Overview

  • The Wikimedia Foundation
  • Mediawiki - GlobalWatchlist Extension

07 Apr 2026
Published
08 Apr 2026
Updated

CVSS v4.0
CRITICAL (10.0)
EPSS
0.05%

KEV

Description

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - GlobalWatchlist Extension allows cross-site scripting (XSS). This issue affects non-release branches.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 18 hours ago

Fediverse

🚨 CVE-2026-39933: CRITICAL XSS (CVSS 10) in Mediawiki - GlobalWatchlist Extension. Non-release branches vulnerable to input neutralization flaw (CWE-79). Audit deployments urgently! More info: radar.offseq.com/threat/cve-20


Overview

  • Fortinet
  • FortiClientEMS

12 Mar 2024
Published
21 Oct 2025
Updated

CVSS v3.1
CRITICAL (9.3)
EPSS
94.13%

Description

An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2 and FortiClientEMS 7.0.1 through 7.0.10 allows an attacker to execute unauthorized code or commands via specially crafted packets.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 17 hours ago

Fediverse

CISA just added CVE-2023-48788 to its Known Exploited Vulnerabilities catalog and is giving federal agencies until Friday to patch FortiClient EMS.

Read more: steelefortress.com/nuy028


Overview

  • FontForge
  • FontForge

31 Dec 2025
Published
31 Dec 2025
Updated

CVSS v3.0
HIGH (8.8)
EPSS
0.20%

KEV

Description

FontForge SFD File Parsing Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28563.

Statistics

  • 1 Post

Last activity: Last hour

Bluesky

🚨 NEW CVE-2025-15270: FontForge memory corruption in #Rocky Linux 9 core execution module. CVSS 7.8 (High). Affects font rasterization stack. Read more: 👉 tinyurl.com/end6xede #Security

Overview

  • Progress Software
  • Telerik UI for ASP.NET AJAX

14 May 2025
Published
27 Aug 2025
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.60%

KEV

Description

In Progress® Telerik® UI for AJAX, versions 2011.2.712 to 2025.1.218, an unsafe reflection vulnerability exists that may lead to an unhandled exception resulting in a crash of the hosting process and denial of service.

Statistics

  • 1 Post

Last activity: 13 hours ago

Bluesky

More Than DoS (Progress Telerik UI for ASP.NET AJAX Unsafe Reflection CVE-2025-3600) - watchTowr Labs

Overview

  • Go standard library
  • html/template
  • html/template

08 Apr 2026
Published
08 Apr 2026
Updated

CVSS
Pending
EPSS
0.01%

KEV

Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.
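The practical response to this advisory, besides upgrading Go, is to keep template actions out of JavaScript template literals altogether, since that is the only construct the advisory concerns. The program below is an added example written for this page, not code from the Go project or from the CVE record: it renders the same hostile value (a constructed string) in a plain JavaScript expression context and in an HTML data attribute, where html/template's ordinary JS-value and attribute escapers apply, and it includes a heuristic scanner for finding `{{` inside backtick literals in template sources. The template text, the function names and the scanner are assumptions for illustration; the scanner does not parse JavaScript, so its hits are review candidates rather than proof.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// HostileName is a constructed attacker-controlled value that tries to close the
// script block and to break out of a JS template literal.
const HostileName = "</script><script>alert(1)</script>`${1+1}`"

func render(src string, data any) (string, error) {
	t, err := template.New("page").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderJSValue interpolates in a plain JavaScript expression context, outside
// any string or template literal. html/template emits a JSON-style quoted
// string with <, >, & and quotes escaped, so the value cannot end the script
// block or start a new statement.
func RenderJSValue(name string) (string, error) {
	return render(`<script>const name = {{.}}; document.title = name;</script>`, name)
}

// RenderDataAttr keeps the value out of JavaScript entirely: it lands in an HTML
// attribute (attribute escaping applies) and a static script reads it back.
func RenderDataAttr(name string) (string, error) {
	return render(`<div id="app" data-name="{{.}}"></div>`+
		`<script>const name = document.getElementById("app").dataset.name;</script>`, name)
}

// CountActionsInBackticks is a heuristic audit over template source text: it
// counts "{{" occurrences that sit inside a backtick-delimited JS template
// literal. It skips backslash-escaped characters inside a literal but does not
// understand JS strings or comments, so treat hits as candidates to review.
func CountActionsInBackticks(src string) int {
	inLit, n := false, 0
	for i := 0; i < len(src); i++ {
		switch {
		case inLit && src[i] == '\\':
			i++ // skip the escaped character
		case src[i] == '`':
			inLit = !inLit
		case inLit && strings.HasPrefix(src[i:], "{{"):
			n++
			i++
		}
	}
	return n
}

func main() {
	for _, f := range []func(string) (string, error){RenderJSValue, RenderDataAttr} {
		out, err := f(HostileName)
		fmt.Printf("%s (err=%v)\n", out, err)
	}
	// The shape to hunt for in your own templates: an action inside backticks.
	fmt.Println(CountActionsInBackticks("<script>el.innerHTML = `<b>${ {{.Name}} }</b>`;</script>"))
}
```

Run the scanner over every template file first; anything it flags is a candidate to rewrite in one of the two shapes above, and the Go toolchain upgrade then covers whatever the scanner missed.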

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

🚨 New UNKNOWN CVE detected in AWS Lambda 🚨 CVE-2026-32289 impacts stdlib in 26 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/462 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless

Overview

  • Six Apart Ltd.
  • Movable Type

08 Apr 2026
Published
08 Apr 2026
Updated

CVSS v3.0
CRITICAL (9.8)
EPSS
0.05%

KEV

Description

Movable Type provided by Six Apart Ltd. contains a code injection vulnerability which may allow an attacker to execute an arbitrary Perl script.

Statistics

  • 1 Post

Last activity: 6 hours ago

Fediverse

🚨 CRITICAL: CVE-2026-25776 impacts Six Apart Movable Type ≤9.1.0. Unauthenticated code injection enables remote Perl script execution. No patch yet — restrict access & monitor. More info: radar.offseq.com/threat/cve-20


Overview

  • felixmartinez
  • Users manager – PN

08 Apr 2026
Published
08 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.42%

KEV

Description

The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the 'userspn_form_save' case. The conditional only blocks unauthenticated users when the user_id is empty, but when a non-empty user_id is supplied, execution bypasses this check entirely and proceeds to update arbitrary user meta via update_user_meta() without any authentication or authorization verification. Additionally, the nonce required for this AJAX endpoint ('userspn-nonce') is exposed to all visitors via wp_localize_script on the public wp_enqueue_scripts hook, rendering the nonce check ineffective as a security control. This makes it possible for unauthenticated attackers to update arbitrary user metadata for any user account, including the userspn_secret_token field.

Statistics

  • 1 Post

Last activity: 11 hours ago

Fediverse

🔥 CRITICAL: CVE-2026-4003 in Users manager – PN for WordPress allows unauthenticated attackers to escalate privileges via arbitrary user meta updates. Disable plugin ASAP and monitor for patches. radar.offseq.com/threat/cve-20


Overview

  • Go standard library
  • crypto/x509
  • crypto/x509

08 Apr 2026
Published
08 Apr 2026
Updated

CVSS
Pending
EPSS
0.01%

KEV

Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
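Upgrading Go is the fix. A defense in depth that also bounds what an untrusted peer can make the verifier do is to cap the number of intermediates before chain building starts, because the advisory's cost blow-up is inside Verify itself. The program below is an added example constructed for this page, not code from the Go project: it builds a throwaway root, intermediate and leaf in memory (constructed test data), verifies a leaf with at most MaxIntermediates peer-supplied intermediates, and shows a padded chain being rejected before Verify is ever called. MaxIntermediates, the hostnames and the function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MaxIntermediates is an application-chosen cap (an assumption here, not a
// number from the advisory) on how many peer-supplied intermediates we accept.
const MaxIntermediates = 8

var ErrTooManyIntermediates = errors.New("peer presented too many intermediate certificates")

// VerifyChainCapped takes the chain in TLS order (leaf first) and rejects it
// before x509.Certificate.Verify runs if it carries more than MaxIntermediates
// intermediates; the cap is only useful ahead of Verify, never after it.
func VerifyChainCapped(rawCerts [][]byte, roots *x509.CertPool, dnsName string) error {
	if len(rawCerts) == 0 {
		return errors.New("no certificates presented")
	}
	if len(rawCerts)-1 > MaxIntermediates {
		return ErrTooManyIntermediates
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	inters := x509.NewCertPool()
	for _, raw := range rawCerts[1:] {
		c, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		inters.AddCert(c)
	}
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: dnsName, Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// mustIssue is test scaffolding: it generates a P-256 key, has parentKey sign
// tmpl (self-signed when parent is nil) and panics on any failure.
func mustIssue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key, der
}

// BuildTestPKI creates a throwaway root -> intermediate -> leaf hierarchy in
// memory (constructed data) and returns the trust store plus the honest chain.
func BuildTestPKI() (*x509.CertPool, [][]byte) {
	now := time.Now()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	}
	root, rootKey, _ := mustIssue(ca(1, "Example Test Root"), nil, nil)
	inter, interKey, interDER := mustIssue(ca(2, "Example Test Intermediate"), root, rootKey)
	_, _, leafDER := mustIssue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames: []string{"example.test"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, inter, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return roots, [][]byte{leafDER, interDER}
}

// Flood mimics a peer padding its handshake with extra intermediates (repeats
// of the real one here) until the chain exceeds the cap by one.
func Flood(chain [][]byte) [][]byte {
	out := append([][]byte{}, chain...)
	for len(out)-1 <= MaxIntermediates {
		out = append(out, chain[1])
	}
	return out
}

func main() {
	roots, chain := BuildTestPKI()
	fmt.Println("honest chain: ", VerifyChainCapped(chain, roots, "example.test"))
	fmt.Println("flooded chain:", VerifyChainCapped(Flood(chain), roots, "example.test"))
}
```

For a crypto/tls client the same check belongs in VerifyPeerCertificate, and only helps if the standard verification is disabled with InsecureSkipVerify so that the callback does all verification itself; with the default settings tls runs its own chain building first and calls the callback afterwards, at which point the cap protects nothing.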

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

🚨 New UNKNOWN CVE detected in AWS Lambda 🚨 CVE-2026-32280 impacts stdlib in 26 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/457 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless

Overview

  • WatchGuard
  • Fireware OS

17 Sep 2025
Published
26 Feb 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
68.97%

Description

An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3, and 2025.1.

Statistics

  • 1 Post

Last activity: 13 hours ago

Bluesky

yIKEs (WatchGuard Fireware OS IKEv2 Out-of-Bounds Write CVE-2025-9242) - watchTowr Labs

Overview

  • 0xJacky
  • nginx-ui

30 Mar 2026
Published
30 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.06%

KEV

Description

Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as "allow all". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover. At time of publication, there are no publicly available patches.
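Two controls from this advisory can be demonstrated with the Go standard library alone: an IP allowlist that fails closed when it is empty, and an authentication check that runs regardless of source address rather than being dropped on one of two routes. The code below is an added example constructed for this page and is not nginx-ui's code; the fail-open middleware reproduces only the decision the advisory describes (an empty list meaning allow all), and the /mcp_message path is taken from the advisory while the bearer-token scheme, the token value and the addresses are assumptions. It exercises the handlers in-process with httptest, so it runs offline.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/netip"
	"strings"
)

// Allowed reports whether ipStr matches an entry of allow; entries may be
// single addresses ("10.0.0.5") or CIDR prefixes ("10.0.0.0/8"). An empty or
// unparsable list never matches, which is what makes the closed variant closed.
func Allowed(allow []string, ipStr string) bool {
	ip, err := netip.ParseAddr(ipStr)
	if err != nil {
		return false
	}
	for _, e := range allow {
		if p, err := netip.ParsePrefix(e); err == nil && p.Contains(ip) {
			return true
		}
		if a, err := netip.ParseAddr(e); err == nil && a == ip {
			return true
		}
	}
	return false
}

// clientIP uses the TCP peer address only. Reading X-Forwarded-For here would
// let any client spoof an allowlisted source.
func clientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// IPAllowlistFailOpen is the bug class the advisory describes: an empty
// allowlist is read as "allow everyone". Illustrative only, not nginx-ui's code.
func IPAllowlistFailOpen(allow []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if len(allow) == 0 || Allowed(allow, clientIP(r)) {
			next.ServeHTTP(w, r)
			return
		}
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

// IPAllowlistFailClosed denies unless the source is explicitly listed.
func IPAllowlistFailClosed(allow []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !Allowed(allow, clientIP(r)) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// RequireToken stands in for an authentication middleware (the advisory's
// AuthRequired()); the bearer-token scheme is an assumption for this example.
func RequireToken(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ToolsEndpoint is a placeholder for the privileged MCP message handler.
func ToolsEndpoint() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
}

// Probe POSTs a constructed MCP-style message from remoteAddr, optionally with
// a bearer token, and returns the HTTP status code the stack produced.
func Probe(h http.Handler, remoteAddr, token string) int {
	req := httptest.NewRequest(http.MethodPost, "/mcp_message", strings.NewReader(`{"method":"tools/call"}`))
	req.RemoteAddr = remoteAddr
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	attacker := "203.0.113.7:40000" // constructed off-network source
	fmt.Println("fail-open, empty list:     ", Probe(IPAllowlistFailOpen(nil, ToolsEndpoint()), attacker, ""))
	fmt.Println("fail-closed, empty list:   ", Probe(IPAllowlistFailClosed(nil, ToolsEndpoint()), attacker, ""))
	hardened := IPAllowlistFailClosed([]string{"10.0.0.0/8"}, RequireToken("constructed-token", ToolsEndpoint()))
	fmt.Println("hardened, inside, no token:", Probe(hardened, "10.1.2.3:40000", ""))
}
```

The hardened chain applies both middlewares to the same handler, so a listed source address still needs credentials; an allowlist on its own is a network control, not authentication. If the service sits behind a reverse proxy, clientIP must be taught to trust that proxy's forwarded header and nothing else, otherwise the allowlist is bypassable by header.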

Statistics

  • 1 Post

Last activity: 9 hours ago

Bluesky

⚠️ CVE-2026-33032 (CVSS 9.8) in Nginx UI ≤2.3.5 allows unauthenticated takeover via exposed /mcp_message endpoint (missing auth + fail-open IP whitelist). Attackers can control configs & service. No patch, restrict access now. Query: web.title~"nginx ui"

Showing 11 to 20 of 46 CVEs