Overview

  • Google
  • Chrome

12 Mar 2026
Published
14 Mar 2026
Updated

CVSS
Pending
EPSS
27.12%

Description

Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Statistics

  • 6 Posts
  • 8 Interactions

Last activity: 2 hours ago

Fediverse


@browserversiontracker For the curious, this includes security fixes for CVE-2026-3909 & CVE-2026-3910 from Chromium 146.0.7680.80.

And yes, we somehow beat the Chrome team getting this out even though they did the fix. 😂

  • 1
  • 0
  • 0
  • 2h ago

@vivaldiversiontracker This includes security fixes for CVE-2026-3909 & CVE-2026-3910 from Chromium 146.0.7680.80.

  • 0
  • 1
  • 0
  • 2h ago

Bluesky

Emergency Chrome update! Google patched two zero-day vulnerabilities (CVE-2026-3909 & CVE-2026-3910) actively exploited in attacks. Update your browser now to version 146.0.7680.75/.76. #Cybersecurity #News
  • 0
  • 1
  • 0
  • 15h ago
~Cisa~ CISA added two actively exploited Google vulnerabilities (Skia and Chromium V8) to its KEV catalog, urging immediate patching. - IOCs: CVE-2026-3909, CVE-2026-3910 - #CISA #KEV #ThreatIntel
  • 0
  • 0
  • 0
  • 19h ago

Overview

  • defnull
  • multipart

12 Mar 2026
Published
13 Mar 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.54%

KEV

Description

multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parse_options_header() function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking (ReDoS) when parsing maliciously crafted HTTP or multipart segment headers. This can be abused for denial of service (DoS) attacks against web applications using this library to parse request headers or multipart/form-data streams. The issue is fixed in 1.2.2, 1.3.1 and 1.4.0-dev.

Statistics

  • 1 Post
  • 32 Interactions

Last activity: 7 hours ago

Fediverse


The 'multipart' #python library got an independent #security audit and I only know about that because they found something -> CVE-2026-28356

This is great, actually! Someone looked into it so thoroughly that they found an obscure single-character issue in a regular expression ... and didn't find anything else! Which means I can now be really confident about the security of this library. Nice!

#cve #infosec #sansio

  • 16
  • 16
  • 0
  • 7h ago

Overview

  • Microsoft
  • Microsoft Authenticator for Android

10 Mar 2026
Published
13 Mar 2026
Updated

CVSS v3.1
MEDIUM (5.5)
EPSS
0.04%

KEV

Description

Cwe is not in rca categories in Microsoft Authenticator allows an unauthorized attacker to disclose information locally.

Statistics

  • 2 Posts
  • 6 Interactions

Last activity: Last hour

Fediverse


Microsoft Authenticator could leak login codes: if you are using it, update the app right away

A vulnerability in Microsoft Authenticator for iOS and Android (CVE-2026-26123) could leak one-time login codes or authentication deep links to a malicious app on the same device.

malwarebytes.com/blog/news/202

@informatica

  • 5
  • 1
  • 0
  • Last hour

Bluesky

Microsoft Authenticator could leak login codes - update your app now (CVE-2026-26123) #patchmanagement
  • 0
  • 0
  • 0
  • 22h ago

Overview

  • Microsoft
  • Microsoft Devices Pricing Program

05 Mar 2026
Published
13 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.38%

KEV

Description

Microsoft Devices Pricing Program Remote Code Execution Vulnerability

Statistics

  • 3 Posts
  • 4 Interactions

Last activity: 11 hours ago

Bluesky

Microsoft’s March 2026 Patch Tuesday: Critical CVE-2026-21536 Exposed – How AI-Powered Offensive Security is Changing the Game + Video Introduction In March 2026, Microsoft released its monthly Patch Tuesday update, addressing over 100 vulnerabilities, including a critical flaw in the Microsoft…
  • 1
  • 2
  • 0
  • 11h ago
In a historic first for Microsoft, XBOW, an autonomous pentesting system, discovered and reported a critical unauthenticated remote code execution vulnerability in the Microsoft Devices Pricing Program (CVE-2026-21536). https://bit.ly/4s2u8vq
  • 0
  • 1
  • 0
  • 20h ago
~Sophos~ Microsoft patched 84 CVEs, including 8 Critical flaws and 2 publicly disclosed issues. - IOCs: CVE-2026-21536, CVE-2026-21262, CVE-2026-23668 - #PatchTuesday #ThreatIntel #Vulnerability
  • 0
  • 0
  • 0
  • 19h ago

Overview

  • Pending

24 Feb 2026
Published
25 Feb 2026
Updated

CVSS
Pending
EPSS
0.64%

KEV

Description

FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can bypass JWT authentication by spoofing the Referer header to match the server's host. Successful exploitation allows the attacker to access the protected /api/runscript endpoint and execute arbitrary Node.js code on the server.

Statistics

  • 1 Post
  • 13 Interactions

Last activity: 18 hours ago

Fediverse


Today's CVE stinker: github.com/joshuavanderpoll/CV

You can get auth bypass on a SCADA HMI that already doesn't require auth, and then run a script by sending the script to `api/runscript`

Is this still a useful CVE? Perhaps! I am not an expert on FUXA HMIs specifically, and I'm sure they didn't intend for their runscript endpoint to be used to run *anything*

but still.

