Overview

  • 0xJacky
  • nginx-ui

30 Mar 2026
Published
16 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.06%

KEV

Description

Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as "allow all". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover. At time of publication, there are no publicly available patches.

Statistics

  • 13 Posts
  • 4 Interactions

Last activity: 3 hours ago

Fediverse

CVE-2026-33032: authentication flaw in nginx-ui is being actively exploited

A single missing middleware line in the web-based Nginx management tool nginx-ui is enough for attackers on the network to manipulate all configuration files and take over the web server, entirely without credentials

all-about-security.de/cve-2026

#cve #middleware #nginx #mcp #mcpserver

  • 0
  • 0
  • 0
  • 16h ago
A critical vulnerability in Nginx UI is being actively exploited, allowing attackers to gain complete control over affected servers.
Nginx UI (nginx-ui) is an open source, web-based management tool for the Nginx web server.
The flaw, tracked as CVE-2026-33032, was recently fixed in version 2.3.4.

  • 0
  • 0
  • 0
  • 15h ago
⚠️ CRITICAL: Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover

CVE-2026-33032 is a critical authentication bypass in nginx-ui that allows unauthenticated attackers to modify Nginx configurations and take over the service completely. An estimated 2,689 vulnerable instances remain exposed globally and active exploitation is confirmed in the wild. Any unpatched n…

threatnoir.com/focus

  • 0
  • 0
  • 0
  • 8h ago
📰 Critical Auth Bypass in nginx-ui (CVE-2026-33032) Actively Exploited for Full Nginx Takeover

🚨 CRITICAL FLAW: nginx-ui is being actively exploited via an auth bypass (CVE-2026-33032, CVSS 9.8). Unauthenticated attackers can gain full RCE. Patch to version 2.3.4+ immediately! #nginx #CyberSecurity #Vulnerability

🔗 cyber.netsecops.io/articles/cr

  • 0
  • 0
  • 0
  • 3h ago

Bluesky

CVE-2026-33032: authentication flaw in nginx-ui is being actively exploited - A single missing middleware line in the web-based Nginx management tool nginx-ui is enough for attackers on the network to manipulate all configuration files and take over the web server... www.all-about-security.de/cve-2026-330...
  • 1
  • 0
  • 0
  • 13h ago
Actively Exploited nginx-ui Flaw Enables Full Nginx Server Takeover. This authentication bypass vulnerability (CVE-2026-33032) enables threat actors to seize control of the service. It has been codenamed MCPwn by Pluto Security. #nginx #vulnerability thehackernews.com/2026/04/crit...
  • 1
  • 0
  • 0
  • 11h ago
🚨 On 3/30/26, a security advisory was published for CVE-2026-33032 – a critical vulnerability affecting #NginxUI. This is a missing authentication bug with a CVSS score of 9.8, and exploitation in the wild has begun. More from Rapid7: r-7.co/4mzAr7G
  • 0
  • 2
  • 0
  • 3h ago
CVE-2026-33032: a severe bug in nginx-ui permits access to unauthenticated servers. CVE-2026-33032: severe nginx-ui bug grants unauthenticated server access #SecurityAffairs (Apr 15) securityaffairs.com/190841/hacki...
  • 0
  • 0
  • 0
  • 23h ago
The nginx-ui vulnerability (CVE-2026-33032) is being exploited, making complete takeover of Nginx servers possible. Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover #HackerNews (Apr 15) thehackernews.com/2026/04/crit...
  • 0
  • 0
  • 0
  • 23h ago
A critical auth bypass in nginx-ui (CVE-2026-33032) allows attackers to restart servers, modify configs, and steal credentials via the unauthenticated /mcp_message endpoint. Patch released in version 2.3.4. #nginx #AuthBypass #USA
  • 0
  • 0
  • 0
  • 19h ago
Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover reconbee.com/actively-exp... #nginxuiflaw #Nginxservertakeover #cybersecurity #cyberattack
  • 0
  • 0
  • 0
  • 18h ago
Critical Nginx UI Auth Bypass Flaw Actively Exploited. A critical vulnerability in the Nginx UI, known as CVE-2026-33032, is being exploited by attackers... @thecosmicmeta.com #Nginx https://u2m.io/h88aY2wo
  • 0
  • 0
  • 0
  • 9h ago
~Cybergcca~ Critical flaws in Drupal core (XSS) and Nginx UI (CVE-2026-33032, exploited in wild). - IOCs: CVE-2026-33032, SA-CORE-2026-001 - #Drupal #Nginx #ThreatIntel
  • 0
  • 0
  • 0
  • 7h ago

