исправление включено в апрельский пакет обновлений.

vk.cc/cXgpgc

#CVE-2026-32202 #Microsoft #WindowsShell #пароли #уязвимость

  • 1
  • 0
  • 0
  • 1h ago
Profile picture fallback
const_data @const_data

#infosec #vulnerability #malware

Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202

thehackernews.com/2026/04/micr

  • 0
  • 0
  • 0
  • 23h ago
Profile picture fallback
benzogaga33 :verified: @benzogaga33

Vols d’identifiants sur Windows : Microsoft révèle l’exploitation de la CVE-2026-32202 it-connect.fr/vols-didentifian #ActuCybersécurité #Cybersécurité #Vulnérabilité #Microsoft #Windows

  • 0
  • 0
  • 0
  • Last hour

Bluesky

Profile picture fallback
Ethical Hacking Consultores @ehcgroup.bsky.social
Microsoft confirma la explotación activa de la vulnerabilidad CVE-2026-32202 del shell de Windows. 🔓 El riesgo es inminente y los atacantes están aprovechando el fallo. Actualiza tus sistemas de inmediato con los últimos parches de seguridad. #ciberseguridad www.linkedin.com/pulse/micros...
  • 1
  • 1
  • 0
  • 17h ago
Profile picture fallback
Kaldata.com @kaldata.bsky.social
Microsoft потвърди, че уязвимост в Windows Shell, която беше отстранена в месечната актуализация за сигурност с оценка CVSS 4,3 се експлоатира активно. Уязвимостта CVE-2026-32202 позволява кражба на потребителски данни без никакви действия от страна на жертвата...
  • 0
  • 0
  • 0
  • 20h ago
Profile picture fallback
IT-Connect @it-connect.bsky.social
⚠️ Microsoft confirme l'exploitation de la CVE-2026-32202 Une faille de sécurité présente dans l'interface Windows Shell est considérée comme exploitée par Microsoft. Ma publication à ce sujet : - www.it-connect.fr/vols-didenti... #windows #infosec #cybersecurite
  • 0
  • 0
  • 0
  • Last hour
Profile picture fallback
piggo @pigondrugs.bsky.social
~Cisa~ CISA added actively exploited ConnectWise and Windows flaws to the KEV catalog. - IOCs: CVE-2024-1708, CVE-2026-32202 - #CISA #ThreatIntel #Vulnerability
  • 0
  • 0
  • 0
  • 14h ago

CVE-2026-25874

Overview

  • Hugging Face
  • LeRobot
23 Apr 2026
Published
24 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
0.06%
KEV

Description

LeRobot through 0.5.1 contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels without TLS in the policy server and robot client components. An unauthenticated network-reachable attacker can achieve arbitrary code execution on the server or client by sending a crafted pickle payload through the SendPolicyInstructions, SendObservations, or GetActions gRPC calls.

Statistics

  • 8 Posts
  • 13 Interactions
Last activity: 6 hours ago

Fediverse

Profile picture fallback
Taggart :ifin: @mttaggart

May I suggest...not exposing your robot control plane to the internet

resecurity.com/blog/article/cv

  • 4
  • 6
  • 0
  • 21h ago
Profile picture fallback
CyberNetsecIO @netsecio

📰 Critical Unpatched RCE Flaw in Hugging Face's LeRobot AI Platform Puts Robotics Systems at Risk

🚨 CRITICAL FLAW: Unpatched RCE (CVE-2026-25874, CVSS 9.3) in Hugging Face's LeRobot AI platform. Unsafe deserialization allows unauthenticated attackers to execute code. #CVE202625874 #HuggingFace #AI #RCE

🔗 cyber.netsecops.io

  • 1
  • 0
  • 0
  • 17h ago
Profile picture fallback
tomcat @tomcat

⚠️ An unpatched critical flaw in Hugging Face’s LeRobot enables remote code execution (CVSS 9.3).

Untrusted pickle over unauthenticated gRPC (no TLS) lets attackers take over servers, steal keys and models, and impact connected robots.

