Overview

  • wpeverest
  • User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder

03 Mar 2026
Published
03 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.07%

KEV

Description

The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to improper privilege management in all versions up to, and including, 5.1.2. This is due to the plugin accepting a user-supplied role during membership registration without properly enforcing a server-side allowlist. This makes it possible for unauthenticated attackers to create administrator accounts by supplying a role value during membership registration.

Statistics

  • 5 Posts
  • 3 Interactions

Last activity: Last hour

Fediverse

⚠️ WordPress membership plugin bug exploited to create admin accounts

"The security vulnerability is tracked as CVE-2026-1492 and received a critical severity rating of 9.8. Because the plugin accepts a user-supplied role during membership registration, hackers can create administrator accounts without authentication"

bleepingcomputer.com/news/secu

#wordpress #cybersecurity

  • 2
  • 1
  • 0
  • 22h ago
Hackers are exploiting a WordPress plugin flaw (CVE-2026-1492) that lets attackers create admin accounts without authentication on

If you run WordPress, update or disable the plugin immediately.

bleepingcomputer.com/news/secu

  • 0
  • 0
  • 1
  • Last hour

Bluesky

🛑 WordPress – CVE-2026-1492: a flaw in a plugin makes it very easy to become admin 👇 All the details - www.it-connect.fr/wordpress-cv... #WordPress #Web #infosec #cybersecurity
  • 0
  • 0
  • 0
  • 6h ago

Overview

  • VMware
  • Aria Operations
  • vmware-aria-operations

25 Feb 2026
Published
04 Mar 2026
Updated

CVSS v3.1
HIGH (8.1)
EPSS
7.35%

Description

VMware Aria Operations contains a command injection vulnerability. A malicious unauthenticated actor may exploit this issue to execute arbitrary commands, which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress. To remediate CVE-2026-22719, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' (https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947) in VMSA-2026-0001. Workarounds for CVE-2026-22719 are documented in the 'Workarounds' column of the same 'Response Matrix' in VMSA-2026-0001.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 1 hour ago

Bluesky

CISA added CVE-2026-22719 to KEV after active exploitation of VMware Aria Operations (incl. Cloud Foundation & vSphere Foundation). Patch immediately. Query: web.html~"com.vmware.vsphere.client" OR web.title~"VMware Cloud Director Availability" OR web.title~"VMware Aria Operations"
  • 0
  • 1
  • 0
  • 4h ago
CISA Adds Actively Exploited VMware Aria Operations Flaw CVE-2026-22719 to KEV Catalog
  • 0
  • 0
  • 0
  • 1h ago

Overview

  • WWBN
  • AVideo-Encoder

06 Mar 2026
Published
06 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.10%

KEV

Description

AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0.

Statistics

  • 2 Posts

Last activity: 5 hours ago

Fediverse

⚠️ CRITICAL OS command injection in WWBN AVideo-Encoder < 7.0 (CVE-2026-29058). Unauthenticated attackers can execute arbitrary commands, risking full server takeover. Patch to v7.0 ASAP! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 10h ago

Bluesky

CVE-2026-29058: The Zero-Click AVideo Hack That Lets Attackers Run Wild on Your Streaming Servers + Video Introduction: In the high-stakes world of streaming infrastructure, a newly disclosed zero-click vulnerability (CVE-2026-29058) is sending ripples through the cybersecurity community. This…
  • 0
  • 0
  • 0
  • 5h ago

Overview

  • pac4j
  • pac4j-jwt

04 Mar 2026
Published
05 Mar 2026
Updated

CVSS v4.0
CRITICAL (10.0)
EPSS
0.24%

KEV

Description

pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypassing signature verification to authenticate as any user including administrators.

Statistics

  • 2 Posts

Last activity: Last hour

Bluesky

Java JWT at risk: the flaw in pac4j-jwt lets you become admin with a single token. The CVE-2026-29000 vulnerability in pac4j-jwt allows bypassing authenticat... https://www.ilsoftware.it/vulnerabilita-applicazioni-jwt-java-libreria-pac4j-jwt/
  • 0
  • 0
  • 0
  • 23h ago
CVE-2026-29000: Critical Auth Bypass in pac4j-jwt: Full PoC Using Only a Public Key
  • 0
  • 0
  • 0
  • Last hour

Overview

  • Cisco
  • Cisco Catalyst SD-WAN Manager

25 Feb 2026
Published
06 Mar 2026
Updated

CVSS v3.1
MEDIUM (5.4)
EPSS
0.04%

KEV

Description

A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. To exploit this vulnerability, the attacker must have valid read-only credentials with API access on the affected system. This vulnerability is due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.

Statistics

  • 3 Posts
  • 1 Interaction

Last activity: Last hour

Bluesky

Cisco has confirmed active exploitation targeting two vulnerabilities in Cisco Catalyst SD-WAN Manager (formerly vManage), tracked as CVE-2026-20122 and CVE-2026-20128. socradar.io/blog/cisco-c...
  • 0
  • 1
  • 0
  • 3h ago
Cisco Catalyst SD-WAN vulnerabilities: exploitation of two more revealed: CVE-2026-20128, CVE-2026-20122 | Codebook|Security News https://codebook.machinarecord.com/threatreport/silobreaker-cyber-alert/44386/
  • 0
  • 0
  • 0
  • 11h ago
Cisco warns of SD-WAN Manager exploitation and fixes 48 firewall vulnerabilities. Hackers are already actively exploiting two critical flaws (CVE-2026-20128 and CVE-2026-20122). If you use Cisco equipment, patch now before it's too late! www.linkedin.com/pulse/cisco-...
  • 0
  • 0
  • 0
  • Last hour

Overview

  • Cisco
  • Cisco Catalyst SD-WAN Manager

25 Feb 2026
Published
06 Mar 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.02%

KEV

Description

A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker to gain DCA user privileges on an affected system. To exploit this vulnerability, the attacker must have valid vmanage credentials on the affected system. This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by accessing the filesystem as a low-privileged user and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.

