
Overview

  • @fastify/accepts-serializer
  • @fastify/accepts-serializer

Published: 04 May 2026
Updated: 04 May 2026

CVSS v3.1: HIGH (7.5)
EPSS: Pending

KEV

Description

@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.js heap and crashing the process. Versions <= 6.0.3 are affected. Update to 6.0.4 or later, which bounds the cache via an LRU with a default size of 100 entries, configurable through the new cacheSize plugin option.

Statistics

  • 2 Posts

Last activity: 3 hours ago

Bluesky

🚨 High-severity security fix in @fastify/accepts-serializer@6.0.4 just released! Patches CVE-2026-7768 — vulnerable to Denial of Service via Unbounded Accept Header Cache Growth github.com/fastify/fast...

Overview

  • WebPros
  • Comet Backup

Published: 04 May 2026
Updated: 04 May 2026

CVSS v4.0: CRITICAL (9.9)
EPSS: 0.04%

KEV

Description

A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call.

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse


🚨 CVE-2026-29200: CRITICAL IDOR in WebPros Comet Backup (20.11.0 – 26.1.1, 26.2.1) lets tenant admins impersonate any end user on the server. No patch yet — restrict admin access and monitor for suspicious cross-tenant activity. radar.offseq.com/threat/cve-20


Overview

  • MindsDB

Published: 03 May 2026
Updated: 03 May 2026

CVSS v4.0: MEDIUM (5.3)
EPSS: 0.04%

KEV

Description

A security vulnerability has been detected in MindsDB up to 26.01. The affected function is pickle.loads in the Pickle Handler component. The manipulation leads to insecure deserialization. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistics

  • 1 Post

Last activity: 22 hours ago

Fediverse


⚠️ CVE-2026-7712: MEDIUM severity deserialization vuln in MindsDB ≤26.01 (pickle.loads). Public exploit available, remote attack possible. No vendor response yet. Check your exposure. radar.offseq.com/threat/cve-20


Overview

  • Totolink
  • WA300

Published: 04 May 2026
Updated: 04 May 2026

CVSS v4.0: CRITICAL (9.3)
EPSS: 0.08%

KEV

Description

A security flaw has been discovered in Totolink WA300 5.2cu.7112_B20190227. The affected element is the function loginauth in the file /cgi-bin/cstecgi.cgi of the POST Request Handler component. Manipulation of the http_host argument results in a buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.

Statistics

  • 1 Post

Last activity: 19 hours ago

Fediverse


Totolink WA300 (5.2cu.7112_B20190227) faces a CRITICAL buffer overflow (CVE-2026-7719) via http_host in /cgi-bin/cstecgi.cgi. Public exploit out, no patch yet. Limit exposure, monitor closely. radar.offseq.com/threat/cve-20


Overview

  • VEGA Grieshaber
  • VEGAPULS 6X Two-wire PROFINET, Modbus TCP, OPC UA (Ethernet-APL)

Published: 28 Apr 2026
Updated: 28 Apr 2026

CVSS v3.1: HIGH (7.5)
EPSS: 0.02%

KEV

Description

An unsecured configuration interface on affected devices allows unauthenticated remote attackers to access sensitive information, including hashed credentials and access codes.

Statistics

  • 3 Posts

Last activity: 13 hours ago

Fediverse


VDE-2026-046
VEGA: Unsecured Configuration Interface Allows Unauthorized Access Leading to Privilege Escalation

Vulnerable components expose sensitive information to unauthorized actors through an unsecured configuration interface. Vulnerable firmware releases contain an unsecured configuration interface that allows retrieval of sensitive information such as hashed credentials.
CVE-2026-3323

certvde.com/en/advisories/vde-

vega.csaf-tp.certvde.com/.well


Overview

  • GeoVision Inc.
  • GV-VMS V20.0.2

Published: 04 May 2026
Updated: 04 May 2026

CVSS v3.1: CRITICAL (9.0)
EPSS: 0.12%

KEV

Description

A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can send an unauthenticated HTTP request to trigger this vulnerability.

Statistics

  • 1 Post

Last activity: 21 hours ago

Fediverse


🚨 CRITICAL: CVE-2026-42370 affects GeoVision GV-VMS V20.0.2. Stack overflow in WebCam Server Login allows unauthenticated remote code execution via crafted HTTP requests. Patch urgently! radar.offseq.com/threat/cve-20


Overview

  • Totolink
  • N300RH

Published: 04 May 2026
Updated: 04 May 2026

CVSS v4.0: CRITICAL (9.3)
EPSS: 0.08%

KEV

Description

A security flaw has been discovered in Totolink N300RH 3.2.4-B20220812. Affected by this vulnerability is the function loginauth in the file /cgi-bin/cstecgi.cgi of the Parameter Handler component. Manipulation of the Password argument results in a buffer overflow. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.

Statistics

  • 1 Post

Last activity: 13 hours ago

Fediverse


🔴 CRITICAL: CVE-2026-7747 in Totolink N300RH (v3.2.4-B20220812) — remote, unauthenticated buffer overflow via /cgi-bin/cstecgi.cgi Password param. Exploit is public; no patch yet. Restrict mgmt access! radar.offseq.com/threat/cve-20


Overview

  • Microsoft
  • Microsoft 365 Copilot

Published: 19 Mar 2026
Updated: 14 Apr 2026

CVSS v3.1: MEDIUM (5.3)
EPSS: 0.04%

KEV

Description

Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Statistics

  • 1 Post

Last activity: 7 hours ago

Fediverse


Copirate 365 at DEF CON: Plundering in the Depths of Microsoft Copilot (CVE-2026-24299) embracethered.com/blog/posts/2


Overview

  • Synway Information Engineering Co., Ltd.
  • Synway SMG Gateway Management Software

Published: 30 Apr 2026
Updated: 30 Apr 2026

CVSS v4.0: CRITICAL (9.3)
EPSS: 0.49%

KEV

Description

Synway SMG Gateway Management Software contains an OS command injection vulnerability in the RADIUS configuration endpoint at /en/9-2radius.php where the radius_address POST parameter is split and interpolated directly into a sed command without sanitization. An unauthenticated remote attacker can inject arbitrary shell commands by submitting a POST request with crafted radius_address, radius_address2, shared_secret2, source_ip, timeout, or retry parameters along with save=1 and enable_radius=1 to achieve remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-11 (UTC).

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

⚠️CVE-2025-71284 Synway SMG RCE via en/9-2radius.php(CVSS 9.8). Sed injection via radius_address+POST params enables unauth RCE. No patch. Query: (web.title="IPPBX" or web.html~"synwayjs") OR (web.html~"text ml10 mr20" and (web.title="网关管理软件" or web.title~"Gateway Management")) and tag!="Honeypot"

Overview

  • OpenSSL
  • OpenSSL

Published: 07 Apr 2026
Updated: 13 Apr 2026

CVSS: Pending
EPSS: 0.03%

KEV

Description

Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms.

Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior.

If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow.

Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Statistics

  • 1 Post

Last activity: 8 hours ago

Fediverse


After AIxCC wrapped in 2025, @DARPA worked with Xint and the other top performers to ensure the innovation continued even after the contest was done to secure the internet's open source infrastructure. Here is the story of CVE-2026-31789
xint.io/blog/170315
