
Overview

  • AWS
  • aws-c-event-stream

31 Mar 2026
Published
01 Apr 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.02%

KEV

Description

Out-of-bounds write in the streaming decoder component in aws-c-event-stream before 0.6.0 might allow a third party operating a server to cause memory corruption leading to arbitrary code execution on a client application that processes crafted event-stream messages. To remediate this issue, users should upgrade to version 0.6.0 or later.

Statistics

  • 1 Post

Last activity: 22 hours ago

Bluesky

aws-c-event-stream: 0.5.7 -> 0.7.0, fixes CVE-2026-5190 https://github.com/NixOS/nixpkgs/pull/510410 https://tracker.security.nixos.org/issues/NIXPKGS-2026-0915 #security
  • 22h ago

Overview

  • Tinyproxy Project
  • Tinyproxy

07 Apr 2026
Published
07 Apr 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.06%

KEV

Description

Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against "chunked", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass.

Statistics

  • 1 Post

Last activity: 3 hours ago

Bluesky

[Backport release-25.11] tinyproxy: 1.11.2 -> 1.11.3, tinyproxy: add patch for CVE-2026-31842 https://github.com/NixOS/nixpkgs/pull/511418 https://tracker.security.nixos.org/issues/NIXPKGS-2026-0995 #security
  • 3h ago

Overview

  • niteo
  • CMP – Coming Soon & Maintenance Plugin by NiteoThemes

18 Apr 2026
Published
18 Apr 2026
Updated

CVSS v3.1
HIGH (8.8)
EPSS
0.07%

KEV

Description

The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the `cmp_theme_update_install` AJAX action. This is due to the function only checking for the `publish_pages` capability (available to Editors and above) instead of `manage_options` (Administrators only), combined with a lack of proper validation on the user-supplied file URL and no verification of the downloaded file's content before extraction. This makes it possible for authenticated attackers, with Administrator-level access and above, to force the server to download and extract a malicious ZIP file from a remote attacker-controlled URL into a web-accessible directory (`wp-content/plugins/cmp-premium-themes/`), resulting in remote code execution. Due to the lack of a nonce for Editors, they are unable to exploit this vulnerability.

Statistics

  • 1 Post

Last activity: 21 hours ago

Fediverse

🔥 HIGH severity: CVE-2026-6518 affects niteo CMP – Coming Soon & Maintenance Plugin (≤4.1.16). Authenticated Admins can trigger RCE via malicious ZIP uploads. No patch yet — restrict admin access & monitor logs. More: radar.offseq.com/threat/cve-20

  • 21h ago

Overview

  • H3C
  • Magic B1

19 Apr 2026
Published
19 Apr 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.04%

KEV

Description

A vulnerability has been found in H3C Magic B1 up to 100R004. The affected element is the function SetAPWifiorLedInfoById of the file /goform/aspForm. The manipulation of the argument param leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistics

  • 1 Post

Last activity: 12 hours ago

Fediverse

🚨 CVE-2026-6563: HIGH severity buffer overflow in H3C Magic B1 ≤100R004 (SetAPWifiorLedInfoById, /goform/aspForm). Public exploit out, vendor silent. Audit exposure, restrict access! radar.offseq.com/threat/cve-20

  • 12h ago

Overview

  • osuuu
  • LightPicture

19 Apr 2026
Published
19 Apr 2026
Updated

CVSS v4.0
MEDIUM (6.9)
EPSS
Pending

KEV

Description

A vulnerability has been found in osuuu LightPicture up to 1.2.2. This issue affects some unknown processing of the file /public/install/lp.sql of the component API Upload Endpoint. Such manipulation of the argument key leads to hard-coded credentials. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistics

  • 1 Post

Last activity: 6 hours ago

Fediverse

📢 CVE-2026-6574 (MEDIUM): osuuu LightPicture 1.2.0 – 1.2.2 has hard-coded credentials in API Upload Endpoint (/public/install/lp.sql). No vendor patch yet. Restrict endpoint access & monitor for misuse. More info: radar.offseq.com/threat/cve-20

  • 6h ago

Overview

  • Microsoft
  • .NET 10.0

14 Apr 2026
Published
17 Apr 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.05%

KEV

Description

Improper neutralization of special elements in .NET allows an unauthorized attacker to perform spoofing over a network.

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

.NET vulns keep coming because teams patch but don't learn. Here's the patch script for CVE-2026-32178 (SMTP injection) + the book that teaches secure memory mgmt on Linux. Stop reacting. Start preventing. Read more: 👉 tinyurl.com/5n8mzxaw #Rocky_Linux
  • 4h ago

Overview

  • H3C
  • Magic B0

19 Apr 2026
Published
19 Apr 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.04%

KEV

Description

A security vulnerability has been detected in H3C Magic B0 up to 100R002. This vulnerability affects the function Edit_BasicSSID of the file /goform/aspForm. Such manipulation of the argument param leads to buffer overflow. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistics

  • 1 Post

Last activity: 13 hours ago

Fediverse

⚠️ HIGH-severity buffer overflow (CVE-2026-6560) in H3C Magic B0 (100R002) allows remote code execution or DoS via Edit_BasicSSID in /goform/aspForm. No patch yet; restrict access & monitor updates. radar.offseq.com/threat/cve-20

  • 13h ago

Overview

  • Collabora
  • KodExplorer

19 Apr 2026
Published
19 Apr 2026
Updated

CVSS v4.0
MEDIUM (6.3)
EPSS
Pending

KEV

Description

A security vulnerability has been detected in Collabora KodExplorer up to 4.52. Affected by this issue is some unknown functionality of the file /app/controller/share.class.php of the component fileUpload Endpoint. The manipulation of the argument fileUpload leads to improper authorization. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistics

  • 1 Post

Last activity: 4 hours ago

Fediverse

🔔 CVE-2026-6572: Collabora KodExplorer (4.0 – 4.52) has a MEDIUM improper authorization bug in fileUpload. High attack complexity, no patch, vendor silent. Restrict endpoint access & monitor for updates. radar.offseq.com/threat/cve-20

  • 4h ago

Overview

  • Fortinet
  • FortiClientEMS

06 Feb 2026
Published
14 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
33.91%

Description

An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

Statistics

  • 1 Post

Last activity: 3 hours ago

Bluesky

Critical Pre-Auth SQL Injection in FortiClient EMS (CVE-2026-21643): From Zero to RCE – Patch Now! + Video Introduction: FortiClient EMS (Endpoint Management Server) is a centralized management console used by organizations to deploy, monitor, and secure endpoint security policies across thousands…
  • 3h ago

Overview

  • Microsoft
  • Internet Explorer 9

23 Sep 2019
Published
21 Oct 2025
Updated

CVSS
Pending
EPSS
89.25%

Description

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1221.

Statistics

  • 1 Post

Last activity: 1 hour ago