Overview
Description
This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.
Statistics
- 1 Post
- 1 Interaction
Last activity: 11 hours ago
Overview
- FontForge
- FontForge
Published: 31 Dec 2025
Updated: 31 Dec 2025
CVSS v3.0: HIGH (8.8)
EPSS: 0.20%
KEV
Description
FontForge SFD File Parsing Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28563.
Statistics
- 1 Post
Last activity: 14 hours ago
Overview
Description
An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
Statistics
- 1 Post
Last activity: 8 hours ago
Overview
- nyariv
- SandboxJS
Published: 06 Apr 2026
Updated: 06 Apr 2026
CVSS v3.1: CRITICAL (10.0)
EPSS: 0.06%
KEV
Description
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process. This vulnerability is fixed in 0.8.36.
Statistics
- 1 Post
Last activity: 6 hours ago
Overview
- Go standard library
- html/template
- html/template
Published: 08 Apr 2026
Updated: 08 Apr 2026
CVSS: Pending
EPSS: 0.01%
KEV
Description
Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally, template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.
Statistics
- 1 Post
Last activity: 18 hours ago
Overview
- D-Link
- DIR-882
Published: 09 Apr 2026
Updated: 09 Apr 2026
CVSS v4.0: HIGH (8.6)
EPSS: Pending
KEV
Description
A vulnerability was found in D-Link DIR-882 1.01B02. It affects the function sprintf in the file prog.cgi of the HNAP1 SetNetworkSettings handler component. Manipulating the argument IPAddress results in OS command injection. The attack can be performed remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.
Statistics
- 1 Post
Last activity: 1 hour ago
Fediverse
🔒 CVE-2026-5844: HIGH-severity OS command injection in D-Link DIR-882 (v1.01B02). Remote attackers can execute arbitrary OS commands. No official fix — upgrade or restrict remote access. Details: https://radar.offseq.com/threat/cve-2026-5844-os-command-injection-in-d-link-dir-8-643de94e #OffSeq #DLink #Vuln #RouterSecurity
Overview
- Six Apart Ltd.
- Movable Type
Published: 08 Apr 2026
Updated: 08 Apr 2026
CVSS v3.0: CRITICAL (9.8)
EPSS: 0.05%
KEV
Description
Movable Type provided by Six Apart Ltd. contains a code injection vulnerability which may allow an attacker to execute arbitrary Perl script.
Statistics
- 1 Post
Last activity: 21 hours ago
Fediverse
🚨 CRITICAL: CVE-2026-25776 impacts Six Apart Movable Type ≤9.1.0. Unauthenticated code injection enables remote Perl script execution. No patch yet — restrict access & monitor. More info: https://radar.offseq.com/threat/cve-2026-25776-code-injection-in-six-apart-ltd-mov-c0a38b7e #OffSeq #Vuln #InfoSec #CVE #WebSecurity
Overview
- Go standard library
- crypto/x509
- crypto/x509
Published: 08 Apr 2026
Updated: 08 Apr 2026
CVSS: Pending
EPSS: 0.01%
KEV
Description
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
Statistics
- 1 Post
Last activity: 18 hours ago
Overview
Description
npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25430.
Statistics
- 1 Post
Last activity: 10 hours ago
Overview
- Go standard library
- internal/syscall/unix
- internal/syscall/unix
Published: 08 Apr 2026
Updated: 08 Apr 2026
CVSS: Pending
EPSS: 0.01%
KEV
Description
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.
Statistics
- 1 Post
Last activity: 18 hours ago