Overview

  • Oracle Corporation
  • Oracle Identity Manager

20 Mar 2026
Published
20 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.02%

KEV

Description

Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: REST WebServices) and Oracle Web Services Manager product of Oracle Fusion Middleware (component: Web Services Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager. Note: Oracle Web Services Manager is installed with an Oracle Fusion Middleware Infrastructure. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Statistics

  • 4 Posts
  • 2 Interactions

Last activity: 15 hours ago

Fediverse

Geopolitical tensions remain high as the Iran conflict disrupts the Strait of Hormuz, impacting oil prices and global tech supply chains due to halted helium output from Qatar (Mar 20-21, 2026). In technology, Google introduced a mandatory 24-hour wait for Android sideloading from unverified developers (Mar 20, 2026), while Nvidia showcased new AI chips at GTC 2026 (Mar 20, 2026). Cybersecurity saw Oracle patch a critical RCE vulnerability (CVE-2026-21992) (Mar 21, 2026), and Iranian-linked hackers targeted medical tech firm Stryker, wiping devices (Mar 20, 2026). A Trivy supply chain attack also deployed 'CanisterWorm' across npm packages (Mar 20, 2026).

#Cybersecurity #Geopolitics #TechNews

  • 0
  • 1
  • 0
  • 22h ago

Bluesky

Oracle Patches Critical CVE-2026-21992 Enabling Unauthenticated RCE in Identity Manager #cybersecurity #hacking #news #infosec #security #technology #privacy thehackernews.com/20...
  • 0
  • 0
  • 0
  • 15h ago

Overview

  • langflow-ai
  • langflow

20 Mar 2026
Published
21 Mar 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.46%

KEV

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

Statistics

  • 3 Posts
  • 2 Interactions

Last activity: 1 hour ago

Bluesky

Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure #cybersecurity #hacking #news #infosec #security #technology #privacy thehackernews.com/20...
  • 0
  • 1
  • 0
  • 23h ago
CVE-2026-33017 is an unauthenticated remote code execution flaw in Langflow’s public flow build endpoint, exploited within 20 hours to run arbitrary Python and steal credentials via multi-stage attacks. #Langflow #RemoteCode #Exploit2026
  • 0
  • 1
  • 0
  • 1h ago
Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure thehackernews.com/2026/03/crit...
  • 0
  • 0
  • 0
  • 8h ago

Overview

  • himmelblau-idm
  • himmelblau

11 Mar 2026
Published
11 Mar 2026
Updated

CVSS v3.1
HIGH (8.8)
EPSS
0.02%

KEV

Description

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Prior to 3.1.0 and 2.3.8, the himmelblaud-tasks daemon, running as root, writes Kerberos cache files under /tmp/krb5cc_<uid> without symlink protections. Since commit 87a51ee, PrivateTmp is explicitly removed from the tasks daemon's systemd hardening, exposing it to the host /tmp. A local user can exploit this via symlink attacks to chown or overwrite arbitrary files, achieving local privilege escalation. This vulnerability is fixed in 3.1.0 and 2.3.8.

Statistics

  • 1 Post
  • 9 Interactions

Last activity: 3 hours ago

Fediverse

A vulnerability in a Linux enterprise app can allow attackers root access over devices

The issue impacts Himmelblau, an interoperability suite to integrate Linux with Entra ID and Intune networks.

akamai.com/blog/security-resea

  • 6
  • 3
  • 0
  • 3h ago

Overview

  • Microsoft
  • Windows 10 Version 1607

10 Mar 2026
Published
20 Mar 2026
Updated

CVSS v3.1
HIGH (7.8)
EPSS
0.06%

KEV

Description

Incorrect permission assignment for critical resource in Windows Accessibility Infrastructure (ATBroker.exe) allows an authorized attacker to elevate privileges locally.

