24h | 7d | 30d

Overview

  • ServiceNow
  • ServiceNow AI Platform

13 Jul 2026
Published
14 Jul 2026
Updated

CVSS v4.0
CRITICAL (9.5)
EPSS
0.51%

KEV

Description

ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability could enable an unauthenticated user, in certain circumstances, to execute code within the ServiceNow platform. ServiceNow addressed this vulnerability by deploying a security update to hosted instances. Relevant security updates have also been provided to ServiceNow self-hosted customers and partners. Further, the vulnerability is addressed in the listed patches and family releases, which have been made available to hosted and self-hosted customers, as well as partners. We are not currently aware of exploitation against ServiceNow instances. We recommend customers promptly apply appropriate updates or upgrade to a patched release if they have not already done so.

Statistics

  • 4 Posts
  • 5 Interactions

Last activity: 2 hours ago

Fediverse

Profile picture fallback

I fucking hate delayed advisories like this. Do better, ServiceNow.

support.servicenow.com/kb?id=k

ServiceNow has addressed a critical remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability, tracked as CVE-2026-6875, could enable an unauthenticated user, in certain circumstances, to execute code within the ServiceNow platform.

cve.org/CVERecord?id=CVE-2026-

sev:CRIT 9.5 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

  • 3
  • 1
  • 0
  • 4h ago
Profile picture fallback

CVE-2026-6875 (CVSS 9.5) is a ServiceNow sandbox escape in the AI Platform that allows unauthenticated remote code execution. Patch now.

securityonline.info/servicenow

  • 1
  • 0
  • 0
  • 17h ago
Profile picture fallback

ServiceNow security advisory AV26-693 addresses a critical sandbox escape vulnerability affecting multiple versions of their AI platform products. Users and administrators are urged to apply the necessary security updates to mitigate risks identified in CVE-2026-6875.
cyber.gc.ca/en/alerts-advisori

  • 0
  • 0
  • 0
  • 2h ago

Bluesky

Profile picture fallback
~Cybergcca~ Canadian Cyber Centre published 6 advisories covering critical vulnerabilities in ServiceNow, Veeam, Mozilla, SAP, Siemens, and HPE. - IOCs: CVE-2026-6875 - #PatchTuesday #ThreatIntel #Vulnerability
  • 0
  • 0
  • 0
  • 3h ago

Overview

  • Gitea
  • Gitea Open Source Git Server

03 Jul 2026
Published
07 Jul 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.78%

KEV

Description

Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled.

Statistics

  • 3 Posts
  • 7 Interactions

Last activity: Last hour

Fediverse

Profile picture fallback

Ein Header genügt: Wie Gitea und Forgejo jedem Fremden die Admin-Rechte schenkten

Ein gefälschter HTTP-Header genügte monatelang, um sich in Gitea und Forgejo zum Admin zu machen, ganz ohne Passwort. CVE-2026-20896 hat einen CVSS-Wert von 9.8. Gitea ist seit dem 21. Juni gepatcht, Forgejo hängt weiter in der Luft. Was du an deiner Konfiguration sofort prüfen musst.

chrislo.de/blog/2026-07-14-20-

#chrislo #ITSicherheit #ServerInfrastruktur #Gitea #Forgejo #Docker #SelfHosting #CVE #ReverseProxy #OpenSource #Codeberg

  • 4
  • 0
  • 0
  • Last hour
Profile picture fallback

Ein Header genügt: Wie Gitea und Forgejo jedem Fremden die Admin-Rechte schenkten

Ein gefälschter HTTP-Header genügte monatelang, um sich in Gitea und Forgejo zum Admin zu machen, ganz ohne Passwort. CVE-2026-20896 hat einen CVSS-Wert von 9.8. Gitea ist seit dem 21. Juni gepatcht, Forgejo hängt weiter in der Luft. Was du an deiner Konfiguration sofort prüfen musst.

chrislo.de/blog/2026-07-14-20-…

#chrislo #ITSicherheit #ServerInfrastruktur #Gitea #Forgejo #Docker #SelfHosting #CVE #ReverseProxy #OpenSource #Codeberg

  • 3
  • 0
  • 0
  • Last hour
Profile picture fallback

Interesting to see Forgejo patched CVE-2026-20896 a month before it was reported affecting Gitea!

Well done @forgejo !!