Overview

  • Cisco
  • Cisco Webex Meetings

15 Apr 2026
Published
16 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.05%

KEV

Description

A vulnerability in the integration of single sign-on (SSO) with Control Hub in Cisco Webex Services could have allowed an unauthenticated, remote attacker to impersonate any user within the service. This vulnerability existed because of improper certificate validation. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by connecting to a service endpoint and supplying a crafted token. A successful exploit could have allowed the attacker to gain unauthorized access to legitimate Cisco Webex services.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 8 hours ago

Bluesky

Cisco Webex Zero-Day Alert: Unauthenticated Remote Attackers Can Impersonate Any User – Patch Now! + Video Introduction A critical vulnerability (CVE-2026-20184) has been discovered in Cisco Webex cloud-based services, allowing an unauthenticated remote attacker to bypass authentication mechanisms…
  • 0
  • 0
  • 0
  • 13h ago

Overview

  • Microsoft
  • Windows Server 2012 R2

14 Apr 2026
Published
16 Apr 2026
Updated

CVSS v3.1
HIGH (8.0)
EPSS
0.36%

KEV

Description

Improper input validation in Windows Active Directory allows an authorized attacker to execute code over an adjacent network.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 11 hours ago

Bluesky

Windows Active Directory Flaw Enables Remote Code Execution (CVE-2026-33826) https://medium.com/@ajudeb55/windows-active-directory-flaw-enables-remote-code-execution-cve-2026-33826-04968705df96?source=rss------bug_bounty-5
  • 0
  • 1
  • 0
  • 19h ago
CVE-2026-33826: The 80-Second RCE That Turns Your Identity Management Into a Sieve + Video Introduction: A single malformed Remote Procedure Call (RPC) sent by an authenticated low-privilege user is all it takes to trigger arbitrary code execution at the SYSTEM level on your domain controllers.…
  • 0
  • 0
  • 0
  • 11h ago

Overview

  • Microsoft
  • Microsoft Defender Antimalware Platform

14 Apr 2026
Published
16 Apr 2026
Updated

CVSS v3.1
HIGH (7.8)
EPSS
0.04%

KEV

Description

Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.

Statistics

  • 2 Posts

Last activity: 6 hours ago

Fediverse

Fully exploitable Windows Defender vulnerability with full source code public for >8 days, no CVE assigned so far (BlueHammer).

Writeup: hackingpassion.com/bluehammer-

Full source code: github.com/Nightmare-Eclipse/B

/cc @bsi What exactly is the "process" for fully public vulnerabilities for which, after more than a week, there is not even a CVE number yet?

Edit: Patch and CVE number CVE-2026-33825 available by now. Took 6 days though.

#infosec #itsec #Microsoft #WindowsDefender #BlueHammer

  • 0
  • 0
  • 0
  • 12h ago

Bluesky

To clarify the new CVEs: the same person released 3 PoCs... BLUEHAMMER - LPE in Windows Defender. CVE-2026-33825, patch included in the April rollup. UNDEFED - DoS against Windows Defender. No info on a CVE or patch. REDSUN - LPE in Windows Defender. Exploit released. No patch.
  • 0
  • 0
  • 0
  • 6h ago

