
Overview

  • ProFTPD
  • ProFTPD

05 May 2026
Published
06 May 2026
Updated

CVSS v3.1
HIGH (8.1)
EPSS
0.03%

KEV

Description

In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.

Statistics

  • 2 Posts

Last activity: 11 hours ago

Bluesky

proftpd: patch CVE-2026-44331 https://github.com/NixOS/nixpkgs/pull/517211 https://tracker.security.nixos.org/issues/NIXPKGS-2026-1407 #security
  • 0
  • 0
  • 0
  • 12h ago
[Backport release-25.11] proftpd: patch CVE-2026-44331 https://github.com/NixOS/nixpkgs/pull/517683 #security
  • 0
  • 0
  • 0
  • 11h ago

Overview

  • GitHub
  • Enterprise Server

10 Mar 2026
Published
29 Apr 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.30%

KEV

Description

An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 and 3.19.4.

Statistics

  • 1 Post

Last activity: 13 hours ago

Fediverse


@DrHyde To put a fine point on it: GitHub's status page showed nothing alarming on April 23—no major outage, no partial outage—because its calculus excludes "Degraded Performance" from downtime numbers. The platform never went down; it was just silently producing wrong merge results, corrupting repository history across 230 organizations and about 3,000 pull requests. That's not a blip. That's a data integrity failure.

Here's GitHub's own heavily-spun blog post on the matter (which also covers another incident on April 27).

Bonus: Five days after the merge queue incident, GitHub disclosed CVE-2026-3854, a critical remote code execution vulnerability where a crafted git push could execute code on GitHub's servers. Patched on github.com in 75 minutes, but 88% of GitHub Enterprise Server instances were still exposed when the disclosure went public.

One bad week doesn't explain a year of red squares, but it does crystallize the pattern.

/cc @choroba

  • 0
  • 0
  • 0
  • 13h ago

Overview

  • Microsoft
  • Windows Admin Center

11 Dec 2025
Published
16 Apr 2026
Updated

CVSS v3.1
HIGH (7.8)
EPSS
0.10%

KEV

Description

Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges locally.

Statistics

  • 1 Post

Last activity: 3 hours ago

Bluesky

CVE-2025-64669: Uncovering Local Privilege Escalation Vulnerability in Windows Admin Center
  • 0
  • 0
  • 0
  • 3h ago

Overview

  • axios
  • axios

24 Apr 2026
Published
27 Apr 2026
Updated

CVSS v3.1
MEDIUM (5.3)
EPSS
0.06%

KEV

Description

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker who controls the .type property of a Blob/File-like object (e.g., via a user-uploaded file in a Node.js proxy service) can inject arbitrary MIME part headers into the multipart form-data body. This bypasses Node.js v18+ built-in header protections because the injection targets the multipart body structure, not HTTP request headers. This vulnerability is fixed in 1.15.1.
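The header-injection mechanism described above, as an added example that is not axios's own code: a toy multipart part builder that interpolates a Blob-like `.type` straight into the part's Content-Type line (the pattern the description attributes to the pre-1.15.1 FormDataPart constructor), a hardened builder that rejects CR/LF in every attacker-influenceable header field, and a small header splitter showing what a receiving parser sees. The boundary string and the malicious `.type` value are constructed for the demo.

```javascript
// Added example (not axios's code). Shows how CR/LF in a part's Content-Type
// value becomes extra MIME headers inside the multipart body, and a hardened
// builder that refuses such values. BOUNDARY and EVIL_TYPE are constructed here.

const CRLF = '\r\n';
const BOUNDARY = 'axios-demo-boundary'; // constructed for the demo

// Vulnerable: `type` goes straight into a header line of the part.
function buildPartUnsafe(name, filename, type, data) {
  return (
    `--${BOUNDARY}${CRLF}` +
    `Content-Disposition: form-data; name="${name}"; filename="${filename}"${CRLF}` +
    `Content-Type: ${type}${CRLF}${CRLF}` +
    `${data}${CRLF}`
  );
}

// A CR or LF inside a header value terminates that header, so whatever follows
// is parsed as a new header line. Refuse such values instead of forwarding them.
function assertNoCRLF(label, value) {
  if (/[\r\n]/.test(value)) {
    throw new TypeError(`${label} must not contain CR or LF`);
  }
  return value;
}

// Hardened: every field that ends up in a header line is checked first.
// (Double quotes inside name/filename need escaping as well; not shown here.)
function buildPartSafe(name, filename, type, data) {
  return buildPartUnsafe(
    assertNoCRLF('name', name),
    assertNoCRLF('filename', filename),
    assertNoCRLF('type', type),
    data
  );
}

// Header names a receiver would parse for one part (boundary line excluded).
function partHeaderNames(part) {
  const head = part.split(CRLF + CRLF)[0];
  return head.split(CRLF).slice(1).map((line) => line.split(':')[0].toLowerCase());
}

// Constructed attacker-controlled .type: a real MIME type followed by two
// injected header lines.
const EVIL_TYPE = 'text/plain\r\nContent-Transfer-Encoding: binary\r\nX-Injected: 1';

function demo() {
  const unsafeHeaders = partHeaderNames(buildPartUnsafe('file', 'a.txt', EVIL_TYPE, 'hello'));
  let safeRejected = false;
  try {
    buildPartSafe('file', 'a.txt', EVIL_TYPE, 'hello');
  } catch (e) {
    safeRejected = e instanceof TypeError;
  }
  const benignHeaders = partHeaderNames(buildPartSafe('file', 'a.txt', 'text/plain', 'hello'));
  return { unsafeHeaders, safeRejected, benignHeaders };
}

console.log(demo());
```

The point the CVE text makes is visible in `unsafeHeaders`: the receiver sees four header lines for a part that was supposed to carry two. Node's own CR/LF guard applies to the HTTP header block, not to bytes that are merely part of the request body, which is why this must be validated by whatever assembles the multipart body.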

Statistics

  • 1 Post

Last activity: 14 hours ago

Bluesky

🚨 New MEDIUM CVE detected in AWS Lambda 🚨 CVE-2026-42037 impacts axios in 3 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/495 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 0
  • 0
  • 14h ago

Overview

  • FreeBSD
  • FreeBSD

30 Apr 2026
Published
01 May 2026
Updated

CVSS
Pending
EPSS
0.06%

KEV

Description

The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it. A rogue DHCP server may be able to execute arbitrary code as root on a system running dhclient.
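The quote-escaping failure described above, as an added example that is not FreeBSD's dhclient code: a toy writer and parser for a lease-style file whose string fields sit in double quotes. The unsafe writer interpolates a server-supplied value verbatim, so one embedded quote closes the string and the rest of the value is read back as a further directive; the safe writer escapes backslashes, quotes and line breaks so the round trip returns exactly one field. The directive grammar and the injected directive name `injected` are simplified illustrations, not the real dhclient.conf syntax.

```javascript
// Added example (not FreeBSD's dhclient). A minimal `name "string";` writer and
// parser showing how an unescaped double quote in a stored field injects extra
// directives on re-parse, and the escaping writer that prevents it.
// Grammar and the ATTACKER_FILE value are constructed for the demo.

// Vulnerable writer: the value is dropped between quotes untouched.
function serializeUnsafe(fields) {
  return Object.entries(fields).map(([k, v]) => `  ${k} "${v}";`).join('\n');
}

// Hardened writer: escape the characters that can end or corrupt a quoted string.
function quote(v) {
  const escaped = v
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/\n/g, '\\n')
    .replace(/\r/g, '\\r');
  return `"${escaped}"`;
}
function serializeSafe(fields) {
  return Object.entries(fields).map(([k, v]) => `  ${k} ${quote(v)};`).join('\n');
}

// Toy parser for directive := name "string" ';' with the escapes used above.
// Returns [[name, value], ...]; throws on malformed input.
function parse(text) {
  const out = [];
  let i = 0;
  const skipWs = () => { while (i < text.length && /\s/.test(text[i])) i++; };
  while (true) {
    skipWs();
    if (i >= text.length) break;
    let name = '';
    while (i < text.length && /[\w-]/.test(text[i])) name += text[i++];
    skipWs();
    if (text[i] !== '"') throw new SyntaxError(`expected '"' at ${i}`);
    i++;
    let val = '';
    while (i < text.length && text[i] !== '"') {
      if (text[i] === '\\') {
        i++;
        const c = text[i];
        val += c === 'n' ? '\n' : c === 'r' ? '\r' : c;
      } else {
        val += text[i];
      }
      i++;
    }
    i++; // closing quote
    skipWs();
    if (text[i] !== ';') throw new SyntaxError(`expected ';' at ${i}`);
    i++;
    out.push([name, val]);
  }
  return out;
}

// Constructed value a rogue server could place in the BOOTP file field:
// closes the string early and supplies a second directive.
const ATTACKER_FILE = 'boot.bin"; injected "/tmp/x';

function demo() {
  return {
    unsafe: parse(serializeUnsafe({ filename: ATTACKER_FILE })),
    safe: parse(serializeSafe({ filename: ATTACKER_FILE })),
  };
}

console.log(demo());
```

With the unsafe writer the parser returns two directives, `filename` and the attacker's `injected`; with the escaping writer it returns the single `filename` field with the original bytes intact. The general rule is that any value persisted into a config-like file and later re-read must be serialized with the grammar's own escaping, never by string interpolation.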

Statistics

  • 2 Posts

Last activity: 10 hours ago

Bluesky

CVE-2026-42511 Breakdown: RCE in FreeBSD
  • 0
  • 0
  • 1
  • 10h ago

Overview

  • isaacs
  • node-glob

17 Nov 2025
Published
19 Nov 2025
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.02%

KEV

Description

Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> is used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

Statistics

  • 1 Post

Last activity: 14 hours ago

Bluesky

🔍 Lambda Watchdog detected that CVE-2025-64756 is no longer present in latest AWS Lambda base image scans. https://github.com/aws/aws-lambda-base-images/issues/353 #AWS #Lambda #Security #CVE #DevOps #SecOps
  • 0
  • 0
  • 0
  • 14h ago

Overview

  • axios
  • axios

24 Apr 2026
Published
27 Apr 2026
Updated

CVSS v3.1
HIGH (7.2)
EPSS
0.04%

KEV

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vulnerability is due to an incomplete fix for CVE-2025-62718. This vulnerability is fixed in 1.15.1 and 0.31.1.

Statistics

  • 1 Post

Last activity: 14 hours ago

Bluesky

🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2026-42043 impacts axios in 3 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/492 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 0
  • 0
  • 14h ago

Overview

  • ci4-cms-erp
  • ci4ms

07 May 2026
Published
07 May 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
0.04%

KEV

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve full account takeover and privilege escalation via stored DOM XSS in the backup module's filename field, using an uploaded SQL file whose file name has been tampered with to contain a hidden XSS payload. This issue has been patched in version 0.31.5.0.

Statistics

  • 1 Post

Last activity: 16 hours ago

Fediverse


⚠️ CRITICAL XSS in ci4ms 0.31.4.0 (CVE-2026-41201): Stored DOM XSS via backup filename lets attackers fully take over accounts. Upgrade to 0.31.5.0 now! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 16h ago

Overview

  • argoproj
  • argo-cd

07 May 2026
Published
07 May 2026
Updated

CVSS v3.1
CRITICAL (9.6)
EPSS
Pending

KEV

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.

Statistics

  • 1 Post

Last activity: 2 hours ago

Fediverse


🚨 CRITICAL: CVE-2026-42880 in Argo CD (v3.2.0 – 3.2.10, 3.3.0 – 3.3.8) allows attackers with read-only access to extract plaintext Kubernetes Secrets via the ServerSideDiff endpoint. Patch to 3.2.11/3.3.9+ now! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 2h ago

Overview

  • Spring
  • Spring Cloud Config

07 May 2026
Published
07 May 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
0.11%

KEV

Description

Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

Statistics

  • 1 Post

Last activity: 22 hours ago

Fediverse


⚠️ CRITICAL: CVE-2026-40982 in Spring Cloud Config (3.1.0 – 5.0.0) enables path traversal — attackers can access arbitrary files via crafted URLs. Upgrade to a safe version ASAP: 3.1.14, 4.1.10, 4.2.7, 4.3.3, or 5.0.3. Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 22h ago
Showing 11 to 20 of 115 CVEs