Overview

  • SolarWinds
  • Web Help Desk

23 Sep 2025
Published
10 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
29.28%

Description

SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 20 hours ago

Fediverse

QEMU abuse rising 🚨
QEMU used for stealth VMs, SSH tunnels, persistence
CVE-2025-26399, CitrixBleed2 exploited
💬 Monitoring VM layer yet?

Source: securityweek.com/hackers-abuse

Follow TechNadu

Overview

  • spinnaker
  • spinnaker

20 Apr 2026
Published
21 Apr 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
0.06%

KEV

Description

Spinnaker is an open source, multi-cloud continuous delivery platform. Echo, like some other services, uses SpEL (Spring Expression Language) to process information, specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary Java classes that allow deep access to the system, including the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable echo entirely.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 14 hours ago

Fediverse

Spinnaker, the open-source continuous delivery platform from Netflix and Google, patched CVE-2026-32613, a CVSS 9.9 remote code execution in the Echo notification service. Echo did not restrict its Spring Expression Language context to trusted classes, giving attackers full Java process access. Maintainers back-ported across four branches (2026.1.0, 2026.0.1, 2025.4.2, 2025.3.2). Quality is what maintainers do the week a critical hits an old branch.

#OpenSource #DevOps #CyberSec #Spinnaker

Overview

  • NewSoft
  • NewSoftOA

21 Apr 2026
Published
21 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
6.34%

KEV

Description

NewSoftOA developed by NewSoft has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 23 hours ago

Fediverse

🚨 NewSoftOA faces a critical OS command injection (CVE-2026-5965, CVSS 9.3). Unauthenticated local attackers can run arbitrary OS commands. No patch yet — restrict access & monitor vendor updates! radar.offseq.com/threat/cve-20

Overview

  • Sudo project
  • Sudo

30 Jun 2025
Published
26 Feb 2026
Updated

CVSS v3.1
CRITICAL (9.3)
EPSS
38.49%

Description

Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.

Statistics

  • 1 Post

Last activity: 18 hours ago

Fediverse

VDE-2026-032
Endress+Hauser: sudo vulnerability affects Endress+Hauser MCS200HW

The display unit of the Endress+Hauser MCS200HW is affected by a sudo chroot vulnerability.
CVE-2025-32463

certvde.com/en/advisories/vde-

endress-hauser.csaf-tp.certvde

Overview

  • Microsoft
  • Azure SRE Agent Gateway - SignalR Hub

02 Apr 2026
Published
21 Apr 2026
Updated

CVSS v3.1
HIGH (8.6)
EPSS
0.05%

KEV

Description

Improper authentication in Azure SRE Agent allows an unauthorized attacker to disclose information over a network.

Statistics

  • 1 Post

Last activity: 8 hours ago

Fediverse

A security vulnerability in Azure's AI Agent allowed unauthorized access to commands, credentials, and sensitive information due to a flawed token verification system. This critical flaw, now patched and tracked as CVE-2026-32173, highlights growing concerns about AI agent security as rapid adoption outpaces governance controls.
govinfosecurity.com/token-flaw

Overview

  • Quantum Networks
  • Router QN-I-470

21 Apr 2026
Published
21 Apr 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.40%

KEV

Description

This vulnerability exists in the Quantum Networks router due to inadequate sanitization of user-supplied input in the management CLI interface. An authenticated remote attacker could exploit this vulnerability by injecting arbitrary OS commands on the targeted device. Successful exploitation could allow the attacker to perform remote code execution with root privileges on the targeted device.

Statistics

  • 1 Post

Last activity: 17 hours ago

Fediverse

🚨 HIGH severity alert: Quantum Networks QN-I-470 routers (6.1.1.B1) have a CLI OS command injection (CVE-2026-41036). Authenticated attackers can execute root commands remotely. Limit access & monitor systems. radar.offseq.com/threat/cve-20

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post

Last activity: 2 hours ago

Fediverse

ZAST has identified and verified an insecure deserialization issue in pycel <= 1.0b30, now assigned CVE-2026-30108.

Project page: github.com/dgorissen/pycel
Project footprint: 618 GitHub stars as of April 20, 2026.
Package page: pypi.org/project/pycel/
Latest PyPI release: 1.0b30 on October 13, 2021.

The verified issue is in ExcelCompiler.from_file(), which loads pickle-backed files through pickle.load() without enforcing a trust boundary. The result is a deserialization path where attacker-controlled content can execute code before the application later rejects the loaded object.

This is a representative example of why security teams need automated exploit verification. A dangerous API can often be detected syntactically. The harder problem is determining whether a real product path makes that sink reachable with untrusted input and whether the impact is real. In this case, the PoC confirmed arbitrary code execution during deserialization.

ZAST.AI promotes findings into reports only after successful PoC validation, which supports a zero-false-positive operating model and helps teams prioritize what is demonstrably real.

Full report: blog.zast.ai/vulnerability%20r

Overview

  • OpenClaw
  • OpenClaw

20 Apr 2026
Published
21 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.0)
EPSS
0.04%

KEV

Description

OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can exploit improper context validation to bypass sandbox restrictions and achieve unauthorized privilege escalation.

Statistics

  • 1 Post

Last activity: 20 hours ago

Bluesky

AI agents rely on sandboxing to stay safe. CVE-2026-41329 shows how that protection can fail in OpenClaw — allowing attackers to bypass sandbox restrictions and escalate privileges. 🔗 basefortify.eu/cve_reports/... #CyberSecurity #AI #CVE

Overview

  • givanz
  • Vvveb

20 Apr 2026
Published
20 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.2)
EPSS
0.22%

KEV

Description

Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the string context in the define statement to achieve unauthenticated remote code execution as the web server user.

Statistics

  • 1 Post

Last activity: 21 hours ago

Fediverse

⚠️ CRITICAL: CVE-2026-39918 in givanz Vvveb <1.0.8.1 allows unauth RCE via code injection in the installation endpoint (unsanitized subdir param). Restrict access, monitor for updates, and deploy WAF rules. radar.offseq.com/threat/cve-20

Overview

  • Artifex Software Inc. *PyMuPDF*
  • MuPDF

31 Mar 2026
Published
21 Apr 2026
Updated

CVSS
Pending
EPSS
0.02%

KEV

Description

An integer overflow vulnerability in 'pdf-image.c' in Artifex's MuPDF version 1.27.0 allows an attacker to maliciously craft a PDF that can trigger an integer overflow within the 'pdf_load_image_imp' function. This allows a heap out-of-bounds write that could be exploited for arbitrary code execution.

Statistics

  • 1 Post

Last activity: 7 hours ago

Bluesky

🔴 CVE-2026-3308 is old news – but heap overflows in PDF parsers never die. Here’s your evergreen fix for MuPDF on #Debian / #Ubuntu. Read more -> tinyurl.com/yc6rcywr