Overview
- Adobe
- Acrobat Reader
11 Apr 2026
Published
12 Apr 2026
Updated
CVSS v3.1
HIGH (8.6)
EPSS
0.24%
KEV
Description
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Statistics
- 10 Posts
- 4 Interactions
Last activity: 1 hour ago
Fediverse
Adobe hat einen Notfall-Patch für die 0-day-Schwachstelle CVE-2026-34621 (CVSS 9,6) im Adobe Reader veröffentlicht.
🚨 CRITICAL: CVE-2026-34621 in Adobe Acrobat Reader (≤26.001.21367) enables prototype pollution & arbitrary code execution via malicious files. No patch yet — avoid opening untrusted PDFs. Monitor advisories. https://radar.offseq.com/threat/cve-2026-34621-improperly-controlled-modification--1b9951d5 #OffSeq #Adobe #Vuln #Infosec
By me @Forbes It's always at the weekend, innit? Adobe urges admins to patch Adobe Acrobat and Reader on Windows and macOS within 72 hours as CVE-2026-34621 attacks confirmed.
Bluesky
Adobe has released a security update for Adobe Acrobat and Reader for Windows and macOS. This update addresses a critical vulnerability. Successful exploitation could lead to arbitrary code execution. Adobe is aware of CVE-2026-34621 being exploited in the wild.
Adobe Acrobat Zero-Day Under Attack: CVE-2026-34621 Prototype Pollution Leads to RCE – Patch Now! + Video
Introduction: A prototype pollution vulnerability in Adobe Acrobat and Reader (CVE-2026-34621, CVSS 9.6) is being actively exploited in the wild, allowing attackers to execute arbitrary code…
Overview
- axios
- axios
10 Apr 2026
Published
10 Apr 2026
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
0.24%
KEV
Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0.
Statistics
- 2 Posts
- 1 Interaction
Last activity: Last hour
Bluesky
🚨 New CRITICAL CVE detected in AWS Lambda 🚨
CVE-2026-40175 impacts axios in 4 Lambda base images.
Details: https://github.com/aws/aws-lambda-base-images/issues/466
More: https://lambdawatchdog.com/
#AWS #Lambda #CVE #CloudSecurity #Serverless
Overview
Description
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
Statistics
- 1 Post
- 1 Interaction
Last activity: 16 hours ago
Overview
- 1Panel-dev
- MaxKB
11 Apr 2026
Published
11 Apr 2026
Updated
CVSS v4.0
MEDIUM (5.1)
EPSS
Pending
KEV
Description
A vulnerability was detected in 1Panel-dev MaxKB up to 2.2.1. This vulnerability affects the function StaticHeadersMiddleware of the file apps/common/middleware/static_headers_middleware.py of the component Public Chat Interface. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. Upgrading to version 2.8.0 is able to resolve this issue. The patch is identified as 026a2d623e2aa5efa67c4834651e79d5d7cab1da. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Statistics
- 1 Post
Last activity: 7 hours ago
Fediverse
🔎 CVE-2026-6106: 1Panel-dev MaxKB v2.2.0/2.2.1 impacted by MEDIUM XSS via Public Chat Interface (Name arg). Patch to v2.8.0 to mitigate. No in-the-wild exploits yet. Full details: https://radar.offseq.com/threat/cve-2026-6106-cross-site-scripting-in-1panel-dev-m-cd592a06 #OffSeq #XSS #Vuln
Overview
Description
Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.
Statistics
- 1 Post
Last activity: 18 hours ago
Bluesky
Overview
- Microsoft
- Windows 10 Version 1607
10 Mar 2026
Published
09 Apr 2026
Updated
CVSS v3.1
HIGH (8.0)
EPSS
0.08%
KEV
Description
Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network.
Statistics
- 2 Posts
Last activity: 21 hours ago
Overview
- boonebgorges
- BuddyPress Groupblog
11 Apr 2026
Published
11 Apr 2026
Updated
CVSS v3.1
HIGH (8.8)
EPSS
0.05%
KEV
Description
The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.9.3. This is due to the group blog settings handler accepting the `groupblog-blogid`, `default-member`, and `groupblog-silent-add` parameters from user input without proper authorization checks. The `groupblog-blogid` parameter allows any group admin (including Subscribers who create their own group) to associate their group with any blog on the Multisite network, including the main site (blog ID 1). The `default-member` parameter accepts any WordPress role, including `administrator`, without validation against a whitelist. When combined with `groupblog-silent-add`, any user who joins the attacker's group is automatically added to the targeted blog with the injected role. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate any user (including themselves via a second account) to Administrator on the main site of the Multisite network.
Statistics
- 1 Post
Last activity: 10 hours ago
Fediverse
🚩 HIGH severity: CVE-2026-5144 impacts BuddyPress Groupblog ≤1.9.3. Authenticated users (even Subscribers) can escalate to Admin on WordPress Multisite. No patch yet — disable or restrict plugin for now. https://radar.offseq.com/threat/cve-2026-5144-cwe-269-improper-privilege-managemen-f1535bf6 #OffSeq #WordPress #CVE20265144 #infosec
Overview
- Python Software Foundation
- CPython
04 Mar 2026
Published
07 Apr 2026
Updated
CVSS v4.0
MEDIUM (5.7)
EPSS
0.02%
KEV
Description
The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.
Statistics
- 1 Post
Last activity: 12 hours ago
Overview
- optimole
- Optimole – Optimize Images in Real Time
11 Apr 2026
Published
11 Apr 2026
Updated
CVSS v3.1
HIGH (7.2)
EPSS
0.08%
KEV
Description
The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.2. This is due to insufficient input sanitization and output escaping on the user-supplied 's' parameter (srcset descriptor) in the unauthenticated /wp-json/optimole/v1/optimizations REST endpoint. The endpoint validates requests using an HMAC signature and timestamp, but these values are exposed directly in the frontend HTML making them accessible to any visitor. The plugin uses sanitize_text_field() on the descriptor value of rest.php, which strips HTML tags but does not escape double quotes. The poisoned descriptor is then stored via transients (backed by the WordPress options table) and later retrieved and injected verbatim into the srcset attribute of tag_replacer.php without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page.
Statistics
- 1 Post
Last activity: 8 hours ago
Fediverse
🚨 HIGH risk: Optimole WordPress plugin (≤4.2.2) vulnerable to unauthenticated stored XSS via /wp-json/optimole/v1/optimizations. HMAC bypassed. Disable plugin until patch. CVE-2026-5217 https://radar.offseq.com/threat/cve-2026-5217-cwe-79-improper-neutralization-of-in-49825cdd #OffSeq #WordPress #XSS #infosec
Overview
- Totolink
- A7100RU
12 Apr 2026
Published
12 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
Pending
KEV
Description
A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setNetworkCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument proto results in os command injection. The attack may be initiated remotely. The exploit is now public and may be used.
Statistics
- 1 Post
Last activity: 4 hours ago
Fediverse
Totolink A7100RU (7.4cu.2313_b20191024) faces a CRITICAL OS command injection (CVE-2026-6114, CVSS 9.3). Remote, unauthenticated code execution possible. No patch yet — disable remote mgmt & watch for updates. https://radar.offseq.com/threat/cve-2026-6114-os-command-injection-in-totolink-a71-384165a1 #OffSeq #CVE20266114 #Vuln #RouterSecurity