
Overview

  • defnull
  • multipart

12 Mar 2026
Published
13 Mar 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.54%

KEV

Description

multipart is a fast multipart/form-data parser for Python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parse_options_header() function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking (ReDoS) when parsing maliciously crafted HTTP or multipart segment headers. This can be abused for denial of service (DoS) attacks against web applications using this library to parse request headers or multipart/form-data streams. The issue is fixed in 1.2.2, 1.3.1 and 1.4.0-dev.

Statistics

  • 1 Post
  • 36 Interactions

Last activity: 14 hours ago

Fediverse


The 'multipart' #python library got an independent #security audit and I only know about that because they found something -> CVE-2026-28356

This is great, actually! Someone looked into it so thoroughly that they found an obscure single-character issue in a regular expression ... and didn't find anything else! Which means I can now be really confident about the security of this library. Nice!

#cve #infosec #sansio


Overview

  • Google
  • Chrome

12 Mar 2026
Published
14 Mar 2026
Updated

CVSS
Pending
EPSS
27.12%

Description

Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Statistics

  • 5 Posts
  • 8 Interactions

Last activity: 9 hours ago

Fediverse


@browserversiontracker For the curious, this includes security fixes for CVE-2026-3909 & CVE-2026-3910 from Chromium 146.0.7680.80.

And yes, we somehow beat the Chrome team getting this out even though they did the fix. 😂


@vivaldiversiontracker This includes security fixes for CVE-2026-3909 & CVE-2026-3910 from Chromium 146.0.7680.80.


Bluesky

Emergency Chrome update! Google patched two zero-day vulnerabilities (CVE-2026-3909 & CVE-2026-3910) actively exploited in attacks. Update your browser now to version 146.0.7680.75/.76. #Cybersecurity #News

Overview

  • Microsoft
  • Microsoft Authenticator for Android

10 Mar 2026
Published
13 Mar 2026
Updated

CVSS v3.1
MEDIUM (5.5)
EPSS
0.04%

KEV

Description

Cwe is not in rca categories in Microsoft Authenticator allows an unauthorized attacker to disclose information locally.

Statistics

  • 1 Post
  • 8 Interactions

Last activity: 7 hours ago

Fediverse


Microsoft Authenticator could leak sign-in codes: if you are using it, update the app right away

A vulnerability in Microsoft Authenticator for iOS and Android (CVE-2026-26123) could leak one-time passcodes or authentication deep links to a malicious app on the same device.

malwarebytes.com/blog/news/202

@informatica


Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 2 Posts
  • 4 Interactions

Last activity: 1 hour ago

Fediverse


Your package manager's D-Bus interface is root-privileged, always-on, and crashes instantly if you whisper the wrong locale at it.

CVE-2026-3836.
CVSS 7.5.
No auth required.

The tool patching your system was the hole. Upgrade dnf5 now.
portallinuxferramentas.blogspo


Overview

  • Microsoft
  • Microsoft Devices Pricing Program

05 Mar 2026
Published
13 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.38%

KEV

Description

Microsoft Devices Pricing Program Remote Code Execution Vulnerability

Statistics

  • 1 Post
  • 3 Interactions

Last activity: 19 hours ago

Bluesky

Microsoft’s March 2026 Patch Tuesday: Critical CVE-2026-21536 Exposed – How AI-Powered Offensive Security is Changing the Game + Video Introduction In March 2026, Microsoft released its monthly Patch Tuesday update, addressing over 100 vulnerabilities, including a critical flaw in the Microsoft…

Overview

  • dagu-org
  • dagu

13 Mar 2026
Published
13 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
0.08%

KEV

Description

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves .. segments lexically, so a caller can supply a value such as ".." to redirect the computed directory outside the intended /tmp/<name>/<id> path. A deferred cleanup function that calls os.RemoveAll on that directory then runs unconditionally when the HTTP handler returns, deleting whatever directory the traversal resolved to. With dagRunId set to "..", the resolved directory is the system temporary directory (/tmp on Linux). On non-root deployments, os.RemoveAll("/tmp") removes all files in /tmp owned by the dagu process user, disrupting every concurrent dagu run that has live temp files. On root or Docker deployments, the call removes the entire contents of /tmp, causing a system-wide denial of service. This vulnerability is fixed in 2.2.4.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 19 hours ago

Fediverse


⚠️ CRITICAL vuln: dagu <2.2.4 suffers from path traversal (CVE-2026-31886). Exploit allows deletion of /tmp, causing system-wide DoS. Upgrade to 2.2.4+ or enforce input validation now! radar.offseq.com/threat/cve-20


Overview

  • ctfer-io
  • monitoring

13 Mar 2026
Published
13 Mar 2026
Updated

CVSS v4.0
HIGH (7.1)
EPSS
0.04%

KEV

Description

The CTFer.io Monitoring component is in charge of the collection, processing and storage of various signals (i.e. logs, metrics and distributed traces). Prior to 0.2.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from a component to any other namespace. This breaks the security-by-default property expected as part of the deployment program, leading to potential lateral movement. This vulnerability is fixed in 0.2.1.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 13 hours ago

Fediverse


CVE-2026-32720 (HIGH): ctfer-io monitoring <0.2.1 has improper access control, allowing lateral movement across Kubernetes namespaces — risks sensitive logs/metrics. Patch to 0.2.1+ ASAP! 🔒 radar.offseq.com/threat/cve-20


Overview

  • nyariv
  • SandboxJS

13 Mar 2026
Published
13 Mar 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
0.05%

KEV

Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct {[p]: Function} where p is any constructible property. This vulnerability is fixed in 0.8.34.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 16 hours ago

Fediverse


🔥 CRITICAL: CVE-2026-26954 in SandboxJS (< 0.8.34) enables sandbox escape via Function & Object.fromEntries. Attackers can run arbitrary code remotely! Upgrade to v0.8.34+ now. Full details: radar.offseq.com/threat/cve-20


Overview

  • Google
  • Chrome

12 Mar 2026
Published
14 Mar 2026
Updated

CVSS
Pending
EPSS
21.89%

Description

Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Statistics

  • 3 Posts
  • 3 Interactions

Last activity: 9 hours ago

Fediverse


@browserversiontracker For the curious, this includes security fixes for CVE-2026-3909 & CVE-2026-3910 from Chromium 146.0.7680.80.

And yes, we somehow beat the Chrome team getting this out even though they did the fix. 😂


@vivaldiversiontracker This includes security fixes for CVE-2026-3909 & CVE-2026-3910 from Chromium 146.0.7680.80.


Bluesky

Emergency Chrome update! Google patched two zero-day vulnerabilities (CVE-2026-3909 & CVE-2026-3910) actively exploited in attacks. Update your browser now to version 146.0.7680.75/.76. #Cybersecurity #News

Overview

  • strategy11team
  • Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

13 Mar 2026
Published
13 Mar 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.05%

KEV

Description

The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass in all versions up to, and including, 6.28. This is due to the Stripe Link return handler (`handle_one_time_stripe_link_return_url`) marking payment records as complete based solely on the Stripe PaymentIntent status without comparing the intent's charged amount against the expected payment amount, and the `verify_intent()` function validating only client secret ownership without binding intents to specific forms or actions. This makes it possible for unauthenticated attackers to reuse a PaymentIntent from a completed low-value payment to mark a high-value payment as complete, effectively bypassing payment for goods or services.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 23 hours ago

Fediverse


Formidable Forms Vulnerability Let Attackers Reuse Low-Value Stripe Payments for Higher-Cost Purchases boldoutlook.com/formidable-for

#wordpress #WordPressSecurity #cybersecurity #blogging #webdevelopment
