
Overview

  • Adobe
  • Acrobat Reader

11 Apr 2026
Published
11 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.6)
EPSS
0.24%

KEV

Description

Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Statistics

  • 4 Posts
  • 1 Interaction

Last activity: 6 hours ago

Fediverse

🚨 CRITICAL: CVE-2026-34621 in Adobe Acrobat Reader (≤26.001.21367) enables prototype pollution & arbitrary code execution via malicious files. No patch yet — avoid opening untrusted PDFs. Monitor advisories. radar.offseq.com/threat/cve-20

  • 0
  • 1
  • 1
  • 7h ago

By me @Forbes It's always at the weekend, innit? Adobe urges admins to patch Adobe Acrobat and Reader on Windows and macOS within 72 hours as CVE-2026-34621 attacks confirmed.

forbes.com/sites/daveywinder/2

  • 0
  • 0
  • 1
  • 6h ago

Overview

  • Fortinet
  • FortiClientEMS

04 Apr 2026
Published
07 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
25.26%

Description

An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 7 hours ago

Fediverse

Yet another emergency update at Fortinet

Something completely new - oh no, unfortunately it is not new, but almost routine. The US manufacturer of network perimeter devices, Fortinet, has had to publish yet another emergency update. The security vulnerability it patches, CVE-2026-35616, has been exploited in attacks since at least the end of March (zero-day exploit). That is already the second zero-day within a few weeks. Back in March, CVE-2026-21643 had to be patched. To repeat: anyone who wants to protect their intranet against the wild, wild internet has to turn to FOSS.

pc-fluesterer.info/wordpress/2

#Allgemein #Empfehlung #Hintergrund #Warnung #0day #closedsource #cybercrime #exploits #hersteller #sicherheit #UnplugTrump #usa

  • 1
  • 0
  • 0
  • 7h ago

Bluesky

ICYMI: FortiClient EMS Auth Bypass (CVE-2026-35616) Unauthenticated attackers can bypass cert-based auth via header spoofing + weak validation. Exploitation confirmed in the wild. Patch now or upgrade to 7.4.7. We also released a safe detection tool: bishopfox.com/blog/api-aut...
  • 0
  • 0
  • 0
  • 21h ago

Overview

  • marimo-team
  • marimo

09 Apr 2026
Published
09 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
2.70%

KEV

Description

marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification. This vulnerability is fixed in 0.23.0.

Statistics

  • 1 Post
  • 5 Interactions

Last activity: 10 hours ago

Fediverse

CVE-2026-39987: Critical Marimo Python Notebook RCE Exploited Within 10 Hours of Disclosure
#CyberSecurity
securebulletin.com/cve-2026-39

  • 5
  • 0
  • 0
  • 10h ago

Overview

  • nghttp2
  • nghttp2

18 Mar 2026
Published
20 Mar 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.02%

KEV

Description

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when the user-facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might also be called internally by the library when it detects a situation that constitutes a connection error. Due to missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Receiving a malformed frame that causes FRAME_SIZE_ERROR then triggers an assertion failure. nghttp2 v1.68.1 adds the missing state validation to avoid the assertion failure. No known workarounds are available.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 2 hours ago

Bluesky

CVE-2026-27135 (nghttp2 assertion DoS) is fixed, but the process to detect, patch, and mitigate is what keeps you safe. Read more: 👉 tinyurl.com/mhap9fe #SUSE
  • 0
  • 1
  • 0
  • 2h ago

Overview

  • moby
  • moby

31 Mar 2026
Published
02 Apr 2026
Updated

CVSS v3.1
HIGH (8.8)
EPSS
0.01%

KEV

Description

Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

DOCKER’S GHOST IN THE MACHINE: CVE-2026-34040 – THE AUTHZ BYPASS THAT JUST WON’T DIE + Video Introduction A security vulnerability originally patched in 2019, then patched again in 2024, has resurfaced in 2026—Docker Engine’s authorization bypass (CVE‑2026‑34040) allows attackers to silently…
  • 0
  • 0
  • 0
  • 4h ago

Overview

  • MervinPraison
  • PraisonAI

10 Apr 2026
Published
10 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.4)
EPSS
0.07%

KEV

Description

PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory. An attacker who distributes a malicious bundle can overwrite arbitrary files on the victim's filesystem when they run praisonai recipe unpack. This vulnerability is fixed in 4.5.128.

Statistics

  • 1 Post

Last activity: 10 hours ago

Fediverse

🚨 CRITICAL: CVE-2026-40157 in PraisonAI (<4.5.128) enables path traversal via malicious .praison bundles — risk: file overwrite & code execution. Patch to 4.5.128+ & avoid untrusted archives. Full details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 10h ago

Overview

  • Microsoft
  • Windows 10 Version 1607

10 Mar 2026
Published
09 Apr 2026
Updated

CVSS v3.1
HIGH (8.0)
EPSS
0.08%

KEV

Description

Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network.

Statistics

  • 2 Posts

Last activity: 7 hours ago

Bluesky

🛡️ CVE-2026-25172: Microsoft's urgent " #Hotpatch" for #Windows11 that you must apply now (no reboot required) www.newstecnicas.info.ve/2026/04/cve-...
  • 0
  • 0
  • 1
  • 7h ago

Overview

  • axios
  • axios

10 Apr 2026
Published
10 Apr 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
0.24%

KEV

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0.

Statistics

  • 1 Post

Last activity: 6 hours ago

Bluesky

🚨 New CRITICAL CVE detected in AWS Lambda 🚨 CVE-2026-40175 impacts axios in 4 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/466 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 0
  • 0
  • 6h ago

Overview

  • langflow-ai
  • langflow

20 Mar 2026
Published
26 Mar 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
5.65%

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

Statistics

  • 1 Post

Last activity: 15 hours ago

Bluesky

Execution without authentication: an in-depth analysis of the Langflow CVE-2026-33017 unauthenticated remote code execution vulnerability, with hands-on practice against a target
  • 0
  • 0
  • 0
  • 15h ago

Overview

  • patrickhener
  • goshs

10 Apr 2026
Published
10 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.10%

KEV

Description

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. By deleting the .goshs file itself, the attacker can remove the folder's auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability. This vulnerability is fixed in 2.0.0-beta.4.

Statistics

  • 2 Posts

Last activity: 18 hours ago

Fediverse

🚨 CVE-2026-40189: goshs <2.0.0-beta.4 has a CRITICAL auth bypass. Attackers can upload, delete, and remove folder auth to access protected files. Mitigate by upgrading now! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 1
  • 18h ago