🔗 Details → thehackernews.com/2026/04/crit

  • 0
  • 1
  • 0
  • 20h ago
Profile picture fallback
Jeff Hall - PCIGuru :verified: @jbhall56

The vulnerability in question is CVE-2026-25874 (CVSS score: 9.3), which has been described as a case of untrusted data deserialization stemming from the use of the unsafe pickle format. thehackernews.com/2026/04/crit

  • 0
  • 0
  • 1
  • 22h ago
Profile picture fallback
HackerWorkspace @hackerworkspace

Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE

thehackernews.com/2026/04/crit

Read on HackerWorkspace: hackerworkspace.com/article/cr

  • 0
  • 0
  • 0
  • 6h ago

Bluesky

Profile picture fallback
The IT Nerd @theitnerd.ca
Critical RCE in Hugging Face’s LeRobot Researchers disclosed a critical remote code execution flaw (CVE-2026-25874, CVSS 9.3) in Hugging Face's open-source robotics platform LeRobot, caused by unsafe deserialization through Python's pickle format. The issue allows an unauthenticated attacker to…
  • 0
  • 1
  • 0
  • 14h ago
Profile picture fallback
Bitnewsbot @bitnewsbot.bsky.social
A critical security flaw (CVE-2026-25874) has been disclosed in Hugging Face’s open-source robotics platform, LeRobot, allowing unauthenticated remote code execution. […]
  • 0
  • 0
  • 0
  • 21h ago

CVE-2026-42208

Overview

  • Pending
Pending
Published
Pending
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 4 Posts
  • 9 Interactions
Last activity: 4 hours ago

Fediverse

Profile picture fallback
HackerWorkspace @hackerworkspace

CVE-2026-42208: Targeted SQL injection against LiteLLM's authentication path discovered 36 hours following vulnerability disclosure | Sysdig

sysdig.com/blog/cve-2026-42208

Read on HackerWorkspace: hackerworkspace.com/article/cv

  • 0
  • 0
  • 0
  • 16h ago

Bluesky

Profile picture fallback
BleepingComputer @bleepingcomputer.com
Hackers are targeting sensitive information stored in the LiteLLM open-source large-language model (LLM) gateway by exploiting a critical vulnerability  tracked as CVE-2026-42208.
  • 3
  • 6
  • 0
  • 13h ago
Profile picture fallback
softfantw.eurosky.social @softfantw.eurosky.social
LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure thehackernews.com/2026/04/lite...
  • 0
  • 0
  • 1
  • 4h ago

CVE-2026-42615

Overview

  • GCHQ
  • CyberChef
29 Apr 2026
Published
29 Apr 2026
Updated
CVSS v3.1
HIGH (7.2)
EPSS
Pending
KEV

Description

GCHQ CyberChef before 11.0.0 allows XSS via Show Base64 offsets, as demonstrated by the /#recipe=Show_Base64_offsets('%3Cscript substring.

Statistics

  • 3 Posts
  • 7 Interactions
Last activity: 1 hour ago

Fediverse

Profile picture fallback
cR0w @cR0w

RE: infosec.exchange/@cR0w/1164832

lol

cve.org/CVERecord?id=CVE-2026-

  • 0
  • 7
  • 0
  • 5h ago
Profile picture fallback
OffSequence @offseq

🔎 XSS (HIGH, CVSS 7.2) in GCHQ CyberChef <11.0.0 (CVE-2026-42615): Improper input neutralization in Show Base64 offsets lets attackers inject scripts remotely — info theft/session hijack possible. No fix yet. Avoid untrusted input. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 6h ago

Bluesky

Profile picture fallback
BaseFortify.eu @basefortify.bsky.social
🎯 High severity XSS uncovered in GCHQ CyberChef ⚠️ A flaw in the “Show Base64 offsets” feature allows script injection via crafted input (CVE-2026-42615). 🔗 basefortify.eu/cve_reports/... #CyberSecurity #CVE #GCHQ #XSS
  • 0
  • 0
  • 0
  • 1h ago

CVE-2026-33825

Overview

  • Microsoft
  • Microsoft Defender Antimalware Platform
14 Apr 2026
Published
28 Apr 2026
Updated
CVSS v3.1
HIGH (7.8)
EPSS
3.30%
KEV

Description

Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.

