24h | 7d | 30d

CVE-2026-25253

Overview

  • OpenClaw
  • OpenClaw
01 Feb 2026
Published
03 Feb 2026
Updated
CVSS v3.1
HIGH (8.8)
EPSS
0.08%
KEV

Description

OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.

Statistics

  • 2 Posts
  • 1 Interaction
Last activity: 15 hours ago

Bluesky

Profile picture fallback
/r/netsec @r-netsec-bot.bsky.social
OpenClaw CVE-2026-25253 is worse than it looks (quick security checklist)
  • 0
  • 1
  • 1
  • 15h ago

CVE-2026-33056

Overview

  • alexcrichton
  • tar-rs
20 Mar 2026
Published
20 Mar 2026
Updated
CVSS v4.0
MEDIUM (5.1)
EPSS
0.02%
KEV

Description

tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 16 hours ago

Fediverse

Profile picture fallback
Ain Tohvri @tekkie

First supply chain problems for Rust as well. No more unique to Node blog.rust-lang.org/2026/03/21/ #Rust #rustlang #Programming 🦀

  • 0
  • 1
  • 0
  • 16h ago

CVE-2026-33286

Overview

  • graphiti-api
  • graphiti
23 Mar 2026
Published
23 Mar 2026
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
Pending
KEV

Description

Graphiti is a framework that sits on top of models and exposes them via a JSON:API-compliant interface. Versions prior to 1.10.2 have an arbitrary method execution vulnerability that affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations. Any application exposing Graphiti write endpoints (create/update/delete) to untrusted users is affected. The `Graphiti::Util::ValidationResponse#all_valid?` method recursively calls `model.send(name)` using relationship names taken directly from user-supplied JSONAPI payloads, without validating them against the resource's configured sideloads. This allows an attacker to potentially run any public method on a given model instance, on the instance class or associated instances or classes, including destructive operations. This is patched in Graphiti v1.10.2. Users should upgrade as soon as possible. Some workarounds are available. Ensure Graphiti write endpoints (create/update) are not accessible to untrusted users and/or apply strong authentication and authorization checks before any write operation is processed, for example use Rails strong parameters to ensure only valid parameters are processed.

Statistics

  • 1 Post
Last activity: 3 hours ago

Fediverse

Profile picture fallback
Offensive Sequence @offseq

🚨 CRITICAL: CVE-2026-33286 in Graphiti (<1.10.2) lets unauthenticated attackers invoke arbitrary public methods via JSONAPI write requests. Patch to v1.10.2, restrict access, and validate inputs! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 3h ago

CVE-2026-2903

Overview

  • skvadrik
  • re2c
22 Feb 2026
Published
26 Feb 2026
Updated
CVSS v4.0
MEDIUM (4.8)
EPSS
0.01%
KEV

Description

A flaw has been found in skvadrik re2c up to 4.4. Impacted is the function check_and_merge_special_rules of the file src/parse/ast.cc. This manipulation causes null pointer dereference. The attack can only be executed locally. The exploit has been published and may be used. Patch name: febeb977936f9519a25d9fbd10ff8256358cdb97. It is suggested to install a patch to address this issue.

Statistics

  • 1 Post
Last activity: 22 hours ago

Bluesky

Profile picture fallback
nixpkgs security changes @nixpkgssecuritychanges.gerbet.me
[Backport staging-25.11] re2c: apply patch for CVE-2026-2903 https://github.com/NixOS/nixpkgs/pull/501895 #security
  • 0
  • 0
  • 0
  • 22h ago

CVE-2026-3013

Overview

  • Coppermine Photo Gallery
  • Coppermine Photo Gallery
11 Mar 2026
Published
11 Mar 2026
Updated
CVSS v4.0
HIGH (8.7)
EPSS
0.37%
KEV

Description

Coppermine Photo Gallery in versions 1.6.09 through 1.6.27 is vulnerable to path traversal. Unauthenticated remote attacker is able to exploit a vulnerable endpoint and construct payloads that allow to read content of any file accessible by the the web server process.This issue was fixed in version 1.6.28.

Statistics

  • 2 Posts
Last activity: 23 hours ago

Bluesky

Profile picture fallback
SecQube | Harvey | AI Platform for MS Graph @secqube.com
CVE-2026-3013 - Path Traversal in Coppermine Photo Gallery scq.ms/3N0lHBM
  • 0
  • 0
  • 1
  • 23h ago

CVE-2026-26119

Overview

  • Microsoft
  • Windows Admin Center
17 Feb 2026
Published
16 Mar 2026
Updated
CVSS v3.1
HIGH (8.8)
EPSS
0.05%
KEV

Description

Improper authentication in Windows Admin Center allows an authorized attacker to elevate privileges over a network.

