24h | 7d | 30d

Overview

  • GitHub
  • Enterprise Server

10 Mar 2026
Published
28 Apr 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.39%

KEV

Description

An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 and 3.19.4.

Statistics

  • 5 Posts
  • 27 Interactions

Last activity: Last hour

Fediverse

Profile picture fallback

Beaucoup de gens vont sans doute résumer la faille de sécurité CVE-2026-3854 en « Mon Dieu, la totalité des logiciels hébergés sur GitHub ont peut-être été compromis ».

Mais, en fait, c'était déjà possible, Microsoft (propriétaire de GitHub) pouvait déjà tout modifier.

Tout ce qu'a permis CVE-2026-3854, si des gens l'ont exploité, c'est de démocratiser cette possibilité, en la rendant accessible à tous les gens ayant un compte GitHub.

wiz.io/blog/github-rce-vulnera

  • 11
  • 2
  • 0
  • 1h ago
Profile picture fallback

🚨 BREAKING: Wiz Research discovered Remote Code Execution on GitHub.com with a single git push.

Wiz Researchers uncovered a critical flaw in GitHub that could be exploited for RCE. The flaw allowed unauthorized access to millions of repositories belonging to other users and organizations 🤯

We responsibly disclosed the issue to GitHub, who deployed a fix on GitHub.com the same day (!) and released patches for all supported GHES versions.

GitHub Enterprise Server customers are strongly encouraged to update immediately.

Huge kudos to GitHub for addressing the issue 👏

Full technical breakdown here → wiz.io/blog/github-rce-vulnera

  • 8
  • 6
  • 0
  • 2h ago
Profile picture fallback

wiz.io/blog/github-rce-vulnera

RCE in GitHub.com and GitHub Enterprise Server (CVE-2026-3854)

#infosec #github

  • 0
  • 0
  • 0
  • 1h ago

Bluesky

Profile picture fallback
🚨 Critical GitHub Vulnerability — Patch Now Security firm Wiz Research discovered a serious RCE (Remote Code Execution) flaw in GitHub — CVE-2026-3854. Full details: www.cyberkendra.com/2026/04/a-si... #github #security #vulnerability
  • 0
  • 0
  • 0
  • 1h ago
Profile picture fallback
GitHub RCE Vulnerability: CVE-2026-3854 Breakdown https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854 (https://news.ycombinator.com/item?id=47936479)
  • 0
  • 0
  • 0
  • Last hour

Overview

  • Hugging Face
  • LeRobot

23 Apr 2026
Published
24 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.06%

KEV

Description

LeRobot through 0.5.1 contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels without TLS in the policy server and robot client components. An unauthenticated network-reachable attacker can achieve arbitrary code execution on the server or client by sending a crafted pickle payload through the SendPolicyInstructions, SendObservations, or GetActions gRPC calls.

Statistics

  • 6 Posts
  • 11 Interactions

Last activity: 1 hour ago

Fediverse

Profile picture fallback

📰 Critical Unpatched RCE Flaw in Hugging Face's LeRobot AI Platform Puts Robotics Systems at Risk

🚨 CRITICAL FLAW: Unpatched RCE (CVE-2026-25874, CVSS 9.3) in Hugging Face's LeRobot AI platform. Unsafe deserialization allows unauthenticated attackers to execute code. #CVE202625874 #HuggingFace #AI #RCE

🔗 cyber.netsecops.io

  • 1
  • 0
  • 0
  • 1h ago
Profile picture fallback

⚠️ An unpatched critical flaw in Hugging Face’s LeRobot enables remote code execution (CVSS 9.3).

Untrusted pickle over unauthenticated gRPC (no TLS) lets attackers take over servers, steal keys and models, and impact connected robots.

