24h | 7d | 30d

Overview

  • axios
  • axios

24 Apr 2026
Published
27 Apr 2026
Updated

CVSS v3.1
MEDIUM (5.3)
EPSS
0.06%

KEV

Description

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker who controls the .type property of a Blob/File-like object (e.g., via a user-uploaded file in a Node.js proxy service) can inject arbitrary MIME part headers into the multipart form-data body. This bypasses Node.js v18+ built-in header protections because the injection targets the multipart body structure, not HTTP request headers. This vulnerability is fixed in 1.15.1.

Statistics

  • 1 Post

Last activity: 8 hours ago

Bluesky

Profile picture fallback
🚨 New MEDIUM CVE detected in AWS Lambda 🚨 CVE-2026-42037 impacts axios in 3 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/495 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 0
  • 0
  • 8h ago

Overview

  • FreeBSD
  • FreeBSD

30 Apr 2026
Published
01 May 2026
Updated

CVSS
Pending
EPSS
0.06%

KEV

Description

The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it. A rogue DHCP server may be able to execute arbirary code as root on a system running dhclient.

Statistics

  • 2 Posts

Last activity: 3 hours ago

Bluesky

Profile picture fallback
CVE-2026-42511 Breakdown: RCE in FreeBSD
  • 0
  • 0
  • 1
  • 3h ago

Overview

  • isaacs
  • node-glob

17 Nov 2025
Published
19 Nov 2025
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.02%

KEV

Description

Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

Statistics

  • 1 Post

Last activity: 8 hours ago

Bluesky

Profile picture fallback
🔍 Lambda Watchdog detected that CVE-2025-64756 is no longer present in latest AWS Lambda base image scans. https://github.com/aws/aws-lambda-base-images/issues/353 #AWS #Lambda #Security #CVE #DevOps #SecOps
  • 0
  • 0
  • 0
  • 8h ago

Overview

  • axios
  • axios

24 Apr 2026
Published
27 Apr 2026
Updated

CVSS v3.1
HIGH (7.2)
EPSS
0.04%

KEV

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vulnerability is due to an incomplete for CVE-2025-62718, This vulnerability is fixed in 1.15.1 and 0.31.1.

Statistics

  • 1 Post

Last activity: 8 hours ago

Bluesky

Profile picture fallback
🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2026-42043 impacts axios in 3 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/492 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 0
  • 0
  • 8h ago

Overview

  • ci4-cms-erp
  • ci4ms

07 May 2026
Published
07 May 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
0.04%

KEV

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM XSS in backup module filename field manipulated via a sql file that tampers with the file name field to contain hidden XSS payload. This issue has been patched in version 0.31.5.0.

Statistics

  • 1 Post

Last activity: 9 hours ago

Fediverse

Profile picture fallback

⚠️ CRITICAL XSS in ci4ms 0.31.4.0 (CVE-2026-41201): Stored DOM XSS via backup filename lets attackers fully take over accounts. Upgrade to 0.31.5.0 now! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 9h ago

Overview

  • openmrs
  • openmrs-core

06 May 2026
Published
07 May 2026
Updated

CVSS v4.0
CRITICAL (9.4)
EPSS
0.37%

KEV

Description

OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the module upload endpoint at POST `/openmrs/ws/rest/v1/module` is vulnerable to a Zip Slip path traversal attack. During automatic extraction of uploaded .omod archives in `WebModuleUtil.startModule()`, ZIP entries under web/module/ are checked only to see whether the full entry path starts with `..,` and the remaining path is then concatenated into the destination path without normalization or a boundary check. A crafted archive can therefore include entries such as `web/module/../../../../malicious.jsp` and cause files to be written outside the intended module directory. An authenticated attacker with module upload access can write arbitrary files to locations such as the web application root and achieve remote code execution by uploading a JSP file and then requesting it. The issue is compounded by the fact that the module.allow_web_admin runtime property is enforced in the legacy UI controller but not in the REST API upload path, so deployments relying on that property to block web-based module administration remain exposed through the REST endpoint. This issue has been fixed in versions after 2.7.8 in the 2.7.x line and in version 2.8.6 and later.

Statistics

  • 1 Post

Last activity: 20 hours ago

Fediverse

Profile picture fallback

🚨 CRITICAL OpenMRS Core vuln: Path traversal (CVE-2026-40076, CVSS 9.4) lets auth users upload .omod files to gain RCE via crafted ZIPs. Affects ≤2.7.8, 2.8.0 – 2.8.5. Upgrade to 2.7.9/2.8.6+ now! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 20h ago

Overview

  • Spring
  • Spring Cloud Config

07 May 2026
Published
07 May 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
0.11%

KEV

Description

Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse

Profile picture fallback

⚠️ CRITICAL: CVE-2026-40982 in Spring Cloud Config (3.1.0 – 5.0.0) enables path traversal — attackers can access arbitrary files via crafted URLs. Upgrade to a safe version ASAP: 3.1.14, 4.1.10, 4.2.7, 4.3.3, or 5.0.3. Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 15h ago

Overview

  • hyperledger
  • fabric

07 May 2026
Published
07 May 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.04%

KEV

Description

Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches.

Statistics

  • 1 Post

Last activity: 14 hours ago

Fediverse

Profile picture fallback

🚨 CRITICAL: CVE-2026-41586 in Hyperledger Fabric (1.0.0-2.2.26) allows remote code execution via unsafe deserialization. No patch yet — restrict untrusted input and monitor for updates. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 14h ago

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post

Last activity: 22 hours ago

Bluesky

Profile picture fallback
📢 CVE-2026-42208 : Injection SQL pré-authentification critique dans LiteLLM Proxy 📝 ## 🔍 Contexte Bishop Fox a publié le 6 mai 2026 une analyse techni… https://cyberveille.ch/posts/2026-05-06-cve-2026-42208-injection-sql-pre-authentification-critique-dans-litellm-proxy/ #CVE_2026_42208 #Cyberveille
  • 0
  • 0
  • 0
  • 22h ago

Overview

  • patriksimek
  • vm2

04 May 2026
Published
05 May 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.09%

KEV

Description

vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5.

Statistics

  • 1 Post

Last activity: 4 hours ago
Showing 11 to 20 of 107 CVEs