Overview
- Vendor: thorsten
- Product: phpMyFAQ
- Published: 27 Feb 2026
- Updated: 03 Mar 2026
- CVSS v3.1: HIGH (7.5)
- EPSS: 0.04%
- KEV: (blank)
Description
phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF protection, captcha, or configuration checks. This allows unauthenticated attackers to create unlimited user accounts even when registration is disabled. Version 4.0.18 fixes the issue.
Statistics
- 1 Post
- 1 Interaction
Last activity: 23 hours ago
Overview
- Vendor: gradio-app
- Product: gradio
- Published: 27 Feb 2026
- Updated: 02 Mar 2026
- CVSS v3.1: HIGH (8.2)
- EPSS: 0.04%
- KEV: (blank)
Description
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. Version 6.6.0 fixes the issue.
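The description's core point is that a `proxy_url` received from a remote Space config was trusted and allowlisted as-is. The following is an added example (not Gradio's own code) of the kind of vetting a loader should apply before allowlisting a remote-supplied URL: require https, refuse embedded credentials, and refuse any host that is, or resolves to, a loopback, private, link-local (the 169.254.169.254 metadata range), CGNAT, multicast or reserved address. The resolver is injectable so the example runs offline against a constructed lookup table; `FAKE_DNS`, the hostnames and the 8.8.8.8 "public" address are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Shared address space (CGNAT) is not flagged by is_private on every Python
# version, so it is blocked explicitly.
EXTRA_BLOCKED = (ipaddress.ip_network("100.64.0.0/10"),)


def is_public_ip(ip_text: str) -> bool:
    """True only for a globally routable unicast address.

    Loopback, RFC 1918, link-local (which covers the 169.254.169.254 cloud
    metadata endpoint), multicast, reserved and unspecified addresses fail.
    """
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:10.0.0.1 is really 10.0.0.1; unwrap before classifying.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if any(ip in net for net in EXTRA_BLOCKED):
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_resolve(host: str) -> list:
    """Real resolver: every address the name maps to (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def vet_proxy_url(url: str, resolve=dns_resolve):
    """Decide whether a proxy_url taken from a remote config may be allowlisted.

    Returns (ok, reason). Every resolved address must be public: a name that
    maps to one public and one internal address is rejected outright.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = [host] if _is_ip_literal(host) else resolve(host)
    except OSError:
        return False, "host does not resolve"
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:
        if not is_public_ip(addr):
            return False, f"{host} maps to non-public address {addr}"
    return True, "ok"


# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "space.example": ["8.8.8.8"],
    "rebinder.example": ["8.8.8.8", "169.254.169.254"],
    "loop.example": ["127.0.0.1"],
}


def fake_resolve(host: str) -> list:
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise OSError("no such host")


if __name__ == "__main__":
    for candidate in ("https://space.example/", "http://space.example/",
                      "https://user:pw@space.example/",
                      "https://169.254.169.254/latest/meta-data/",
                      "https://[::1]:7860/", "https://rebinder.example/"):
        print(f"{candidate:45} -> {vet_proxy_url(candidate, resolve=fake_resolve)}")
```

Resolving at check time still leaves a DNS-rebinding window: a production guard should connect to the address it vetted (pin the resolved IP) rather than letting the HTTP client resolve the name again.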
Statistics
- 1 Post
- 1 Interaction
Last activity: 17 hours ago
Overview
- Vendor: gradio-app
- Product: gradio
- Published: 27 Feb 2026
- Updated: 02 Mar 2026
- CVSS v3.1: HIGH (7.5)
- EPSS: 0.18%
- KEV: (blank)
Description
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Windows with Python 3.13+ are vulnerable to an absolute path traversal issue. Python 3.13 changed `os.path.isabs` so that root-relative paths such as `/windows/win.ini` are no longer considered absolute on Windows, which breaks the assumption behind Gradio's logic for joining paths safely. Unauthenticated attackers can exploit this to read arbitrary files from the Gradio server, even when the app is configured with authentication. Version 6.7 fixes the issue.
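The `isabs` change is easy to reproduce on any host because the Windows path rules live in the `ntpath` module. The block below is an added example, not Gradio's code: `vulnerable_resolve` is an illustrative "reject absolute paths and `..`, then join" pattern, and `hardened_resolve` shows the containment check that does not depend on `isabs` at all (join, normalise, then prove the result is still under the base with `commonpath`). The base directory `C:\app\data` is a constructed value.

```python
import ntpath
import sys

# Python 3.13 changed ntpath.isabs(): a root-relative path such as
# "/windows/win.ini" (no drive letter) is no longer reported as absolute.
PYTHON_3_13_PLUS = sys.version_info >= (3, 13)

# Constructed base directory (Windows-style, handled with ntpath so the logic
# is reproducible on any host).
BASE_DIR = r"C:\app\data"


def vulnerable_resolve(base: str, user_path: str):
    """Illustrative pre-fix pattern: refuse paths that look absolute or contain '..'.

    Returns the resolved path, or None when the request is rejected.
    """
    parts = user_path.replace("/", "\\").split("\\")
    if ".." in parts:
        return None
    if ntpath.isabs(user_path):
        return None
    # On 3.13+ "/windows/win.ini" passes the isabs() check; ntpath.join then
    # treats it as root-relative and discards the base directory entirely.
    return ntpath.normpath(ntpath.join(base, user_path))


def hardened_resolve(base: str, user_path: str):
    """Join first, then prove the result still lies under base.

    Whatever ntpath.join produced is normalised and compared against the
    base with commonpath(); no reliance on isabs() semantics.
    """
    base = ntpath.normpath(base)
    if not user_path:
        return None
    full = ntpath.normpath(ntpath.join(base, user_path))
    try:
        if ntpath.commonpath([base, full]) != base:
            return None
    except ValueError:
        # Different drive letter or a UNC path: cannot be inside base.
        return None
    return full


if __name__ == "__main__":
    for candidate in ("sub/file.txt", "/windows/win.ini", r"..\..\windows\win.ini",
                      r"C:\windows\win.ini", r"D:\secret.txt", r"\\srv\share\x"):
        print(f"{candidate!r:28} vulnerable={vulnerable_resolve(BASE_DIR, candidate)!r:28} "
              f"hardened={hardened_resolve(BASE_DIR, candidate)!r}")
```

Run it under Python 3.12 and 3.13 side by side: only the `/windows/win.ini` row differs for the vulnerable variant, while the hardened variant rejects it on both.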
Statistics
- 1 Post
- 1 Interaction
Last activity: 15 hours ago
Overview
Description
This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.
Statistics
- 1 Post
- 1 Interaction
Last activity: 23 hours ago
Fediverse
CVE-2026-27820: Buffer overflow vulnerability in Zlib::GzipReader Ruby.
https://www.ruby-lang.org/en/news/2026/03/05/buffer-overflow-zlib-cve-2026-27820/
https://vulnerability.circl.lu/vuln/CVE-2026-27820#sightings
Overview
- Vendor: Hyland
- Product: Alfresco Enterprise
- Published: 19 Feb 2026
- Updated: 05 Mar 2026
- CVSS v4.0: HIGH (8.7)
- EPSS: 0.06%
- KEV: (blank)
Description
Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (such as WEB-INF) via the "/share/page/resource/" endpoint, leading to the disclosure of sensitive configuration files.
Statistics
- 1 Post
- 1 Interaction
Last activity: 17 hours ago
Overview
Description
Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:<httpPort+1>`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue.
Statistics
- 1 Post
Last activity: 19 hours ago
Overview
- Vendor: Cisco
- Product: Cisco Catalyst SD-WAN Manager
- Published: 25 Feb 2026
- Updated: 06 Mar 2026
- CVSS v3.1: MEDIUM (5.4)
- EPSS: 0.04%
- KEV: (blank)
Description
A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. To exploit this vulnerability, the attacker must have valid read-only credentials with API access on the affected system.
This vulnerability is due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.
Statistics
- 2 Posts
Last activity: Last hour
Fediverse
Cisco has identified two additional Catalyst SD-WAN Manager security flaws (CVE-2026-20128 and CVE-2026-20122) that are being actively exploited in the wild, urging administrators to upgrade vulnerable devices. These vulnerabilities affect the network management software regardless of device configuration, with one allowing arbitrary file overwrite and the other disclosing information.
https://www.bleepingcomputer.com/news/security/cisco-flags-more-sd-wan-flaws-as-actively-exploited-in-attacks/
Overview
- Vendor: zed-industries
- Product: zed
- Published: 25 Feb 2026
- Updated: 28 Feb 2026
- CVSS v3.1: HIGH (7.1)
- EPSS: 0.01%
- KEV: (blank)
Description
Zed, a code editor, has a symlink escape vulnerability in versions prior to 0.225.9 in Agent file tools (`read_file`, `edit_file`). It allows reading and writing files **outside the project directory** when a project contains symbolic links pointing to external paths. This bypasses the intended workspace boundary and privacy protections (`file_scan_exclusions`, `private_files`), potentially leaking sensitive user data to the LLM. Version 0.225.9 fixes the issue.
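A workspace boundary enforced on the textual path is defeated by a symlink because `project/link/secret` normalises to something under `project/` while the file it opens lives elsewhere. The block below is an added example (not Zed's code) that builds a throwaway project with a symlink pointing outside it, shows the lexical check passing, and shows the hardened check resolving symlinks with `os.path.realpath` before comparing prefixes. It also applies privacy globs to the resolved path, so an in-project symlink renamed to dodge a pattern is still caught. The glob list and the directory layout are assumptions made for the example.

```python
import fnmatch
import os
import tempfile

# Hypothetical privacy globs in the spirit of a private_files setting
# (assumed for this example, not the editor's defaults).
PRIVATE_GLOBS = ("*.env", "*.pem", "*secret*")


def lexical_inside(root: str, rel: str) -> bool:
    """Pre-fix style check: normalise textually and compare prefixes.

    Symlinks are not followed, so root/link/secret.txt looks like it is inside root.
    """
    root = os.path.abspath(root)
    target = os.path.abspath(os.path.join(root, rel))
    return os.path.commonpath([root, target]) == root


def real_inside(root: str, rel: str) -> bool:
    """Hardened check: resolve every symlink on both sides, then compare prefixes."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, rel))
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:  # different drives on Windows
        return False


def is_private(root: str, rel: str) -> bool:
    """Apply privacy globs to the resolved path, not to the name the caller supplied."""
    resolved = os.path.relpath(os.path.realpath(os.path.join(root, rel)),
                               os.path.realpath(root))
    return any(fnmatch.fnmatch(resolved, pat) for pat in PRIVATE_GLOBS)


def agent_read_file(root: str, rel: str) -> str:
    """What an agent read_file tool should do before handing content to the model."""
    if not real_inside(root, rel):
        raise PermissionError(f"{rel!r} resolves outside the project")
    if is_private(root, rel):
        raise PermissionError(f"{rel!r} matches a private_files pattern")
    with open(os.path.join(root, rel), encoding="utf-8") as fh:
        return fh.read()


def try_read(root: str, rel: str) -> str:
    """Convenience wrapper returning content or a 'DENIED: ...' string."""
    try:
        return agent_read_file(root, rel)
    except PermissionError as exc:
        return f"DENIED: {exc}"


def build_demo_project() -> str:
    """Constructed layout under a temp dir:
    outside/id_secret.txt, project/src/main.rs, project/.env,
    project/link -> outside, project/config.txt -> project/.env
    """
    base = tempfile.mkdtemp()
    outside = os.path.join(base, "outside")
    project = os.path.join(base, "project")
    os.makedirs(os.path.join(project, "src"))
    os.makedirs(outside)
    with open(os.path.join(project, "src", "main.rs"), "w") as fh:
        fh.write("fn main() {}\n")
    with open(os.path.join(project, ".env"), "w") as fh:
        fh.write("TOKEN=abc\n")
    with open(os.path.join(outside, "id_secret.txt"), "w") as fh:
        fh.write("PRIVATE KEY MATERIAL\n")
    os.symlink(outside, os.path.join(project, "link"))
    os.symlink(os.path.join(project, ".env"), os.path.join(project, "config.txt"))
    return project


if __name__ == "__main__":
    root = build_demo_project()
    for rel in ("src/main.rs", "link/id_secret.txt", "config.txt", "../outside/id_secret.txt"):
        print(f"{rel:26} lexical={lexical_inside(root, rel)!s:5} "
              f"real={real_inside(root, rel)!s:5} -> {try_read(root, rel)!r}")
```

The same resolved-path rule must apply to `edit_file` (write) as well as `read_file`; checking only the lexical path on either side lets a symlink turn a workspace-scoped tool into an arbitrary file read or write.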
Statistics
- 1 Post
Last activity: 13 hours ago
Overview
- Vendor: Qualcomm, Inc.
- Product: Snapdragon
- Published: 02 Mar 2026
- Updated: 03 Mar 2026
- CVSS v3.1: HIGH (7.8)
- EPSS: 0.02%
- KEV: (blank)
Description
Memory corruption when concurrent access to a shared buffer occurs, due to improper synchronization between assignment and deallocation of buffer resources.
Statistics
- 1 Post
Last activity: 7 hours ago
Description
Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
Statistics
- 1 Post
Last activity: 9 hours ago