🔗 Details → thehackernews.com/2026/04/crit

  • 0
  • 1
  • 0
  • 4h ago
Profile picture fallback

The vulnerability in question is CVE-2026-25874 (CVSS score: 9.3), which has been described as a case of untrusted data deserialization stemming from the use of the unsafe pickle format. thehackernews.com/2026/04/crit

  • 0
  • 0
  • 1
  • 5h ago

Bluesky

Profile picture fallback
A critical security flaw (CVE-2026-25874) has been disclosed in Hugging Face’s open-source robotics platform, LeRobot, allowing unauthenticated remote code execution. […]
  • 0
  • 0
  • 0
  • 4h ago

Overview

  • Microsoft
  • Windows 10 Version 1607

14 Apr 2026
Published
28 Apr 2026
Updated

CVSS v3.1
MEDIUM (4.3)
EPSS
0.09%

Description

Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network.

Statistics

  • 6 Posts
  • 1 Interaction

Last activity: Last hour

Fediverse

Profile picture fallback
  • 0
  • 0
  • 0
  • 7h ago
Profile picture fallback

🛡️ Title: Windows Shell Spoofing Vulnerability
Description

🛡️ Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network.

cve.org/CVERecord?id=CVE-2026-

#cybersecurity #security #windows #microsoft

  • 0
  • 0
  • 0
  • Last hour

Bluesky

Profile picture fallback
Microsoft confirma la explotación activa de la vulnerabilidad CVE-2026-32202 del shell de Windows. 🔓 El riesgo es inminente y los atacantes están aprovechando el fallo. Actualiza tus sistemas de inmediato con los últimos parches de seguridad. #ciberseguridad www.linkedin.com/pulse/micros...
  • 1
  • 0
  • 0
  • 1h ago
Profile picture fallback
Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 thehackernews.com/2026/04/micr...
  • 0
  • 0
  • 1
  • 12h ago
Profile picture fallback
Microsoft потвърди, че уязвимост в Windows Shell, която беше отстранена в месечната актуализация за сигурност с оценка CVSS 4,3 се експлоатира активно. Уязвимостта CVE-2026-32202 позволява кражба на потребителски данни без никакви действия от страна на жертвата...
  • 0
  • 0
  • 0
  • 4h ago

Overview

  • OpenBSD
  • OpenSSH

02 Apr 2026
Published
02 Apr 2026
Updated

CVSS v3.1
MEDIUM (4.2)
EPSS
0.02%

KEV

Description

OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.

Statistics

  • 5 Posts
  • 5 Interactions

Last activity: 2 hours ago

Fediverse

Profile picture fallback

Kritische OpenSSH-Luecke: Ein Komma in Zertifikatsnamen kann Root-Zugriff ermoeglichen. CVE-2026-35414 mit CVSS 8,1 betrifft Versionen der letzten 15 Jahre. Update auf OpenSSH 10.3 verfuegbar. winfuture.de/news,158363.html?

  • 1
  • 2
  • 1
  • 10h ago
Profile picture fallback

@kubikpixel Behoben wurde die Schwachstelle bereits Anfang April mit der Veröffentlichung von OpenSSH 10.3

Detail Description :
nvd.nist.gov/vuln/detail/CVE-2
(mW ein weiterhin funktionierender und gemeinnütziger Service der Regierung der United States :awesome: )

  • 1
  • 1
  • 0
  • 2h ago
Profile picture fallback

📰 Decade-Old OpenSSH Flaw (CVE-2026-35414) Allows Full Root Access, Exploits Hard to Detect

🚨 CRITICAL: A 15-year-old flaw in OpenSSH (CVE-2026-35414) allows attackers to gain full root access. The bug is trivial to exploit and hard to detect in logs. Update to OpenSSH 10.3p1 immediately! 🛡️ #OpenSSH #CVE #Linux #CyberSecurity

🔗 cyber.netsecops.io

  • 0
  • 0
  • 0
  • 22h ago

Bluesky

Profile picture fallback
rootシェルアクセスに繋がり得るOpenSSHの脆弱性、15年にわたり発見されず(CVE-2026-35414) | Codebook|Security News https://codebook.machinarecord.com/threatreport/silobreaker-cyber-alert/45415/
  • 0
  • 0
  • 0
  • 10h ago

Overview

  • PackageKit
  • PackageKit

22 Apr 2026
Published
22 Apr 2026
Updated

CVSS v3.1
HIGH (8.8)
EPSS
0.20%

KEV

Description

PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`: 1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING. 2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags. 3. Late flag read at execution time (lines 2273–2277): The scheduler's idle callback reads cached_transaction_flags at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.

