24h | 7d | 30d

Overview

  • flatpak
  • flatpak

07 Apr 2026
Published
11 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.04%

KEV

Description

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 8 hours ago

Bluesky

Profile picture fallback
📢 CVE-2026-34078 : Sandbox escape dans Flatpak via injection de chemins non fiables 📝 ## 🗓️ Contexte Article publié le 23 avril 2026 par Sebastian Wi… https://cyberveille.ch/posts/2026-04-24-cve-2026-34078-sandbox-escape-dans-flatpak-via-injection-de-chemins-non-fiables/ #CVE_2026_34078 #Cyberveille
  • 0
  • 1
  • 0
  • 8h ago

Overview

  • dgraph-io
  • dgraph

24 Apr 2026
Published
24 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
Pending

KEV

Description

Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraphl exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints. This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler. This vulnerability is fixed in 25.3.3.

Statistics

  • 1 Post

Last activity: 4 hours ago

Fediverse

Profile picture fallback

⚠️ CRITICAL: dgraph-io Dgraph (< 25.3.3) leaks admin tokens via unauthenticated /debug/vars endpoint. Attackers can gain admin access! Patch to 25.3.3+ ASAP. CVE-2026-41492 | More: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 4h ago

Overview

  • SenseLive
  • X3050

23 Apr 2026
Published
24 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.04%

KEV

Description

A vulnerability exists in SenseLive X3050’s web management interface in which password updates are not reliably applied due to improper handling of credential changes on the backend. After the device undergoes a factory restore using the SenseLive Config 2.0 tool, the interface may indicate that the password update was successful; however, the system may continue to accept the previous or default credentials, demonstrating that the password-change process is not consistently enforced. Even after a factory reset, attempted password changes may fail to propagate correctly.

Statistics

  • 1 Post

Last activity: 23 hours ago

Fediverse

Profile picture fallback

CVE-2026-39462 (CRITICAL): SenseLive X3050 V1.523 lets attackers bypass password changes after factory reset — device may accept old or default creds. No fix yet. Limit reliance on resets and monitor for updates. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 23h ago

Overview

  • Microsoft
  • Microsoft SharePoint Enterprise Server 2016

14 Apr 2026
Published
24 Apr 2026
Updated

CVSS v3.1
MEDIUM (6.5)
EPSS
7.94%

Description

Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.

Statistics

  • 2 Posts

Last activity: 11 hours ago

Bluesky

Profile picture fallback
Más de 1,300 servidores SharePoint expuestos a la vulnerabilidad CVE-2026-32201 de abril Vía: @seguinfo.bsky.social
  • 0
  • 0
  • 1
  • 11h ago

Overview

  • guzzle
  • guzzle

25 May 2022
Published
23 Apr 2025
Updated

CVSS v3.1
HIGH (8.0)
EPSS
0.64%

KEV

Description

Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.

Statistics

  • 1 Post

Last activity: 1 hour ago

Bluesky

Profile picture fallback
~Socket~ Socket introduces experimental PHP reachability analysis to prioritize real vulnerability risks by tracing execution paths. - IOCs: CVE-2022-29248 - #AppSec #PHP #ThreatIntel
  • 0
  • 0
  • 0
  • 1h ago

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post

Last activity: 8 hours ago

Bluesky

Profile picture fallback
Linux security: CVE-2026-4367 in libXpm is fixed, but image parsing bugs never die. Here's how to check, auto-update (bash script), and mitigate with iptables/AppArmor – works TODAY even if you can't patch. Read more-> tinyurl.com/mr3bfdtv #openSUSE
  • 0
  • 0
  • 0
  • 8h ago

Overview

  • DeltaWW
  • AS320T

24 Apr 2026
Published
24 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.04%

KEV

Description

Delta Electronics AS320T has denial of service via the undocumented subfunction vulnerability.

Statistics

  • 1 Post

Last activity: 20 hours ago

Fediverse

Profile picture fallback

⚠️ CRITICAL: CVE-2026-1952 in DeltaWW AS320T (CVSS 9.8) enables denial of service via hidden subfunction (CWE-912). Vendor patch is available for this cloud-hosted service — confirm your instance is protected. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 20h ago

Overview

  • langflow-ai
  • langflow

26 Feb 2026
Published
28 Feb 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.23%

KEV

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). Version 1.8.0 fixes the issue.

Statistics

  • 1 Post

Last activity: 9 hours ago

Fediverse

Profile picture fallback

The latest Metasploit Weekly Wrapup is here! Highlights include a new RCE exploit for Langflow (CVE-2026-27966), improved check method visibility with detailed reasoning, and updates for legacy SMB targets. Plus 3 other new modules!

Read more: rapid7.com/blog/post/pt-metasp

  • 0
  • 0
  • 0
  • 9h ago

Overview

  • Kludex
  • python-multipart

17 Apr 2026
Published
20 Apr 2026
Updated

CVSS v3.1
MEDIUM (5.3)
EPSS
0.02%

KEV

Description

Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.

Statistics

  • 1 Post

Last activity: Last hour

Bluesky

Profile picture fallback
python3Packages.python-multipart: add patches for CVE-2026-40347 https://github.com/NixOS/nixpkgs/pull/512899 #security
  • 0
  • 0
  • 0
  • Last hour

Overview

  • dgraph-io
  • dgraph

24 Apr 2026
Published
24 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
Pending

KEV

Description

Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack requires two HTTP POSTs to port 8080. The first sets up a schema predicate with @unique @index(exact) @lang via /alter (also unauthenticated in default config). The second sends a crafted JSON mutation to /mutate?commitNow=true where a JSON key contains the predicate name followed by @ and a DQL injection payload in the language tag position. The injection exploits the addQueryIfUnique function in edgraph/server.go, which constructs DQL queries using fmt.Sprintf with unsanitized predicateName that includes the raw pred.Lang value. The Lang field is extracted from JSON mutation keys by x.PredicateLang(), which splits on @, and is never validated by any function in the codebase. The attacker injects a closing parenthesis to escape the eq() function, adds an arbitrary named query block, and uses a # comment to neutralize trailing template syntax. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3.

Statistics

  • 1 Post

Last activity: 1 hour ago

Fediverse

Profile picture fallback

🚨 CVE-2026-41328: CRITICAL DQL injection in dgraph-io Dgraph (<25.3.3) allows unauthenticated full DB read! Exploit via crafted POSTs to port 8080. Patch to 25.3.3+ or enable ACL to mitigate. Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 1h ago
Showing 11 to 20 of 42 CVEs