24h | 7d | 30d

CVE-2025-59362

Overview

  • Pending
26 Sep 2025
Published
29 Sep 2025
Updated
CVSS
Pending
EPSS
0.18%
KEV

Description

Squid through 7.1 mishandles ASN.1 encoding of long SNMP OIDs. This occurs in asn_build_objid in lib/snmplib/asn1.c.

Statistics

  • 1 Post
Last activity: 8 hours ago

Bluesky

Profile picture fallback
ferramentaslinux.bsky.social @ferramentaslinux.bsky.social
Stop chasing vulnerability dates. Here’s your evergreen script to fix Squid proxy (CVE-2025-59362 & friends) on Ubuntu, Rocky, SUSE – with iptables workaround if you can’t update. Read more: 👉 tinyurl.com/9r3pfc76 #Mageia
  • 0
  • 0
  • 0
  • 8h ago

CVE-2026-6114

Overview

  • Totolink
  • A7100RU
12 Apr 2026
Published
12 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
0.89%
KEV

Description

A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setNetworkCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument proto results in os command injection. The attack may be initiated remotely. The exploit is now public and may be used.

Statistics

  • 1 Post
Last activity: 20 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

Totolink A7100RU (7.4cu.2313_b20191024) faces a CRITICAL OS command injection (CVE-2026-6114, CVSS 9.3). Remote, unauthenticated code execution possible. No patch yet — disable remote mgmt & watch for updates. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 20h ago

CVE-2026-31413

Overview

  • Linux
  • Linux
12 Apr 2026
Published
12 Apr 2026
Updated
CVSS
Pending
EPSS
0.01%
KEV

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR maybe_fork_scalars() is called for both BPF_AND and BPF_OR when the source operand is a constant. When dst has signed range [-1, 0], it forks the verifier state: the pushed path gets dst = 0, the current path gets dst = -1. For BPF_AND this is correct: 0 & K == 0. For BPF_OR this is wrong: 0 | K == K, not 0. The pushed path therefore tracks dst as 0 when the runtime value is K, producing an exploitable verifier/runtime divergence that allows out-of-bounds map access. Fix this by passing env->insn_idx (instead of env->insn_idx + 1) to push_stack(), so the pushed path re-executes the ALU instruction with dst = 0 and naturally computes the correct result for any opcode.

Statistics

  • 4 Posts
Last activity: 14 hours ago

Fediverse

Profile picture fallback
Nad @Nadsec

CVE-2026-31413

Found a 1-char bug in the Linux BPF verifier. A + 1 that should've been + 0 in maybe_fork_scalars() gives you OOB map access and full container escape from any pod with CAP_BPF. Fix in 7.0-rc5.
-Technical writeup with POC dropping soon.

cve.org/CVERecord?id=CVE-2026-

  • 0
  • 0
  • 1
  • 17h ago
Profile picture fallback
Nad @Nadsec

CVE-2026-31413 - Linux Kernel Local Priv Esc

One extra + 1. That's the whole bug.

BPF verifier: insn_idx + 1 instead of insn_idx. Skips an instruction it shouldn't. For BPF_OR, verifier sees zero, CPU has your constant. Arbitrary kernel R/W.

Full container escape. No --privileged. Just CAP_BPF.

nadsec.online/blog/bpf-contain

github.com/Rat5ak/bpf-research

  • 0
  • 0
  • 1
  • 14h ago

CVE-2026-34079

Overview

  • flatpak
  • flatpak
07 Apr 2026
Published
10 Apr 2026
Updated
CVSS v4.0
HIGH (8.7)
EPSS
0.10%
KEV

Description

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.

Statistics

  • 1 Post
Last activity: 15 hours ago

Fediverse

Profile picture fallback
Stefan Schmidt @zaphodb

nice typo in
[SECURITY] [DSA 6207-1] flatpak security update:
"delete arbitrary hosts on the host"
lists.debian.org/debian-securi

in security-tracker.debian.org/tr it's "files" btw.

  • 0
  • 0
  • 0
  • 15h ago

CVE-2025-65114

Overview

  • Apache Software Foundation
  • Apache Traffic Server
02 Apr 2026
Published
02 Apr 2026
Updated
CVSS
Pending
EPSS
0.22%
KEV

Description

Apache Traffic Server allows request smuggling if chunked messages are malformed.  This issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1. Users are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue.