"you can run scripts by sending them to /api/runscript" sure is a funny CVE description.

  • 6
  • 7
  • 0
  • 18h ago

Overview

  • Google
  • Chrome

12 Mar 2026
Published
14 Mar 2026
Updated

CVSS
Pending
EPSS
21.89%

Description

Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Statistics

  • 4 Posts
  • 3 Interactions

Last activity: 2 hours ago

Fediverse


@browserversiontracker For the curious, this includes security fixes for CVE-2026-3909 & CVE-2026-3910 from Chromium 146.0.7680.80.

And yes, we somehow beat the Chrome team getting this out even though they did the fix. 😂

  • 1
  • 0
  • 0
  • 2h ago

@vivaldiversiontracker This includes security fixes for CVE-2026-3909 & CVE-2026-3910 from Chromium 146.0.7680.80.

  • 0
  • 1
  • 0
  • 2h ago

Bluesky

Emergency Chrome update! Google patched two zero-day vulnerabilities (CVE-2026-3909 & CVE-2026-3910) actively exploited in attacks. Update your browser now to version 146.0.7680.75/.76. #Cybersecurity #News
  • 0
  • 1
  • 0
  • 15h ago
~Cisa~ CISA added two actively exploited Google vulnerabilities (Skia and Chromium V8) to its KEV catalog, urging immediate patching. - IOCs: CVE-2026-3909, CVE-2026-3910 - #CISA #KEV #ThreatIntel
  • 0
  • 0
  • 0
  • 19h ago

Overview

  • Microsoft
  • Microsoft SQL Server 2016 Service Pack 3 (GDR)

10 Mar 2026
Published
13 Mar 2026
Updated

CVSS v3.1
HIGH (8.8)
EPSS
0.09%

KEV

Description

Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.

Statistics

  • 2 Posts

Last activity: 5 hours ago

Bluesky

#Microsoft fixes critical Zero-Day in #SQL Server that lets attackers take full control as admin | CVE-2026-21262 www.newstecnicas.info.ve/2026/03/micr...
  • 0
  • 0
  • 0
  • 5h ago
~Sophos~ Microsoft patched 84 CVEs, including 8 Critical flaws and 2 publicly disclosed issues. - IOCs: CVE-2026-21536, CVE-2026-21262, CVE-2026-23668 - #PatchTuesday #ThreatIntel #Vulnerability
  • 0
  • 0
  • 0
  • 19h ago

Overview

  • dagu-org
  • dagu

13 Mar 2026
Published
13 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
0.08%

KEV

Description

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves .. segments lexically, so a caller can supply a value such as ".." to redirect the computed directory outside the intended /tmp/<name>/<id> path. A deferred cleanup function that calls os.RemoveAll on that directory then runs unconditionally when the HTTP handler returns, deleting whatever directory the traversal resolved to. With dagRunId set to "..", the resolved directory is the system temporary directory (/tmp on Linux). On non-root deployments, os.RemoveAll("/tmp") removes all files in /tmp owned by the dagu process user, disrupting every concurrent dagu run that has live temp files. On root or Docker deployments, the call removes the entire contents of /tmp, causing a system-wide denial of service. This vulnerability is fixed in 2.2.4.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 12 hours ago

Fediverse


⚠️ CRITICAL vuln: dagu <2.2.4 suffers from path traversal (CVE-2026-31886). Exploit allows deletion of /tmp, causing system-wide DoS. Upgrade to 2.2.4+ or enforce input validation now! radar.offseq.com/threat/cve-20

  • 1
  • 1
  • 0
  • 12h ago

Overview

  • ctfer-io
  • monitoring

13 Mar 2026
Published
13 Mar 2026
Updated

CVSS v4.0
HIGH (7.1)
EPSS
0.04%

KEV

Description

The CTFer.io Monitoring component is in charge of the collection, processing and storage of various signals (i.e. logs, metrics and distributed traces). Prior to 0.2.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from a component to any other namespace. This breaks the security-by-default property expected as part of the deployment program, leading to potential lateral movement. This vulnerability is fixed in 0.2.1.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 6 hours ago

Fediverse


CVE-2026-32720 (HIGH): ctfer-io monitoring <0.2.1 has improper access control, allowing lateral movement across Kubernetes namespaces — risks sensitive logs/metrics. Patch to 0.2.1+ ASAP! 🔒 radar.offseq.com/threat/cve-20

  • 1
  • 0
  • 0
  • 6h ago

Overview

  • nyariv
  • SandboxJS

13 Mar 2026
Published
13 Mar 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
0.05%

KEV

Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct {[p]: Function} where p is any constructible property. This vulnerability is fixed in 0.8.34.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 9 hours ago

Fediverse


🔥 CRITICAL: CVE-2026-26954 in SandboxJS (< 0.8.34) enables sandbox escape via Function & Object.fromEntries. Attackers can run arbitrary code remotely! Upgrade to v0.8.34+ now. Full details: radar.offseq.com/threat/cve-20

  • 1
  • 0
  • 0
  • 9h ago
Showing 1 to 10 of 48 CVEs