Overview
Description
curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a
server, even if the new request uses different credentials for the HTTP proxy.
The proper behavior is to create or use a separate connection.
Statistics
- 1 Post
- 130 Interactions
Last activity: 15 hours ago
Fediverse
CVE-2026-3784 beat a new #curl record. This flaw existed in curl source code for 24.97 years before it was discovered.
Illustrated in the slightly hard-to-read graph below. The average age of a curl vulnerability when reported is eight years.
Overview
- elemntor
- Ally – Web Accessibility & Usability
11 Mar 2026
Published
11 Mar 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
Pending
KEV
Description
The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques. The Remediation module must be active, which requires the plugin to be connected to an Elementor account.
Statistics
- 5 Posts
- 1 Interaction
Last activity: 2 hours ago
Fediverse
Vulnerability alert.
A high-severity SQL injection flaw (CVE-2026-2413) in the Ally WordPress Plugin from Elementor could expose data from 250K+ sites.
Patch available in v4.1.0.
Follow @technadu for security updates.
#Infosec #CyberSecurity
Critical SQL Injection Vulnerability Found in Ally WordPress Plugin Threatens 400,000+ Sites
Introduction: Rising Risks in WordPress Accessibility Tools A serious security flaw has been discovered in Ally, a popular WordPress plugin designed to improve website accessibility. The vulnerability, identified as CVE-2026-2413 and carrying a CVSS score of 7.5, could allow attackers to steal sensitive data from thousands of websites. With over 400,000 active installations,…
#WordPress und die PlugIn Hölle. 😵💫
"The plugin is used on over 400,000 WordPress sites." 😭
"An unauthenticated SQL injection flaw, tracked as CVE-2026-2413 (CVSS score 7.5), in Ally plugin could allow attackers to steal sensitive data. The offensive security engineer Drew Webber at Acquia discovered the vulnerability on February 4, 2026."
CVE-2026-2413 (CVSS score 7.5)
"Users are urged to update to Ally version 4.1.0 to mitigate the risk."
Bluesky
Security alert.
A SQL injection vulnerability (CVE-2026-2413) in the Ally WordPress Plugin from Elementor could affect 250K+ WordPress sites.
Admins are urged to update to v4.1.0.
Follow TechNadu for cybersecurity updates.
#CyberSecurity #WordPress
Overview
Description
n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.
Statistics
- 5 Posts
- 1 Interaction
Last activity: 4 hours ago
Bluesky
CISA mandates immediate patching of CVE-2025-68613, a critical 9.9-severity remote code execution vulnerability in n8n workflow automation platform affecting over 103,000 users.
CISA added a critical n8n vulnerability (CVE-2025-68613) with a 9.9 CVSS score to its Known Exploited Vulnerabilities catalog due to active exploitation, enabling remote code execution through expression injection in authenticated users.
🚨 La #CISA signale une faille critique n8n (CVE-2025-68613, score 9.9) exploitée activement, exposant 24 700 instances à une exécution de code à distance. Correctif déjà disponible. #CyberSecurity #Automatisation
Overview
- Microsoft
- Microsoft SQL Server 2016 Service Pack 3 (GDR)
10 Mar 2026
Published
12 Mar 2026
Updated
CVSS v3.1
HIGH (8.8)
EPSS
0.08%
KEV
Description
Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.
Statistics
- 4 Posts
Last activity: 8 hours ago
Fediverse
March 2026 Microsoft Patch Tuesday | Tenable® #devopsish https://www.tenable.com/blog/microsofts-march-2026-patch-tuesday-addresses-83-cves-cve-2026-21262-cve-2026-26127
Bluesky
Microsoft SQL Server Zero-Day Exploit: The 88 Critical Privilege Escalation Threat You Must Patch Now + Video
Introduction A critical zero-day vulnerability tracked as CVE-2026-21262 has been disclosed in Microsoft SQL Server, carrying a CVSS score of 8.8 and allowing authenticated attackers to…
Microsoft corrige Zero-Day crítico en SQL Server que permite a atacantes tomar el control total como admin | CVE-2026-21262 www.newstecnicas.info.ve/2026/03/micr...
Overview
Description
The issue was addressed with improved memory handling. This issue is fixed in iOS 17.2 and iPadOS 17.2, macOS Sonoma 14.2, Safari 17.2, iOS 16.7.15 and iPadOS 16.7.15, iOS 15.8.7 and iPadOS 15.8.7. Processing maliciously crafted web content may lead to memory corruption.
Statistics
- 2 Posts
- 1 Interaction
Last activity: 12 hours ago
Bluesky
Apple backported security fixes for CVE-2023-43010 and three additional Coruna exploit vulnerabilities to older iOS, iPadOS, and macOS Sonoma versions to protect devices unable to update to the latest software.
Overview
- Microsoft
- .NET 10.0
10 Mar 2026
Published
12 Mar 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.04%
KEV
Description
Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.
Statistics
- 3 Posts
Last activity: 9 hours ago
Fediverse
March 2026 Microsoft Patch Tuesday | Tenable® #devopsish https://www.tenable.com/blog/microsofts-march-2026-patch-tuesday-addresses-83-cves-cve-2026-21262-cve-2026-26127
Bluesky
🚨 New HIGH CVE detected in AWS Lambda 🚨
CVE-2026-26127 impacts Microsoft.NETCore.App.Runtime.linux-x64 in 2 Lambda base images.
Details: https://github.com/aws/aws-lambda-base-images/issues/449
More: https://lambdawatchdog.com/
#AWS #Lambda #CVE #CloudSecurity #Serverless
Overview
- undici
- undici
- undici
12 Mar 2026
Published
12 Mar 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
Pending
KEV
Description
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
* The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
* The createInflateRaw() call is not wrapped in a try-catch block
* The resulting exception propagates up through the call stack and crashes the Node.js process
Statistics
- 1 Post
- 3 Interactions
Last activity: 2 hours ago
Overview
Description
DNG SDK versions 1.7.1 2471 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Statistics
- 1 Post
- 2 Interactions
Last activity: 4 hours ago
Overview
- Adobe
- Acrobat Reader
10 Mar 2026
Published
11 Mar 2026
Updated
CVSS v3.1
HIGH (7.8)
EPSS
0.03%
KEV
Description
Acrobat Reader versions 24.001.30307, 24.001.30308, 25.001.21265 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Statistics
- 1 Post
- 1 Interaction
Last activity: 23 hours ago
Overview
Description
Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.
Statistics
- 2 Posts
- 1 Interaction
Last activity: 11 hours ago