
Overview

  • SonicWall
  • SonicOS

24 Feb 2026
Published
24 Feb 2026
Updated

CVSS
Pending
EPSS
0.22%

KEV

Description

A post-authentication NULL Pointer Dereference vulnerability in SonicOS allows a remote attacker to crash a firewall.

Statistics

  • 1 Post

Last activity: 10 hours ago

Fediverse

Memory-foam pillow attack. A form of lightning hack, known as 'blitzHack', is wreaking havoc in households. Everything is documented in CVE-20260401. Fix named 'Padecrandemain' if the attack occurred with harmful side effects (a broken window, for example) #informatique #ousontmespilules

  • 10h ago

Overview

  • ci4-cms-erp
  • ci4ms

01 Apr 2026
Published
01 Apr 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
Pending

KEV

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog categories. An attacker can inject a malicious JavaScript payload into the category title field, which is then stored server-side. This stored payload is later rendered unsafely across public-facing blog category pages, administrative interfaces, and blog post views without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.

Statistics

  • 1 Post

Last activity: Last hour

Fediverse

⚠️ CRITICAL XSS (CVE-2026-34569) in ci4ms (<0.31.0.0): Low-priv attackers can store JS in blog category titles, impacting public & admin views. Update to 0.31.0.0+ ASAP! Full compromise possible. Details: radar.offseq.com/threat/cve-20

  • Last hour

Overview

  • curl
  • curl

08 Jan 2026
Published
08 Jan 2026
Updated

CVSS
Pending
EPSS
0.04%

KEV

Description

When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.

Statistics

  • 1 Post

Last activity: 23 hours ago

Bluesky

Notepad++ v893: Critical cURL Vulnerability Patched—Why Your Text Editor Just Became a Security Frontline + Video Introduction: A routine text editor update has just become a critical security event. Notepad++ version 8.9.3 addresses a significant vulnerability, CVE-2025-14819, lurking within its…
  • 23h ago

Overview

  • GNU
  • inetutils

13 Mar 2026
Published
23 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.03%

KEV

Description

telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full.
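The advisory names the missing check but not the protocol shape around it. The following is an added example, not inetutils code: it encodes and decodes a telnet LINEMODE SLC suboption (RFC 854 framing, RFC 1184 triplets) and refuses a message whose triplet count exceeds a capacity. The capacity value `MAX_SLC_TRIPLETS`, the function names and the sample messages are all constructed for this demo; telnetd's real buffer size is not stated on this page.

```python
"""Parsing a telnet LINEMODE SLC suboption with an explicit fullness check.

Added example; this is not inetutils code. Byte values are from RFC 854 and
RFC 1184 (IAC=255, SB=250, SE=240, LINEMODE=34, SLC=3). MAX_SLC_TRIPLETS is
an assumed capacity chosen for the demo, not telnetd's real buffer size.
"""
IAC, SB, SE = 255, 250, 240
LINEMODE, SLC = 34, 3
MAX_SLC_TRIPLETS = 4  # assumed capacity for illustration only


def build_slc_suboption(triplets):
    """Encode (function, modifier, char) triplets as IAC SB LINEMODE SLC ... IAC SE,
    doubling any literal 0xFF so it is not read as a command."""
    body = bytearray()
    for triplet in triplets:
        for value in triplet:
            if not 0 <= value <= 255:
                raise ValueError("SLC values are single octets")
            body.append(value)
            if value == IAC:
                body.append(IAC)
    return bytes([IAC, SB, LINEMODE, SLC]) + bytes(body) + bytes([IAC, SE])


def parse_slc_suboption(pkt: bytes, capacity: int = MAX_SLC_TRIPLETS):
    """Decode the suboption back into triplets.

    Raises ValueError on malformed framing or when the peer sent more triplets
    than `capacity`. That last check is the one the vulnerable add_slc path
    lacks: each parsed triplet was appended to a fixed-size buffer without
    first asking whether the buffer was already full.
    """
    if pkt[:4] != bytes([IAC, SB, LINEMODE, SLC]):
        raise ValueError("not a LINEMODE SLC subnegotiation")
    body = bytearray()
    i = 4
    while True:
        if i >= len(pkt):
            raise ValueError("unterminated subnegotiation")
        b = pkt[i]
        if b != IAC:
            body.append(b)
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated IAC sequence")
        nxt = pkt[i + 1]
        if nxt == IAC:          # escaped literal 0xFF
            body.append(IAC)
            i += 2
        elif nxt == SE:         # end of subnegotiation
            break
        else:
            raise ValueError("unexpected telnet command inside suboption")
    if len(body) % 3:
        raise ValueError("SLC body is not a whole number of triplets")
    triplets = [tuple(body[j:j + 3]) for j in range(0, len(body), 3)]
    if len(triplets) > capacity:
        raise ValueError(f"{len(triplets)} SLC triplets exceed capacity {capacity}")
    return triplets


def slc_fits(pkt: bytes, capacity: int = MAX_SLC_TRIPLETS) -> bool:
    """Would this suboption be accepted under `capacity`?"""
    try:
        parse_slc_suboption(pkt, capacity)
        return True
    except ValueError:
        return False


# Constructed samples, not captured traffic: a benign two-triplet message and
# an oversized one of the kind a crafted client could send.
SAMPLE_OK = build_slc_suboption([(1, 2, 3), (4, 5, IAC)])
SAMPLE_OVERSIZED = build_slc_suboption([(1, 2, 3)] * (MAX_SLC_TRIPLETS * 2))

if __name__ == "__main__":
    print(parse_slc_suboption(SAMPLE_OK))
    print("oversized accepted:", slc_fits(SAMPLE_OVERSIZED))
```

The point to carry over to C is that the capacity test belongs at the write, inside the loop, not at the start of the suboption: the count of triplets is only known once the body has been unescaped, and a peer controls both the count and the escaping.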

Statistics

  • 1 Post

Last activity: 22 hours ago

Bluesky

CVE-2026-32746 - GNU inetutils telnetd LINEMODE SLC Buffer Overflow scq.ms/47zeUG3
  • 22h ago

Overview

  • Joomla! Project
  • Joomla! CMS

01 Apr 2026
Published
01 Apr 2026
Updated

CVSS v4.0
HIGH (8.6)
EPSS
0.06%

KEV

Description

Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.

Statistics

  • 1 Post

Last activity: 17 hours ago

Fediverse

⚠️ CVE-2026-23898: HIGH-severity flaw in Joomla! CMS (4.0.0-5.4.3, 6.0.0-6.0.3) lets admin-level attackers delete arbitrary files, risking DoS or system compromise. Patch ASAP, restrict high-priv accounts, monitor for deletions. radar.offseq.com/threat/cve-20

  • 17h ago

Overview

  • langflow-ai
  • langflow

20 Mar 2026
Published
26 Mar 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
5.65%

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
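The flaw is a logic error in whose flow definition the builder trusts, so the added example below models exactly that decision; it is not Langflow's code. `FLOWS`, `ATTACKER_DATA`, the function names and the node `code` strings are constructed for the demo, the node code is deliberately harmless, and the hardened variant is one defensible design (anonymous callers get only the stored definition), not necessarily what the 1.9.0 patch does, which this page does not describe.

```python
"""Model of the build_public_tmp logic flaw. Added example; not Langflow's code.

FLOWS is a constructed stand-in for the database. A node's "code" is the
string an unsandboxed builder would hand to exec(); both samples only assign
a variable, so the demo is harmless, but the question is *whose* code runs.
"""
from typing import Optional

FLOWS = {
    "flow-public-1": {"public": True,
                      "nodes": [{"code": "result = 'stored flow ran'"}]},
    "flow-private-1": {"public": False,
                       "nodes": [{"code": "result = 'private'"}]},
}

# Constructed attacker payload: same shape as a stored flow, different code.
ATTACKER_DATA = {"nodes": [{"code": "result = 'attacker code ran'"}]}


def run_flow(flow: dict) -> str:
    """Execute each node's code in a scratch namespace, like an unsandboxed builder."""
    ns = {}
    for node in flow["nodes"]:
        exec(node["code"], {"__builtins__": {}}, ns)
    return ns.get("result", "")


def build_public_tmp_vulnerable(flow_id: str, data: Optional[dict] = None) -> str:
    """Pre-1.9.0 shape: no auth, and a request-supplied `data` overrides the
    stored flow, so the caller chooses what exec() receives."""
    stored = FLOWS.get(flow_id)
    if stored is None or not stored["public"]:
        raise PermissionError("flow not public")
    flow = data if data is not None else stored   # the bug: trusting the request
    return run_flow(flow)


def build_public_tmp_hardened(flow_id: str, data: Optional[dict] = None,
                              authenticated: bool = False) -> str:
    """Assumed hardening: anonymous callers only ever run the stored definition;
    client-supplied flow data is honoured solely for an authenticated caller,
    who could edit the flow through the normal API anyway."""
    stored = FLOWS.get(flow_id)
    if stored is None or not stored["public"]:
        raise PermissionError("flow not public")
    if data is not None and not authenticated:
        raise PermissionError("anonymous callers may not supply flow data")
    return run_flow(data if data is not None else stored)


def anonymous_override_allowed(builder) -> bool:
    """True if an unauthenticated caller can get its own node code executed."""
    try:
        return builder("flow-public-1", ATTACKER_DATA) == "attacker code ran"
    except PermissionError:
        return False


if __name__ == "__main__":
    print("vulnerable:", anonymous_override_allowed(build_public_tmp_vulnerable))
    print("hardened:  ", anonymous_override_allowed(build_public_tmp_hardened))
```

When auditing a similar "public" endpoint, the check to make is the one `anonymous_override_allowed` encodes: does any request field end up replacing a server-side object that the request is only supposed to name by id?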

Statistics

  • 1 Post

Last activity: 16 hours ago

Bluesky

💣 Langflow A new flaw has been discovered in Langflow, an open-source tool for building AI workflows. -> CVE-2026-33017 In under 24 hours, it went from disclosed to exploited. 👇 - www.it-connect.fr/langflow-cve... #langflow #infosec #cybersecurite
  • 16h ago

Overview

  • Meta
  • react-server-dom-webpack

03 Dec 2025
Published
26 Feb 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
65.08%

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Statistics

  • 1 Post

Last activity: 3 hours ago

Bluesky

FulcrumSec exploited CVE-2025-55182 on an unpatched AWS host to access 57 S3 buckets, exposing 23,000 insurance policyholders, $797M in premiums, driver licenses, SSNs, and proprietary ML models. #DataBreach #AWSBreach #USA
  • 3h ago

Overview

  • alexcrichton
  • tar-rs

20 Mar 2026
Published
20 Mar 2026
Updated

CVSS v4.0
MEDIUM (5.1)
EPSS
0.01%

KEV

Description

tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.
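Two entries on this page fail at the same step, deciding what a path on disk really is before acting on it: tar-rs trusted a symlink-following `fs::metadata()` before `chmod`, and the Joomla autoupdate issue above deleted a path derived from input without confining it. The following added example (not tar-rs or Joomla code) shows the symlink-following check beside a `lstat`-based one, and a delete routine that confines its target to a root after traversal and symlink resolution. The directory layout, file names and function names are constructed for the demo, and the symlink step assumes a Unix-like host.

```python
"""Symlink-aware checks before chmod/unlink under an extraction or update root.

Added example, not tar-rs or Joomla code. The "unsafe" check mirrors the
tar-rs <=0.4.44 behaviour (a metadata call that follows symlinks); the rest
is one hardened approach. Everything in demo() is constructed.
"""
import os
import stat
import tempfile


def looks_like_existing_dir_unsafe(path: str) -> bool:
    """os.stat follows symlinks, so a planted link to /etc reads as a directory."""
    try:
        return stat.S_ISDIR(os.stat(path).st_mode)
    except FileNotFoundError:
        return False


def is_real_existing_dir(path: str) -> bool:
    """os.lstat does not follow the final component: a symlink planted by an
    earlier archive entry is rejected instead of being chmod'ed through."""
    try:
        return stat.S_ISDIR(os.lstat(path).st_mode)
    except FileNotFoundError:
        return False


def within_root(root: str, target: str) -> bool:
    """True if target resolves, symlinks included, to a location under root."""
    root_real = os.path.realpath(root)
    target_real = os.path.realpath(target)
    return os.path.commonpath([root_real, target_real]) == root_real


def safe_unlink(root: str, rel_path: str) -> bool:
    """Delete root/rel_path only if it stays inside root after '..' and symlink
    resolution and is a regular file by lstat. Returns whether it was deleted."""
    if os.path.isabs(rel_path):
        return False
    candidate = os.path.join(root, rel_path)
    if not within_root(root, candidate):
        return False
    try:
        st = os.lstat(candidate)          # never follow the final component
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    os.unlink(candidate)
    return True


def demo() -> dict:
    """Build a constructed tree and exercise both checks; returns named outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "extract_root")
        victim = os.path.join(tmp, "victim")          # lives outside the root
        os.makedirs(root)
        os.makedirs(victim)
        with open(os.path.join(victim, "secret.txt"), "w") as f:
            f.write("keep me")
        with open(os.path.join(root, "ok.txt"), "w") as f:
            f.write("disposable")
        link = os.path.join(root, "link")
        os.symlink(victim, link)   # what a crafted archive's symlink entry plants
        return {
            "unsafe_check_follows_symlink": looks_like_existing_dir_unsafe(link),
            "safe_check_rejects_symlink": not is_real_existing_dir(link),
            "traversal_delete_refused": not safe_unlink(root, "../victim/secret.txt"),
            "symlink_delete_refused": not safe_unlink(root, "link/secret.txt"),
            "inside_delete_allowed": safe_unlink(root, "ok.txt"),
            "victim_intact": os.path.exists(os.path.join(victim, "secret.txt")),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The tar-rs sequence in the advisory (symlink entry, then a directory entry of the same name) is exactly the `link` case: the unsafe check returns true and the extractor would `chmod` the link target, while the `lstat` check returns false and the extractor can treat the collision as an error.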

Statistics

  • 1 Post

Last activity: 12 hours ago

Fediverse

Rust disclosed a CVE in the tar crate used by Cargo: a malicious crate can change permissions on arbitrary directories during package extraction. The vulnerable step is build-time extraction, so the exposure lands on CI runners and developer machines. Rust 1.94.1 is planned for March 26 with a fix.

blog.rust-lang.org/2026/03/21/

  • 12h ago

Overview

  • ci4-cms-erp
  • ci4ms

01 Apr 2026
Published
01 Apr 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
Pending

KEV

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, a Stored Cross-Site Scripting (Stored XSS) vulnerability exists in the backend user management functionality. The application fails to properly sanitize user-controlled input before rendering it in the administrative interface, allowing attackers to inject persistent JavaScript code. This results in automatic execution whenever backend users access the affected page, enabling session hijacking, privilege escalation, and full administrative account compromise. This issue has been patched in version 0.31.0.0.

Statistics

  • 1 Post

Last activity: 3 hours ago

Fediverse

⚠️ CRITICAL: CVE-2026-34571 in ci4ms (<0.31.0.0) enables stored XSS in backend user management. Attackers can hijack admin sessions with persistent JS — upgrade to 0.31.0.0+ ASAP! radar.offseq.com/threat/cve-20

  • 3h ago

Overview

  • Anritsu
  • Remote Spectrum Monitor MS27100A

31 Mar 2026
Published
01 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.05%

KEV

Description

The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows unauthorized users to access and manipulate its management interface. Because the device provides no mechanism to enable or configure authentication, the issue is inherent to its design rather than a deployment error.

Statistics

  • 1 Post

Last activity: 23 hours ago

Fediverse

⚡️ CVE-2026-3356 (CVSS 9.3): Anritsu MS27100A lacks authentication for management — remote attackers can access & control all versions. No patch yet. Urgent: segment networks & restrict access! radar.offseq.com/threat/cve-20

  • 23h ago
Showing 11 to 20 of 39 CVEs