24h | 7d | 30d

CVE-2026-44331

Overview

  • ProFTPD
  • ProFTPD
05 May 2026
Published
06 May 2026
Updated
CVSS v3.1
HIGH (8.1)
EPSS
0.03%
KEV

Description

In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.

Statistics

  • 2 Posts
Last activity: 11 hours ago

Bluesky

Profile picture fallback
nixpkgs security changes @nixpkgssecuritychanges.gerbet.me
proftpd: patch CVE-2026-44331 https://github.com/NixOS/nixpkgs/pull/517211 https://tracker.security.nixos.org/issues/NIXPKGS-2026-1407 #security
  • 0
  • 0
  • 0
  • 12h ago
Profile picture fallback
nixpkgs security changes @nixpkgssecuritychanges.gerbet.me
[Backport release-25.11] proftpd: patch CVE-2026-44331 https://github.com/NixOS/nixpkgs/pull/517683 #security
  • 0
  • 0
  • 0
  • 11h ago

CVE-2026-3854

Overview

  • GitHub
  • Enterprise Server
10 Mar 2026
Published
29 Apr 2026
Updated
CVSS v4.0
HIGH (8.7)
EPSS
0.30%
KEV

Description

An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 and 3.19.4.

Statistics

  • 1 Post
Last activity: 13 hours ago

Fediverse

Profile picture fallback
Mark Gardner @mjg

@DrHyde To put a fine point on it: GitHub's status page showed nothing alarming on April 23—no major outage, no partial outage—because its calculus excludes "Degraded Performance" from downtime numbers. The platform never went down; it was just silently producing wrong merge results, corrupting repository history across 230 organizations and about 3,000 pull requests. That's not a blip. That's a data integrity failure.

Here's GitHub's own heavily-spun blog post on the matter (which also covers another incident on April 27).

Bonus: Five days after the merge queue incident, GitHub disclosed CVE-2026-3854, a critical remote code execution vulnerability where a crafted git push could execute code on GitHub's servers. Patched on github.com in 75 minutes, but 88% of GitHub Enterprise Server instances were still exposed when the disclosure went public.

One bad week doesn't explain a year of red squares, but it does crystallize the pattern.

/cc @choroba

  • 0
  • 0
  • 0
  • 13h ago

CVE-2025-64669

Overview

  • Microsoft
  • Windows Admin Center
11 Dec 2025
Published
16 Apr 2026
Updated
CVSS v3.1
HIGH (7.8)
EPSS
0.10%
KEV

Description

Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges locally.

Statistics

  • 1 Post
Last activity: 3 hours ago

Bluesky

Profile picture fallback
r/redteamsec bot @r-redteamsec.bsky.social
CVE-2025-64669: Uncovering Local Privilege Escalation Vulnerability in Windows Admin Center
  • 0
  • 0
  • 0
  • 3h ago

CVE-2026-42037

Overview

  • axios
  • axios
24 Apr 2026
Published
27 Apr 2026
Updated
CVSS v3.1
MEDIUM (5.3)
EPSS
0.06%
KEV

Description

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker who controls the .type property of a Blob/File-like object (e.g., via a user-uploaded file in a Node.js proxy service) can inject arbitrary MIME part headers into the multipart form-data body. This bypasses Node.js v18+ built-in header protections because the injection targets the multipart body structure, not HTTP request headers. This vulnerability is fixed in 1.15.1.

Statistics

  • 1 Post
Last activity: 14 hours ago

Bluesky

Profile picture fallback
Lambda Watchdog @lambdawatchdog.bsky.social
🚨 New MEDIUM CVE detected in AWS Lambda 🚨 CVE-2026-42037 impacts axios in 3 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/495 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 0
  • 0
  • 14h ago

CVE-2026-42511

Overview

  • FreeBSD
  • FreeBSD
30 Apr 2026
Published
01 May 2026
Updated
CVSS
Pending
EPSS
0.06%
KEV

Description

The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it. A rogue DHCP server may be able to execute arbirary code as root on a system running dhclient.

Statistics

  • 2 Posts
Last activity: 10 hours ago

Bluesky

Profile picture fallback
/r/netsec @r-netsec-bot.bsky.social
CVE-2026-42511 Breakdown: RCE in FreeBSD
  • 0
  • 0
  • 1
  • 10h ago

CVE-2025-64756

Overview

  • isaacs
  • node-glob
17 Nov 2025
Published
19 Nov 2025
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.02%
KEV

Description

Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

Statistics

  • 1 Post
Last activity: 14 hours ago

Bluesky

Profile picture fallback
Lambda Watchdog @lambdawatchdog.bsky.social
🔍 Lambda Watchdog detected that CVE-2025-64756 is no longer present in latest AWS Lambda base image scans. https://github.com/aws/aws-lambda-base-images/issues/353 #AWS #Lambda #Security #CVE #DevOps #SecOps
  • 0
  • 0
  • 0
  • 14h ago

CVE-2026-42043

Overview

  • axios
  • axios
24 Apr 2026
Published
27 Apr 2026
Updated
CVSS v3.1
HIGH (7.2)
EPSS
0.04%
KEV

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vulnerability is due to an incomplete for CVE-2025-62718, This vulnerability is fixed in 1.15.1 and 0.31.1.

Statistics

  • 1 Post
Last activity: 14 hours ago

Bluesky

Profile picture fallback
Lambda Watchdog @lambdawatchdog.bsky.social
🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2026-42043 impacts axios in 3 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/492 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 0
  • 0
  • 14h ago

CVE-2026-41201

Overview

  • ci4-cms-erp
  • ci4ms
07 May 2026
Published
07 May 2026
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
0.04%
KEV

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM XSS in backup module filename field manipulated via a sql file that tampers with the file name field to contain hidden XSS payload. This issue has been patched in version 0.31.5.0.

Statistics

  • 1 Post
Last activity: 16 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

⚠️ CRITICAL XSS in ci4ms 0.31.4.0 (CVE-2026-41201): Stored DOM XSS via backup filename lets attackers fully take over accounts. Upgrade to 0.31.5.0 now! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 16h ago

CVE-2026-42880

Overview

  • argoproj
  • argo-cd
07 May 2026
Published
07 May 2026
Updated
CVSS v3.1
CRITICAL (9.6)
EPSS
Pending
KEV

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.

Statistics

  • 1 Post
Last activity: 2 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

🚨 CRITICAL: CVE-2026-42880 in Argo CD (v3.2.0 – 3.2.10, 3.3.0 – 3.3.8) allows attackers with read-only access to extract plaintext Kubernetes Secrets via the ServerSideDiff endpoint. Patch to 3.2.11/3.3.9+ now! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 2h ago

CVE-2026-40982

Overview

  • Spring
  • Spring Cloud Config
07 May 2026
Published
07 May 2026
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
0.11%
KEV

Description

Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

Statistics

  • 1 Post
Last activity: 22 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

⚠️ CRITICAL: CVE-2026-40982 in Spring Cloud Config (3.1.0 – 5.0.0) enables path traversal — attackers can access arbitrary files via crafted URLs. Upgrade to a safe version ASAP: 3.1.14, 4.1.10, 4.2.7, 4.3.3, or 5.0.3. Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 22h ago
Showing 11 to 20 of 115 CVEs