24h | 7d | 30d

Overview

  • Apache Software Foundation
  • Apache Storm Client
  • org.apache.storm:storm-client

13 Apr 2026
Published
13 Apr 2026
Updated

CVSS
Pending
EPSS
0.30%

KEV

Description

Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs. Mitigation: 2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6. Credit: This issue was discovered by K.

Statistics

  • 1 Post

Last activity: 3 hours ago

Fediverse

Profile picture fallback

🔒 CRITICAL: CVE-2026-35337 in Apache Storm Client (<2.8.6) allows authenticated users to achieve RCE via unsafe deserialization in Nimbus/Worker JVMs. Upgrade to 2.8.6 or restrict deserialization classes now! Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 3h ago

Overview

  • Pending

09 Apr 2026
Published
09 Apr 2026
Updated

CVSS
Pending
EPSS
0.02%

KEV

Description

The pstrip64.sys driver in EnTech Taiwan PowerStrip <=3.90.736 allows local users to escalate privileges to SYSTEM via a crafted IOCTL request enabling unprivileged users to map arbitrary physical memory into their address space and modify critical kernel structures.

Statistics

  • 1 Post

Last activity: 5 hours ago

Bluesky

Profile picture fallback
CVE-2026-29923 - Local Privilege Escalation Attack via pstrip64.sys
  • 0
  • 0
  • 0
  • 5h ago

Overview

  • Pending

26 Sep 2025
Published
29 Sep 2025
Updated

CVSS
Pending
EPSS
0.18%

KEV

Description

Squid through 7.1 mishandles ASN.1 encoding of long SNMP OIDs. This occurs in asn_build_objid in lib/snmplib/asn1.c.

Statistics

  • 1 Post

Last activity: 21 hours ago

Bluesky

Profile picture fallback
Stop chasing vulnerability dates. Here’s your evergreen script to fix Squid proxy (CVE-2025-59362 & friends) on Ubuntu, Rocky, SUSE – with iptables workaround if you can’t update. Read more: 👉 tinyurl.com/9r3pfc76 #Mageia
  • 0
  • 0
  • 0
  • 21h ago

Overview

  • Totolink
  • A7100RU

13 Apr 2026
Published
13 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.89%

KEV

Description

A vulnerability was found in Totolink A7100RU 7.4cu.2313_b20191024. This impacts the function UploadFirmwareFile of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument FileName results in os command injection. The attack may be initiated remotely. The exploit has been made public and could be used.

Statistics

  • 1 Post

Last activity: 12 hours ago

Fediverse

Profile picture fallback

🚨 CRITICAL: Totolink A7100RU 7.4cu.2313_b20191024 exposed to OS command injection via UploadFirmwareFile in /cgi-bin/cstecgi.cgi. Public exploit available — restrict access & monitor now. CVE-2026-6140 radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 12h ago

Overview

  • Apache Software Foundation
  • Apache Traffic Server

02 Apr 2026
Published
02 Apr 2026
Updated

CVSS
Pending
EPSS
0.22%

KEV

Description

Apache Traffic Server allows request smuggling if chunked messages are malformed.  This issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1. Users are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue.

Statistics

  • 1 Post

Last activity: 16 hours ago

Bluesky

Profile picture fallback
Apache Traffic Server request smuggling (CVE-2025-65114) is fixed in 10.1.2. But the real problem is HTTP chunked parsing—and that will break again. Read more: 👉 tinyurl.com/ycmfz9pb #Security #Fedora
  • 0
  • 0
  • 0
  • 16h ago

Overview

  • Rapid7
  • Insight Agent

08 Apr 2026
Published
13 Apr 2026
Updated

CVSS v3.1
MEDIUM (6.6)
EPSS
0.23%

KEV

Description

An eval() injection vulnerability in the Rapid7 Insight Agent beaconing logic for Linux versions could theoretically allow an attacker to achieve remote code execution as root via a crafted beacon response. Because the Agent uses mutual TLS (mTLS) to verify commands from the Rapid7 Platform, it is unlikely that the eval() function could be exploited remotely without prior, highly privileged access to the backend platform.

Statistics

  • 2 Posts

Last activity: 1 hour ago

Fediverse

Profile picture fallback

So it's not something random attackers can exploit, but if someone compromises the backend, they could own every Linux system running the agent. It's a high-impact scenario that shows how security tools themselves can become attack vectors.

sentinelone.com/vulnerability-

2/2

  • 0
  • 0
  • 0
  • 1h ago
Profile picture fallback

Interesting vulnerability in Rapid7's Insight Agent for Linux. CVE-2026-4837 is an eval() injection that could theoretically allow remote code execution as root. The catch? An attacker would need highly privileged access to the Rapid7 backend platform to craft a malicious beacon response.

1/2

  • 0
  • 0
  • 0
  • 1h ago

Overview

  • Apache Software Foundation
  • Apache ActiveMQ Broker
  • org.apache.activemq:activemq-broker

07 Apr 2026
Published
08 Apr 2026
Updated

CVSS
Pending
EPSS
6.22%

KEV

Description

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue

Statistics

  • 1 Post

Last activity: 20 hours ago

Bluesky

Profile picture fallback
與Claude共度的 10 分鐘:CVE-2026-34197 的遠程代碼執行
  • 0
  • 0
  • 0
  • 20h ago

Overview

  • Apache Software Foundation
  • Apache Tomcat

09 Apr 2026
Published
10 Apr 2026
Updated

CVSS
Pending
EPSS
0.03%

KEV

Description

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.

Statistics

  • 1 Post

Last activity: 20 hours ago

Bluesky

Profile picture fallback
Tomcat request smuggling (CVE-2026-24880) isn't going away. Check if you're vulnerable on Ubuntu, Rocky, or SUSE: dpkg -l | grep tomcat9 rpm -qa | grep tomcat zypper info tomcat Then run the fix script → Read more: 👉 tinyurl.com/43ud2kjt #Mageia
  • 0
  • 0
  • 0
  • 20h ago

Overview

  • Dolibarr
  • Dolibarr ERP/CRM

07 Apr 2026
Published
07 Apr 2026
Updated

CVSS v4.0
HIGH (8.6)
EPSS
0.15%

KEV

Description

Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject malicious payloads through computed extrafields or other evaluation paths using PHP dynamic callable syntax to bypass validation and achieve arbitrary command execution via eval().

Statistics

  • 1 Post

Last activity: Last hour

Bluesky

Profile picture fallback
CVE-2026-22666: Dolibarr 23.0.0 dol_eval() whitelist bypass -> RCE (full write-up + PoC)
  • 0
  • 0
  • 0
  • Last hour

Overview

  • Totolink
  • A7100RU

13 Apr 2026
Published
13 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.89%

KEV

Description

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument wizard results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.

Statistics

  • 1 Post

Last activity: 6 hours ago

Fediverse

Profile picture fallback

🛑 CRITICAL: Totolink A7100RU (v7.4cu.2313_b20191024) suffers from unauthenticated OS command injection (CVE-2026-6154). Public exploit out, no patch yet. Isolate devices & check vendor updates. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 6h ago
Showing 11 to 20 of 35 CVEs