24h | 7d | 30d

CVE-2026-33105

Overview

  • Microsoft
  • Azure Kubernetes Service
02 Apr 2026
Published
04 Apr 2026
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
0.05%
KEV

Description

Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network.

Statistics

  • 1 Post
Last activity: 16 hours ago

Fediverse

Profile picture fallback
Vito Botta @vitobotta

CVE-2026-33105 hits Azure Kubernetes Service with CVSS 10.0. Unauthenticated remote privilege escalation - Microsoft patched it but check your AKS clusters. Critical severity, no user interaction required.

  • 0
  • 0
  • 0
  • 16h ago

CVE-2026-34953

Overview

  • MervinPraison
  • PraisonAI
03 Apr 2026
Published
03 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
Pending
KEV

Description

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, granting full access to all registered tools and agent capabilities. This issue has been patched in version 4.5.97.

Statistics

  • 1 Post
Last activity: 5 hours ago

Fediverse

Profile picture fallback
Offensive Sequence @offseq

⚠️ CRITICAL vuln in PraisonAI (<4.5.97): CVE-2026-34953 allows any bearer token to bypass auth & gain full access to all agent capabilities. Patch to 4.5.97+ now! No exploits yet. Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 5h ago

CVE-2026-34838

Overview

  • Intermesh
  • groupoffice
02 Apr 2026
Published
03 Apr 2026
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
0.45%
KEV

Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12.

Statistics

  • 1 Post
Last activity: 20 hours ago

Fediverse

Profile picture fallback
Offensive Sequence @offseq

🚨 CVE-2026-34838 (CRITICAL, CVSS 10): Group-Office <6.8.156, <25.0.90, <26.0.12 vulnerable to insecure deserialization (CWE-502). Authenticated attackers can achieve RCE by injecting malicious serialized objects. Patch now! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 20h ago

CVE-2026-5463

Overview

  • Dan McInerney
  • pymetasploit3
  • pymetasploit3
03 Apr 2026
Published
03 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
0.85%
KEV

Description

Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions.

Statistics

  • 1 Post
Last activity: 23 hours ago

Fediverse

Profile picture fallback
Offensive Sequence @offseq

⚠️ CRITICAL vuln: pymetasploit3 ≤1.0.6 (CVE-2026-5463) lets attackers inject commands via newline chars in console.run_module_with_output(), risking full session compromise. Avoid untrusted input, watch for patches. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 23h ago

CVE-2025-25231

Overview

  • Omnissa
  • Omnissa Workspace ONE UEM
11 Aug 2025
Published
11 Aug 2025
Updated
CVSS v3.1
HIGH (7.5)
EPSS
3.95%
KEV

Description

Omnissa Workspace ONE UEM contains a Secondary Context Path Traversal Vulnerability. A malicious actor may be able to gain access to sensitive information by sending crafted GET requests (read-only) to restricted API endpoints.

Statistics

  • 1 Post
Last activity: 23 hours ago

Bluesky

Profile picture fallback
今日視界 @g0rosato.bsky.social
Omnissa Workspace ONE UEM存在敏感信息洩漏漏洞(CVE-2025-25231) 附POC
  • 0
  • 0
  • 0
  • 23h ago

CVE-2026-34745

Overview

  • ShaneIsrael
  • fireshare
02 Apr 2026
Published
02 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
0.09%
KEV

Description

Fireshare facilitates self-hosted media and link sharing. Prior to version 1.5.3, the fix for CVE-2026-33645 was applied to the authenticated /api/uploadChunked endpoint but was not applied to the unauthenticated /api/uploadChunked/public endpoint in the same file (app/server/fireshare/api.py). An unauthenticated attacker can exploit the checkSum parameter to write arbitrary files with attacker-controlled content to any writable path on the server filesystem. This issue has been patched in version 1.5.3.

Statistics

  • 1 Post
Last activity: 19 hours ago

Fediverse

Profile picture fallback
Offensive Sequence @offseq

🚨 CRITICAL: CVE-2026-34745 in ShaneIsrael fireshare (<1.5.3) enables unauth’d file writes to any server path via /api/uploadChunked/public. Upgrade to 1.5.3 ASAP or restrict access. Full details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 19h ago

CVE-2026-21536

Overview

  • Microsoft
  • Microsoft Devices Pricing Program
05 Mar 2026
Published
27 Mar 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
0.40%
KEV

Description

Microsoft Devices Pricing Program Remote Code Execution Vulnerability

Statistics

  • 1 Post
Last activity: 12 hours ago

Fediverse

Profile picture fallback
Vito Botta @vitobotta

XBOW autonomous AI found 3 critical RCEs in Microsoft Cloud - first time AI discovered production vulnerabilities without source code access. CVE-2026-21536 was flagged as one of March Patch Tuesday's most severe issues. The arms race between researchers and hackers has shifted.

  • 0
  • 0
  • 0
  • 12h ago

CVE-2026-4747

Overview

  • FreeBSD
  • FreeBSD
26 Mar 2026
Published
02 Apr 2026
Updated
CVSS
Pending
EPSS
0.18%
KEV

Description

Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first. As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel. In userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system.

Statistics

  • 1 Post
Last activity: 19 hours ago

Bluesky

Profile picture fallback
CrowdCyber @crowdcyber.bsky.social
MAD Bugs: Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell (CVE-2026-4747)
  • 0
  • 0
  • 0
  • 19h ago

CVE-2026-34938

Overview

  • MervinPraison
  • PraisonAI
03 Apr 2026
Published
03 Apr 2026
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
Pending
KEV

Description

PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a str subclass with an overridden startswith() method to the _safe_getattr wrapper, achieving arbitrary OS command execution on the host. This issue has been patched in version 1.5.90.

Statistics

  • 1 Post
Last activity: 1 hour ago

Fediverse

Profile picture fallback
Offensive Sequence @offseq

🚨 CRITICAL: CVE-2026-34938 in PraisonAI <1.5.90 lets attackers bypass sandbox protections and achieve arbitrary OS command execution. Immediate upgrade to v1.5.90+ required. Full system compromise possible. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 1h ago

CVE-2026-34952

Overview

  • MervinPraison
  • PraisonAI
03 Apr 2026
Published
03 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
Pending
KEV

Description

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and their tool sets. This issue has been patched in version 4.5.97.

Statistics

  • 1 Post
Last activity: 2 hours ago

Fediverse

Profile picture fallback
Offensive Sequence @offseq

🚨 CVE-2026-34952 (CRITICAL): PraisonAI < 4.5.97 lets unauthenticated users access /ws & /info — enumerate agents & send arbitrary messages. High confidentiality & integrity risk. Patch to 4.5.97+ now! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 2h ago
Showing 11 to 20 of 39 CVEs