Statistics

  • 2 Posts
  • 9 Interactions

Last activity: 3 hours ago

Fediverse

Profile picture fallback

Pack2TheRoot: Critical Linux Privilege Escalation Flaw in PackageKit Affects 12+ Years of Releases (CVE-2026-41651)
#CyberSecurity
securebulletin.com/pack2theroo

  • 6
  • 0
  • 0
  • 9h ago
Profile picture fallback

Article sur une faille sur #PackageKit :

goodtech.info/pack2theroot-fai

Pour info packagekit est traduit en :
- Kabyle : 31%
- Occitan : 27%
- Breton : 22%

- Basque, Galicien, Catalan : +60%

  • 1
  • 2
  • 0
  • 3h ago

Overview

  • Microsoft
  • Microsoft Defender Antimalware Platform

14 Apr 2026
Published
28 Apr 2026
Updated

CVSS v3.1
HIGH (7.8)
EPSS
3.30%

Description

Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.

Statistics

  • 1 Post
  • 6 Interactions

Last activity: 7 hours ago

Fediverse

Profile picture fallback

Microsoft Defender “RedSun” Zero-Day (CVE-2026-33825): Unpatched Exploit Grants Full SYSTEM Access
#CyberSecurity
securebulletin.com/microsoft-d

  • 6
  • 0
  • 0
  • 7h ago

Overview

  • Microsoft
  • ASP.NET Core 10.0

21 Apr 2026
Published
28 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
0.02%

KEV

Description

Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.

Statistics

  • 1 Post
  • 4 Interactions

Last activity: 12 hours ago

Fediverse

Profile picture fallback

The diversity of advisory is key. Look at how good the advisory of GitHub is compared to the others.

db.gcve.eu/vuln/cve-2026-40372

  • 1
  • 3
  • 0
  • 12h ago

Overview

  • InternLM
  • lmdeploy

20 Apr 2026
Published
21 Apr 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.04%

KEV

Description

LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's vision-language module. The `load_image()` function in `lmdeploy/vl/utils.py` fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources. Version 0.12.3 patches the issue.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 2 hours ago

Fediverse

Profile picture fallback

LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure thehackernews.com/2026/04/lmde

  • 1
  • 0
  • 0
  • 2h ago

Overview

  • Milesight
  • MS-Cxx63-PD

27 Apr 2026
Published
28 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.2)
EPSS
0.02%

KEV

Description

Specific firmware versions of Milesight AIOT cameras use SSL certificates with default private keys.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 11 hours ago

Fediverse

Profile picture fallback

CVE-2026-32644 (CRITICAL, CVSS 9.2): Milesight MS-Cxx63-PD cameras have default SSL private keys, exposing encrypted traffic to interception & tampering. No patch yet — restrict access & follow vendor updates. radar.offseq.com/threat/cve-20

  • 1
  • 0
  • 0
  • 11h ago

Overview

  • Pending

25 Mar 2025
Published
25 Apr 2026
Updated

CVSS
Pending
EPSS
58.94%

Description

A command injection vulnerability in D-Link DIR-823X 240126 and 240802 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function, triggering remote command execution.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 9 hours ago

Bluesky

Profile picture fallback
MiraiボットネットはCVE-2025-29635を悪用し、旧型のD-Linkルーターを標的 #CybersecurityNews securityaffairs.com/191135/malwa...
  • 1
  • 0
  • 0
  • 9h ago
Showing 1 to 10 of 133 CVEs