Overview
- Adobe
- Acrobat Reader
11 Apr 2026
Published
12 Apr 2026
Updated
CVSS v3.1
HIGH (8.6)
EPSS
0.04%
KEV
Description
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Statistics
- 13 Posts
- 4 Interactions
Last activity: 1 hour ago
Fediverse
Bluesky
Adobe has released a security update for Adobe Acrobat and Reader for Windows and macOS. This update addresses a critical vulnerability. Successful exploitation could lead to arbitrary code execution. Adobe is aware of CVE-2026-34621 being exploited in the wild.
Adobe Acrobat Zero-Day Under Attack: CVE-2026-34621 Prototype Pollution Leads to RCE – Patch Now! + Video
Introduction: A prototype pollution vulnerability in Adobe Acrobat and Reader (CVE-2026-34621, CVSS 9.6) is being actively exploited in the wild, allowing attackers to execute arbitrary code…
Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621 thehackernews.com/2026/04/adob...
The flaw, tracked as CVE-2026-34621, carries a CVSS severity score of 9.6 and affects both Windows and Mac users, with Adobe urging updates within 72 hours.
Source: SecurityWeek
怖い((((;゚Д゚))) 最近はPDFは他のアプリで表示することが多いから影響あるのかどうか。
「アドビ(Adobe)は、WindowsおよびmacOSの両プラットフォームでAdobe AcrobatおよびReaderを使用しているユーザーに影響を与える深刻な脆弱性「CVE-2026-34621」が、すでに攻撃者に悪用されていることを正式に認めた(APSB26-43)」
72時間以内の更新を推奨──「PDFを開くだけで乗っ取られる」アドビリーダーのゼロデイ攻撃が進行(Forbes JAPAN) - Yahoo!ニュース news.yahoo.co.jp/articles/6b7...
Zero-Day Alert: CVE-2026-34621 Adobe Acrobat Reader Exploit – Patch NOW or Get Hacked! + Video
Introduction: Adobe recently patched CVE-2026-34621, a zero-day vulnerability in Acrobat Reader that has been actively exploited in the wild for at least four months. This flaw allows attackers to…
Overview
- marimo-team
- marimo
09 Apr 2026
Published
09 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
2.70%
KEV
Description
marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification. This vulnerability is fixed in 0.23.0.
Statistics
- 3 Posts
Last activity: Last hour
Fediverse
🚨 Pre-Auth RCE vuln tagged as CVE-2026-39987 (CVSS 9.3) seeing active exploitation in the wild as reported by Vulncheck and Bleeping Computer.
Passively scan infrastructure to find potentially vulnerable instances:
https://github.com/rxerium/rxerium-templates/blob/main/2026/CVE-2026-39987.yaml
An unauthenticated attacker can obtain a full interactive root shell on the server via a single WebSocket connection. No user interaction or authentication token is required, even when authentication is enabled on the marimo instance
https://github.com/marimo-team/marimo/security/advisories/GHSA-2679-6mx9-h9xc
Bluesky
Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure thehackernews.com/2026/04/mari...
Overview
- Apache Software Foundation
- Apache ActiveMQ Broker
- org.apache.activemq:activemq-broker
07 Apr 2026
Published
08 Apr 2026
Updated
CVSS
Pending
EPSS
5.60%
KEV
Description
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ.
Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including
BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).
An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext.
Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().
This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3.
Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue
Statistics
- 2 Posts
Last activity: 1 hour ago
Description
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Statistics
- 1 Post
- 4 Interactions
Last activity: 8 hours ago
Fediverse
Google Patches Actively Exploited Chrome Zero-Day CVE-2026-5281 — Update Now
#CyberSecurity
https://securebulletin.com/google-patches-actively-exploited-chrome-zero-day-cve-2026-5281-update-now/
Overview
- axios
- axios
10 Apr 2026
Published
10 Apr 2026
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
0.24%
KEV
Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0.
