Overview

  • mdjnelson
  • moodle-mod_customcert

18 Mar 2026
Published
18 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.6)
EPSS
0.02%

KEV

Description

mdjnelson/moodle-mod_customcert is a Moodle plugin for creating dynamically generated certificates with complete customization via the web browser. Prior to versions 4.4.9 and 5.0.3, a teacher who holds `mod/customcert:manage` in any single course can read and silently overwrite certificate elements belonging to any other course in the Moodle installation. The `core_get_fragment` callback `editelement` and the `mod_customcert_save_element` web service both fail to verify that the supplied `elementid` belongs to the authorized context, enabling cross-course information disclosure and data tampering. Versions 4.4.9 and 5.0.3 fix the issue.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 11 hours ago

Fediverse

CRITICAL: CVE-2026-30884 in mdjnelson moodle-mod_customcert (<4.4.9, 5.0.0 – 5.0.3) enables cross-course certificate tampering by teachers. Update to 4.4.9/5.0.3+ and review permissions. radar.offseq.com/threat/cve-20

Overview

  • GL-iNet
  • Comet KVM

17 Mar 2026
Published
17 Mar 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.03%

KEV

Description

The GL-iNet Comet (GL-RM1) KVM web interface does not limit login requests, enabling brute-force attempts to guess credentials.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 9 hours ago

Fediverse

⚠️ CVE-2026-32292: CRITICAL vuln in GL-iNet Comet KVM (CVSS 9.3) — web UI lacks brute-force protections. No patch yet. Restrict access, use strong creds, monitor logs! Details: radar.offseq.com/threat/cve-20

Overview

  • Kubernetes
  • ingress-nginx

09 Mar 2026
Published
11 Mar 2026
Updated

CVSS v3.1
HIGH (8.8)
EPSS
0.04%

KEV

Description

A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/rewrite-target` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Statistics

  • 1 Post

Last activity: 10 hours ago

Bluesky

CVE-2026-3288 - ingress-nginx rewrite-target nginx configuration injection scq.ms/3OVUOzu

Overview

  • pallets
  • flask

21 Feb 2026
Published
24 Feb 2026
Updated

CVSS v4.0
LOW (2.3)
EPSS
0.03%

KEV

Description

Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the `Vary: Cookie` header; this instructs caches not to cache the response, as it may contain information specific to a logged-in user. This is handled in most cases, but some forms of access, such as the Python `in` operator, were overlooked, resulting in a Use of Cache Containing Sensitive Information vulnerability. The severity and risk depend on the application being hosted behind a caching proxy that doesn't ignore responses with cookies, not setting a Cache-Control header to mark pages as private or non-cacheable, and accessing the session in a way that only touches keys without reading values or mutating the session. The issue has been fixed in version 3.1.3.

Statistics

  • 1 Post

Last activity: 3 hours ago

Bluesky

Critical Flask vulnerability (CVE-2026-27205) lands for #Ubuntu LTS users. This isn't a drill—an oversight in marking user-specific responses could let attackers siphon sensitive data from your web apps. Read more: 👉 tinyurl.com/3kemmm57 #Security

Overview

  • OpenClaw
  • OpenClaw

18 Mar 2026
Published
18 Mar 2026
Updated

CVSS v4.0
HIGH (8.8)
EPSS
0.03%

KEV

Description

OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media download flow where untrusted media keys are interpolated directly into temporary file paths in extensions/feishu/src/media.ts. An attacker who can control Feishu media key values returned to the client can use traversal segments to escape os.tmpdir() and write arbitrary files within the OpenClaw process permissions.

Statistics

  • 1 Post

Last activity: 5 hours ago

Bluesky

🚨 CVE-2026-22171 – HIGH (8.8) Path Traversal in OpenClaw Feishu media download allows arbitrary file write. Attackers can manipulate media keys to escape temp directories and write files on the system. Full report: basefortify.eu/cve_reports/... #CVE #CyberSecurity #AppSec #InfoSec

Overview

  • ANGEET
  • ES3 KVM

17 Mar 2026
Published
17 Mar 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.03%

KEV

Description

The Angeet ES3 KVM allows a remote, unauthenticated attacker to write arbitrary files, including configuration files or system binaries. Modified configuration files or system binaries could allow an attacker to take complete control of a vulnerable system.

Statistics

  • 1 Post

Last activity: 14 hours ago

Fediverse

🚨 CVE-2026-32297 (CRITICAL, CVSS 9.3): ANGEET ES3 KVM allows unauthenticated remote file writes — attackers can take full control. Isolate & restrict access immediately. No patch yet. Details: radar.offseq.com/threat/cve-20

Overview

  • Microsoft
  • Windows 11 version 22H2

14 Oct 2025
Published
22 Feb 2026
Updated

CVSS v3.1
LOW (3.3)
EPSS
0.04%

KEV

Description

Exposure of sensitive information to an unauthorized actor in Windows NTLM allows an unauthorized attacker to perform spoofing locally.

Statistics

  • 4 Posts

Last activity: 21 hours ago

Bluesky

CVE-2025-59284: How reading a gnu manpage led to a Windows NetNTLM phishing exploit

Overview

  • GL-iNet
  • Comet KVM

17 Mar 2026
Published
17 Mar 2026
Updated

CVSS v4.0
HIGH (7.0)
EPSS
0.03%

KEV

Description

The GL-iNet Comet (GL-RM1) KVM does not require authentication on the UART serial console. This attack requires physically opening the device and connecting to the UART pins.

Statistics

  • 1 Post

Last activity: 20 hours ago

Fediverse

Hey look, some security reporters made CVE-2026-32291 for one of the flaws I reported in January to GL.iNet, but their reporting is missing one more important detail: up until you set up a password in the user interface, root ssh access is also available without a password.

I was told by the vendor that this was working as intended.

https://ap.samueldr.com/notice/B21lr6Uhi3Xs4qBiG8

Anyway, I guess I just don't know how to play the CVE game, as that would likely have applied I guess.

Overview

  • Hitachi Vantara
  • Pentaho Data Integration and Analytics

09 Mar 2026
Published
10 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
0.05%

KEV

Description

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to RCE.

Statistics

  • 1 Post

Last activity: 6 hours ago

Bluesky

CVE-2025-11158 - Hitachi Vantara Pentaho Data Integration & Analytics - Missing Authorization scq.ms/4ukJPQf

Overview

  • kanboard
  • kanboard

18 Mar 2026
Published
18 Mar 2026
Updated

CVSS v4.0
HIGH (8.4)
EPSS
0.03%

KEV

Description

Kanboard is project management software focused on Kanban methodology. Versions prior to 1.2.51 have an authenticated SQL injection vulnerability. Attackers with the permission to add users to a project can leverage this vulnerability to dump the entirety of the kanboard database. Version 1.2.51 fixes the issue.

Statistics

  • 1 Post

Last activity: Last hour

Fediverse