Statistics

  • 1 Post
Last activity: 3 hours ago

Bluesky

Profile picture fallback
ferramentaslinux.bsky.social @ferramentaslinux.bsky.social
Apache Traffic Server request smuggling (CVE-2025-65114) is fixed in 10.1.2. But the real problem is HTTP chunked parsing—and that will break again. Read more: 👉 tinyurl.com/ycmfz9pb #Security #Fedora
  • 0
  • 0
  • 0
  • 3h ago

CVE-2026-1116

Overview

  • parisneo
  • parisneo/lollms
12 Apr 2026
Published
12 Apr 2026
Updated
CVSS v3.0
HIGH (8.2)
EPSS
0.01%
KEV

Description

A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` method of the `AppLollmsMessage` class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the `content` field when deserializing user-provided data. This allows an attacker to inject malicious HTML or JavaScript payloads, which can be executed in the context of another user's browser. Exploitation of this vulnerability can lead to account takeover, session hijacking, or wormable attacks.

Statistics

  • 1 Post
Last activity: 22 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

🚨 HIGH severity XSS (CVE-2026-1116) in parisneo/lollms pre-2.2.0: Improper input sanitization in from_dict allows attackers to inject malicious scripts. Update ASAP! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 22h ago

CVE-2026-6116

Overview

  • Totolink
  • A7100RU
12 Apr 2026
Published
12 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
0.89%
KEV

Description

A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This vulnerability affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument ip leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

Statistics

  • 1 Post
Last activity: 19 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

Totolink A7100RU (fw 7.4cu.2313_b20191024) suffers CRITICAL OS command injection (CVE-2026-6116, CVSS 9.3). Remote, unauthenticated RCE is possible. No patch yet — disable remote access or isolate device! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 19h ago

CVE-2026-24880

Overview

  • Apache Software Foundation
  • Apache Tomcat
09 Apr 2026
Published
10 Apr 2026
Updated
CVSS
Pending
EPSS
0.03%
KEV

Description

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.

Statistics

  • 1 Post
Last activity: 7 hours ago

Bluesky

Profile picture fallback
ferramentaslinux.bsky.social @ferramentaslinux.bsky.social
Tomcat request smuggling (CVE-2026-24880) isn't going away. Check if you're vulnerable on Ubuntu, Rocky, or SUSE: dpkg -l | grep tomcat9 rpm -qa | grep tomcat zypper info tomcat Then run the fix script → Read more: 👉 tinyurl.com/43ud2kjt #Mageia
  • 0
  • 0
  • 0
  • 7h ago

CVE-2025-55182

Overview

  • Meta
  • react-server-dom-webpack
03 Dec 2025
Published
26 Feb 2026
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
84.89%
KEV

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Statistics

  • 1 Post
Last activity: 22 hours ago

Bluesky

Profile picture fallback
CyberVeille @cyberveille-ch.bsky.social
📢 Kubernetes : escalade de privilèges via vol de tokens et exploitation de CVE-2025-55182 📝 ## 🔍 Contexte Publié le 6 avril 2026 par Unit 42 (… https://cyberveille.ch/posts/2026-04-12-kubernetes-escalade-de-privileges-via-vol-de-tokens-et-exploitation-de-cve-2025-55182/ #CVE_2025_55182 #Cyberveille
  • 0
  • 0
  • 0
  • 22h ago

CVE-2026-6115

Overview

  • Totolink
  • A7100RU
12 Apr 2026
Published
12 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
0.89%
KEV

Description

A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setAppCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument enable can lead to os command injection. The attack may be launched remotely. The exploit has been published and may be used.

Statistics

  • 1 Post
Last activity: 17 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

🚨 CRITICAL: CVE-2026-6115 in Totolink A7100RU (7.4cu.2313_b20191024) allows unauth'd remote OS command injection via /cgi-bin/cstecgi.cgi. No patch yet. Restrict access & monitor vendor updates. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 17h ago
Showing 11 to 20 of 22 CVEs