Statistics

  • 1 Post
  • 6 Interactions
Last activity: 23 hours ago

Fediverse

Profile picture fallback
N_{Dario Fadda} @nuke

Microsoft Defender “RedSun” Zero-Day (CVE-2026-33825): Unpatched Exploit Grants Full SYSTEM Access
#CyberSecurity
securebulletin.com/microsoft-d

  • 6
  • 0
  • 0
  • 23h ago

CVE-2026-41651

Overview

  • PackageKit
  • PackageKit
22 Apr 2026
Published
22 Apr 2026
Updated
CVSS v3.1
HIGH (8.8)
EPSS
0.20%
KEV

Description

PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`: 1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING. 2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags. 3. Late flag read at execution time (lines 2273–2277): The scheduler's idle callback reads cached_transaction_flags at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.

Statistics

  • 1 Post
  • 3 Interactions
Last activity: 19 hours ago

Fediverse

Profile picture fallback
athmane mokraoui [BoF] ⏚ꝃñ⌁⁂ @ButterflyOfFire

Article sur une faille sur #PackageKit :

goodtech.info/pack2theroot-fai

Pour info packagekit est traduit en :
- Kabyle : 31%
- Occitan : 27%
- Breton : 22%

- Basque, Galicien, Catalan : +60%

  • 1
  • 2
  • 0
  • 19h ago

CVE-2026-35414

Overview

  • OpenBSD
  • OpenSSH
02 Apr 2026
Published
02 Apr 2026
Updated
CVSS v3.1
MEDIUM (4.2)
EPSS
0.02%
KEV

Description

OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.

Statistics

  • 1 Post
  • 2 Interactions
Last activity: 18 hours ago

Fediverse

Profile picture fallback
chris 🔓 Digital Sovereignty @chrispy

@kubikpixel Behoben wurde die Schwachstelle bereits Anfang April mit der Veröffentlichung von OpenSSH 10.3

Detail Description :
nvd.nist.gov/vuln/detail/CVE-2
(mW ein weiterhin funktionierender und gemeinnütziger Service der Regierung der United States :awesome: )

  • 1
  • 1
  • 0
  • 18h ago

CVE-2026-42515

Overview

  • CDAC-Noida
  • e-Sushrut, Hospital Management Information System (HMIS)
29 Apr 2026
Published
29 Apr 2026
Updated
CVSS v4.0
HIGH (7.1)
EPSS
Pending
KEV

Description

This vulnerability exists in e-Sushrut due to improper access control in resource access validation. An authenticated attacker could exploit this vulnerability by manipulating parameter in the API request URL to gain unauthorized access to sensitive information of patients on the targeted system.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 1 hour ago

Fediverse

Profile picture fallback
OffSequence @offseq

New HIGH severity vuln: CVE-2026-42515 impacts CDAC-Noida e-Sushrut HMIS (CVSS 7.1). Authenticated users can bypass auth via manipulated API params — risking patient data. No patch yet. Restrict access & monitor vendor updates. radar.offseq.com/threat/cve-20

  • 1
  • 0
  • 0
  • 1h ago

CVE-2026-33626

Overview

  • InternLM
  • lmdeploy
20 Apr 2026
Published
21 Apr 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.04%
KEV

Description

LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's vision-language module. The `load_image()` function in `lmdeploy/vl/utils.py` fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources. Version 0.12.3 patches the issue.

Statistics

  • 2 Posts
  • 1 Interaction
Last activity: 18 hours ago

Fediverse

Profile picture fallback
Patrick C Miller :donor: @patrickcmiller

LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure thehackernews.com/2026/04/lmde

  • 1
  • 0
  • 1
  • 18h ago
Showing 1 to 10 of 38 CVEs