Overview

  • home-assistant
  • Home Assistant Operating System

27 Mar 2026
Published
27 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.7)
EPSS
Pending

KEV

Description

Home Assistant is open source home automation software that puts local control and privacy first. Home Assistant apps (formerly add-ons) configured with host network mode expose to the local network unauthenticated endpoints that were meant to be bound only to the internal Docker bridge interface. On Linux, this configuration does not restrict access to the app as intended, allowing any device on the same network to reach these endpoints without authentication. Home Assistant Supervisor 2026.03.02 addresses the issue.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: Last hour

Fediverse

🚨 CVE-2026-34205 (CRITICAL): Home Assistant OS ≤17.1 apps in host network mode expose unauthenticated endpoints to local networks. Upgrade to Supervisor 2026.03.02, segment networks, and review configs now! radar.offseq.com/threat/cve-20

  • 1
  • 0
  • 0
  • Last hour

Overview

  • Microsoft
  • Windows 10 Version 21H2

13 Jan 2026
Published
26 Feb 2026
Updated

CVSS v3.1
HIGH (7.8)
EPSS
0.02%

KEV

Description

Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 18 hours ago

Bluesky

SYSTEM Takeover: New Windows Error Reporting Flaw (CVE-2026-20817) Demands Immediate Action + Video Introduction: The Windows Error Reporting (WER) service, a critical component designed to capture crash dumps and telemetry, has become the latest attack vector for privilege escalation. Security…
  • 0
  • 1
  • 0
  • 18h ago
CVE-2026-20817: Windows Error Reporting Goes Nuclear – How a Single Flaw Forced Microsoft to Nuke Its Own Feature + Video Introduction: A recently patched Elevation of Privilege (EoP) vulnerability in the Windows Error Reporting (WER) service, tracked as CVE-2026-20817, has exposed a critical flaw…
  • 0
  • 0
  • 0
  • 19h ago

Overview

  • handlebars-lang
  • handlebars.js

27 Mar 2026
Published
27 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
Pending

KEV

Description

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to `compile()` can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. Validate input type before calling `Handlebars.compile()`; ensure the argument is always a `string`, never a plain object or JSON-deserialized value. Use the Handlebars runtime-only build (`handlebars/runtime`) on the server if templates are pre-compiled at build time; `compile()` will be unavailable.

Statistics

  • 1 Post

Last activity: 4 hours ago

Fediverse

⚠️ CRITICAL: handlebars.js v4.0.0 – 4.7.8 vulnerable (CVE-2026-33937). Type confusion in compile() lets attackers inject JS & gain RCE via crafted AST. Upgrade to 4.7.9+, validate inputs, use runtime-only build if possible. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 4h ago

Overview

  • Progress Software
  • Flowmon ADS

12 Mar 2026
Published
13 Mar 2026
Updated

CVSS v4.0
HIGH (8.6)
EPSS
0.04%

KEV

Description

In Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, a vulnerability exists whereby an adversary with access to Flowmon monitoring ports may craft malicious network data that, when processed by Flowmon ADS and viewed by an authenticated user, could result in unintended actions being executed in the user's browser context.

Statistics

  • 1 Post

Last activity: 17 hours ago

Bluesky

CVE-2026-2514 - Possibility of unintended actions when viewing maliciously crafted network data in Progress Flowmon ADS web application scq.ms/4sGkWge
  • 0
  • 0
  • 0
  • 17h ago

Overview

  • langflow-ai
  • langflow

27 Mar 2026
Published
27 Mar 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
Pending

KEV

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.0, the Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component code, the implementation reaches dynamic execution sinks and instantiates the generated class server-side. In deployments where an attacker can access the Agentic Assistant feature and influence the model output, this can result in arbitrary server-side Python execution. Version 1.9.0 fixes the issue.

Statistics

  • 1 Post

Last activity: 2 hours ago

Fediverse

⚠️ CRITICAL vuln in langflow-ai langflow < 1.9.0 (CVE-2026-33873): Agentic Assistant allows remote code injection via LLM-generated Python. Patch to 1.9.0+ or restrict feature access immediately. Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 2h ago

Overview

  • Spring
  • Spring AI

27 Mar 2026
Published
27 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.07%

KEV

Description

In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression key are affected. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.

Statistics

  • 1 Post

Last activity: 21 hours ago

Fediverse

🚨 CRITICAL: CVE-2026-22738 in Spring AI SimpleVectorStore allows unauth RCE via SpEL injection (1.0.0 – 1.0.4, 1.1.0 – 1.1.3). Patch to 1.0.5/1.1.4 when released. Validate input now! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 21h ago

Overview

  • siyuan-note
  • siyuan

26 Mar 2026
Published
27 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.04%

KEV

Description

SiYuan is a personal knowledge management system. Prior to version 3.6.2, document IDs could be retrieved via the /api/file/readDir interface, and the /api/block/getChildBlocks interface could then be used to read the content of all documents. Version 3.6.2 patches the issue.

Statistics

  • 1 Post

Last activity: 20 hours ago

Fediverse

🚨 CVE-2026-33669: SiYuan (<3.6.2) has a CRITICAL out-of-bounds read flaw (CVSS 9.8). No auth/user interaction needed — remote attackers can leak sensitive memory. Upgrade to 3.6.2 ASAP! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 20h ago

Overview

  • streetwriters
  • Notesnook Web/Desktop

27 Mar 2026
Published
27 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.7)
EPSS
Pending

KEV

Description

Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the source page's root element and stores them inside web-clip HTML. When the clip is later opened, Notesnook renders that HTML into a same-origin, unsandboxed iframe using `contentDocument.write(...)`. Event-handler attributes such as `onload`, `onclick`, or `onmouseover` execute in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Versions 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS patch the issue.

Statistics

  • 1 Post

Last activity: 5 hours ago

Fediverse

🚨CRITICAL: CVE-2026-33976 in Notesnook Web/Desktop <3.3.11 — stored XSS in Web Clipper leads to RCE via Electron misconfig. Patch ASAP & review Electron security settings. More: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 5h ago

Overview

  • strongSwan
  • strongSwan

23 Mar 2026
Published
27 Mar 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.12%

KEV

Description

strongSwan versions 4.5.0 prior to 6.0.5 contain an integer underflow vulnerability in the EAP-TTLS AVP parser that allows unauthenticated remote attackers to cause a denial of service by sending crafted AVP data with invalid length fields during IKEv2 authentication. Attackers can exploit the failure to validate AVP length fields before subtraction to trigger excessive memory allocation or NULL pointer dereference, crashing the charon IKE daemon.

Statistics

  • 1 Post

Last activity: 16 hours ago

Bluesky

We successfully exploited CVE-2026-25075, a denial of service affecting strongSwan VPN servers! Be sure to patch ASAP and check out our blog for a technical analysis: bishopfox.com/blog/strongs...
  • 0
  • 0
  • 0
  • 16h ago

Overview

  • The GNU C Library
  • glibc

20 Mar 2026
Published
23 Mar 2026
Updated

CVSS
Pending
EPSS
0.05%

KEV

Description

In the GNU C Library versions 2.34 through 2.43, calling gethostbyaddr or gethostbyaddr_r with an nsswitch.conf that selects the library's DNS backend could, given a crafted response from the configured DNS server, cause the application to treat a non-answer section of the DNS response as a valid answer, in violation of the DNS specification.

Statistics

  • 1 Post

Last activity: 20 hours ago

Bluesky

glibc: 2.42-51 -> 2.42-58, fix CVE-2026-4437 https://github.com/NixOS/nixpkgs/pull/503779 #security
  • 0
  • 0
  • 0
  • 20h ago