
Overview

  • musl-libc
  • musl

10 Apr 2026
Published
10 Apr 2026
Updated

CVSS v3.1
HIGH (8.1)
EPSS
Pending

KEV

Description

An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based memory corruption can occur during qsort of very large arrays, due to incorrectly implemented double-word primitives. The number of elements must exceed about seven million, i.e., the 32nd Leonardo number on 32-bit platforms (or the 64th Leonardo number on 64-bit platforms, which is not practical).

Statistics

  • 1 Post
  • 73 Interactions

Last activity: 13 hours ago

Fediverse


SECURITY ADVISORY: musl libc up through 1.2.6 (present version) is affected by CVE-2026-40200 affecting qsort with large arrays.

Unless you have a setup with at least tens of terabytes of virtual memory, this does not affect 64-bit systems, only 32-bit ones. But all users should patch.

openwall.com/lists/musl/2026/0

  • 37
  • 36
  • 0
  • 13h ago

Overview

  • marimo-team
  • marimo

09 Apr 2026
Published
09 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
2.70%

KEV

Description

marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification. This vulnerability is fixed in 0.23.0.

Statistics

  • 3 Posts
  • 1 Interaction

Last activity: 16 hours ago

Fediverse


A critical remote code execution (RCE) vulnerability in the Marimo notebook, CVE-2026-39987, was exploited by a threat actor just nine hours after its public disclosure. The unauthenticated flaw allows arbitrary system command execution, and the attacker successfully used it to steal credentials and exfiltrate files.
securityweek.com/critical-mari

  • 0
  • 0
  • 0
  • 16h ago

Bluesky

A critical unauthenticated RCE in Marimo (CVE-2026-39987) was exploited just 9 hours after public disclosure via the terminal WebSocket endpoint, allowing shell access and data exfiltration. Upgrade to 0.23.0+. #MarimoExploit #RCEvulnerability
  • 0
  • 1
  • 0
  • 18h ago
A critical security vulnerability (CVE-2026-39987) in the open-source Python notebook Marimo was exploited within 9 hours and 41 minutes of […]
  • 0
  • 0
  • 0
  • 16h ago

Overview

  • Fortinet
  • FortiClientEMS

04 Apr 2026
Published
07 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
25.26%

Description

An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

Statistics

  • 2 Posts
  • 4 Interactions

Last activity: 8 hours ago

Fediverse


Critical Fortinet FortiClient EMS Zero-Day CVE-2026-35616 Actively Exploited — Patch Now
#CyberSecurity
securebulletin.com/critical-fo

  • 4
  • 0
  • 0
  • 21h ago

Bluesky

ICYMI: FortiClient EMS Auth Bypass (CVE-2026-35616) Unauthenticated attackers can bypass cert-based auth via header spoofing + weak validation. Exploitation confirmed in the wild. Patch now or upgrade to 7.4.7. We also released a safe detection tool: bishopfox.com/blog/api-aut...
  • 0
  • 0
  • 0
  • 8h ago

Overview

  • Meta
  • react-server-dom-turbopack

08 Apr 2026
Published
08 Apr 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.32%

KEV

Description

A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints. The payload of the HTTP request causes excessive CPU usage for up to a minute, ending in a thrown error that is catchable.

Statistics

  • 2 Posts
  • 2 Interactions

Last activity: 11 hours ago

Bluesky

Summary of CVE-2026-23869 - Vercel https://vercel.com/changelog/summary-of-cve-2026-23869
  • 0
  • 2
  • 0
  • 16h ago
CVE-2026-23869: React Server Components Flaw Unleashes Devastating DoS Attacks – Patch Now! + Video Introduction: React Server Components (RSC) represent a paradigm shift in modern web development, enabling server-side rendering with seamless client interactivity. However, a newly disclosed…
  • 0
  • 0
  • 0
  • 11h ago

Overview

  • moby
  • moby

31 Mar 2026
Published
02 Apr 2026
Updated

CVSS v3.1
HIGH (8.8)
EPSS
0.01%

KEV

Description

Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.

Statistics

  • 1 Post

Last activity: 22 hours ago

Bluesky

Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access https://thehackernews.com/2026/04/docker-cve-2026-34040-lets-attackers.html
  • 0
  • 0
  • 0
  • 22h ago

Overview

  • Totolink
  • A7100RU

10 Apr 2026
Published
10 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.89%

KEV

Description

A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setVpnAccountCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument User results in OS command injection. The attack may be launched remotely. The exploit is now public and may be used.

Statistics

  • 1 Post

Last activity: 21 hours ago

Fediverse


⚠️ CVE-2026-6029 (CRITICAL, CVSS 9.3): Totolink A7100RU firmware 7.4cu.2313_b20191024 is vulnerable to unauthenticated OS command injection via setVpnAccountCfg. No patch yet — restrict access and monitor for updates. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 21h ago

Overview

  • Ubuntu
  • openssh
  • openssh

12 Mar 2026
Published
18 Mar 2026
Updated

CVSS v4.0
LOW (2.7)
EPSS
0.03%

KEV

Description

Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.

Statistics

  • 1 Post

Last activity: 17 hours ago

Fediverse


Does this mean that OpenSSH 10.3 includes the fix for
CVE-2026-3497
nvd.nist.gov/vuln/detail/CVE-2
(i.e., an item added in 11.0_RC4)?

  • 0
  • 0
  • 0
  • 17h ago

Overview

  • Juniper Networks
  • JSI LWC

09 Apr 2026
Published
09 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.04%

KEV

Description

A Use of Default Password vulnerability in the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device. vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible. This issue affects all versions of vLWC before 3.0.94.

Statistics

  • 1 Post

Last activity: 13 hours ago

Bluesky

Juniper Networks issued patches for nearly 36 vulnerabilities in Junos OS, vLWC, and more. Top flaw CVE-2026-33784 exposes a default high-privilege password in Support Insights vLWC. #JuniperFix #NetworkSecurity #USA
  • 0
  • 0
  • 0
  • 13h ago

Overview

  • langflow-ai
  • langflow

20 Mar 2026
Published
26 Mar 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
5.65%

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

Statistics

  • 1 Post

Last activity: 1 hour ago

Bluesky

Executable without authentication: an in-depth analysis of the Langflow CVE-2026-33017 unauthenticated remote code execution vulnerability, with hands-on target practice
  • 0
  • 0
  • 0
  • 1h ago

Overview

  • patrickhener
  • goshs

10 Apr 2026
Published
10 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
Pending

KEV

Description

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. By deleting the .goshs file itself, the attacker can remove the folder's auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability. This vulnerability is fixed in 2.0.0-beta.4.

Statistics

  • 1 Post

Last activity: 5 hours ago

Fediverse


🚨 CVE-2026-40189: goshs <2.0.0-beta.4 has a CRITICAL auth bypass. Attackers can upload, delete, and remove folder auth to access protected files. Mitigate by upgrading now! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 5h ago