24h | 7d | 30d

CVE-2026-6919

Overview

  • Google
  • Chrome
23 Apr 2026
Published
24 Apr 2026
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Statistics

  • 1 Post
Last activity: Last hour

Fediverse

Profile picture fallback
nyanbinary @nyanbinary

@andrewnez hm, is that search correct? The 343 on linked NVD page seems to include e.g. CVE-2026-6919 which isnt really related?

It's not an in any way relevant difference (4 false associations) but now I am really curious why those are associated....

  • 0
  • 0
  • 0
  • Last hour

CVE-2026-39920

Overview

  • BridgeHead Software
  • FileStore
24 Apr 2026
Published
24 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
Pending
KEV

Description

BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service.

Statistics

  • 1 Post
Last activity: 3 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

🔥 CVE-2026-39920: BridgeHead FileStore <24A has a CRITICAL flaw — Apache Axis2 admin exposed with default creds, allowing unauthenticated remote OS command execution. Restrict access, change creds & monitor! Patch status pending. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 3h ago

CVE-2026-32201

Overview

  • Microsoft
  • Microsoft SharePoint Enterprise Server 2016
14 Apr 2026
Published
24 Apr 2026
Updated
CVSS v3.1
MEDIUM (6.5)
EPSS
7.94%
KEV

Description

Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.

Statistics

  • 2 Posts
Last activity: 17 hours ago

Bluesky

Profile picture fallback
Dragster Systems @dragstersystems.bsky.social
Más de 1,300 servidores SharePoint expuestos a la vulnerabilidad CVE-2026-32201 de abril Vía: @seguinfo.bsky.social
  • 0
  • 0
  • 1
  • 17h ago

CVE-2022-29248

Overview

  • guzzle
  • guzzle
25 May 2022
Published
23 Apr 2025
Updated
CVSS v3.1
HIGH (8.0)
EPSS
0.64%
KEV

Description

Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.

Statistics

  • 1 Post
Last activity: 8 hours ago

Bluesky

Profile picture fallback
piggo @pigondrugs.bsky.social
~Socket~ Socket introduces experimental PHP reachability analysis to prioritize real vulnerability risks by tracing execution paths. - IOCs: CVE-2022-29248 - #AppSec #PHP #ThreatIntel
  • 0
  • 0
  • 0
  • 8h ago

CVE-2026-4367

Overview

  • Pending
Pending
Published
Pending
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
Last activity: 15 hours ago

Bluesky

Profile picture fallback
ferramentaslinux.bsky.social @ferramentaslinux.bsky.social
Linux security: CVE-2026-4367 in libXpm is fixed, but image parsing bugs never die. Here's how to check, auto-update (bash script), and mitigate with iptables/AppArmor – works TODAY even if you can't patch. Read more-> tinyurl.com/mr3bfdtv #openSUSE
  • 0
  • 0
  • 0
  • 15h ago

CVE-2026-27966

Overview

  • langflow-ai
  • langflow
26 Feb 2026
Published
28 Feb 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
0.23%
KEV

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). Version 1.8.0 fixes the issue.

Statistics

  • 1 Post
Last activity: 15 hours ago

Fediverse

Profile picture fallback
Metasploit @metasploit

The latest Metasploit Weekly Wrapup is here! Highlights include a new RCE exploit for Langflow (CVE-2026-27966), improved check method visibility with detailed reasoning, and updates for legacy SMB targets. Plus 3 other new modules!

Read more: rapid7.com/blog/post/pt-metasp

  • 0
  • 0
  • 0
  • 15h ago

CVE-2026-40347

Overview

  • Kludex
  • python-multipart
17 Apr 2026
Published
20 Apr 2026
Updated
CVSS v3.1
MEDIUM (5.3)
EPSS
0.02%
KEV

Description

Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.

Statistics

  • 2 Posts
Last activity: 4 hours ago

Bluesky

Profile picture fallback
nixpkgs security changes @nixpkgssecuritychanges.gerbet.me
python3Packages.python-multipart: add patches for CVE-2026-40347 https://github.com/NixOS/nixpkgs/pull/512899 #security
  • 0
  • 0
  • 0
  • 6h ago
Profile picture fallback
nixpkgs security changes @nixpkgssecuritychanges.gerbet.me
[Backport staging-25.11] python3Packages.python-multipart: add patches for CVE-2026-40347 https://github.com/NixOS/nixpkgs/pull/513269 #security
  • 0
  • 0
  • 0
  • 4h ago

CVE-2026-41328

Overview

  • dgraph-io
  • dgraph
24 Apr 2026
Published
24 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
Pending
KEV

Description

Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack requires two HTTP POSTs to port 8080. The first sets up a schema predicate with @unique @index(exact) @lang via /alter (also unauthenticated in default config). The second sends a crafted JSON mutation to /mutate?commitNow=true where a JSON key contains the predicate name followed by @ and a DQL injection payload in the language tag position. The injection exploits the addQueryIfUnique function in edgraph/server.go, which constructs DQL queries using fmt.Sprintf with unsanitized predicateName that includes the raw pred.Lang value. The Lang field is extracted from JSON mutation keys by x.PredicateLang(), which splits on @, and is never validated by any function in the codebase. The attacker injects a closing parenthesis to escape the eq() function, adds an arbitrary named query block, and uses a # comment to neutralize trailing template syntax. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3.

Statistics

  • 1 Post
Last activity: 7 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

🚨 CVE-2026-41328: CRITICAL DQL injection in dgraph-io Dgraph (<25.3.3) allows unauthenticated full DB read! Exploit via crafted POSTs to port 8080. Patch to 25.3.3+ or enable ACL to mitigate. Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 7h ago

CVE-2026-6911

Overview

  • AWS
  • AWS Ops Wheel
24 Apr 2026
Published
24 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
Pending
KEV

Description

Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the deployment's User Pool, via a crafted JWT sent to the API Gateway endpoint. To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.

Statistics

  • 1 Post
Last activity: 4 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

🚨 CRITICAL: CVE-2026-6911 in AWS Ops Wheel — missing JWT signature checks allow unauth access & admin control over all tenants. Patch by redeploying from the updated repo! Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 4h ago

CVE-2026-3844

Overview

  • cloudways
  • Breeze Cache
23 Apr 2026
Published
23 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
0.06%
KEV

Description

The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability can only be exploited if "Host Files Locally - Gravatars" is enabled, which is disabled by default.

Statistics

  • 1 Post
Last activity: 17 hours ago

Fediverse

Profile picture fallback
RS Web Solutions (RSWEBSOLS) @rswebsols

Hackers Take Advantage of File Upload Vulnerability in Breeze Cache Plugin for WordPress #wordpress

Urgent security update: Hackers are exploiting a file upload vulnerability in Breeze Cache for WordPress (CVE-2026-3844), risking remote code execution. Upgrade to Breeze Cache 2.4.5 now or disable the Host Files Locally – Gravatars option to mitigate. Details: ift.tt/ZoIb1XJ

Source: ift.tt/ZoIb1XJ | Image: ift.tt/dtFh1AJ

  • 0
  • 0
  • 0
  • 17h ago
Showing 11 to 20 of 37 CVEs