Overview

  • Fortinet
  • FortiClientEMS

06 Feb 2026
Published
14 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
33.91%

Description

An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

Statistics

  • 1 Post
  • 4 Interactions

Last activity: 15 hours ago

Fediverse

Critical Fortinet FortiClient EMS Vulnerability CVE-2026-21643 Actively Exploited — CISA Demands Patch Today
#CyberSecurity
securebulletin.com/critical-fo

  • 4
  • 0
  • 0
  • 15h ago

Overview

  • Pending

25 Feb 2009
Published
15 Apr 2026
Updated

CVSS
Pending
EPSS
81.14%

Description

Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel Viewer 2003 Gold and SP3; Excel Viewer; Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1; and Excel in Microsoft Office 2004 and 2008 for Mac allow remote attackers to execute arbitrary code via a crafted Excel document that triggers an access attempt on an invalid object, as exploited in the wild in February 2009 by Trojan.Mdropper.AC.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 4 hours ago

Fediverse

Ancient bug in MS Excel is under attack

Hard to believe, but true: the security vulnerability CVE-2009-0238 from February 2009, for which an update has long been available, is apparently being actively exploited in attacks right now. At any rate, it was added to CISA's KEV catalog on 2026-04-14; US agencies must update their systems within two weeks. Affected are

Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, 2007 SP1
Excel Viewer 2003 Gold and SP3
Excel Viewer
Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1
Excel in Microsoft Office 2004 and 2008 for Mac

An attacker can gain full control over the

pc-fluesterer.info/wordpress/2

#Empfehlung #Hintergrund #Warnung #cybercrime #exploits #Microsoft #office #sicherheit #unplugMicrosoft

  • 1
  • 0
  • 0
  • 4h ago

Overview

  • Red Hat
  • Red Hat OpenShift GitOps
  • openshift-gitops-1/argocd-image-updater-rhel8

15 Apr 2026
Published
16 Apr 2026
Updated

CVSS
Pending
EPSS
0.03%

KEV

Description

A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger unauthorized image updates on applications managed by other tenants. This leads to cross-namespace privilege escalation, impacting application integrity through unauthorized application updates.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 22 hours ago

Fediverse

🚨 CRITICAL: CVE-2026-6388 in Red Hat OpenShift GitOps (CVSS 9.1) lets attackers with ImageUpdater access bypass namespace boundaries in multi-tenant setups. Restrict permissions & monitor changes. No patch yet — see radar.offseq.com/threat/cve-20

  • 1
  • 0
  • 0
  • 22h ago

Overview

  • ruby
  • json

20 Mar 2026
Published
23 Mar 2026
Updated

CVSS v4.0
HIGH (8.3)
EPSS
0.03%

KEV

Description

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 11 hours ago

Bluesky

🚨 New CRITICAL CVE detected in AWS Lambda 🚨 CVE-2026-33210 impacts json in 1 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/479 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 1
  • 0
  • 11h ago

Overview

  • Microsoft
  • Windows 10 Version 1607

14 Apr 2026
Published
16 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.07%

KEV

Description

Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 15 hours ago

Fediverse

Microsoft dropped two wormable bugs in this month's Patch Tuesday. CVE-2026-33824 is a double free in the Windows IKE extension that lets an unauthorised attacker execute code over the network.

No auth needed, no user interaction. ZDI gave it two "bugs of the month" labels in the same release because both the IKE and TCP/IP flaws are wormable.

1/2

  • 0
  • 1
  • 0
  • 15h ago

Overview

  • @fastify/static
  • @fastify/static

16 Apr 2026
Published
16 Apr 2026
Updated

CVSS v3.1
MEDIUM (5.3)
EPSS
Pending

KEV

Description

@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory and file names. File contents are not disclosed. Upgrade to @fastify/static 9.1.1 to fix this issue. As a workaround, disable directory listing by removing the list option from the plugin configuration.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 10 hours ago

Bluesky

🚨 Medium-severity security fix in @fastify/static@9.1.1 just released! Patches CVE-2026-6410 — path traversal in directory listing github.com/fastify/fast...
  • 0
  • 1
  • 1
  • 10h ago