
Overview

  • Google
  • Chrome

12 Mar 2026
Published
14 Mar 2026
Updated

CVSS
Pending
EPSS
0.08%

Description

Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Statistics

  • 6 Posts
  • 2 Interactions

Last activity: 8 hours ago

Fediverse

@tresronours@parlote.facil.services:

Two Newly Discovered Chrome Zero-Days Exploited in the Wild to Run Malicious Code


Google has released an urgent security update for its Chrome desktop browser to address two critical zero-day vulnerabilities. Tracked as CVE-2026-3909 and CVE-2026-3910, both flaws are categorized as high-severity and are confirmed to be actively exploited by attackers in the wild. Users are strongly advised to update their browsers immediately to protect against potential malicious […]

The post Two Newly Discovered Chrome Zero-Days Exploited in the Wild to Run Malicious Code appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
posted by pod_feeder

  • 0
  • 0
  • 0
  • 23h ago

Bluesky

#Chrome: Google released security updates for its Chrome web browser to address two high-severity #zeroday #vulnerabilities CVE-2026-3909 & CVE-2026-3910 that it said have been exploited in the wild. Make sure to update your Chrome today! (restart it): 👇
  • 1
  • 0
  • 1
  • 20h ago
Emergency Chrome update! Google patched two zero-day vulnerabilities (CVE-2026-3909 & CVE-2026-3910) actively exploited in attacks. Update your browser now to version 146.0.7680.75/.76. #Cybersecurity #News
  • 0
  • 1
  • 0
  • 8h ago
Google released an emergency Chrome 146 update fixing two zero-day exploits: an out-of-bounds write in Skia (CVE-2026-3909) and a V8 engine flaw (CVE-2026-3910), patched on multiple platforms. #ZeroDay #ChromeUpdate #USA
  • 0
  • 0
  • 0
  • 22h ago
~Cisa~ CISA added two actively exploited Google vulnerabilities (Skia and Chromium V8) to its KEV catalog, urging immediate patching. - IOCs: CVE-2026-3909, CVE-2026-3910 - #CISA #KEV #ThreatIntel
  • 0
  • 0
  • 0
  • 12h ago

Overview

  • Google
  • Chrome

12 Mar 2026
Published
14 Mar 2026
Updated

CVSS
Pending
EPSS
0.07%

Description

Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
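Both Chrome descriptions above name the same fixed build, 146.0.7680.75. What follows is an added example, not Google's or Chromium's tooling: a small triage helper that sorts a fleet inventory into hosts that still run a build below that one, hosts that are current, and hosts whose version field cannot be parsed (reported separately, never counted as safe). The hostnames and version strings are constructed for the demo. Versions are compared as integer tuples because plain string comparison puts 146.0.7680.9 after 146.0.7680.75.

```python
"""Added example (not Google/Chromium code): flag Chrome builds below the fixed
release named in the advisory. Inventory lines and hostnames are constructed."""
import re

FIXED_VERSION = "146.0.7680.75"   # first build carrying the V8 and Skia fixes, per the advisory text

_VERSION_RE = re.compile(r"^\d+(?:\.\d+){3}$")  # Chromium versions are four dotted integers


def parse_version(s: str) -> tuple[int, int, int, int]:
    """Turn '146.0.7680.75' into (146, 0, 7680, 75); reject anything else loudly."""
    s = s.strip()
    if not _VERSION_RE.match(s):
        raise ValueError(f"not a Chromium version string: {s!r}")
    return tuple(int(p) for p in s.split("."))  # type: ignore[return-value]


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fixed build.
    Tuple comparison avoids the string-compare bug where '146.0.7680.9' > '146.0.7680.75'."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: str, fixed: str = FIXED_VERSION) -> dict[str, list[str]]:
    """Split 'host,version' lines into hosts needing the update, hosts that are
    current, and hosts whose version could not be parsed (unknown is not safe)."""
    out: dict[str, list[str]] = {"update": [], "ok": [], "unparseable": []}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            bucket = "update" if is_vulnerable(version, fixed) else "ok"
        except ValueError:
            bucket = "unparseable"
        out[bucket].append(host.strip())
    return out


# Constructed inventory; hosts and versions are made up for the example.
SAMPLE_INVENTORY = """\
# host,chrome_version
ws-01,146.0.7680.57
ws-02,146.0.7680.75
ws-03,146.0.7680.76
ws-04,145.0.7632.110
ws-05,unknown
"""

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Any host that lands in the "unparseable" bucket should be checked by hand; a version field that does not parse usually means the inventory agent is stale, which is exactly the machine most likely to be running an old browser.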

Statistics

  • 6 Posts
  • 2 Interactions

Last activity: 8 hours ago

Overview

  • Microsoft
  • Microsoft Devices Pricing Program

05 Mar 2026
Published
13 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.38%

KEV

Description

Microsoft Devices Pricing Program Remote Code Execution Vulnerability

Statistics

  • 3 Posts
  • 4 Interactions

Last activity: 5 hours ago

Bluesky

Microsoft’s March 2026 Patch Tuesday: Critical CVE-2026-21536 Exposed – How AI-Powered Offensive Security is Changing the Game + Video Introduction In March 2026, Microsoft released its monthly Patch Tuesday update, addressing over 100 vulnerabilities, including a critical flaw in the Microsoft…
  • 1
  • 2
  • 0
  • 5h ago
In a historic first for Microsoft, XBOW, an autonomous pentesting system, discovered and reported a critical unauthenticated remote code execution vulnerability in the Microsoft Devices Pricing Program (CVE-2026-21536). https://bit.ly/4s2u8vq
  • 0
  • 1
  • 0
  • 13h ago
~Sophos~ Microsoft patched 84 CVEs, including 8 Critical flaws and 2 publicly disclosed issues. - IOCs: CVE-2026-21536, CVE-2026-21262, CVE-2026-23668 - #PatchTuesday #ThreatIntel #Vulnerability
  • 0
  • 0
  • 0
  • 12h ago

Overview

  • Cisco
  • Cisco Catalyst SD-WAN Manager

25 Feb 2026
Published
26 Feb 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
2.60%

Description

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric. 

Statistics

  • 2 Posts
  • 2 Interactions

Last activity: 20 hours ago

Fediverse


US agencies face a CISA deadline to secure networks after a critical Cisco SD-WAN flaw (CVE-2026-20127) exposed federal systems to long-term intrusion and admin access.

Read: hackread.com/us-agencies-cisa-

#CyberSecurity #Cisco #SDWAN #CISA #Vulnerability

  • 0
  • 1
  • 0
  • 20h ago

Bluesky

US agencies face a CISA deadline to secure networks after a critical Cisco SD-WAN flaw (CVE-2026-20127) exposed federal systems to long-term intrusion and admin access. Read: hackread.com/us-agencies-... #CyberSecurity #Cisco #SDWAN #CISA #Vulnerability
  • 1
  • 0
  • 0
  • 20h ago

Overview

  • elemntor
  • Ally – Web Accessibility & Usability

11 Mar 2026
Published
11 Mar 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
11.89%

KEV

Description

The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques. The Remediation module must be active, which requires the plugin to be connected to an Elementor account.
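The description above makes a point that is easy to miss: escaping for URL safety and escaping for SQL are different things, and a value that passes the first can still rewrite a concatenated query. The following is an added example, not the Ally plugin's code. url_safe() is a simplified stand-in for esc_url_raw() that keeps the property the advisory relies on (single quotes and parentheses are legal URL characters and pass through); the schema, rows and payload are constructed, and the payload uses /**/ where a query would normally have spaces because the sanitiser encodes spaces. SQLite has no SLEEP(), so the demo shows the boolean effect of the injection (every row leaks) rather than the time-based variant the advisory mentions; the query shape is the same.

```python
"""Added example (not the Ally plugin's code): a URL sanitiser does not protect an
SQL JOIN assembled by string concatenation. Schema, rows and payload are constructed."""
import sqlite3

# Characters a URL sanitiser leaves alone. Note ' ( ) : harmless in a URL, structural in SQL.
_URL_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
                 "-._~:/?#[]@!$&'()*+,;=%")


def url_safe(url: str) -> str:
    """Stand-in for esc_url_raw(): encode spaces, drop non-URL characters.
    It does nothing about SQL metacharacters, which is the whole point."""
    return "".join(ch for ch in url.strip().replace(" ", "%20") if ch in _URL_CHARS)


def _db() -> sqlite3.Connection:
    """In-memory stand-in for the plugin's tables; column names are made up."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE pages(id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE remediations(page_id INTEGER, rule TEXT, secret TEXT);
        INSERT INTO pages VALUES (1, 'https://example.test/home'),
                                 (2, 'https://example.test/admin');
        INSERT INTO remediations VALUES (1, 'alt-text', 'public'),
                                        (2, 'contrast', 'internal-only');
    """)
    return con


def remediations_vulnerable(url: str) -> list:
    """Concatenates the 'sanitised' URL into the JOIN condition, the pattern the advisory describes."""
    sql = ("SELECT r.rule, r.secret FROM remediations r "
           "JOIN pages p ON p.id = r.page_id AND p.url = '" + url_safe(url) + "'")
    return _db().execute(sql).fetchall()


def remediations_fixed(url: str) -> list:
    """Same query with a bound parameter: the URL can never change the SQL's shape."""
    sql = ("SELECT r.rule, r.secret FROM remediations r "
           "JOIN pages p ON p.id = r.page_id AND p.url = ?")
    return _db().execute(sql, (url_safe(url),)).fetchall()


# Constructed payload: a legal-looking URL whose quote closes the string literal;
# AND binds tighter than OR, so the JOIN condition becomes (...) OR 'a'='a'.
PAYLOAD = "https://example.test/home'/**/OR/**/'a'='a"

if __name__ == "__main__":
    print("vulnerable:", remediations_vulnerable(PAYLOAD))   # every row, including 'internal-only'
    print("fixed:     ", remediations_fixed(PAYLOAD))        # no page has that URL: no rows
```

In the WordPress codebase the equivalent of the bound parameter is $wpdb->prepare(); the fix is to pass the URL as a placeholder argument rather than interpolating it, regardless of what esc_url_raw() has already done to it.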

Statistics

  • 3 Posts

Last activity: 17 hours ago

Fediverse


Over 200,000 #WordPress sites are exposed due to an SQL injection flaw in the Ally plugin (CVE-2026-2413), allowing attackers to extract database data. Patch released, but many sites remain vulnerable.

Read: hackread.com/sql-injection-vul

#CyberSecurity #SQLInjection #Vulnerability

  • 0
  • 0
  • 1
  • 19h ago

Bluesky

Critical SQLi Bug Hits Ally Plugin Sites Read More: buff.ly/O6ZOGn0 #CVE20262413 #WordPressSecurity #SQLInjection #AllyPlugin #WebAppSecurity #CriticalVulnerability #PatchNow #InfosecAlert
  • 0
  • 0
  • 0
  • 17h ago

Overview

  • Pending

24 Feb 2026
Published
25 Feb 2026
Updated

CVSS
Pending
EPSS
0.64%

KEV

Description

FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can bypass JWT authentication by spoofing the Referer header to match the server's host. Successful exploitation allows the attacker to access the protected /api/runscript endpoint and execute arbitrary Node.js code on the server.
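The flaw described above is a trust decision made on a header the client controls. The following is an added example, not FUXA's code: a model of a gate that waives token validation for requests whose Referer matches the server host, next to a gate that only ever consults the signed token. The host name, signing key, token format (an HMAC-SHA256 over a JSON payload, standing in for the JWT) and the request headers are all constructed for the demo.

```python
"""Added example (not FUXA's code): Referer-based 'internal request' bypass, modelled
in Python, beside a gate that ignores origin headers. Host, key and tokens are constructed."""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlparse

SERVER_HOST = "hmi.example.test"   # assumed deployment host
SECRET = b"demo-only-secret"       # constructed signing key


# --- the flawed gate ---------------------------------------------------------
def allow_vulnerable(headers: dict) -> bool:
    """Treats a Referer that names our own host as proof the request is internal
    and skips token validation. Any client can send any Referer."""
    if urlparse(headers.get("Referer", "")).hostname == SERVER_HOST:
        return True
    return verify_token(headers.get("Authorization", ""))


# --- the hardened gate -------------------------------------------------------
def allow_fixed(headers: dict) -> bool:
    """Only the signed token decides; Referer, Origin and Host play no part."""
    return verify_token(headers.get("Authorization", ""))


# --- minimal HMAC token, a stand-in for the JWT ------------------------------
def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str) -> str:
    body = _b64(json.dumps({"sub": subject}).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(authz: str) -> bool:
    """Expects 'Bearer <body>.<sig>'; recomputes the MAC and compares in constant time."""
    if not authz.startswith("Bearer "):
        return False
    try:
        body, sig = authz[len("Bearer "):].split(".", 1)
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False
        json.loads(_unb64(body))
        return True
    except (ValueError, TypeError):
        return False


def forge(token: str, subject: str) -> str:
    """Reuse a genuine signature over a different payload; must fail verification."""
    _, sig = token.split(".", 1)
    return _b64(json.dumps({"sub": subject}).encode()) + "." + sig


# Constructed requests to the protected endpoint.
SPOOFED = {"Referer": f"http://{SERVER_HOST}/editor", "Authorization": ""}
LEGIT = {"Authorization": f"Bearer {issue_token('operator')}"}
FORGED = {"Authorization": "Bearer " + forge(issue_token("operator"), "admin")}

if __name__ == "__main__":
    for name, hdrs in (("spoofed referer", SPOOFED), ("valid token", LEGIT), ("forged token", FORGED)):
        print(f"{name:16} vulnerable={allow_vulnerable(hdrs)!s:5}  fixed={allow_fixed(hdrs)}")
```

The spoofed request needs no token at all to pass the flawed gate, which is what turns a script-execution endpoint into unauthenticated remote code execution. Referer and Origin are useful as a CSRF signal on top of authentication, never as a substitute for it.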

Statistics

  • 1 Post
  • 12 Interactions

Last activity: 12 hours ago

Fediverse


Today's CVE stinker: github.com/joshuavanderpoll/CV

You can get auth bypass on a SCADA HMI that already doesn't require auth, and then run a script by sending the script to `api/runscript`

Is this still a useful CVE? Perhaps! I am not an expert on FUXA HMIs specifically, and I'm sure they didn't intend for their runscript endpoint to be used to run *anything*

but still.

"you can run scripts by sending them to /api/runscript" sure is a funny CVE description.

  • 6
  • 6
  • 0
  • 12h ago

Overview

  • defnull
  • multipart

12 Mar 2026
Published
13 Mar 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
Pending

KEV

Description

multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parse_options_header() function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking (ReDoS) when parsing maliciously crafted HTTP or multipart segment headers. This can be abused for denial of service (DoS) attacks against web applications using this library to parse request headers or multipart/form-data streams. The issue is fixed in 1.2.2, 1.3.1 and 1.4.0-dev.
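The defect class the description names, an ambiguous alternation under a quantifier, is worth seeing in isolation because the pattern looks harmless until it is handed a key that never reaches its `=`. The following is an added example, not the multipart library's code: VULN and SAFE are constructed header-option regexes (the real pattern in multipart.py is different), shown with a length cap applied before any regex runs. The ambiguity is that an ordinary letter satisfies both `[^;=\s]` and `\w`, so on failure the engine tries every way of splitting the key between the two branches.

```python
"""Added example (not multipart's code): exponential backtracking from an ambiguous
alternation in a header-option regex, beside an unambiguous rewrite and a length cap."""
import re
import time

# Ambiguous: 'a' matches both branches, so a long key with no '=' after it costs 2^n tries.
# The first branch is a negated class, so the regex compiler cannot merge the branches.
VULN = re.compile(r";\s*((?:[^;=\s]|\w)+)\s*=\s*([^;]*)")

# Unambiguous: exactly one way to consume each character; failure is linear.
SAFE = re.compile(r";\s*([^;=\s]+)\s*=\s*([^;]*)")

MAX_HEADER_LEN = 8192   # assumed cap; enforced before any regex touches the input


def parse_options(header: str, pattern: re.Pattern = SAFE) -> dict:
    """'form-data; name="f"; filename="a.txt"' -> {'name': 'f', 'filename': 'a.txt'}.
    Quoted values are unquoted naively; enough for the demo."""
    if len(header) > MAX_HEADER_LEN:
        raise ValueError("header too long")
    return {m.group(1): m.group(2).strip().strip('"') for m in pattern.finditer(header)}


def accepts(header: str, pattern: re.Pattern = SAFE) -> bool:
    """True if the header is parsed at all (i.e. passes the length cap)."""
    try:
        parse_options(header, pattern)
        return True
    except ValueError:
        return False


def seconds_to_fail(pattern: re.Pattern, n: int) -> float:
    """Time one search over a constructed worst case: an n-character key with no '='."""
    text = "form-data; " + "a" * n
    t0 = time.perf_counter()
    if pattern.search(text) is not None:
        raise AssertionError("pattern unexpectedly matched")
    return time.perf_counter() - t0


CONSTRUCTED_HEADER = 'form-data; name="upload"; filename="report.pdf"'

if __name__ == "__main__":
    print(parse_options(CONSTRUCTED_HEADER, VULN))
    print(parse_options(CONSTRUCTED_HEADER, SAFE))
    for n in (10, 14, 18):              # each +4 multiplies VULN's time by about 16
        print(f"VULN n={n:2}: {seconds_to_fail(VULN, n):.4f}s")
    print(f"SAFE n=5000: {seconds_to_fail(SAFE, 5000):.4f}s")
```

Both patterns give identical results on well-formed input, which is why this class of bug survives ordinary testing; it only shows up under a crafted header. The length cap is the defence-in-depth layer for the cases where a pattern is merely quadratic rather than exponential, and it belongs in front of the parser, not inside it.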

Statistics

  • 1 Post
  • 9 Interactions

Last activity: Last hour

Fediverse


The 'multipart' #python library got an independent #security audit and I only know about that because they found something -> CVE-2026-28356

This is great, actually! Someone looked into it so thoroughly that they found an obscure single-character issue in a regular expression ... and didn't find anything else! Which means I can now be really confident about the security of this library. Nice!

#cve #infosec #sansio

  • 4
  • 5
  • 0
  • Last hour

Overview

  • dagu-org
  • dagu

13 Mar 2026
Published
13 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
Pending

KEV

Description

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves .. segments lexically, so a caller can supply a value such as ".." to redirect the computed directory outside the intended /tmp/<name>/<id> path. A deferred cleanup function that calls os.RemoveAll on that directory then runs unconditionally when the HTTP handler returns, deleting whatever directory the traversal resolved to. With dagRunId set to "..", the resolved directory is the system temporary directory (/tmp on Linux). On non-root deployments, os.RemoveAll("/tmp") removes all files in /tmp owned by the dagu process user, disrupting every concurrent dagu run that has live temp files. On root or Docker deployments, the call removes the entire contents of /tmp, causing a system-wide denial of service. This vulnerability is fixed in 2.2.4.
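The description above turns on one property of lexical path joining: the `..` is resolved by string manipulation, so nothing stops the computed directory from landing above the intended one, and the deferred cleanup then removes whatever that is. The following is an added example, not dagu's code, written in Python because os.path.join plus os.path.normpath resolves `..` lexically the same way the advisory says Go's filepath.Join does. The directory names, the assumed dagRunId format and the handler shape are constructed for the demo; everything runs inside a throwaway temporary directory, with a bystander file standing in for another run's live temp files.

```python
"""Added example (not dagu's code): the cleanup-path traversal modelled in Python.
Directory layout, ID format and handler shape are assumptions; runs in a temp sandbox."""
import os
import re
import shutil
import tempfile

ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")   # assumed dagRunId format


def run_dir_vulnerable(base: str, name: str, dag_run_id: str) -> str:
    """Joins the untrusted ID straight into the path. With dag_run_id == '..' the
    result is the parent of <base>/<name>, i.e. <base> itself."""
    return os.path.normpath(os.path.join(base, name, dag_run_id))


def run_dir_fixed(base: str, name: str, dag_run_id: str) -> str:
    """Two independent checks: a strict ID format, and a containment check on the
    resolved path, so no ID can aim the later cleanup outside the run directory."""
    if not ID_RE.match(dag_run_id):
        raise ValueError(f"bad dagRunId: {dag_run_id!r}")
    parent = os.path.realpath(os.path.join(base, name))
    target = os.path.realpath(os.path.join(parent, dag_run_id))
    if os.path.commonpath([parent, target]) != parent or target == parent:
        raise ValueError("dagRunId escapes the run directory")
    return target


def handle_request(base: str, name: str, dag_run_id: str, resolver) -> str:
    """Models the handler: create the temp dir, do some work, then clean up
    unconditionally on return (the deferred os.RemoveAll in the advisory)."""
    path = resolver(base, name, dag_run_id)
    os.makedirs(path, exist_ok=True)
    try:
        with open(os.path.join(path, "work.txt"), "w") as f:
            f.write("in progress")
    finally:
        shutil.rmtree(path, ignore_errors=True)
    return path


def demo(resolver, dag_run_id: str = "..") -> dict:
    """Seed a fake /tmp with another run's live file, push the ID through the
    handler, and report whether the request was rejected and whether the
    bystander file survived."""
    with tempfile.TemporaryDirectory() as sandbox:
        fake_tmp = os.path.join(sandbox, "tmp")
        bystander = os.path.join(fake_tmp, "other-run", "live.json")
        os.makedirs(os.path.dirname(bystander))
        open(bystander, "w").close()
        try:
            handle_request(fake_tmp, "dagu", dag_run_id, resolver)
            rejected = False
        except ValueError:
            rejected = True
        return {"rejected": rejected, "bystander_survived": os.path.exists(bystander)}


if __name__ == "__main__":
    print("vulnerable, id='..':", demo(run_dir_vulnerable))   # bystander deleted
    print("fixed,      id='..':", demo(run_dir_fixed))        # rejected, bystander intact
    print("fixed,   id='run-1':", demo(run_dir_fixed, "run-1"))
```

The format check alone would stop this report's payload, but the containment check is what protects against the next one (a symlink planted inside the run directory, an ID the regex was later loosened to allow). Cleaning up with a deferred, unconditional RemoveAll is fine only once the path it receives has been proven to be the directory the handler itself created.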

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 5 hours ago

Fediverse


⚠️ CRITICAL vuln: dagu <2.2.4 suffers from path traversal (CVE-2026-31886). Exploit allows deletion of /tmp, causing system-wide DoS. Upgrade to 2.2.4+ or enforce input validation now! radar.offseq.com/threat/cve-20

  • 1
  • 1
  • 0
  • 5h ago

Overview

  • mackron
  • dr_libs

03 Mar 2026
Published
04 Mar 2026
Updated

CVSS v4.0
MEDIUM (6.8)
EPSS
0.03%

KEV

Description

dr_libs version 0.14.4 and earlier (fixed in commit 8a7258c) contain a heap buffer overflow vulnerability in the drwav__read_smpl_to_metadata_obj() function of dr_wav.h that allows memory corruption via crafted WAV files. Attackers can exploit a mismatch between sampleLoopCount validation in pass 1 and unconditional processing in pass 2 to overflow heap allocations with 36 bytes of attacker-controlled data through any drwav_init_*_with_metadata() call on untrusted input.
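The bug shape described above (one bound used to size the allocation, a different one used to fill it) is common in two-pass chunk parsers, and it is invisible on well-formed files. The following is an added example, not dr_libs code: a small parser for the WAV `smpl` chunk body following the public chunk layout (a 36-byte header of nine uint32 fields, then 24-byte loop records), with the vulnerable two-pass mismatch beside the corrected form. It is in Python rather than C, so the overrun surfaces as an IndexError or struct.error instead of silent heap corruption; that contrast is the point. The chunk bytes and the loop sanity limit are constructed for the demo.

```python
"""Added example (not dr_libs code): two-pass 'smpl' chunk parsing with a count
mismatch, modelled in Python. Chunk bytes and MAX_LOOPS are constructed."""
import struct

SMPL_HEADER = 36    # nine little-endian uint32 fields; numSampleLoops is the 8th (offset 28)
LOOP_RECORD = 24    # six little-endian uint32 fields per loop
MAX_LOOPS = 4       # assumed sanity limit used by pass 1; a real parser picks its own


def _loops_that_fit(chunk_size: int, declared: int) -> int:
    """Pass 1: how many loop records the parser is willing to store."""
    return min(declared, max(0, (chunk_size - SMPL_HEADER) // LOOP_RECORD), MAX_LOOPS)


def parse_smpl_vulnerable(chunk: bytes) -> list:
    """Buffer sized from the validated count, fill loop driven by the declared count.
    In C this writes past the heap allocation; here the fixed-length list raises."""
    declared = struct.unpack_from("<I", chunk, 28)[0]
    n = _loops_that_fit(len(chunk), declared)
    buf = [None] * n                                    # the 'allocation'
    for i in range(declared):                           # BUG: declared, not n
        rec = struct.unpack_from("<6I", chunk, SMPL_HEADER + i * LOOP_RECORD)
        buf[i] = rec                                    # out of bounds once i >= n
    return buf


def parse_smpl_fixed(chunk: bytes) -> list:
    """Same bound in both passes, and an explicit size check before every read."""
    if len(chunk) < SMPL_HEADER:
        raise ValueError("smpl chunk truncated")
    declared = struct.unpack_from("<I", chunk, 28)[0]
    n = _loops_that_fit(len(chunk), declared)
    buf = []
    for i in range(n):
        off = SMPL_HEADER + i * LOOP_RECORD
        if off + LOOP_RECORD > len(chunk):
            break
        buf.append(struct.unpack_from("<6I", chunk, off))
    return buf


def try_vulnerable(chunk: bytes) -> str:
    """Run the buggy parser and report what happened instead of crashing."""
    try:
        return f"ok:{len(parse_smpl_vulnerable(chunk))}"
    except IndexError:
        return "overrun:write"      # list index out of range == heap write past the buffer in C
    except struct.error:
        return "overrun:read"       # unpack past the chunk == read past the buffer in C


def make_chunk(declared_loops: int, actual_loops: int) -> bytes:
    """Constructed chunk body: the header claims declared_loops, the body carries actual_loops."""
    header = struct.pack("<9I", 0, 0, 22675, 60, 0, 0, 0, declared_loops, 0)
    loops = b"".join(struct.pack("<6I", i, 0, 100 * i, 100 * i + 50, 0, 1)
                     for i in range(actual_loops))
    return header + loops


if __name__ == "__main__":
    for declared, actual in ((2, 2), (6, 6), (5, 2)):
        chunk = make_chunk(declared, actual)
        print(f"declared={declared} actual={actual}: vulnerable={try_vulnerable(chunk):14} "
              f"fixed={len(parse_smpl_fixed(chunk))} records")
```

The (6, 6) case is the interesting one: every byte the attacker needs is present in the file, pass 1 correctly decides to keep only MAX_LOOPS records, and pass 2 still copies all six into a buffer sized for four. A fuzzer with sanitizers finds this in minutes; a review that checks that both passes iterate over the same variable finds it faster.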

Statistics

  • 2 Posts
  • 2 Interactions

Last activity: 18 hours ago

Bluesky

The #Fedora 42 EasyRPG Player update is a masterclass in dependency management. A single audio library (dr_wav) posed a critical code execution risk (CVE-2026-29022). Read more: 👉 tinyurl.com/6csn36wc #Security
  • 1
  • 0
  • 0
  • 19h ago
Just a heads up for the Fedora and open-source gaming community: CVE-2026-29022 has been patched in easyrpg-player for #Fedora 43. Read more: 👉 tinyurl.com/8nhzu8v6 #Security
  • 0
  • 1
  • 0
  • 18h ago

Overview

  • nyariv
  • SandboxJS

13 Mar 2026
Published
13 Mar 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
Pending

KEV

Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct {[p]: Function} where p is any constructible property. This vulnerability is fixed in 0.8.34.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 2 hours ago

Fediverse


🔥 CRITICAL: CVE-2026-26954 in SandboxJS (< 0.8.34) enables sandbox escape via Function & Object.fromEntries. Attackers can run arbitrary code remotely! Upgrade to v0.8.34+ now. Full details: radar.offseq.com/threat/cve-20

  • 1
  • 0
  • 0
  • 2h ago
Showing 1 to 10 of 66 CVEs