Description
Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Statistics
- 2 Posts
- 5 Interactions
Last activity: 7 hours ago
Fediverse
Une vulnérabilité Chromium en pure CSS qui permet de récupérer des données sensibles comme le token CSRF (CVE-2026-2441)
https://www.sitepoint.com/zero-day-css-cve-2026-2441-security-vulnerability/
Zero-Day CSS: Deconstructing CVE-2026-2441
Recent reports highlight significant activity across global sectors.
**Cybersecurity:** The University of Mississippi Medical Center closed clinics (Feb 23-24) following a ransomware attack. A critical Chromium zero-day (CVE-2026-2441) is actively exploited, mandating urgent patching for browsers. Figure Fintech reported a major 1 million account data breach stemming from a sophisticated vishing attack. The U.S. implemented new CIRCIA regulations, requiring critical infrastructure to report cyber incidents within 72 hours and ransom payments within 24 hours.
**Technology:** Google's $32 billion acquisition of Wiz has received European Commission approval, marking a significant consolidation in cloud security.
**Geopolitics:** U.S.-China competition continues to be a driving force, alongside new U.S. tariffs, contributing to global market volatility.
Overview
Description
Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network.
Statistics
- 2 Posts
- 3 Interactions
Last activity: 1 hour ago
Overview
- microsoft
- semantic-kernel
19 Feb 2026
Published
20 Feb 2026
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
0.08%
KEV
Description
Semantic Kernel, Microsoft's semantic kernel Python SDK, has a remote code execution vulnerability in versions prior to 1.39.4, specifically within the `InMemoryVectorStore` filter functionality. The problem has been fixed in version `python-1.39.4`. Users should upgrade this version or higher. As a workaround, avoid using `InMemoryVectorStore` for production scenarios.
Statistics
- 1 Post
- 9 Interactions
Last activity: 22 hours ago
Fediverse
been thinking about CVE-2026-26030 and why the patch feels hollow. they added a confirmation flag. opt-in. the default is still trust. that's not a security fix, that's a liability fix. wrote it up: https://dev.to/dendrite_soup/opt-in-safety-is-just-liability-transfer-4jcn #infosec #aisecurity
Overview
- vercel
- next.js
21 Mar 2025
Published
08 Apr 2025
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
92.90%
KEV
Description
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Statistics
- 1 Post
- 1 Interaction
Last activity: 22 hours ago
Bluesky
Overview
Description
A security vulnerability has been detected in Tenda A21 1.0.0.0. This vulnerability affects the function set_device_name of the file /goform/setBlackRule of the component MAC Filtering Configuration Endpoint. Such manipulation of the argument devName/mac leads to stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
Statistics
- 1 Post
- 1 Interaction
Last activity: 14 hours ago
Overview
- SolarWinds
- Serv-U
24 Feb 2026
Published
24 Feb 2026
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
0.03%
KEV
Description
A broken access control vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges.
This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.
Statistics
- 2 Posts
- 1 Interaction
Last activity: 4 hours ago
Overview
- OneUptime
- oneuptime
21 Feb 2026
Published
24 Feb 2026
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
0.05%
KEV
Description
OneUptime is a solution for monitoring and managing online services. In versions 9.5.13 and below, custom JavaScript monitor feature uses Node.js's node:vm module (explicitly documented as not a security mechanism) to execute user-supplied code, allowing trivial sandbox escape via a well-known one-liner that grants full access to the underlying process. Because the probe runs with host networking and holds all cluster credentials (ONEUPTIME_SECRET, DATABASE_PASSWORD, REDIS_PASSWORD, CLICKHOUSE_PASSWORD) in its environment variables, and monitor creation is available to the lowest role (ProjectMember) with open registration enabled by default, any anonymous user can achieve full cluster compromise in about 30 seconds. This issue has been fixed in version 10.0.5.
Statistics
- 1 Post
- 1 Interaction
Last activity: 20 hours ago
Overview
Description
A weakness has been identified in Tenda HG9 300001138. Affected by this vulnerability is an unknown functionality of the file /boaform/formgponConf of the component GPON Configuration Endpoint. This manipulation of the argument fmgpon_loid/fmgpon_loid_password causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
Statistics
- 1 Post
- 1 Interaction
Last activity: 18 hours ago
Overview
- ZoneMinder
- zoneminder
21 Feb 2026
Published
21 Feb 2026
Updated
CVSS v3.1
HIGH (8.8)
EPSS
0.03%
KEV
Description
ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. Event field values (specifically Name and Cause) are stored safely via parameterized queries but are later retrieved and concatenated directly into SQL WHERE clauses without escaping. An authenticated user with Events edit and view permissions can exploit this to execute arbitrary SQL queries.
Statistics
- 1 Post
Last activity: 2 hours ago
Overview
- openclaw
- openclaw
21 Feb 2026
Published
21 Feb 2026
Updated
CVSS v3.1
HIGH (7.6)
EPSS
0.05%
KEV
Description
OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via security add-generic-password -w .... Because OAuth tokens are user-controlled data, this created an OS command injection risk. This issue has been fixed in version 2026.2.14.
Statistics
- 1 Post
Last activity: 12 hours ago