
Overview

  • coreruleset
  • coreruleset

Published: 08 Jan 2026
Updated: 08 Jan 2026

CVSS v3.1: CRITICAL (9.3)
EPSS: 0.04%

KEV

Description

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 9 hours ago

Fediverse

CVE-2026-21876: Critical Multipart Charset Bypass Fixed in CRS 4.22.0 and 3.3.8 coreruleset.org/20260106/cve-2

  • 1
  • 0
  • 1
  • 9h ago

Overview

  • Pending

Published: 20 Oct 2025
Updated: 16 Jan 2026

CVSS: Pending
EPSS: 0.03%

KEV

Description

An issue was discovered in Dolby UDC 4.5 through 4.13. A crash of the DD+ decoder process can occur when a malformed DD+ bitstream is processed. When Evolution data is processed by evo_priv.c from the DD+ bitstream, the decoder writes that data into a buffer. The length calculation for a write can overflow due to an integer wraparound. This can lead to the allocated buffer being too small, and the out-of-bounds check of the subsequent write to be ineffective, leading to an out-of-bounds write.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 6 hours ago

Fediverse

I like to point out issues at Apple. They are an easy target because even with the amount of money they make, they still don't manage to fix glaring known issues.

But #Xiaomi is no better. On #HyperOS many devices have not received the 2026-01-05 security patch level including critical CVE-2025-54957.

Fun fact: currently you can't even ask about this since their forum won't load. Not that they care or give sensible answers when it is operational, so ... 🙄

  • 1
  • 0
  • 0
  • 6h ago

Overview

  • Fortinet
  • FortiProxy

Published: 27 Jan 2026
Updated: 29 Jan 2026

CVSS v3.1: CRITICAL (9.4)
EPSS: 3.14%

Description

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2.0 through 7.2.15, FortiProxy 7.0.0 through 7.0.22, FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 17 hours ago

Bluesky

That new version resolves CVE-2026-24858, which is that big oopsie where if you have a FortiCloud account you can access devices registered to other FortiCloud accounts. fortiguard.fortinet.com/psirt/FG-IR-...
  • 0
  • 2
  • 0
  • 17h ago

Overview

  • win.rar GmbH
  • WinRAR

Published: 08 Aug 2025
Updated: 21 Oct 2025

CVSS v4.0: HIGH (8.4)
EPSS: 4.61%

Description

A path traversal vulnerability affecting the Windows version of WinRAR allows attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.

Statistics

  • 1 Post

Last activity: 17 hours ago

Fediverse

Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 thehackernews.com/2026/01/goog #cybersecurity #infosec

  • 0
  • 0
  • 0
  • 17h ago

Overview

  • Apple
  • macOS

Published: 11 Dec 2024
Updated: 03 Nov 2025

CVSS: Pending
EPSS: 0.12%

KEV

Description

A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. An app may be able to execute arbitrary code with kernel privileges.

Statistics

  • 1 Post

Last activity: 14 hours ago

Bluesky

📌 Google Project Zero Researcher Details Exploitation of macOS CoreAudio Type Confusion Vulnerability (CVE-2024-54529) https://www.cyberhub.blog/article/18896-google-project-zero-researcher-details-exploitation-of-macos-coreaudio-type-confusion-vulnerability-cve-2024-54529
  • 0
  • 0
  • 0
  • 14h ago

Overview

  • Palo Alto Networks
  • PAN-OS

Published: 14 May 2025
Updated: 14 May 2025

CVSS v4.0: MEDIUM (5.1)
EPSS: 4.26%

KEV

Description

A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link. The primary risk is phishing attacks that can lead to credential theft—particularly if you enabled Clientless VPN. There is no availability impact to GlobalProtect features or GlobalProtect users. Attackers cannot use this vulnerability to tamper with or modify contents or configurations of the GlobalProtect portal or gateways. The integrity impact of this vulnerability is limited to enabling an attacker to create phishing and credential-stealing links that appear to be hosted on the GlobalProtect portal. For GlobalProtect users with Clientless VPN enabled, there is a limited impact on confidentiality due to inherent risks of Clientless VPN that facilitate credential theft. You can read more about this risk in the informational bulletin PAN-SA-2025-0005: https://security.paloaltonetworks.com/PAN-SA-2025-0005. There is no impact to confidentiality for GlobalProtect users if you did not enable (or you disable) Clientless VPN.

Statistics

  • 1 Post

Last activity: 3 hours ago

Bluesky

The SSL VPN XSS Ticking Time Bomb: How CVE-2025-0133 Exposes Your Corporate Gateway + Video Introduction: A recently disclosed vulnerability, CVE-2025-0133, exposes a critical reflected Cross-Site Scripting (XSS) flaw within a specific SSL VPN endpoint. This finding, highlighted by security…
  • 0
  • 0
  • 0
  • 3h ago

Overview

  • kimai
  • kimai

Published: 18 Jan 2026
Updated: 20 Jan 2026

CVSS v3.1: MEDIUM (6.8)
EPSS: 0.03%

KEV

Description

Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue.

Statistics

  • 1 Post

Last activity: 2 hours ago

Bluesky

[release-25.11] kimai: 2.44.0 -> 2.46.0; fixes CVE-2026-23626 https://github.com/NixOS/nixpkgs/pull/483486 #security
  • 0
  • 0
  • 0
  • 2h ago

Overview

  • BYVoid
  • OpenCC

Published: 18 Jan 2026
Updated: 20 Jan 2026

CVSS v4.0: MEDIUM (4.8)
EPSS: 0.02%

KEV

Description

A weakness has been identified in BYVoid OpenCC up to 1.1.9. This vulnerability affects the function opencc::MaxMatchSegmentation of the file src/MaxMatchSegmentation.cpp. This manipulation causes a heap-based buffer overflow. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. Patch name: 345c9a50ab07018f1b4439776bad78a0d40778ec. To fix this issue, it is recommended to deploy a patch.

Statistics

  • 1 Post

Last activity: 6 hours ago

Bluesky

🚨 URGENT: CVE-2025-15536 Patch Released for #Fedora 43. Heap-based buffer overflow in OpenCC (Chinese text converter). Read more: 👉 tinyurl.com/ydzavmk7 #Security
  • 0
  • 0
  • 0
  • 6h ago

Overview

  • OpenSSL
  • OpenSSL

Published: 27 Jan 2026
Updated: 29 Jan 2026

CVSS: Pending
EPSS: 0.32%

KEV

Description

Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

Statistics

  • 1 Post

Last activity: 7 hours ago

Overview

  • Ivanti
  • Endpoint Manager Mobile

Published: 29 Jan 2026
Updated: 30 Jan 2026

CVSS v3.1: CRITICAL (9.8)
EPSS: 0.16%

KEV

Description

A code injection in Ivanti Endpoint Manager Mobile allows attackers to achieve unauthenticated remote code execution.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 1 hour ago

Fediverse

‼️ CVE-2026-1281: Safe indicator check for Ivanti EPMM & CVE-2026-1340 related paths

GitHub: github.com/Ashwesker/Ashwesker

  • 0
  • 1
  • 0
  • 1h ago