  • 0
  • 0
  • 0
  • 5h ago

Overview

  • SAP_SE
  • SAP NetWeaver Application Server ABAP

14 Jul 2026
Published
14 Jul 2026
Updated

CVSS v3.1
CRITICAL (9.9)
EPSS
0.44%

KEV

Description

SAP NetWeaver Application Server ABAP allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could lead to unauthorized data access, modification, or system unavailability. This has high impact on confidentiality, integrity, and availability of the application.

Statistics

  • 3 Posts
  • 3 Interactions

Last activity: 7 hours ago

Fediverse

Profile picture fallback

CVE-2026-44747: CRITICAL out-of-bounds write in SAP NetWeaver AS ABAP (CVSS 9.9). Authenticated attackers can cause memory corruption — risking data & system availability. No patch. Restrict access, monitor activity. radar.offseq.com/threat/cve-20

  • 1
  • 0
  • 0
  • 16h ago
Profile picture fallback

SAP Security Patch Day July 2026 fixes CVE-2026-44747 (CVSS 9.9), a memory corruption flaw in NetWeaver AS ABAP, plus two more critical bugs.

securityonline.info/sap-patch-

  • 1
  • 0
  • 0
  • 11h ago
Profile picture fallback

SAP July 2026 patch day delivers CRITICAL fixes: NetWeaver (CVE-2026-44747, memory corruption), Approuter (CVE-2026-27690, HTTP smuggling), Commerce Cloud (CVE-2026-44761, hardcoded creds). Patch ASAP. radar.offseq.com/threat/sap-pa

  • 1
  • 0
  • 0
  • 7h ago

Overview

  • SAP_SE
  • SAP Commerce Cloud

14 Jul 2026
Published
14 Jul 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
0.35%

KEV

Description

SAP Commerce Cloud could retain a sample OAuth2 client with publicly documented sample credentials originating from sample configuration provided in SAP Help Portal documentation. If left unchanged, an unauthenticated attacker could use these well-known credentials to obtain a valid access token and invoke certain APIs to read and modify data. Successful exploitation results in high impact on confidentiality and integrity, with no impact on availability.

Statistics

  • 3 Posts
  • 2 Interactions

Last activity: 2 hours ago

Fediverse

Profile picture fallback

SAP Commerce Cloud impacted by CRITICAL CVE-2026-44761 (CVSS 9.1): Default OAuth2 credentials can let unauthenticated attackers access APIs & modify data. Change/remove sample creds now. No patch yet. radar.offseq.com/threat/cve-20

  • 1
  • 0
  • 0
  • 17h ago
Profile picture fallback

CVE-2026-44761 - Critical supply chain risk in SAP Commerce Cloud. Sample OAuth2 credentials left unchanged allow unauthenticated data read/write. CVSS 9.1. Check and remove defaults immediately. #CVE #SAP #infosec

valtersit.com/cve/CVE-2026-447

  • 0
  • 0
  • 0
  • 2h ago
Profile picture fallback

SAP July 2026 patch day delivers CRITICAL fixes: NetWeaver (CVE-2026-44747, memory corruption), Approuter (CVE-2026-27690, HTTP smuggling), Commerce Cloud (CVE-2026-44761, hardcoded creds). Patch ASAP. radar.offseq.com/threat/sap-pa

  • 1
  • 0
  • 0
  • 7h ago

Overview

  • tenable
  • tenable_agent

14 Jul 2026
Published
14 Jul 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
Pending

KEV

Description

A path traversal vulnerability in Tenable Agent 11.2.0 and 11.1.3 and lower allows a privileged attacker to write arbitrary files outside the intended plugin directory, potentially leading to remote code execution.

Statistics

  • 1 Post
  • 17 Interactions

Last activity: 3 hours ago

Fediverse

Profile picture fallback

nvd.nist.gov/vuln/detail/CVE-2

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

A path traversal vulnerability in Tenable Agent 11.2.0 and 11.1.3 and lower allows a privileged attacker to write arbitrary files outside the intended plugin directory, potentially leading to remote code execution.

  • 3
  • 14
  • 0
  • 3h ago

Overview

  • Linux
  • Linux

22 Apr 2026
Published
14 Jul 2026
Updated

CVSS v3.1
HIGH (7.8)
EPSS
96.27%

Description

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.

Statistics

  • 2 Posts
  • 6 Interactions

Last activity: 10 hours ago

Fediverse

Profile picture fallback

A normal Thursday, 8:29 AM: a Slack message about CVE-2026-31431, "Copy Fail", a Linux kernel 0-day. A few lines of Python turn an unprivileged user into root – being a 0-day, no patch existed yet.

