Overview
- anthropics
- claude-code
21 Jan 2026
Published
21 Jan 2026
Updated
CVSS v4.0
MEDIUM (5.3)
EPSS
0.02%
KEV
Description
Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version.
Statistics
- 2 Posts
- 1 Interaction
Last activity: 18 hours ago
Fediverse
Claude Code Security Analysis: Understanding the CVE-2026-21852 API Key Exfiltration Vulnerability | HackerNoon
https://hackernoon.com/claude-code-security-analysis-understanding-the-cve-2026-21852-api-key-exfiltration-vulnerability?utm_source=flipboard&utm_medium=activitypub
Posted into Hacker Noon @hacker-noon-HackerNoon
VE-2026-21852 exposed a Claude Code flaw that let malicious repositories redirect API traffic and steal Anthropic API keys before trust confirmation. https://hackernoon.com/claude-code-security-analysis-understanding-the-cve-2026-21852-api-key-exfiltration-vulnerability #claudecodevulnerability
Overview
Description
loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie.
Statistics
- 2 Posts
Last activity: 7 hours ago
Bluesky
~Cisa~
CISA added CVE-2025-47813, an actively exploited Wing FTP Server info disclosure flaw, to its KEV catalog.
-
IOCs: CVE-2025-47813
-
#CISA #CVE202547813 #ThreatIntel
Overview
- Ubuntu
- openssh
- openssh
12 Mar 2026
Published
14 Mar 2026
Updated
CVSS v4.0
LOW (2.7)
EPSS
0.06%
KEV
Description
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.
Statistics
- 2 Posts
Last activity: 4 hours ago
Bluesky
Overview
- jellyfin
- code-quality.yml
11 Mar 2026
Published
11 Mar 2026
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
0.08%
KEV
Description
Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to arbitrary code execution via pull requests from forked repositories. Due to the workflow's elevated permissions (nearly all write permissions), this vulnerability enables full repository takeover of jellyfin/jellyfin-ios, exfiltration of highly privileged secrets, Apple App Store supply chain attack, GitHub Container Registry (ghcr.io) package poisoning, and full jellyfin organization compromise via cross-repository token usage. Note: This is not a code vulnerability, but a vulnerability in the GitHub Actions workflows. No new version is required for this GHSA and end users do not need to take any actions.
Statistics
- 1 Post
- 5 Interactions
Last activity: 10 hours ago
Overview
Description
Heap buffer overflow in WebML in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Statistics
- 1 Post
- 3 Interactions
Last activity: 10 hours ago
Overview
- pluginsGLPI
- fields
16 Mar 2026
Published
16 Mar 2026
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
Pending
KEV
Description
Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been patched in version 1.23.3.
Statistics
- 1 Post
- 2 Interactions
Last activity: 1 hour ago
Fediverse
🚨 CVE-2026-23489 (CRITICAL, CVSS 9.1): GLPI 'fields' plugin (<1.23.3) allows privileged users to execute arbitrary PHP code (RCE risk). Patch to 1.23.3+, review permissions, and monitor activity. https://radar.offseq.com/threat/cve-2026-23489-cwe-20-improper-input-validation-in-9483a14f #OffSeq #GLPI #CVE202623489 #infosec
Overview
- MediaTek, Inc.
- MT2737, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6813, MT6833, MT6853, MT6855, MT6877, MT6878, MT6879, MT6880, MT6885, MT6886, MT6890, MT6893, MT6895, MT6897, MT6983, MT6985, MT6989, MT6990, MT6993, MT8169, MT8186, MT8188, MT8370, MT8390, MT8676, MT8678, MT8696, MT8793
02 Mar 2026
Published
02 Mar 2026
Updated
CVSS
Pending
EPSS
0.01%
KEV
Description
In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS10607099; Issue ID: MSV-6118.
Statistics
- 1 Post
- 2 Interactions
Last activity: 6 hours ago
Overview
- Microsoft
- Windows Server 2008 R2 Service Pack 1
13 Jan 2026
Published
26 Feb 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.08%
KEV
Description
Improper access control in Windows Deployment Services allows an unauthorized attacker to execute code over an adjacent network.
Statistics
- 1 Post
- 2 Interactions
Last activity: 21 hours ago
Overview
Description
QGIS is a free, open source, cross platform geographical information system (GIS) The repository contains a GitHub Actions workflow called "pre-commit checks" that, before commit 76a693cd91650f9b4e83edac525e5e4f90d954e9, was vulnerable to remote code execution and repository compromise because it used the `pull_request_target` trigger and then checked out and executed untrusted pull request code in a privileged context. Workflows triggered by `pull_request_target` ran with the base repository's credentials and access to secrets. If these workflows then checked out and executed code from the head of an external pull request (which could have been attacker controlled), the attacker could have executed arbitrary commands with elevated privileges. This insecure pattern has been documented as a security risk by GitHub and security researchers. Commit 76a693cd91650f9b4e83edac525e5e4f90d954e9 removed the vulnerable code.
Statistics
- 1 Post
- 1 Interaction
Last activity: 11 hours ago
Overview
Description
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.
Statistics
- 1 Post
- 2 Interactions
Last activity: 13 hours ago
Fediverse
An update of #gpg4win has been released: Version 5.0.2. See https://gpg4win.org
An update to this version is recommended due to the following security fixes:
- A security bug in GpgOL has been fixed which could result in no warning shown to the user when a signed mail contained a not signed attachment after a signed one. (T8110)
- The libpng component has been updated to version 1.6.55 to fix a security issue (CVE-2026-25646). This is only exploitable in our software if a mail is opened via Kleopatra.