Overview
- musl-libc
- musl
10 Apr 2026
Published
10 Apr 2026
Updated
CVSS v3.1
HIGH (8.1)
EPSS
Pending
KEV
Description
An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based memory corruption can occur during qsort of very large arrays, due to incorrectly implemented double-word primitives. The number of elements must exceed about seven million, i.e., the 32nd Leonardo number on 32-bit platforms (or the 64th Leonardo number on 64-bit platforms, which is not practical).
Statistics
- 1 Post
- 73 Interactions
Last activity: 13 hours ago
Overview
- marimo-team
- marimo
09 Apr 2026
Published
09 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
2.70%
KEV
Description
marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification. This vulnerability is fixed in 0.23.0.
Statistics
- 3 Posts
- 1 Interaction
Last activity: 16 hours ago
Fediverse
A critical remote code execution (RCE) vulnerability in the Marimo notebook, CVE-2026-39987, was exploited by a threat actor just nine hours after its public disclosure. The unauthenticated flaw allows arbitrary system command execution, and the attacker successfully used it to steal credentials and exfiltrate files.
https://www.securityweek.com/critical-marimo-flaw-exploited-hours-after-public-disclosure/
Bluesky
A critical unauthenticated RCE in Marimo (CVE-2026-39987) was exploited just 9 hours after public disclosure via the terminal WebSocket endpoint, allowing shell access and data exfiltration. Upgrade to 0.23.0+. #MarimoExploit #RCEvulnerability
Overview
Description
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
Statistics
- 2 Posts
- 4 Interactions
Last activity: 8 hours ago
Fediverse
Critical Fortinet FortiClient EMS Zero-Day CVE-2026-35616 Actively Exploited — Patch Now
#CyberSecurity
https://securebulletin.com/critical-fortinet-forticlient-ems-zero-day-cve-2026-35616-actively-exploited-patch-now/
Overview
- Meta
- react-server-dom-turbopack
08 Apr 2026
Published
08 Apr 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.32%
KEV
Description
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.
Statistics
- 2 Posts
- 2 Interactions
Last activity: 11 hours ago
Bluesky
Overview
Description
Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.
Statistics
- 1 Post
Last activity: 22 hours ago
Overview
- Totolink
- A7100RU
10 Apr 2026
Published
10 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
0.89%
KEV
Description
A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setVpnAccountCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument User results in os command injection. The attack may be launched remotely. The exploit is now public and may be used.
Statistics
- 1 Post
Last activity: 21 hours ago
Fediverse
⚠️ CVE-2026-6029 (CRITICAL, CVSS 9.3): Totolink A7100RU firmware 7.4cu.2313_b20191024 is vulnerable to unauthenticated OS command injection via setVpnAccountCfg. No patch yet — restrict access and monitor for updates. https://radar.offseq.com/threat/cve-2026-6029-os-command-injection-in-totolink-a71-25809d7e #OffSeq #CVE20266029 #Infosec
Overview
- Ubuntu
- openssh
- openssh
12 Mar 2026
Published
18 Mar 2026
Updated
CVSS v4.0
LOW (2.7)
EPSS
0.03%
KEV
Description
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.
Statistics
- 1 Post
Last activity: 17 hours ago
Fediverse
OpenSSH 10.3 には
CVE-2026-3497
https://nvd.nist.gov/vuln/detail/CVE-2026-3497
の修正が含まれる(つまり 11.0_RC4 追加アイテム)ということなのだろうか
Overview
- Juniper Networks
- JSI LWC
09 Apr 2026
Published
09 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
0.04%
KEV
Description
A Use of Default Password vulnerability in the Juniper Networks
Support Insights (JSI)
Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device.
vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94.
Statistics
- 1 Post
Last activity: 13 hours ago
Overview
Description
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
Statistics
- 1 Post
Last activity: 1 hour ago
Bluesky
Overview
- patrickhener
- goshs
10 Apr 2026
Published
10 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
Pending
KEV
Description
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. By deleting the .goshs file itself, the attacker can remove the folder's auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability. This vulnerability is fixed in 2.0.0-beta.4.
Statistics
- 1 Post
Last activity: 5 hours ago
Fediverse
🚨 CVE-2026-40189: goshs <2.0.0-beta.4 has a CRITICAL auth bypass. Attackers can upload, delete, and remove folder auth to access protected files. Mitigate by upgrading now! https://radar.offseq.com/threat/cve-2026-40189-cwe-862-missing-authorization-in-pa-3a1ae9b4 #OffSeq #CVE202640189 #infosec #GoLang