24h | 7d | 30d

Overview

  • Red Hat
  • Red Hat Directory Server 11.5 E4S for RHEL 8
  • redhat-ds:11

23 Feb 2026
Published
31 Mar 2026
Updated

CVSS
Pending
EPSS
0.47%

KEV

Description

A flaw was found in the 389-ds-base server. A heap buffer overflow vulnerability exists in the `schema_attr_enum_callback` function within the `schema.c` file. This occurs because the code incorrectly calculates the buffer size by summing alias string lengths without accounting for additional formatting characters. When a large number of aliases are processed, this oversight can lead to a heap overflow, potentially allowing a remote attacker to cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE).

Statistics

  • 1 Post

Last activity: 7 hours ago

Bluesky

Profile picture fallback
_389-ds-base: add patch to fix CVE-2025-14905 https://github.com/NixOS/nixpkgs/pull/508544 https://tracker.security.nixos.org/issues/NIXPKGS-2026-0311 #security
  • 0
  • 0
  • 0
  • 7h ago

Overview

  • Apache Software Foundation
  • Apache ActiveMQ Broker
  • org.apache.activemq:activemq-broker

07 Apr 2026
Published
08 Apr 2026
Updated

CVSS
Pending
EPSS
5.60%

KEV

Description

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse

Profile picture fallback

A 13-year-old ActiveMQ RCE bug (CVE-2026-34197) was discovered and weaponized in minutes by researchers using AI, specifically Claude, highlighting the potential of AI in exploit-building. The vulnerability, which allowed arbitrary system command execution through the Jolokia API, has been fixed in newer versions of ActiveMQ Classic.
csoonline.com/article/4157146/

  • 0
  • 0
  • 0
  • 15h ago

Overview

  • djangoproject
  • Django
  • django

05 Nov 2025
Published
26 Feb 2026
Updated

CVSS
Pending
EPSS
0.58%

KEV

Description

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.

Statistics

  • 1 Post

Last activity: 15 hours ago

Bluesky

Profile picture fallback
GitHub - omarkurt/django-connector-CVE-2025-64459-testbed: A self-contained testbed for Django CVE-2025-64459. Demonstrates QuerySet.filter() parameter injection via dictionary expansion using Docker.
  • 0
  • 0
  • 0
  • 15h ago

Overview

  • axios
  • axios

09 Apr 2026
Published
09 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.02%

KEV

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0.

Statistics

  • 1 Post

Last activity: 16 hours ago

Bluesky

Profile picture fallback
🚨 New CRITICAL CVE detected in AWS Lambda 🚨 CVE-2025-62718 impacts axios in 4 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/465 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 0
  • 0
  • 16h ago

Overview

  • parisneo
  • parisneo/lollms

10 Apr 2026
Published
10 Apr 2026
Updated

CVSS v3.0
CRITICAL (9.6)
EPSS
0.04%

KEV

Description

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content is directly assigned to the `DBPost` model without sanitization. This allows attackers to inject and store malicious JavaScript, which is executed in the browsers of users viewing the Home Feed, including administrators. This can lead to account takeover, session hijacking, and wormable attacks. The issue is resolved in version 2.2.0.

Statistics

  • 1 Post

Last activity: 19 hours ago

Fediverse

Profile picture fallback

⚠️ CVE-2026-1115: CRITICAL stored XSS in parisneo/lollms <2.2.0. Unsanitized input in create_post lets attackers run JS in user browsers via Home Feed. Upgrade to 2.2.0+ now! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 19h ago

Overview

  • Microsoft
  • Windows Server 2012

14 Oct 2025
Published
26 Feb 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
75.75%

Description

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

Statistics

  • 1 Post

Last activity: 15 hours ago

Bluesky

Profile picture fallback
Weekly Purple Team Episode: CVE-2025-59287 - Exploiting & Detecting the Critical WSUS RCE
  • 0
  • 0
  • 0
  • 15h ago

Overview

  • arubadev
  • Aruba HiSpeed Cache

10 Apr 2026
Published
10 Apr 2026
Updated

CVSS v3.1
MEDIUM (4.3)
EPSS
0.02%

KEV

Description

The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing nonce verification on the `ahsc_ajax_reset_options()` function. This makes it possible for unauthenticated attackers to reset all plugin settings to their default values via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Statistics

  • 1 Post

Last activity: 20 hours ago

Bluesky

Profile picture fallback
The Great AI Hallucination: Why Automated Tools Failed to Catch CVE-2026-1924 and the CSRF Epidemic + Video Introduction: Cross-Site Request Forgery (CSRF) remains one of the most overlooked attack vectors in web security, often dismissed as a "low priority" issue by automated scanners while…
  • 0
  • 0
  • 0
  • 20h ago

Overview

  • SaturdayDrive
  • Ninja Forms - File Uploads

07 Apr 2026
Published
08 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.07%

KEV

Description

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability was partially patched in version 3.3.25 and fully patched in version 3.3.27.

Statistics

  • 1 Post

Last activity: 13 hours ago

Fediverse

Overview

  • Totolink
  • A7100RU

10 Apr 2026
Published
10 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.89%

KEV

Description

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This issue affects the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument telnet_enabled results in os command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks.

Statistics

  • 1 Post

Last activity: 22 hours ago

Fediverse

Profile picture fallback

⚠️ CVE-2026-5994: CRITICAL OS command injection in Totolink A7100RU (7.4cu.2313_b20191024). Remote attackers can run OS commands via setTelnetCfg. No patch yet; public exploit released. Restrict access & monitor traffic. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 22h ago

Overview

  • libtiff

25 Jan 2024
Published
09 Apr 2026
Updated

CVSS
Pending
EPSS
0.74%

KEV

Description

A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service.

Statistics

  • 1 Post

Last activity: 9 hours ago

Bluesky

Profile picture fallback
libtiff CVE-2023-52356 crashes apps with a single malicious TIFF. Still unpatched on many Rocky/Ubuntu/SUSE boxes. Read more: 👉 tinyurl.com/2sphv8h8 #RockyLinux
  • 0
  • 0
  • 0
  • 9h ago
Showing 11 to 20 of 41 CVEs