Overview

  • The GNU C Library
  • glibc

20 Mar 2026
Published
23 Mar 2026
Updated

CVSS
Pending
EPSS
0.03%

KEV

Description

Calling gethostbyaddr or gethostbyaddr_r, with an nsswitch.conf configured to use the library's DNS backend, in GNU C Library versions 2.34 through 2.43 could result in an invalid DNS hostname being returned to the caller, in violation of the DNS specification.

Statistics

  • 1 Post
  • 5 Interactions

Last activity: 20 hours ago

Fediverse

CVE-2026-4438 reminds me of that time I discovered BIND's "check-names no" and found out that "freenode/staff/foo.example.com" was a valid rDNS entry according to the ircd

  • 0
  • 5
  • 0
  • 20h ago

Overview

  • supsysticcom
  • Contact Form by Supsystic

30 Mar 2026
Published
30 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
Pending

KEV

Description

The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. This is due to the plugin using the Twig `Twig_Loader_String` template engine without sandboxing, combined with the `cfsPreFill` prefill functionality that allows unauthenticated users to inject arbitrary Twig expressions into form field values via GET parameters. This makes it possible for unauthenticated attackers to execute arbitrary PHP functions and OS commands on the server by leveraging Twig's `registerUndefinedFilterCallback()` method to register arbitrary PHP callbacks.

Statistics

  • 1 Post

Last activity: 7 hours ago

Fediverse

🚨 CRITICAL: CVE-2026-4257 in Contact Form by Supsystic (all versions) enables unauth RCE via SSTI (Twig). No patch yet. Disable plugin or block endpoints ASAP. Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 7h ago

Overview

  • Microsoft
  • Windows 10 Version 21H2

13 Jan 2026
Published
26 Feb 2026
Updated

CVSS v3.1
HIGH (7.8)
EPSS
0.02%

KEV

Description

Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally.

Statistics

  • 1 Post

Last activity: 7 hours ago

Bluesky

Serious flaw in the Windows Error Reporting service: a vulnerability that lets low-privileged users take over SYSTEM privileges (CVE-2026-20817) rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #セキュリティ #Security #CybersecurityNews

  • 0
  • 0
  • 0
  • 7h ago

Overview

  • Zabbix
  • Zabbix

24 Mar 2026
Published
26 Mar 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.03%

KEV

Description

A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise.

Statistics

  • 1 Post

Last activity: 1 hour ago

Bluesky

Vulnerability enabling blind SQL injection in the Zabbix API (CVE-2026-23921) rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #セキュリティ #Security #CybersecurityNews

  • 0
  • 0
  • 0
  • 1h ago

Overview

  • ruby
  • json

20 Mar 2026
Published
23 Mar 2026
Updated

CVSS v4.0
HIGH (8.3)
EPSS
0.03%

KEV

Description

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.

Statistics

  • 1 Post

Last activity: 2 hours ago

Bluesky

Articles about Ruby JSON Format String Injection CVE-2026-33210 (31.3.2026) #patchmanagement
  • 0
  • 0
  • 0
  • 2h ago

Overview

  • GIGABYTE
  • Gigabyte Control Center

30 Mar 2026
Published
31 Mar 2026
Updated

CVSS v4.0
CRITICAL (9.2)
EPSS
0.37%

KEV

Description

Gigabyte Control Center developed by GIGABYTE has an Arbitrary File Write vulnerability. When the pairing feature is enabled, unauthenticated remote attackers can write arbitrary files to any location on the underlying operating system, leading to arbitrary code execution or privilege escalation.

Statistics

  • 1 Post

Last activity: 22 hours ago

Fediverse

🚨 CVE-2026-4415 (CRITICAL, CVSS 9.2) hits Gigabyte Control Center: unauth’d remote attackers can write files anywhere if pairing is enabled. No patch yet — disable pairing & monitor for anomalies. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 22h ago

Overview

  • pyca
  • cryptography

31 Mar 2026
Published
31 Mar 2026
Updated

CVSS v4.0
LOW (1.7)
EPSS
Pending

KEV

Description

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6.

Statistics

  • 1 Post

Last activity: 20 hours ago

Bluesky

🚨 BREAKING: CVE-2026-34073 affects #python-cryptography <46.0.5. Read more: 👉 tinyurl.com/2s3vptvc #Security #Fedora

  • 0
  • 0
  • 0
  • 20h ago

Overview

  • OneUptime
  • oneuptime

12 Mar 2026
Published
14 Mar 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
0.40%

KEV

Description

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .append() method (documented as "trusted SQL"). There is no allowlist, no parameterized query binding, and no input validation. An authenticated user can inject arbitrary SQL into ClickHouse, enabling full database read (including telemetry data from all tenants), data modification, and potential remote code execution via ClickHouse table functions. This vulnerability is fixed in 10.0.23.

Statistics

  • 1 Post

Last activity: 21 hours ago

Bluesky

CVE-2026-32306 - OneUptime ClickHouse SQL Injection via Aggregate Query Parameters scq.ms/4sC5f9O
  • 0
  • 0
  • 0
  • 21h ago

Overview

  • baserproject
  • basercms

31 Mar 2026
Published
31 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
Pending

KEV

Description

baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlled input that is directly passed to exec() without sufficient validation or escaping. This issue has been patched in version 5.2.3.

Statistics

  • 1 Post

Last activity: 1 hour ago

Fediverse

🚨 CVE-2026-21861: CRITICAL OS command injection in baserCMS < 5.2.3. Admins can execute arbitrary system commands via core update. Patch to 5.2.3+ ASAP to prevent full compromise. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 1h ago

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post

Last activity: 10 hours ago

Fediverse

🔒 Security Advisory: OWASP CRS file upload extension checks could be bypassed using whitespace padding in filenames (e.g. shell. php). CVE-2026-33691, Moderate severity.
Upgrade to CRS v4.25.0 or v3.3.9.
Thanks @HackingRepo for the report!
github.com/coreruleset/corerul

  • 0
  • 0
  • 0
  • 10h ago