Statistics

  • 3 Posts
  • 1 Interaction

Last activity: Last hour

Bluesky

Cisco has confirmed active exploitation targeting two vulnerabilities in Cisco Catalyst SD-WAN Manager (formerly vManage), tracked as CVE-2026-20122 and CVE-2026-20128. socradar.io/blog/cisco-c...
  • 0
  • 1
  • 0
  • 3h ago
Cisco Catalyst SD-WAN vulnerabilities: exploitation of two more revealed: CVE-2026-20128, CVE-2026-20122 | Codebook|Security News https://codebook.machinarecord.com/threatreport/silobreaker-cyber-alert/44386/
  • 0
  • 0
  • 0
  • 11h ago
Cisco warns of SD-WAN Manager exploitation and fixes 48 firewall vulnerabilities. Hackers are already actively exploiting two critical flaws (CVE-2026-20128 and CVE-2026-20122). If you use Cisco equipment, patch now before it's too late! www.linkedin.com/pulse/cisco-...
  • 0
  • 0
  • 0
  • Last hour

Overview

  • Google
  • Chrome

04 Mar 2026
Published
05 Mar 2026
Updated

CVSS
Pending
EPSS
0.07%

KEV

Description

Integer overflow in ANGLE in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical)

Statistics

  • 2 Posts

Last activity: 7 hours ago

Bluesky

Heads up, #Debian self-hosters and sysadmins. DSA-6157-1 is out for Chromium, addressing CVE-2026-3536 (arbitrary code execution) and friends. Read more: 👉 tinyurl.com/4hrbcfek #Security
  • 0
  • 0
  • 0
  • 7h ago
Google fixes 10 Chrome vulnerabilities, including 3 critical ones (CVE-2026-3536, CVE-2026-3537, CVE-2026-3538) rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #セキュリティ #Security #CybersecurityNews
  • 0
  • 0
  • 0
  • 12h ago

Overview

  • Cisco
  • Cisco Catalyst SD-WAN Manager

25 Feb 2026
Published
26 Feb 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
2.60%

Description

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.

Statistics

  • 1 Post
  • 3 Interactions

Last activity: 22 hours ago

Fediverse

Cisco Catalyst SD-WAN CVSS 10.0 zero-day (CVE-2026-20127) has been actively exploited, with attackers gaining admin access.

Full technical breakdown: forum.hashpwn.net/post/10802

  • 3
  • 0
  • 0
  • 22h ago

Overview

  • zed-industries
  • zed

25 Feb 2026
Published
27 Feb 2026
Updated

CVSS v3.1
HIGH (8.8)
EPSS
0.05%

KEV

Description

Zed, a code editor, has an extension installer that allows tar/gzip downloads. Prior to version 0.224.4, the tar extractor (`async_tar::Archive::unpack`) creates symlinks from the archive without validation, and the path guard (`writeable_path_from_extension`) only performs lexical prefix checks without resolving symlinks. An attacker can ship a tar that first creates a symlink inside the extension workdir pointing outside it (e.g., `escape -> /`), then writes files through the symlink, causing writes to arbitrary host paths. This escapes the extension sandbox and enables code execution. Version 0.224.4 patches the issue.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 4 hours ago

Bluesky

📌 CVE-2026-27976 - Zed, a code editor, has an extension installer allows tar/gzip downloads. Prior to version 0.224.4, the tar extractor (`async_tar::Archive::unpack`) c... https://www.cyberhub.blog/cves/CVE-2026-27976
  • 0
  • 2
  • 0
  • 4h ago

Overview

  • authlib
  • joserfc

03 Mar 2026
Published
04 Mar 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.08%

KEV

Description

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In 1.6.2 and earlier, a resource exhaustion vulnerability in joserfc allows an unauthenticated attacker to cause a Denial of Service (DoS) via CPU exhaustion. When the library decrypts a JSON Web Encryption (JWE) token using Password-Based Encryption (PBES2) algorithms, it reads the p2c (PBES2 Count) parameter directly from the token's protected header. This parameter defines the number of iterations for the PBKDF2 key derivation function. Because joserfc does not validate or bound this value, an attacker can specify an extremely large iteration count (e.g., 2^31 - 1), forcing the server to expend massive CPU resources processing a single token. This vulnerability exists at the JWA layer and impacts all high-level JWE and JWT decryption interfaces if PBES2 algorithms are allowed by the application's policy.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 22 hours ago

Bluesky

📌 CVE-2026-27932 - joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In 1.6.2 and earlier, a re... https://www.cyberhub.blog/cves/CVE-2026-27932
  • 0
  • 1
  • 0
  • 22h ago
Showing 1 to 10 of 97 CVEs