Statistics
- 1 Post
- 1 Interaction
Last activity: 10 hours ago
Overview
- Totolink
- A7100RU
12 Apr 2026
Published
12 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
0.89%
KEV
Description
A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. Affected is the function setRadvdCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument maxRtrAdvInterval causes os command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
Statistics
- 1 Post
Last activity: 8 hours ago
Fediverse
🚨 CVE-2026-6112 (CRITICAL, CVSS 9.3): Totolink A7100RU (fw 7.4cu.2313_b20191024) is vulnerable to unauthenticated OS command injection via /cgi-bin/cstecgi.cgi. No patch yet — restrict access & monitor activity. https://radar.offseq.com/threat/cve-2026-6112-os-command-injection-in-totolink-a71-83c5f182 #OffSeq #Vuln #Infosec #CVE20266112
Overview
- 1Panel-dev
- MaxKB
11 Apr 2026
Published
11 Apr 2026
Updated
CVSS v4.0
MEDIUM (5.1)
EPSS
0.03%
KEV
Description
A vulnerability was detected in 1Panel-dev MaxKB up to 2.2.1. This vulnerability affects the function StaticHeadersMiddleware of the file apps/common/middleware/static_headers_middleware.py of the component Public Chat Interface. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. Upgrading to version 2.8.0 is able to resolve this issue. The patch is identified as 026a2d623e2aa5efa67c4834651e79d5d7cab1da. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Statistics
- 1 Post
Last activity: 17 hours ago
Fediverse
🔎 CVE-2026-6106: 1Panel-dev MaxKB v2.2.0/2.2.1 impacted by MEDIUM XSS via Public Chat Interface (Name arg). Patch to v2.8.0 to mitigate. No in-the-wild exploits yet. Full details: https://radar.offseq.com/threat/cve-2026-6106-cross-site-scripting-in-1panel-dev-m-cd592a06 #OffSeq #XSS #Vuln
Overview
Description
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1221.
Statistics
- 1 Post
Last activity: 8 hours ago
Fediverse
Microsoft Update causing Print Spooler Problems - CVE-2019-1367 | https://techygeekshome.info/cve-2019-1367/?fsp_sid=27678 | #Guide #Microsoft #News #security #Updates #Windows
https://techygeekshome.info/cve-2019-1367/?fsp_sid=27678
Overview
- boonebgorges
- BuddyPress Groupblog
11 Apr 2026
Published
11 Apr 2026
Updated
CVSS v3.1
HIGH (8.8)
EPSS
0.05%
KEV
Description
The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.9.3. This is due to the group blog settings handler accepting the `groupblog-blogid`, `default-member`, and `groupblog-silent-add` parameters from user input without proper authorization checks. The `groupblog-blogid` parameter allows any group admin (including Subscribers who create their own group) to associate their group with any blog on the Multisite network, including the main site (blog ID 1). The `default-member` parameter accepts any WordPress role, including `administrator`, without validation against a whitelist. When combined with `groupblog-silent-add`, any user who joins the attacker's group is automatically added to the targeted blog with the injected role. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate any user (including themselves via a second account) to Administrator on the main site of the Multisite network.
Statistics
- 1 Post
Last activity: 20 hours ago
Fediverse
🚩 HIGH severity: CVE-2026-5144 impacts BuddyPress Groupblog ≤1.9.3. Authenticated users (even Subscribers) can escalate to Admin on WordPress Multisite. No patch yet — disable or restrict plugin for now. https://radar.offseq.com/threat/cve-2026-5144-cwe-269-improper-privilege-managemen-f1535bf6 #OffSeq #WordPress #CVE20265144 #infosec
Overview
- optimole
- Optimole – Optimize Images in Real Time
11 Apr 2026
Published
11 Apr 2026
Updated
CVSS v3.1
HIGH (7.2)
EPSS
0.08%
KEV
Description
The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.2. This is due to insufficient input sanitization and output escaping on the user-supplied 's' parameter (srcset descriptor) in the unauthenticated /wp-json/optimole/v1/optimizations REST endpoint. The endpoint validates requests using an HMAC signature and timestamp, but these values are exposed directly in the frontend HTML making them accessible to any visitor. The plugin uses sanitize_text_field() on the descriptor value of rest.php, which strips HTML tags but does not escape double quotes. The poisoned descriptor is then stored via transients (backed by the WordPress options table) and later retrieved and injected verbatim into the srcset attribute of tag_replacer.php without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page.
Statistics
- 1 Post
Last activity: 18 hours ago
Fediverse
🚨 HIGH risk: Optimole WordPress plugin (≤4.2.2) vulnerable to unauthenticated stored XSS via /wp-json/optimole/v1/optimizations. HMAC bypassed. Disable plugin until patch. CVE-2026-5217 https://radar.offseq.com/threat/cve-2026-5217-cwe-79-improper-neutralization-of-in-49825cdd #OffSeq #WordPress #XSS #infosec