24h | 7d | 30d

CVE-2026-40200

Overview

  • musl-libc
  • musl
10 Apr 2026
Published
10 Apr 2026
Updated
CVSS v3.1
HIGH (8.1)
EPSS
Pending
KEV

Description

An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based memory corruption can occur during qsort of very large arrays, due to incorrectly implemented double-word primitives. The number of elements must exceed about seven million, i.e., the 32nd Leonardo number on 32-bit platforms (or the 64th Leonardo number on 64-bit platforms, which is not practical).

Statistics

  • 1 Post
  • 80 Interactions
Last activity: 21 hours ago

Fediverse

Profile picture fallback
musl libc @musl

SECURITY ADVISORY: musl libc up through 1.2.6 (present version) is affected by CVE-2026-40200 affecting qsort with large arrays.

Unless you have a setup with at least tens of terrabytes of virtual memory, this does not affect 64-bit systems, only 32-bit ones. But all users should patch.

openwall.com/lists/musl/2026/0

  • 39
  • 41
  • 0
  • 21h ago

CVE-2026-39987

Overview

  • marimo-team
  • marimo
09 Apr 2026
Published
09 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
2.70%
KEV

Description

marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification. This vulnerability is fixed in 0.23.0.

Statistics

  • 3 Posts
  • 5 Interactions
Last activity: 4 hours ago

Fediverse

Profile picture fallback
N_{Dario Fadda} @nuke

CVE-2026-39987: Critical Marimo Python Notebook RCE Exploited Within 10 Hours of Disclosure
#CyberSecurity
securebulletin.com/cve-2026-39

  • 5
  • 0
  • 0
  • 4h ago
Profile picture fallback
ekiledjian @edwardk

A critical remote code execution (RCE) vulnerability in the Marimo notebook, CVE-2026-39987, was exploited by a threat actor just nine hours after its public disclosure. The unauthenticated flaw allows arbitrary system command execution, and the attacker successfully used it to steal credentials and exfiltrate files.
securityweek.com/critical-mari

  • 0
  • 0
  • 0
  • 23h ago

Bluesky

Profile picture fallback
Bitnewsbot @bitnewsbot.bsky.social
A critical security vulnerability (CVE-2026-39987) in the open-source Python notebook Marimo was exploited within 9 hours and 41 minutes of […]
  • 0
  • 0
  • 0
  • 23h ago

CVE-2026-23869

Overview

  • Meta
  • react-server-dom-turbopack
08 Apr 2026
Published
08 Apr 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.32%
KEV

Description

A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.

Statistics

  • 2 Posts
  • 2 Interactions
Last activity: 18 hours ago

Bluesky

Profile picture fallback
Tech Trending @tech-trending.bsky.social
Summary of CVE-2026-23869 - Vercel https://vercel.com/changelog/summary-of-cve-2026-23869
  • 0
  • 2
  • 0
  • 23h ago
Profile picture fallback
Undercode Testing @undercode.bsky.social
CVE-2026-23869: React Server Components Flaw Unleashes Devastating DoS Attacks – Patch Now! + Video Introduction: React Server Components (RSC) represent a paradigm shift in modern web development, enabling server-side rendering with seamless client interactivity. However, a newly disclosed…
  • 0
  • 0
  • 0
  • 18h ago

CVE-2026-34621

Overview

  • Adobe
  • Acrobat Reader
11 Apr 2026
Published
11 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.6)
EPSS
Pending
KEV

Description

Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Statistics

  • 4 Posts
  • 1 Interaction
Last activity: Last hour

Fediverse

Profile picture fallback
OffSequence @offseq

🚨 CRITICAL: CVE-2026-34621 in Adobe Acrobat Reader (≤26.001.21367) enables prototype pollution & arbitrary code execution via malicious files. No patch yet — avoid opening untrusted PDFs. Monitor advisories. radar.offseq.com/threat/cve-20

  • 0
  • 1
  • 1
  • 2h ago
Profile picture fallback
happygeek :unverified: + :verified: = $0 @happygeek

By me @Forbes It's always at the weekend, innit? Adobe urges admins to patch Adobe Acrobat and Reader on Windows and macOS within 72 hours as CVE-2026-34621 attacks confirmed.

forbes.com/sites/daveywinder/2

  • 0
  • 0
  • 1
  • Last hour

CVE-2026-35616

Overview

  • Fortinet
  • FortiClientEMS
04 Apr 2026
Published
07 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
25.26%
KEV