Statistics

  • 1 Post
  • 3 Interactions

Last activity: 20 hours ago

Bluesky

RegPwn: The 0-Day That Weaponized Windows Accessibility for Stealth Privilege Escalation + Video Introduction: A newly disclosed Local Privilege Escalation (LPE) vulnerability, tracked as CVE-2026-24291 and dubbed "RegPwn," demonstrates a sophisticated shift in adversary tradecraft. Exploiting…
  • 1
  • 2
  • 0
  • 20h ago

Overview

  • ConnectWise
  • ScreenConnect

17 Mar 2026
Published
18 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.0)
EPSS
0.06%

KEV

Description

A condition in ScreenConnect may allow an actor with access to server-level cryptographic material used for authentication to obtain unauthorized access, including elevated privileges, in certain scenarios.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 6 hours ago

Bluesky

Unpatched ScreenConnect servers open to attack (CVE-2026-3564) - Help Net Security www.helpnetsecurity.com/2026/03/20/c...
  • 1
  • 0
  • 0
  • 6h ago

Overview

  • Tenda
  • FH451

22 Mar 2026
Published
22 Mar 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.05%

KEV

Description

A vulnerability has been found in Tenda FH451 1.0.0.9. This vulnerability affects the function WrlclientSet of the file /goform/WrlclientSet. Manipulation of the argument GO leads to a stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 9 hours ago

Fediverse

⚠️ HIGH severity: CVE-2026-4535 in Tenda FH451 (v1.0.0.9) — stack-based buffer overflow in /goform/WrlclientSet. Remote, unauthenticated code execution possible. Patch or mitigate now! radar.offseq.com/threat/cve-20

  • 1
  • 0
  • 0
  • 9h ago

Overview

  • tomdever
  • wpForo Forum

19 Feb 2026
Published
23 Feb 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
11.33%

KEV

Description

The wpForo Forum plugin for WordPress is vulnerable to time-based SQL Injection via the 'wpfob' parameter in all versions up to, and including, 2.4.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 19 hours ago

Overview

  • Tenda
  • FH451

22 Mar 2026
Published
22 Mar 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.05%

KEV

Description

A flaw has been found in Tenda FH451 1.0.0.9. This affects the function formWrlExtraSet of the file /goform/WrlExtraSet. Manipulation of the argument GO causes a stack-based buffer overflow. The attack can be initiated remotely. The exploit has been published and may be used.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 7 hours ago

Fediverse

🔎 CVE-2026-4534 (HIGH, CVSS 8.7): Stack-based buffer overflow in Tenda FH451 (v1.0.0.9) lets remote attackers execute code. PoC exploit published. Patch/mitigate now — restrict access & monitor for attacks. Info: radar.offseq.com/threat/cve-20

  • 0
  • 1
  • 0
  • 7h ago

Overview

  • Wavlink
  • WL-WN578W2

22 Mar 2026
Published
22 Mar 2026
Updated

CVSS v4.0
MEDIUM (5.3)
EPSS
0.18%

KEV

Description

A vulnerability was found in Wavlink WL-WN578W2 221110. The impacted element is an unknown function of the file /cgi-bin/firewall.cgi of the component POST Request Handler. Manipulation of the argument dmz_flag/del_flag results in command injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 4 hours ago

Fediverse

⚠️ CVE-2026-4543: Wavlink WL-WN578W2 (v221110) has a MEDIUM severity command injection flaw in /cgi-bin/firewall.cgi. No patch; public exploit exists. Isolate, restrict access, and monitor traffic urgently. radar.offseq.com/threat/cve-20

  • 0
  • 1
  • 0
  • 4h ago

Overview

  • carazo
  • Import and export users and customers

21 Mar 2026
Published
21 Mar 2026
Updated

CVSS v3.1
HIGH (8.1)
EPSS
0.04%

KEV

Description

The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'save_extra_user_profile_fields' function not properly restricting which user meta keys can be updated via profile fields. The 'get_restricted_fields' method does not include sensitive meta keys such as 'wp_capabilities'. This makes it possible for unauthenticated attackers to escalate their privileges to Administrator by submitting a crafted registration request that sets the 'wp_capabilities' meta key. The vulnerability can only be exploited if the "Show fields in profile" setting is enabled and a CSV with a wp_capabilities column header has been previously imported.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 12 hours ago

Fediverse

⚠️ CVE-2026-3629: HIGH severity in carazo's 'Import and export users and customers' WP plugin (≤1.29.7). Privilege escalation to admin possible if 'Show fields in profile' is on and CSV with 'wp_capabilities' imported. Mitigate now! radar.offseq.com/threat/cve-20

  • 0
  • 1
  • 0
  • 12h ago
Showing 1 to 10 of 25 CVEs