Overview

  • Mozilla
  • Firefox

Published: 09 Dec 2025
Updated: 11 Dec 2025

CVSS: Pending
EPSS: 0.06%

KEV

Description

Use-after-free in the WebRTC: Signaling component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.

Statistics

  • 1 Post

Last activity: 5 hours ago

Bluesky

🚨 Attention #openSUSE Tumbleweed Users & System Admins! 🚨 A new security update is live, patching vulnerability CVE-2025-14321 in the cockpit-machines package. Read more: 👉 tinyurl.com/325jehsn #Security
  • 5h ago

Overview

  • Go standard library
  • crypto/tls
  • crypto/tls

Published: 28 Jan 2026
Updated: 02 Feb 2026

CVSS: Pending
EPSS: 0.02%

KEV

Description

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

Statistics

  • 1 Post

Last activity: 14 hours ago

Bluesky

🔍 Lambda Watchdog detected that CVE-2025-61730 is no longer present in latest AWS Lambda base image scans. https://github.com/aws/aws-lambda-base-images/issues/389 #AWS #Lambda #Security #CVE #DevOps #SecOps
  • 14h ago

Overview

  • Microsoft
  • Microsoft Edge (Chromium-based)

Published: 05 Feb 2026
Updated: 06 Feb 2026

CVSS v3.1: MEDIUM (6.5)
EPSS: 0.06%

KEV

Description

User interface (UI) misrepresentation of critical information in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network.

Statistics

  • 1 Post

Last activity: 14 hours ago

Overview

  • Lodash
  • Lodash
  • lodash

Published: 21 Jan 2026
Updated: 21 Jan 2026

CVSS v4.0: MEDIUM (6.9)
EPSS: 0.06%

KEV

Description

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched in 4.17.23.

Statistics

  • 2 Posts

Last activity: 5 hours ago

Bluesky

Just published a deep dive on the critical pgAdmin 4 security update for #Fedora 42 (CVE-2025-13465). It's more than just a "run dnf update" notice. Read more: 👉 tinyurl.com/yc5sruwj #Security
  • 15h ago
URGENT: #Fedora 42 security patch released for yarnpkg prototype pollution vulnerability (CVE-2025-13465). Read more: 👉 tinyurl.com/n9yr3rw8 #Security
  • 5h ago

Overview

  • Pending

Published: 04 Feb 2024
Updated: 03 Nov 2025

CVSS: Pending
EPSS: 0.13%

KEV

Description

An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

Just published: A technical deep-dive into the critical libxml2 vulnerability (CVE-2024-25062) impacting #OpenSUSE and the broader Linux ecosystem. Read more: 👉 tinyurl.com/bdh26pfx #Security
  • 4h ago

Overview

  • netty
  • netty

Published: 15 Oct 2025
Updated: 17 Oct 2025

CVSS v4.0: MEDIUM (5.5)
EPSS: 0.97%

KEV

Description

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec in Netty contains an SMTP command injection vulnerability due to insufficient input validation for Carriage Return (\r) and Line Feed (\n) characters in user-supplied parameters. The vulnerability exists in io.netty.handler.codec.smtp.DefaultSmtpRequest, where parameters are directly concatenated into the SMTP command string without sanitization. When methods such as SmtpRequests.rcpt(recipient) are called with a malicious string containing CRLF sequences, attackers can inject arbitrary SMTP commands. Because the injected commands are sent from the server's trusted IP address, resulting emails will likely pass SPF and DKIM authentication checks, making them appear legitimate. This allows remote attackers who can control SMTP command parameters (such as email recipients) to forge arbitrary emails from the trusted server, potentially impersonating executives and forging high-stakes corporate communications. This issue has been patched in versions 4.1.129.Final and 4.2.8.Final. No known workarounds exist.

Statistics

  • 1 Post

Last activity: 11 hours ago

Overview

  • libxml2

Published: 08 Aug 2025
Updated: 08 Aug 2025

CVSS v4.0: MEDIUM (4.8)
EPSS: 0.01%

KEV

Description

A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all."

Statistics

  • 1 Post

Last activity: 14 hours ago

Bluesky

🔍 Lambda Watchdog detected that CVE-2025-8732 is no longer present in latest AWS Lambda base image scans. https://github.com/aws/aws-lambda-base-images/issues/382 #AWS #Lambda #Security #CVE #DevOps #SecOps
  • 14h ago

Overview

  • Zyxel
  • ATP series firmware

Published: 05 Feb 2026
Updated: 06 Feb 2026

CVSS v3.1: HIGH (7.2)
EPSS: 0.20%

KEV

Description

A post‑authentication command injection vulnerability in the Dynamic DNS (DDNS) configuration CLI command in Zyxel ATP series firmware versions from V5.35 through V5.41, USG FLEX series firmware versions from V5.35 through V5.41, USG FLEX 50(W) series firmware versions from V5.35 through V5.41, and USG20(W)-VPN series firmware versions from V5.35 through V5.41 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device by supplying a specially crafted string as an argument to the CLI command.

Statistics

  • 1 Post

Last activity: 16 hours ago

Fediverse

I’ve published a technical analysis of CVE-2025-11730, a Remote Code Execution vulnerability affecting ZYXEL ATP/USG Series devices running firmware 5.41.

The issue is caused by improper input sanitization in the DDNS profile configuration.
A crafted public-ip-url value allows arbitrary command execution as root during DDNS updates.

Technical details and PoC:
rainpwn.blog/blog/cve-2025-117

Affected: ZYXEL ATP/USG Series (fw 5.41)

  • 16h ago

Overview

  • isaacs
  • brace-expansion

Published: 04 Feb 2026
Updated: 05 Feb 2026

CVSS v4.0: CRITICAL (9.2)
EPSS: 0.04%

KEV

Description

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.

Statistics

  • 1 Post

Last activity: 14 hours ago

Bluesky

🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2026-25547 impacts @isaacs/brace-expansion in 1 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/395 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 14h ago

Overview

  • urllib3
  • urllib3

Published: 07 Jan 2026
Updated: 23 Jan 2026

CVSS v4.0: HIGH (8.9)
EPSS: 0.02%

KEV

Description

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` while not disabling redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode the content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted sources.

Statistics

  • 1 Post

Last activity: 3 hours ago

Fediverse

Aw man, someone had to go and ruin all our fun with cve.org/CVERecord?id=CVE-2026- 😩

  • 3h ago