One engineer verified the exploit, one researched the fix, one rolled it out, one checked the fleet and one tested it, all within about an hour. No escalation, no drama. NKE and Deploio ran on Flatcar Container Linux, unaffected.

nine.ch/en/blog/linux-kernel-0day-copy-fail/

#security #blog #nine

  • 3
  • 3
  • 1
  • 10h ago

Overview

  • Monsta Limited of New Zealand
  • Monsta FTP

08 Jul 2026
Published
14 Jul 2026
Updated

CVSS v4.0
HIGH (7.7)
EPSS
0.31%

KEV

Description

Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist check in the isBlockedIP() function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obtain a CSRF token from the public getSystemVars endpoint and submit a fetchRemoteFile request with a source URL resolving to an IPv4-mapped address, causing the server to issue HTTP requests to internal services and write responses to an attacker-controlled FTP destination, enabling retrieval of cloud instance metadata credentials.

Statistics

  • 1 Post
  • 4 Interactions

Last activity: 3 hours ago

Fediverse

Profile picture fallback

New vuln disclosure out from
@chocapikk_: Unauth SSRF in Monsta FTP (CVE-2026-60105), makes for a nice primitive. Silently fixed a couple weeks ago, go figure. Full details + PoC out on the @vulncheck blog: vulncheck.com/blog/monsta-ftp-

  • 2
  • 2
  • 0
  • 3h ago

Overview

  • decolua
  • 9Router

13 Jul 2026
Published
14 Jul 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.52%

KEV

Description

9Router through version 0.4.41 contains an unauthenticated access vulnerability that allows remote attackers to interact with provider management API endpoints by sending requests without any credentials due to missing authentication middleware in the Next.js API routes under src/app/api/providers/*. Attackers can enumerate, create, modify, or delete provider connections to expose partial credentials, OAuth tokens, and API keys, redirect AI traffic to attacker-controlled servers, or cause complete denial of service by deleting all provider connections.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 13 hours ago

Fediverse

Profile picture fallback

decolua 9Router <=0.4.41 hit by CVE-2026-59801 (CRITICAL): Missing authentication on provider APIs lets remote attackers control connections, steal creds, or disrupt service. Restrict access & monitor now. radar.offseq.com/threat/cve-20

  • 1
  • 1
  • 0
  • 13h ago

Overview

  • Eclipse Foundation
  • Eclipse BaSyx - Java Server SDK

14 Jul 2026
Published
14 Jul 2026
Updated

CVSS v3.1
CRITICAL (9.0)
EPSS
0.45%

KEV

Description

In Eclipse BaSyx Java Server SDK versions 2.0.0-milestone-05 to 2.0.0-milestone-12, deployments using the MongoDB backend are vulnerable to an unauthenticated arbitrary file write through the AAS thumbnail API. The AAS thumbnail upload path accepted a client-controlled fileName request parameter and passed it through repository file handling as both a repository key and, during thumbnail retrieval, a local filesystem path. With the MongoDB file repository, the supplied filename was treated as an opaque GridFS key and was not normalized or restricted as a filesystem path. A remote attacker could upload thumbnail content using an absolute or traversal-style filename, then trigger thumbnail retrieval so that the uploaded bytes were written to the attacker-chosen path on the server filesystem. This could allow writing files anywhere the Java process has permission to write and may lead to remote code execution. The default InMemory backend is not affected by this specific path because it normalizes and restricts file paths to its temporary directory. The issue is fixed in Eclipse BaSyx Java Server SDK 2.0.0-milestone-13.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 10 hours ago

Fediverse

Profile picture fallback

Eclipse BaSyx Java Server SDK (MongoDB backend) CRITICAL vuln: CVE-2026-57898 (CVSS 9.0) allows unauthenticated path traversal & arbitrary file writes — potential RCE. Upgrade to 2.0.0-milestone-13. Details: radar.offseq.com/threat/cve-20

  • 1
  • 0
  • 0
  • 10h ago

Overview

  • MariaDB
  • server

11 Jun 2026
Published
13 Jul 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
1.00%

KEV

Description

MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with `wsrep_notify_cmd` enabled would execute shell commands embedded in the name of the joiner node. This is fixed in 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. As a workaround, anyone who cannot upgrade now should disable `wsrep_notify_cmd`.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 4 hours ago

Fediverse

Profile picture fallback

CVE-2026-49261 🔥 10.0

  • 0
  • 1
  • 0
  • 4h ago
Showing 1 to 10 of 55 CVEs