Description

A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

Statistics

  • 2 Posts
  • 1 Interaction
Last activity: 1 hour ago

Fediverse

Profile picture fallback
Christoph Schmees @PC_Fluesterer

Noch ein Notfall-Update bei Fortinet

Mal etwas ganz neues - ach nein, ist ja leider nicht neu, sondern fast normal. Der US-Hersteller von Geräten für den Netzwerk-Perimeter Fortinet musste schon wieder ein Notfall-Update veröffentlichen. Die damit geflickte Sicherheiitslücke CVE-2026-35616 wird mindestens seit Ende März bereits für Angriffe ausgenutzt (Zero-Day Exploit). Das ist schon der zweite Zero-Day innerhalb weniger Wochen. Bereits im März musste CVE-2026-21643 geflickt werden. Wiederholung: Wer das Intranet gegen das wilde wüste Internet schützen möchte, muss zu FOSS greifen.

pc-fluesterer.info/wordpress/2

#Allgemein #Empfehlung #Hintergrund #Warnung #0day #closedsource #cybercrime #exploits #hersteller #sicherheit #UnplugTrump #usa

  • 1
  • 0
  • 0
  • 1h ago

Bluesky

Profile picture fallback
Bishop Fox @bishopfox.bsky.social
ICYMI: FortiClient EMS Auth Bypass (CVE-2026-35616) Unauthenticated attackers can bypass cert-based auth via header spoofing + weak validation. Exploitation confirmed in the wild. Patch now or upgrade to 7.4.7. We also released a safe detection tool: bishopfox.com/blog/api-aut...
  • 0
  • 0
  • 0
  • 16h ago

CVE-2026-40157

Overview

  • MervinPraison
  • PraisonAI
10 Apr 2026
Published
10 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.4)
EPSS
Pending
KEV

Description

PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory. An attacker who distributes a malicious bundle can overwrite arbitrary files on the victim's filesystem when they run praisonai recipe unpack. This vulnerability is fixed in 4.5.128.

Statistics

  • 1 Post
Last activity: 5 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

🚨 CRITICAL: CVE-2026-40157 in PraisonAI (<4.5.128) enables path traversal via malicious .praison bundles — risk: file overwrite & code execution. Patch to 4.5.128+ & avoid untrusted archives. Full details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 5h ago

CVE-2026-25172

Overview

  • Microsoft
  • Windows 10 Version 1607
10 Mar 2026
Published
09 Apr 2026
Updated
CVSS v3.1
HIGH (8.0)
EPSS
0.07%
KEV

Description

Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network.

Statistics

  • 1 Post
Last activity: 1 hour ago

Bluesky

Profile picture fallback
NEWSTECNICAS | Tecnología , IA y Gaming @newstecnicas.info.ve
🛡️ CVE-2026-25172: El " #Hotpatch" urgente de Microsoft para #Windows11 que debes aplicar ya (Sin reiniciar) www.newstecnicas.info.ve/2026/04/cve-...
  • 0
  • 0
  • 0
  • 1h ago

CVE-2026-40175

Overview

  • axios
  • axios
10 Apr 2026
Published
10 Apr 2026
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
Pending
KEV

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0.

Statistics

  • 1 Post
Last activity: Last hour

Bluesky

Profile picture fallback
Lambda Watchdog @lambdawatchdog.bsky.social
🚨 New CRITICAL CVE detected in AWS Lambda 🚨 CVE-2026-40175 impacts axios in 4 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/466 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 0
  • 0
  • Last hour

CVE-2026-33017

Overview

  • langflow-ai
  • langflow
20 Mar 2026
Published
26 Mar 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
5.65%
KEV

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

Statistics

  • 1 Post
Last activity: 9 hours ago

Bluesky

Profile picture fallback
今日視界 @g0rosato.bsky.social
無需認證即可執行:Langflow CVE-2026-33017 未授權遠程代碼執行漏洞深度剖析與靶標實戰
  • 0
  • 0
  • 0
  • 9h ago

CVE-2026-33784

Overview

  • Juniper Networks
  • JSI LWC
09 Apr 2026
Published
09 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
0.04%
KEV

Description

A Use of Default Password vulnerability in the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device. vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94.

Statistics

  • 1 Post
Last activity: 20 hours ago

Bluesky

Profile picture fallback
Cybersecurity News Everyday @hendryadrian.bsky.social
Juniper Networks issued patches for nearly 36 vulnerabilities in Junos OS, vLWC, and more. Top flaw CVE-2026-33784 exposes a default high-privilege password in Support Insights vLWC. #JuniperFix #NetworkSecurity #USA
  • 0
  • 0
  • 0
  • 20h ago
Showing 1 to 10 of 36 CVEs