Overview

  • Juniper Networks
  • Junos OS Evolved

25 Feb 2026
Published
26 Feb 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.25%

KEV

Description

An Incorrect Permission Assignment for Critical Resource vulnerability in the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated, network-based attacker to execute code as root. The On-Box Anomaly detection framework should only be reachable by other internal processes over the internal routing instance, but not over an externally exposed port. With the ability to access and manipulate the service to execute code as root a remote attacker can take complete control of the device. Please note that this service is enabled by default as no specific configuration is required. This issue affects Junos OS Evolved on PTX Series:

  • 25.4 versions before 25.4R1-S1-EVO, 25.4R2-EVO.

This issue does not affect Junos OS Evolved versions before 25.4R1-EVO. This issue does not affect Junos OS.

Statistics

  • 5 Posts
  • 4 Interactions

Last activity: 15 hours ago

Fediverse

Juniper Networks has released an update for its Junos OS Evolved to fix a critical vulnerability (CVE-2026-21902) affecting PTX series routers. This flaw, if exploited by an unauthenticated attacker, could allow for arbitrary code execution with root privileges, potentially giving an attacker complete control over the device.
securityweek.com/juniper-netwo

The security issue is identified as CVE-2026-21902 and is caused by incorrect permission assignment in the ‘On-Box Anomaly Detection’ framework, which should be exposed to internal processes only over the internal routing interface. bleepingcomputer.com/news/security/critical-juniper-networks-ptx-flaw-allows-full-router-takeover/


Bluesky

Junos OS Evolved: PTX Series: A vulnerability allows an unauthenticated, network-based attacker to execute code as root (CVE-2026-21902) URL: supportportal.juniper.net/s/article/20... Classification: Critical, Solution: Official Fix, Exploit Maturity: Unproven, CVSSv4.0: 9.3
Juniper Networks released an emergency patch for CVE-2026-21902, a critical vulnerability in Junos OS Evolved that allows unauthenticated remote attackers to execute arbitrary code with root privileges on PTX routers.
The security issue is identified as CVE-2026-21902 and is caused by incorrect permission assignment in the ‘On-Box Anomaly Detection’ framework. bleepingcomputer.com/news/security/critical-juniper-networks-ptx-flaw-allows-full-router-takeover/

Overview

  • Cisco
  • Cisco Catalyst SD-WAN Manager

25 Feb 2026
Published
26 Feb 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
2.19%

Description

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric. 

Statistics

  • 4 Posts

Last activity: 11 hours ago

Bluesky

The latest update for #ArcticWolf includes "CVE-2026-20127: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability" and "Welcoming Sevco Security: Expanding the Aurora Platform with Visionary Exposure Management". #cybersecurity #infosec #networks https://opsmtrs.com/2ZFbaTl
CISA and Partners Release Guidance for Ongoing Global Exploitation of Cisco SD-WAN Systems (CVE-2026-20127) #patchmanagement
A critical Cisco Catalyst SD-WAN vulnerability (CVE-2026-20127) remained undetected for three years before attackers exploited it to bypass authentication, gain root access, and steal data through chained exploitation with older flaws.
The latest update for #Foresiet includes "CVE-2026-20127: In-Depth Analysis of the Cisco Catalyst SD-WAN Authentication Bypass Vulnerability" and "Leaked Credentials: The Hidden Supply Chain Powering Modern Ransomware Attacks". #cybersecurity #infosec https://opsmtrs.com/3J3CMGz

Overview

  • Ivanti
  • Connect Secure

08 Jan 2025
Published
21 Oct 2025
Updated

CVSS v3.1
CRITICAL (9.0)
EPSS
94.12%

Description

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.

Statistics

  • 2 Posts
  • 3 Interactions

Last activity: 11 hours ago

Fediverse

"CISA warns that RESURGE malware can be dormant on Ivanti devices"

"[...] Cybersecurity and Infrastructure Security Agency (CISA) has released new details about RESURGE, a malicious implant used in zero-day attacks exploiting CVE-2025-0282 to breach Ivanti Connect Secure devices. The U.S."

bleepingcomputer.com/news/secu


Bluesky

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released new details about RESURGE, a malicious implant used in zero-day attacks exploiting CVE-2025-0282 to breach Ivanti Connect Secure devices.

