24h | 7d | 30d

CVE-2026-1207

Overview

  • djangoproject
  • Django
  • django
03 Feb 2026
Published
03 Feb 2026
Updated
CVSS
Pending
EPSS
5.46%
KEV

Description

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Statistics

  • 1 Post
  • 5 Interactions
Last activity: 6 hours ago

Bluesky

Profile picture fallback
Philippe Vynckier @pvynckier.bsky.social
CrowdSec confirme la première exploitation active de CVE-2026-1207, une faille d'injection SQL dans Django - IT SOCIAL itsocial.fr/cybersecurit...
  • 1
  • 4
  • 0
  • 6h ago

CVE-2026-3888

Overview

  • snapd
17 Mar 2026
Published
18 Mar 2026
Updated
CVSS v3.1
HIGH (7.8)
EPSS
0.00%
KEV

Description

Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.

Statistics

  • 2 Posts
  • 1 Interaction
Last activity: 21 hours ago

Fediverse

Profile picture fallback
fernand0 @fernand0

Ubuntu CVE-2026-3888 Bug Lets Attackers Gain Root via systemd Cleanup Timing Exploit thehackernews.com/2026/03/ubun

  • 1
  • 0
  • 1
  • 21h ago

CVE-2026-4809

Overview

  • plank
  • laravel-mediable
26 Mar 2026
Published
26 Mar 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
0.39%
KEV

Description

plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while declaring a benign image MIME type, resulting in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, this may lead to remote code execution. At the time of publication, no patch was available and the vendor had not responded to coordinated disclosure attempts.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 18 hours ago

Fediverse

Profile picture fallback
Offensive Sequence @offseq

🚨 CRITICAL vuln in plank/laravel-mediable <=6.4.0 (CVE-2026-4809): attackers can upload malicious PHP files by spoofing MIME types. No patch yet. Disable client MIME trust & enforce server-side checks! Details: radar.offseq.com/threat/cve-20

  • 1
  • 0
  • 0
  • 18h ago

CVE-2026-20079

Overview

  • Cisco
  • Cisco Secure Firewall Management Center (FMC)
04 Mar 2026
Published
05 Mar 2026
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
0.06%
KEV

Description

A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to bypass authentication and execute script files on an affected device to obtain root access to the underlying operating system. This vulnerability is due to an improper system process that is created at boot time. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device.

Statistics

  • 1 Post
  • 2 Interactions
Last activity: 17 hours ago

Fediverse

Profile picture fallback
Caitlin Condon @catc0n

After 2+ weeks of semi-painful exploit development, @yeslikethefood and team have a full RCA out for Cisco Secure Firewall Management Center (FMC) CVE-2026-20079.

The bug is a CVSS 10, but there are significant prerequisites that may limit exploitability in real-world scenarios. There are between 300 and 700 FMC systems on the public internet as of today.

vulncheck.com/blog/cisco-fmc-a

  • 0
  • 2
  • 0
  • 17h ago

CVE-2026-33494

Overview

  • ory
  • oathkeeper
26 Mar 2026
Published
27 Mar 2026
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
0.04%
KEV

Description

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences (e.g. `/public/../admin/secrets`) that resolves to a protected path after normalization, but is matched against a permissive rule because the raw, un-normalized path is used during rule evaluation. Version 26.2.0 contains a patch.

Statistics

  • 1 Post
Last activity: 21 hours ago

Fediverse

Profile picture fallback
Offensive Sequence @offseq

CRITICAL: ory oathkeeper (<26.2.0) vulnerable to path traversal (CVE-2026-33494). Attackers can bypass authorization via crafted URLs. Upgrade to 26.2.0+ immediately. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 21h ago

CVE-2026-2514

Overview

  • Progress Software
  • Flowmon ADS
12 Mar 2026
Published
13 Mar 2026
Updated
CVSS v4.0
HIGH (8.6)
EPSS
0.04%
KEV

Description

In Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, a vulnerability exists whereby an adversary with access to Flowmon monitoring ports may craft malicious network data that, when processed by Flowmon ADS and viewed by an authenticated user, could result in unintended actions being executed in the user's browser context.

