Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post

Last activity: 17 hours ago

Bluesky

📢 GLPI 11.0.7 & 10.0.25: 13 vulnerabilities fixed, 4 of them critical (XSS, arbitrary deletion) 📝 📅 **Source**: IT-Connect, published … https://cyberveille.ch/posts/2026-05-06-glpi-11-0-7-10-0-25-13-vulnerabilites-corrigees-dont-4-critiques-xss-suppression-arbitraire/ #CVE_2026_40108 #Cyberveille
  • 17h ago

Overview

  • Pip maintainers
  • pip
  • pip

27 Apr 2026
Published
27 Apr 2026
Updated

CVSS v4.0
MEDIUM (5.3)
EPSS
0.02%

KEV

Description

pip prior to version 26.1 ran its self-update check after installing wheel files. That check imports Python modules by well-known names, and those imports were intentionally deferred to reduce the startup time of the pip CLI, so they were resolved only after the wheel had already been written into the environment. A wheel that ships a module under one of those names could therefore be imported, and its code executed, shortly after installation. The patch moves the self-update check to run before any wheel is installed, so that newly installed modules are not imported by pip in the same run. Users should still review package contents prior to installation.

Statistics

  • 1 Post

Last activity: 1 hour ago

Bluesky

🚨 New MEDIUM CVE detected in AWS Lambda 🚨 CVE-2026-6357 impacts pip in 6 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/489 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 1h ago

Overview

  • axios
  • axios

24 Apr 2026
Published
25 Apr 2026
Updated

CVSS v3.1
HIGH (7.4)
EPSS
0.08%

KEV

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios Node.js HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The gadget relies on duck-type checking of the data payload: if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request. The vulnerable code resides exclusively in lib/adapters/http.js, so only requests sent through that adapter are affected. The prototype pollution source does not need to originate from Axios itself; any prototype pollution primitive in any dependency in the application's dependency tree is sufficient to trigger this gadget. This vulnerability is fixed in 1.15.1 and 0.31.1.
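The following is an added example, not axios's own code: a simplified model of the duck-typed FormData detection described above, showing how a polluted Object.prototype turns an ordinary JSON payload into a header source, beside a stricter check that ignores properties inherited from Object.prototype. The function names, the FakeFormData class and the sample payloads are assumptions made for this illustration; the real fix is the one shipped in 1.15.1 and 0.31.1.

```javascript
// Added example, not axios's own code: a simplified model of the duck-typed
// FormData detection in CVE-2026-42035, showing how a polluted
// Object.prototype turns an ordinary JSON payload into a header source, and a
// stricter check that ignores inherited properties. The function names and
// the sample payloads are assumptions made for this illustration.

const FORM_DATA_METHODS = ['append', 'getHeaders', 'pipe', 'on', 'once'];

// Vulnerable pattern: "is it FormData?" answered purely by which methods are
// reachable (through the prototype chain) plus the Symbol.toStringTag.
function looksLikeFormDataDuckTyped(data) {
  return data !== null && typeof data === 'object' &&
    FORM_DATA_METHODS.every((m) => typeof data[m] === 'function') &&
    Object.prototype.toString.call(data) === '[object FormData]';
}

// True when `key` is found on `obj` or on a prototype below Object.prototype,
// so a property that exists only because Object.prototype was polluted does
// not count.
function definedBelowObjectPrototype(obj, key) {
  for (let o = obj; o !== null && o !== Object.prototype; o = Object.getPrototypeOf(o)) {
    if (Object.prototype.hasOwnProperty.call(o, key)) return true;
  }
  return false;
}

// Hardened pattern: plain objects (prototype === Object.prototype, i.e. parsed
// JSON and object literals) are never FormData, and every required method has
// to be defined by the instance or its own class, not inherited from Object.
function looksLikeFormDataStrict(data) {
  if (data === null || typeof data !== 'object') return false;
  const proto = Object.getPrototypeOf(data);
  if (proto === null || proto === Object.prototype) return false;
  return FORM_DATA_METHODS.every(
    (m) => definedBelowObjectPrototype(data, m) && typeof data[m] === 'function');
}

// Stand-in for the adapter step that merges FormData headers into the request.
function buildRequestHeaders(data, baseHeaders, isFormData) {
  const headers = { ...baseHeaders };
  if (isFormData(data)) {
    Object.assign(headers, data.getHeaders()); // attacker-controlled when polluted
  }
  return headers;
}

// A legitimate FormData-like class (stand-in for a real form-data object).
class FakeFormData {
  append() {}
  getHeaders() { return { 'content-type': 'multipart/form-data; boundary=abc' }; }
  pipe() {}
  on() {}
  once() {}
  get [Symbol.toStringTag]() { return 'FormData'; }
}

// Simulates a prototype-pollution primitive anywhere in the dependency tree
// (the source need not be axios). Returns a function that undoes it.
function polluteObjectPrototype() {
  const injected = { 'X-Injected': 'pwned', Host: 'attacker.example' };
  const added = {
    getHeaders: () => injected,
    append() {}, pipe() {}, on() {}, once() {},
    [Symbol.toStringTag]: 'FormData',
  };
  for (const k of Reflect.ownKeys(added)) Object.prototype[k] = added[k];
  return () => { for (const k of Reflect.ownKeys(added)) delete Object.prototype[k]; };
}

// Runs the same JSON payload through both checks before and after pollution.
function demo() {
  const payload = { user: 'alice' }; // constructed: an ordinary request body
  const base = { 'content-type': 'application/json' };
  const run = () => ({
    duck: buildRequestHeaders(payload, base, looksLikeFormDataDuckTyped),
    strict: buildRequestHeaders(payload, base, looksLikeFormDataStrict),
  });
  const before = run();
  const restore = polluteObjectPrototype();
  let after;
  try { after = run(); } finally { restore(); }
  return { before, after };
}

console.log(JSON.stringify(demo(), null, 2));
```

Before pollution both checks leave the JSON payload alone; after pollution the duck-typed check accepts `{ user: 'alice' }` as FormData and merges the attacker's `X-Injected` and `Host` headers, while the strict check still rejects it and still accepts a genuine FormData-like class.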

Statistics

  • 1 Post

Last activity: 1 hour ago

Bluesky

🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2026-42035 impacts axios in 3 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/491 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 1h ago

Overview

  • ci4-cms-erp
  • ci4ms

07 May 2026
Published
07 May 2026
Updated

CVSS v4.0
CRITICAL (9.4)
EPSS
Pending

KEV

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Backup::restore extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the backup create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root. This issue has been patched in version 0.31.5.0.

Statistics

  • 1 Post

Last activity: 4 hours ago

Fediverse

🔎 CVE-2026-41202: CRITICAL path traversal in ci4ms (<0.31.5.0) lets authenticated users upload ZIPs for remote code execution. Patch to 0.31.5.0 now! Details: radar.offseq.com/threat/cve-20

  • 4h ago

Overview

  • Spring
  • Spring Cloud Config

07 May 2026
Published
07 May 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
Pending

KEV

Description

Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

Statistics

  • 1 Post

Last activity: 8 hours ago

Fediverse

⚠️ CRITICAL: CVE-2026-40982 in Spring Cloud Config (3.1.0 – 5.0.0) enables path traversal — attackers can access arbitrary files via crafted URLs. Upgrade to a safe version ASAP: 3.1.14, 4.1.10, 4.2.7, 4.3.3, or 5.0.3. Details: radar.offseq.com/threat/cve-20

  • 8h ago

Overview

  • juliangruber
  • brace-expansion

09 Jun 2025
Published
11 Jun 2025
Updated

CVSS v4.0
LOW (2.3)
EPSS
0.09%

KEV

Description

A vulnerability was found in juliangruber brace-expansion up to 1.1.11, 2.0.1, 3.0.0 and 4.0.0 and has been rated as problematic. It affects the function expand in the file index.js; manipulation of its input leads to inefficient regular expression complexity (a ReDoS condition). The attack may be launched remotely, but its complexity is rather high and exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 or 4.0.1, whichever matches the major line in use, addresses this issue. The fixing patch is commit a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component.

Statistics

  • 1 Post

Last activity: 1 hour ago

Bluesky

🔍 Lambda Watchdog detected that CVE-2025-5889 is no longer present in latest AWS Lambda base image scans. https://github.com/aws/aws-lambda-base-images/issues/283 #AWS #Lambda #Security #CVE #DevOps #SecOps
  • 1h ago

Overview

  • givanz
  • Vvveb

06 May 2026
Published
06 May 2026
Updated

CVSS v4.0
CRITICAL (9.2)
EPSS
Pending

KEV

Description

Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin container with pre-configured database credentials. Attackers can connect to the phpMyAdmin port to gain unrestricted read and write access to the entire Vvveb database, including administrator password hashes, customer personally identifiable information, and order data, enabling account takeover and data manipulation.

Statistics

  • 1 Post

Last activity: 10 hours ago

Fediverse

‼️ CRITICAL vuln: givanz Vvveb <1.0.8.2 exposes phpMyAdmin via hard-coded creds in docker-compose-apache.yaml (CVE-2026-41930). Unauth attackers get full DB access. Restrict access & monitor for patches. radar.offseq.com/threat/cve-20

  • 10h ago

Overview

  • hyperledger
  • fabric

07 May 2026
Published
07 May 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
Pending

KEV

Description

Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches.

Statistics

  • 1 Post

Last activity: 7 hours ago

Fediverse

🚨 CRITICAL: CVE-2026-41586 in Hyperledger Fabric (1.0.0-2.2.26) allows remote code execution via unsafe deserialization. No patch yet — restrict untrusted input and monitor for updates. radar.offseq.com/threat/cve-20

  • 7h ago

Overview

  • libssh2

01 May 2026
Published
04 May 2026
Updated

CVSS v4.0
MEDIUM (6.9)
EPSS
0.05%

KEV

Description

A security vulnerability has been detected in libssh2 up to and including 1.11.1. The affected function is userauth_password in the file src/userauth.c; manipulation of the username_len/password_len arguments leads to an integer overflow. The attack may be launched remotely. The fixing patch is commit 256d04b60d80bf1190e96b0ad1e91b2174d744b1; apply it to remediate this issue.

Statistics

  • 1 Post

Last activity: 20 hours ago

Bluesky

libssh2: apply patch for CVE-2026-7598 https://github.com/NixOS/nixpkgs/pull/516098 #security
  • 20h ago

Overview

  • axios
  • axios

24 Apr 2026
Published
27 Apr 2026
Updated

CVSS v3.1
MEDIUM (5.3)
EPSS
0.06%

KEV

Description

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker who controls the .type property of a Blob/File-like object (e.g., via a user-uploaded file in a Node.js proxy service) can inject arbitrary MIME part headers into the multipart form-data body. This bypasses Node.js v18+ built-in header protections because the injection targets the multipart body structure, not HTTP request headers. This vulnerability is fixed in 1.15.1.
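The following is an added example, not axios's own code: a minimal multipart/form-data part serializer in the shape described above, with the unsanitized Content-Type interpolation beside a hardened version, plus a small header parser that shows what a receiving server would see. The function names and the sample upload are assumptions made for this illustration.

```javascript
// Added example, not axios's own code: a minimal multipart part serializer in
// the shape described for CVE-2026-42037, with the unsanitized Content-Type
// interpolation beside a hardened version. Function names and the sample
// upload are assumptions made for this illustration.
const CRLF = '\r\n';

// Vulnerable: value.type is written into the part header verbatim, so CR/LF in
// it terminates the Content-Type line and starts new header lines. Node's http
// module validates HTTP request headers, but this text lives in the body.
function partHeadersUnsafe(name, filename, type) {
  return `Content-Disposition: form-data; name="${name}"; filename="${filename}"${CRLF}` +
    `Content-Type: ${type}${CRLF}${CRLF}`;
}

// Hardened: any CR, LF or NUL in a header-bound value is an error rather than
// something to strip silently, so a tampered upload fails loudly, and quotes in
// the disposition parameters are percent-encoded so they cannot close the field.
function assertNoLineBreaks(label, value) {
  if (/[\r\n\0]/.test(value)) throw new Error(`${label} contains CR/LF or NUL`);
  return value;
}
function quoteParam(value) {
  return assertNoLineBreaks('disposition parameter', value).replace(/"/g, '%22');
}
function partHeadersSafe(name, filename, type) {
  return `Content-Disposition: form-data; name="${quoteParam(name)}"; filename="${quoteParam(filename)}"${CRLF}` +
    `Content-Type: ${assertNoLineBreaks('content type', type)}${CRLF}${CRLF}`;
}

function buildPart(fieldName, file, headersFn) {
  return headersFn(fieldName, file.name, file.type) + file.content + CRLF;
}

// What a multipart parser does with the part: header block up to the first
// blank line, one header per CRLF. Returns the lower-cased header names.
function partHeaderNames(part) {
  const end = part.indexOf(CRLF + CRLF);
  return part.slice(0, end).split(CRLF).map((line) => line.split(':')[0].trim().toLowerCase());
}

// Constructed upload: the proxy copies .type from a client-supplied File/Blob.
const ATTACKER_FILE = {
  name: 'avatar.png',
  type: 'image/png\r\nContent-Transfer-Encoding: binary\r\nX-Injected: yes',
  content: '\x89PNG...',
};
const BENIGN_FILE = { name: 'report.pdf', type: 'application/pdf', content: '%PDF-1.7...' };

function demo() {
  const injected = partHeaderNames(buildPart('file', ATTACKER_FILE, partHeadersUnsafe));
  let hardenedError = null;
  try {
    buildPart('file', ATTACKER_FILE, partHeadersSafe);
  } catch (e) {
    hardenedError = e.message;
  }
  const benign = partHeaderNames(buildPart('file', BENIGN_FILE, partHeadersSafe));
  return { injected, hardenedError, benign };
}

console.log(demo());
```

With the unsafe serializer the receiving parser sees four part headers, two of which the uploader chose; the hardened serializer refuses the same file and still serializes a benign one normally. Rejecting is preferable to stripping here because a type value containing line breaks is never legitimate and silently altering it hides the tampering attempt from logs.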

Statistics

  • 1 Post

Last activity: 1 hour ago

Bluesky

🚨 New MEDIUM CVE detected in AWS Lambda 🚨 CVE-2026-42037 impacts axios in 3 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/495 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 1h ago
Showing 11 to 20 of 66 CVEs