Overview

  • isaacs
  • minimatch

26 Feb 2026
Published
26 Feb 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.05%

KEV

Description

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 6 hours ago

Bluesky

📌 CVE-2026-27903 - minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, ... https://www.cyberhub.blog/cves/CVE-2026-27903
🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2026-27903 impacts minimatch in 4 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/431 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless

Overview

  • isaacs
  • minimatch

26 Feb 2026
Published
26 Feb 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.04%

KEV

Description

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

Statistics

  • 2 Posts

Last activity: 1 hour ago

Bluesky

🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2026-27904 impacts minimatch in 4 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/432 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
📌 CVE-2026-27904 - minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, ... https://www.cyberhub.blog/cves/CVE-2026-27904

Overview

  • Totolink
  • N300RH

27 Feb 2026
Published
27 Feb 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.89%

KEV

Description

A security flaw has been discovered in Totolink N300RH 6.1c.1353_B20190305. Affected by this vulnerability is the function setWebWlanIdx of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Performing a manipulation of the argument webWlanIdx results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.

Statistics

  • 2 Posts

Last activity: 12 hours ago

Fediverse

⚠️ CRITICAL OS command injection in Totolink N300RH (v6.1c.1353_B20190305) — CVE-2026-3301. Unauthenticated remote exploit possible, with public exploit code out. Restrict access & monitor until patch released. radar.offseq.com/threat/cve-20


Bluesky

📌 CVE-2026-3301 - A security flaw has been discovered in Totolink N300RH 6.1c.1353_B20190305. Affected by this vulnerability is the function setWebWlanIdx of the file /... https://www.cyberhub.blog/cves/CVE-2026-3301

Overview

  • OpenClaw
  • OpenClaw

27 Feb 2026
Published
27 Feb 2026
Updated

CVSS v3.1
CRITICAL (9.9)
EPSS
0.08%

KEV

Description

In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations (such as --compress-prog) in allowlist mode, leading to approval-free execution paths that were intended to require approval. Only an exact string such as --compress-program was denied.

Statistics

  • 2 Posts

Last activity: 9 hours ago

Fediverse

another day another critical vulnerability in openclaw 🥲🤡

"In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations (such as --compress-prog) in allowlist mode, leading to approval-free execution paths that were intended to require approval."

🔐 CVE-2026-28363

📊 CVSS: 9.9 · Critical
📅 02/27/2026, 04:16 AM
🛡️ CWE: CWE-184
📦 Affected: OpenClaw OpenClaw (< 2026.2.23)

🔗 hecate.pw/vulnerability/CVE-20

#cve #vulnerability #hecate


Bluesky

📌 CVE-2026-28363 - In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations (such as --compress-prog) in... https://www.cyberhub.blog/cves/CVE-2026-28363

Overview

  • @fastify/middie
  • @fastify/middie

27 Feb 2026
Published
27 Feb 2026
Updated

CVSS v4.0
HIGH (8.2)
EPSS
Pending

KEV

Description

A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 11 hours ago

Fediverse

🚨 High-severity security fix in @fastify/middie@9.2.0 just released!

Patches CVE-2026-2880 — vulnerable to a path normalization inconsistency that can result in authentication/authorization bypass when using path-scoped middleware.

github.com/fastify/middie/secu


Overview

  • openemr
  • openemr

25 Feb 2026
Published
26 Feb 2026
Updated

CVSS v3.1
HIGH (8.8)
EPSS
0.04%

KEV

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 contain a SQL injection vulnerability in prescription that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the prescription listing functionality. Version 8.0.0 fixes the vulnerability.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 13 hours ago

Bluesky

📌 CVE-2026-25746 - OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 contain a SQL injecti... https://www.cyberhub.blog/cves/CVE-2026-25746

Overview

  • manyfold3d
  • manyfold

25 Feb 2026
Published
26 Feb 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.05%

KEV

Description

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.0, when model render generation is enabled, a logged-in user can achieve RCE by uploading a ZIP containing a file with a shell metacharacter in its name. The filename reaches a Ruby backtick call unsanitized. Version 0.133.0 fixes the issue.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 1 hour ago

Bluesky

📌 CVE-2026-27635 - Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version ... https://www.cyberhub.blog/cves/CVE-2026-27635