Overview
- pac4j
- pac4j-jwt
Published: 04 Mar 2026
Updated: 07 Mar 2026
CVSS v4.0: CRITICAL (10.0)
EPSS: 0.24%
KEV
Description
pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypassing signature verification to authenticate as any user including administrators.
Statistics
- 2 Posts
- 2 Interactions
Last activity: 18 hours ago
Overview
- RocketChat
- Rocket.Chat
Published: 06 Mar 2026
Updated: 06 Mar 2026
CVSS v4.0: CRITICAL (9.3)
EPSS: 0.11%
KEV
Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerability exists in Rocket.Chat's account service, used in the ddp-streamer microservice, that allows an attacker to log in to the service as any user with a password set, using any arbitrary password. The vulnerability stems from a missing await keyword when calling an asynchronous password validation function, causing a Promise object (which is always truthy) to be evaluated instead of the actual boolean validation result. This may lead to account takeover of any user whose username is known or guessable. This issue has been patched in versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0.
Statistics
- 1 Post
- 2 Interactions
Last activity: 13 hours ago
Fediverse
🚩 CRITICAL: CVE-2026-28514 in Rocket.Chat (<8.0.0) allows auth bypass via username-only login. Full account takeover possible! Patch now or restrict access + enable MFA. Details: https://radar.offseq.com/threat/cve-2026-28514-cwe-287-improper-authentication-in--bf7998c6 #OffSeq #RocketChat #Security #CVE202628514
Overview
- OpenClaw
- OpenClaw
Published: 01 Feb 2026
Updated: 03 Feb 2026
CVSS v3.1: HIGH (8.8)
EPSS: 0.05%
KEV
Description
OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.
Statistics
- 1 Post
- 1 Interaction
Last activity: Last hour
Fediverse
The OpenClaw AI security crisis:
42,000+ exposed instances, 93% auth bypass
CVE-2026-25253 (CVSS 8.8): one malicious link = shell RCE via WebSocket hijack
1.5M API tokens leaked (Moltbook breach)
341 malicious skills in official marketplace
36.82% flaw rate across all ClawHub skills
Newly coined terms:
→ One-Click Compromise
→ The Skill Poisoning Problem
→ The Sovereign AI Paradox
Sovereignty ≠ security.
Overview
Description
A vulnerability was found in D-Link DWR-M960 1.01.07. It affects the function sub_427D74 of the file /boafrm/formIpQoS. Manipulation of the argument submit-url leads to a stack-based buffer overflow. The attack can be launched remotely. The exploit has been publicly disclosed and may be used.
Statistics
- 1 Post
- 1 Interaction
Last activity: 3 hours ago
Overview
- Python Software Foundation
- CPython
Published: 31 Oct 2025
Updated: 03 Mar 2026
CVSS v4.0: LOW (1.8)
EPSS: 0.03%
KEV
Description
If the value passed to os.path.expandvars() is user-controlled, a performance degradation is possible when expanding environment variables.
Statistics
- 1 Post
- 1 Interaction
Last activity: 4 hours ago
Overview
- Red Hat
- Red Hat build of Keycloak 26.2
- rhbk/keycloak-operator-bundle
Published: 05 Mar 2026
Updated: 06 Mar 2026
CVSS: Pending
EPSS: 0.42%
KEV
Description
A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.
Statistics
- 1 Post
- 1 Interaction
Last activity: 9 hours ago
Overview
Description
A vulnerability classified as problematic was found in INW Krbyyyzo 25.2002. It affects unknown functionality of the file /gbo.aspx in the Daily Huddle Site component. Manipulation of the argument s leads to resource consumption. The attack can be launched on the local host. Other endpoints might be affected as well.
Statistics
- 1 Post
- 1 Interaction
Last activity: 1 hour ago
Bluesky
Critical RCE Flaw in Kubeflow Puts AI/ML Pipelines at Risk – Full Technical Breakdown and Mitigation + Video
Introduction Kubeflow, the popular open-source machine learning toolkit for Kubernetes, has recently been found vulnerable to a remote code execution (RCE) flaw (CVE-2024-12345) that allows…
Overview
- Python Software Foundation
- CPython
Published: 20 Jan 2026
Updated: 03 Mar 2026
CVSS v4.0: MEDIUM (5.9)
EPSS: 0.15%
KEV
Description
User-controlled header names and values containing newlines can allow injecting HTTP headers.
Statistics
- 1 Post
- 1 Interaction
Last activity: 4 hours ago
Overview
- Red Hat
- Enterprise Linux 9
- OpenSSH
Published: 01 Jul 2024
Updated: 11 Dec 2025
CVSS: Pending
EPSS: 31.91%
KEV
Description
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
Statistics
- 1 Post
Last activity: 20 hours ago
Overview
- timstrifler
- Exclusive Addons for Elementor
Published: 13 Mar 2024
Updated: 01 Aug 2024
CVSS v3.1: MEDIUM (6.4)
EPSS: 6.68%
KEV
Description
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via data attribute in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Statistics
- 1 Post
Last activity: 11 hours ago