
Overview

  • SmarterTools
  • SmarterMail

29 Dec 2025
Published
27 Jan 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
77.81%

Description

Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: Last hour

Bluesky

NEW OUTBREAK ALERT! An actively targeted vulnerability has been identified in SmarterTools SmarterMail, tracked as CVE-2025-52691. Learn more about this outbreak, including top targeted countries and industries, and recommended mitigation actions for affected users at: kootek.co.uk/outbreak-ale...
  • 0
  • 1
  • 0
  • Last hour

Overview

  • notepad-plus-plus
  • notepad-plus-plus

03 Feb 2026
Published
03 Feb 2026
Updated

CVSS v4.0
HIGH (7.7)
EPSS
0.03%

KEV

Description

Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.

Statistics

  • 1 Post

Last activity: 6 hours ago

Bluesky

Supply Chain Attack: how Notepad++ was compromised via CVE-2025-15556 📌 Link to the article: www.redhotcyber.com/post/sup... #redhotcyber #news #sicurezzainformatica #cybersecurity #hacking #malware #supplychainattack #notepadplusplus
  • 0
  • 0
  • 0
  • 6h ago

Overview

  • Rapid7
  • Vulnerability Management

03 Feb 2026
Published
04 Feb 2026
Updated

CVSS v3.1
CRITICAL (9.6)
EPSS
Pending

KEV

Description

Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to InsightVM accounts set up via "Security Console" installations, resulting in full account takeover. The issue occurs because the application processes unsigned assertions and issues session cookies that grant access to the targeted user accounts. This has been fixed in version 8.34.0 of InsightVM.

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

🚨 Critical Rapid7 InsightVM vulnerability disclosed. CVE-2026-1568 allows attackers to bypass signature verification on the ACS endpoint, potentially enabling account takeover in affected setups. 🔗 basefortify.eu/cve_reports/... #cybersecurity #infosec #vulnerability #CVE #Rapid7 #InsightVM
  • 0
  • 0
  • 0
  • 4h ago

Overview

  • risesoft-y9
  • Digital-Infrastructure

17 Jan 2026
Published
20 Jan 2026
Updated

CVSS v4.0
MEDIUM (6.9)
EPSS
0.04%

KEV

Description

A flaw has been found in risesoft-y9 Digital-Infrastructure up to 9.6.7. This affects an unknown function of the file source-code/src/main/java/net/risesoft/util/Y9PlatformUtil.java of the component REST Authenticate Endpoint. Executing a manipulation can lead to SQL injection. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Statistics

  • 1 Post

Last activity: 12 hours ago

Fediverse


Our autonomous verification engine detected and validated a SQL Injection (CVE-2026-1050) in Digital-Infrastructure in versions <= 9.6.7.

Key Findings:
Vulnerability: SQL Injection (SQLi).
Endpoint: /server-platform/services/rest/auth/authenticate3
Root Cause: Lack of prepared statements in Y9PlatformUtil.
Impact: Attackers can manipulate database queries to access unauthorized tenant data or compromise the server.

The vulnerability was confirmed with Zero False Positives using an executable Proof of Concept (PoC). We recommend immediate remediation by implementing parameterized queries.

Vulnerability details: github.com/risesoft-y9/Digital

  • 0
  • 0
  • 0
  • 12h ago

Overview

  • VibeThemes
  • WPLMS Learning Management System for WordPress, WordPress LMS

09 Nov 2024
Published
12 Nov 2024
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
49.00%

KEV

Description

The WPLMS Learning Management System for WordPress, WordPress LMS theme for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation and permissions checks in the readfile and unlink functions in all versions up to, and including, 4.962. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The theme is vulnerable even when it is not activated.

Statistics

  • 1 Post

Last activity: 23 hours ago

Bluesky

Security Analysts Warn of Shadow Directory Techniques Targeting WordPress #CVE202410470 #malwareinjection #SearchEngineCloaking
  • 0
  • 0
  • 0
  • 23h ago

Overview

  • Microsoft
  • Windows 10 Version 1809

11 Jul 2023
Published
21 Oct 2025
Updated

CVSS v3.1
HIGH (7.5)
EPSS
93.22%

Description

Windows Search Remote Code Execution Vulnerability

Statistics

  • 1 Post

Last activity: 1 hour ago

Bluesky

The Silent Heist: How Russian Hackers Weaponized Microsoft Office to Steal Ukraine War Secrets Without a Click + Video Introduction: A sophisticated Russian threat actor is exploiting a critical Microsoft Office vulnerability (CVE-2023-36884) to execute remote code execution (RCE) attacks. By…
  • 0
  • 0
  • 0
  • 1h ago

Overview

  • GNU
  • Inetutils

21 Jan 2026
Published
29 Jan 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
29.55%

Description

telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.

Statistics

  • 1 Post

Last activity: 2 hours ago

Bluesky

The Telnet Time Bomb: How a Single Command (CVE-2026-24061) Grants Root Access and How to Defuse It + Video Introduction: A recently disclosed critical vulnerability, CVE-2026-24061, has exposed the profound dangers of legacy protocols in modern networks. This flaw in GNU telnetd, a service that…
  • 0
  • 0
  • 0
  • 2h ago

Overview

  • QOS.CH Sarl
  • Logback-core

22 Jan 2026
Published
22 Jan 2026
Updated

CVSS v4.0
LOW (1.8)
EPSS
0.01%

KEV

Description

ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.

Statistics

  • 1 Post

Last activity: 20 hours ago

Bluesky

🚨 Attention System Admins & #DevOps Professionals! 🚨 A new security update is critical for your #openSUSE Leap 15.6 servers. The logback library vulnerability (CVE-2026-1225) poses a moderate ACE (Arbitrary Code Execution) risk. Read more: 👉 tinyurl.com/yfwcbrsj #SUSE
  • 0
  • 0
  • 0
  • 20h ago

Overview

  • pypa
  • wheel

22 Jan 2026
Published
27 Jan 2026
Updated

CVSS v3.1
HIGH (7.1)
EPSS
0.02%

KEV

Description

wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.

Statistics

  • 1 Post

Last activity: 18 hours ago

Bluesky

Just published a detailed analysis on the critical #openSUSE Leap 16.0 patch for CVE-2026-24049. This isn't just another bug fix. Read more: 👉 tinyurl.com/4b5ebsx6 #Security
  • 0
  • 0
  • 0
  • 18h ago

Overview

  • GitLab
  • GitLab

13 Dec 2021
Published
03 Feb 2026
Updated

CVSS v3.1
MEDIUM (6.8)
EPSS
28.25%

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API.

Statistics

  • 2 Posts
  • 3 Interactions

Last activity: 17 hours ago

Fediverse


‼️ CISA has added 4 vulnerabilities to the KEV Catalog

darkwebinformer.com/cisa-kev-c

CVE-2025-40551: SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability

CVE-2019-19006: Sangoma FreePBX Improper Authentication Vulnerability

CVE-2025-64328: Sangoma FreePBX OS Command Injection Vulnerability

CVE-2021-39935: GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability

  • 1
  • 2
  • 0
  • 17h ago

Bluesky

~Cisa~ CISA added four actively exploited vulnerabilities affecting Sangoma, GitLab, and SolarWinds to its KEV catalog. - IOCs: CVE-2025-40551, CVE-2021-39935, CVE-2025-64328 - #CISA #KEV #ThreatIntel #Vulnerability
  • 0
  • 0
  • 0
  • 17h ago
Showing 11 to 20 of 26 CVEs