24h | 7d | 30d

CVE-2026-5757

Overview

  • Pending
Pending
Published
Pending
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 20 hours ago

Fediverse

Profile picture fallback
AI Sight @aisight

Krytyczna podatność bezpieczeństwa CVE-2026-5757 w Ollamie pozwala na wykradanie danych z serwerów za pomocą specjalnie spreparowanych plików GGUF. Luka ta wykorzystuje brak walidacji metadanych w mechanizmie kwantyzacji, co może prowadzić do nieautoryzowanego dostępu do wrażliwych informacji.

#si #ai #sztucznainteligencja #wiadomości #informacje #technologia

aisight.pl/cyberbezpieczenstwo

  • 1
  • 0
  • 0
  • 20h ago

CVE-2026-42208

Overview

  • BerriAI
  • litellm
08 May 2026
Published
08 May 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
Pending
KEV

Description

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 6 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

🚨 CRITICAL: CVE-2026-42208 in BerriAI LiteLLM (v1.81.16 – 1.83.6) enables unauthenticated SQL injection via API key processing. Patch to v1.83.7 immediately to protect credentials and data. Details: radar.offseq.com/threat/cve-20

  • 1
  • 0
  • 0
  • 6h ago

CVE-2026-42826

Overview

  • Microsoft
  • Azure DevOps
07 May 2026
Published
07 May 2026
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
Pending
KEV

Description

Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 7 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

🚨 CVE-2026-42826 (CRITICAL, CVSS 10.0) in Azure DevOps exposes sensitive data to unauthorized actors remotely. Microsoft has released a fix — ensure your environment is fully updated. More info: radar.offseq.com/threat/cve-20

  • 0
  • 1
  • 0
  • 7h ago

CVE-2026-34197

Overview

  • Apache Software Foundation
  • Apache ActiveMQ Broker
  • org.apache.activemq:activemq-broker
07 Apr 2026
Published
17 Apr 2026
Updated
CVSS
Pending
EPSS
66.67%
KEV

Description

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 13 hours ago

Fediverse

Profile picture fallback
mc.fly @mcfly

I need things like github.com/V4bel/dirtyfrag/blo

Also horizon3.ai/attack-research/di

  • 0
  • 1
  • 0
  • 13h ago

CVE-2026-6692

Overview

  • Revolution Slider
  • Slider Revolution
07 May 2026
Published
07 May 2026
Updated
CVSS v3.1
HIGH (8.8)
EPSS
0.10%
KEV

Description

The Slider Revolution plugin for WordPress is vulnerable to Arbitrary File Upload in versions 7.0.0 to 7.0.10 via the '_get_media_url' and '_check_file_path' function. This is due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload files that may be executable, which makes remote code execution possible. The vulnerability was partially patched in version 7.0.10 and fully patched in version 7.0.11.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 23 hours ago

Bluesky

Profile picture fallback
IT-Connect @it-connect.bsky.social
⚠️ WordPress : le plugin Slider Revolution doit être mis à jour (CVE-2026-6692) Plus d'infos par ici : - www.it-connect.fr/wordpress-le... #wordpress #infosec #web
  • 0
  • 1
  • 0
  • 23h ago

CVE-2026-44331

Overview

  • ProFTPD
  • ProFTPD
05 May 2026
Published
06 May 2026
Updated
CVSS v3.1
HIGH (8.1)
EPSS
0.03%
KEV

Description

In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.

Statistics

  • 2 Posts
Last activity: 19 hours ago

Bluesky

Profile picture fallback
nixpkgs security changes @nixpkgssecuritychanges.gerbet.me
proftpd: patch CVE-2026-44331 https://github.com/NixOS/nixpkgs/pull/517211 https://tracker.security.nixos.org/issues/NIXPKGS-2026-1407 #security
  • 0
  • 0
  • 0
  • 20h ago
Profile picture fallback
nixpkgs security changes @nixpkgssecuritychanges.gerbet.me
[Backport release-25.11] proftpd: patch CVE-2026-44331 https://github.com/NixOS/nixpkgs/pull/517683 #security
  • 0
  • 0
  • 0
  • 19h ago

CVE-2026-3854

Overview

  • GitHub
  • Enterprise Server
10 Mar 2026
Published
29 Apr 2026
Updated
CVSS v4.0
HIGH (8.7)
EPSS
0.30%
KEV

Description

An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 and 3.19.4.

Statistics

  • 1 Post
Last activity: 20 hours ago

Fediverse

Profile picture fallback
Mark Gardner @mjg

@DrHyde To put a fine point on it: GitHub's status page showed nothing alarming on April 23—no major outage, no partial outage—because its calculus excludes "Degraded Performance" from downtime numbers. The platform never went down; it was just silently producing wrong merge results, corrupting repository history across 230 organizations and about 3,000 pull requests. That's not a blip. That's a data integrity failure.

Here's GitHub's own heavily-spun blog post on the matter (which also covers another incident on April 27).

Bonus: Five days after the merge queue incident, GitHub disclosed CVE-2026-3854, a critical remote code execution vulnerability where a crafted git push could execute code on GitHub's servers. Patched on github.com in 75 minutes, but 88% of GitHub Enterprise Server instances were still exposed when the disclosure went public.

One bad week doesn't explain a year of red squares, but it does crystallize the pattern.

/cc @choroba

  • 0
  • 0
  • 0
  • 20h ago

CVE-2026-23918

Overview

  • Apache Software Foundation
  • Apache HTTP Server
04 May 2026
Published
05 May 2026
Updated
CVSS
Pending
EPSS
0.06%
KEV

Description

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Statistics

  • 1 Post
Last activity: 22 hours ago

Bluesky

Profile picture fallback
Commonwealth Sentinel Cyber Security @cwealthsentinel.bsky.social
Apache fixes critical HTTP/2 double-free flaw CVE-2026-23918 enabling RCE
  • 0
  • 0
  • 0
  • 22h ago

CVE-2025-64669

Overview

  • Microsoft
  • Windows Admin Center
11 Dec 2025
Published
16 Apr 2026
Updated
CVSS v3.1
HIGH (7.8)
EPSS
0.10%
KEV

Description

Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges locally.

Statistics

  • 1 Post
Last activity: 11 hours ago

Bluesky

Profile picture fallback
r/redteamsec bot @r-redteamsec.bsky.social
CVE-2025-64669: Uncovering Local Privilege Escalation Vulnerability in Windows Admin Center
  • 0
  • 0
  • 0
  • 11h ago

CVE-2026-42037

Overview

  • axios
  • axios
24 Apr 2026
Published
27 Apr 2026
Updated
CVSS v3.1
MEDIUM (5.3)
EPSS
0.06%
KEV

Description

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker who controls the .type property of a Blob/File-like object (e.g., via a user-uploaded file in a Node.js proxy service) can inject arbitrary MIME part headers into the multipart form-data body. This bypasses Node.js v18+ built-in header protections because the injection targets the multipart body structure, not HTTP request headers. This vulnerability is fixed in 1.15.1.

Statistics

  • 1 Post
Last activity: 22 hours ago

Bluesky

Profile picture fallback
Lambda Watchdog @lambdawatchdog.bsky.social
🚨 New MEDIUM CVE detected in AWS Lambda 🚨 CVE-2026-42037 impacts axios in 3 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/495 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 0
  • 0
  • 22h ago
Showing 11 to 20 of 109 CVEs