Statistics

  • 1 Post
Last activity: 14 hours ago

Bluesky

Profile picture fallback
Undercode Testing @undercode.bsky.social
CVE-2026-26119: Windows Admin Center Remote Privilege Escalation – Attack Analysis & Mitigation Guide + Video Introduction: A newly disclosed vulnerability, CVE-2026-26119, exposes Windows Admin Center (WAC) to a remote privilege escalation attack. This flaw, detailed by security researcher Andrea…
  • 0
  • 0
  • 0
  • 14h ago

CVE-2026-4601

Overview

  • jsrsasign
23 Mar 2026
Published
23 Mar 2026
Updated
CVSS v4.0
CRITICAL (9.4)
EPSS
0.02%
KEV

Description

Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation. An attacker can recover the private key by forcing r or s to be zero, so the library emits an invalid signature without retrying, and then solves for x from the resulting signature.

Statistics

  • 1 Post
Last activity: 22 hours ago

Fediverse

Profile picture fallback
Offensive Sequence @offseq

🛡️ CVE-2026-4601: CRITICAL bug in jsrsasign <11.1.1 misses a vital DSA signing step, letting attackers recover private keys if exploited. No active attacks yet, but update ASAP! Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 22h ago

CVE-2026-3635

Overview

  • fastify
  • fastify
23 Mar 2026
Published
23 Mar 2026
Updated
CVSS v3.1
MEDIUM (6.1)
EPSS
Pending
KEV

Description

Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application. Affected Versions fastify <= 5.8.2 Impact Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function. When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.

Statistics

  • 2 Posts
Last activity: 15 hours ago

Fediverse

Profile picture fallback
Ulises Gascon @ulisesgascon

🚨 Moderate-severity security fix in fastify@5.8.3 just released!

Patches CVE-2026-3635 — vulnerable to request (protocol and host) spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function

github.com/fastify/fastify/sec

  • 0
  • 0
  • 1
  • 15h ago

CVE-2026-4606

Overview

  • GeoVision
  • GV-Edge Recording Manager
  • GV-Edge Recording Manager
23 Mar 2026
Published
24 Mar 2026
Updated
CVSS v4.0
CRITICAL (10.0)
EPSS
0.04%
KEV

Description

GV Edge Recording Manager (ERM) v2.3.1 improperly runs application components with SYSTEM-level privileges, allowing any local user to gain full control of the operating system.  During installation, ERM creates a Windows service that runs under the LocalSystem account.  When the ERM application is launched, related processes are spawned under SYSTEM privileges rather than the security context of the logged-in user.  Functions such as 'Import Data' open a Windows file dialog operating with SYSTEM permissions, enabling modification or deletion of protected system files and directories.  Any ERM function invoking Windows file open/save dialogs exposes the same risk.  This vulnerability allows local privilege escalation and may result in full system compromise.

Statistics

  • 1 Post
Last activity: 16 hours ago

Bluesky

Profile picture fallback
BaseFortify.eu @basefortify.bsky.social
CVE-2026-4606 (CRITICAL 10.0) GV Edge ERM runs with SYSTEM privileges, allowing any local user to gain full OS control. 🔎 Full analysis: basefortify.eu/cve_reports/... #CVE #CyberSecurity #PrivilegeEscalation #WindowsSecurity
  • 0
  • 0
  • 0
  • 16h ago

CVE-2025-68493

Overview

  • Apache Software Foundation
  • Apache Struts
  • com.opensymphony:xwork
11 Jan 2026
Published
11 Mar 2026
Updated
CVSS
Pending
EPSS
0.03%
KEV

Description

Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue.

Statistics

  • 1 Post
Last activity: 5 hours ago

Fediverse

Profile picture fallback
ZAST AI @zastai

ZAST engine has identified and verified hundreds of previously undisclosed 0-days so far in Q1 2026 across modern web applications, software supply chain code, and IoT systems.

One highlighted case is CVE-2025-68493 in Apache Struts, a widely deployed Java web framework: struts.apache.org/

Ecosystem exposure remains significant. Sonatype reported more than 387,000 downloads in one week for affected org.apache.struts:* artifacts, with most usage concentrated in end-of-life branches. That combination of legacy adoption and delayed remediation is exactly why verification matters for enterprise infrastructure.

Technically, the issue was an XXE in com.opensymphony.xwork2.util.DomHelper.parse(), where SAXParserFactory hardening was incomplete and external entity handling was not fully disabled.

ZAST.AI focuses on autonomous verification. Findings are promoted into reports only after successful PoC validation, which supports our zero-false-positive reporting standard and helps engineering teams spend time on issues that are demonstrably real.

Full report: blog.zast.ai/cybersecurity/art

Source (Sonatype): sonatype.com/blog/years-old-ap

  • 0
  • 0
  • 0
  • 5h ago
Showing 11 to 20 of 44 CVEs