Statistics

  • 1 Post
Last activity: 5 hours ago

Bluesky

Profile picture fallback
SecQube | Harvey | AI Platform for MS Graph @secqube.com
CVE-2026-2514 - Possibility of unintended actions when viewing maliciously crafted network data in Progress Flowmon ADS web application scq.ms/4sGkWge
  • 0
  • 0
  • 0
  • 5h ago

CVE-2026-33152

Overview

  • TandoorRecipes
  • recipes
26 Mar 2026
Published
26 Mar 2026
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
0.06%
KEV

Description

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration (ACCOUNT_RATE_LIMITS: login: 5/m/ip) only applies to the HTML-based login endpoint at /accounts/login/. Any API endpoint that accepts authenticated requests can be targeted via Authorization: Basic headers with zero rate limiting, zero account lockout, and unlimited attempts. An attacker can perform high-speed password guessing against any known username. Version 2.6.0 patches the issue.

Statistics

  • 1 Post
Last activity: 20 hours ago

Fediverse

Profile picture fallback
Offensive Sequence @offseq

⚠️ CVE-2026-33152: TandoorRecipes < 2.6.0 suffers CRITICAL vuln (CVSS 9.1). No rate limiting on API BasicAuth enables unlimited password guessing. Patch to 2.6.0 now! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 20h ago

CVE-2026-4926

Overview

  • path-to-regexp
  • path-to-regexp
26 Mar 2026
Published
26 Mar 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.04%
KEV

Description

Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0. Workarounds: Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

Statistics

  • 2 Posts
Last activity: 21 hours ago

Fediverse

Profile picture fallback
Ulises Gascon @ulisesgascon

🚨 High-severity security fix in path-to-regexp@8.4.0 just released!

Patches CVE-2026-4926 — path-to-regexp vulnerable to Denial of Service via sequential optional groups

github.com/pillarjs/path-to-re

  • 0
  • 0
  • 1
  • 21h ago

CVE-2026-33728

Overview

  • DataDog
  • dd-trace-java
27 Mar 2026
Published
27 Mar 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
0.57%
KEV

Description

dd-trace-java is a Datadog APM client for Java. In versions of dd-trace-java 0.40.0 through prior to 1.60.2, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, dd-trace-java is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, a JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable, Third, a gadget-chain-compatible library is present on the classpath. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK >= 8u121 < JDK 17, upgrade to dd-trace-java version 1.60.3 or later. For JDK < 8u121 and earlier where serialization filters are not available, apply the workaround. The workaround is to set the following environment variable to disable the RMI integration: `DD_INTEGRATION_RMI_ENABLED=false`.

Statistics

  • 1 Post
Last activity: 14 hours ago

Fediverse

Profile picture fallback
Offensive Sequence @offseq

⚠️ CRITICAL: CVE-2026-33728 in DataDog dd-trace-java (0.40.0 - <1.60.3) allows unauth RCE via unsafe deserialization if JMX/RMI port is exposed on JDK ≤16. Upgrade to 1.60.3+ & restrict access! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 14h ago

CVE-2026-32710

Overview

  • MariaDB
  • server
20 Mar 2026
Published
27 Mar 2026
Updated
CVSS v3.1
HIGH (8.6)
EPSS
0.29%
KEV

Description

MariaDB server is a community developed fork of MySQL server. An authenticated user can crash MariaDB versions 11.4 before 11.4.10 and 11.8 before 11.8.6 via a bug in JSON_SCHEMA_VALID() function. Under certain conditions it might be possible to turn the crash into a remote code execution. These conditions require tight control over memory layout which is generally only attainable in a lab environment. This issue is fixed in MariaDB 11.4.10, MariaDB 11.8.6, and MariaDB 12.2.2.

Statistics

  • 1 Post
Last activity: 15 hours ago

Bluesky

Profile picture fallback
セキュリティ対策Lab @securitylab-jp.bsky.social
MariaDBに深刻度「高」のバッファオーバーフロー 脆弱性(CVE-2026-32710) rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #セキュリティ #Security #CybersecurityNews
  • 0
  • 0
  • 0
  • 15h ago
Showing 11 to 20 of 56 CVEs