Overview
- manyfold3d
- manyfold
Published: 25 Feb 2026
Updated: 26 Feb 2026
CVSS v3.1: HIGH (7.5)
EPSS: 0.05%
KEV
Description
Manyfold is an open source, self-hosted web application for managing a collection of 3D models, particularly focused on 3D printing. Prior to version 0.133.0, when model render generation is enabled, a logged-in user can achieve remote code execution (RCE) by uploading a ZIP containing a file with a shell metacharacter in its name: the filename reaches a Ruby backtick call unsanitized, so the shell that runs the render command also runs whatever the name contains. Version 0.133.0 fixes the issue.
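How a member name like the one described reaches a shell, and the two fixes, as an added Python illustration; Manyfold is a Ruby application and this is not its code. The ZIP contents, the member name `model.stl; touch /tmp/pwned #` and the executable name `render-tool` are constructed for the example, and the tokenizer stands in for the `/bin/sh` that a Ruby backtick call spawns:

```python
"""Shell metacharacters in ZIP member names reaching a shell command.

Added Python illustration of the bug class; not the project's (Ruby) code.
render-tool and both member names are constructed for the example.
"""
import io
import shlex
import zipfile

BENIGN_NAME = "model.stl"
# Constructed attacker-controlled member name: ';' ends the intended command,
# '#' comments out whatever the caller appends after the filename.
MALICIOUS_NAME = "model.stl; touch /tmp/pwned #"

# Characters a POSIX shell gives meaning to in an unquoted word. Space and
# tab are included because they split one interpolated name into two words.
SHELL_META = set(";&|`$()<>\\\"'\n*?[]{}~# \t")


def build_sample_zip() -> bytes:
    """Constructed upload: two tiny STL-like members, one with a hostile name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(BENIGN_NAME, b"solid example\nendsolid example\n")
        zf.writestr(MALICIOUS_NAME, b"solid pwn\nendsolid pwn\n")
    return buf.getvalue()


def member_names(zip_bytes: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()]


def render_command_unsafe(name: str) -> str:
    # Equivalent of a Ruby `render-tool #{name} out.png` backtick call:
    # the name is interpolated into text that /bin/sh will parse.
    return f"render-tool {name} out.png"


def render_command_quoted(name: str) -> str:
    # Still a shell string, but the name is quoted so the shell treats it
    # as exactly one word whatever it contains.
    return f"render-tool {shlex.quote(name)} out.png"


def render_command_argv(name: str) -> list:
    # Preferred: an argv list handed to exec with no shell in between
    # (Ruby's system/Open3 with separate arguments behave the same way).
    return ["render-tool", name, "out.png"]


def shell_would_run(cmd: str) -> list:
    """Tokenise cmd like a POSIX shell and split on ';' into the separate
    commands the shell would execute. shlex in posix mode with
    punctuation_chars makes ';' its own token and '#' a comment start."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def has_shell_metachar(name: str) -> bool:
    return any(ch in SHELL_META for ch in name)


def safe_member_names(zip_bytes: bytes) -> list:
    """Names safe to hand to a renderer: reject anything carrying a shell
    metacharacter rather than trying to escape it after the fact."""
    return [n for n in member_names(zip_bytes) if not has_shell_metachar(n)]
```

`shell_would_run(render_command_unsafe(MALICIOUS_NAME))` yields two commands, `render-tool model.stl` and `touch /tmp/pwned`, which is the injection; the quoted form and the argv form both keep the whole name as a single argument. Rejecting hostile names at extraction time is still worth doing in addition, because a name that never reaches a shell can still reach a filesystem path.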
Overview
Description
Coturn is a free, open source implementation of a TURN and STUN server. Coturn is commonly configured to block loopback and internal ranges using `denied-peer-ip` and/or its default loopback restrictions. CVE-2020-26262 addressed bypasses involving `0.0.0.0`, `[::1]` and `[::]`, but IPv4-mapped IPv6 addresses were not covered. Sending a `CreatePermission` or `ChannelBind` request with an `XOR-PEER-ADDRESS` value of `::ffff:127.0.0.1` receives a successful response, even though `127.0.0.0/8` is blocked via `denied-peer-ip`. The root cause is that, prior to the updated fix in version 4.9.0, three functions in `src/client/ns_turn_ioaddr.c` do not check `IN6_IS_ADDR_V4MAPPED`:
- `ioa_addr_is_loopback()` checks `127.x.x.x` (AF_INET) and `::1` (AF_INET6), but not `::ffff:127.0.0.1`.
- `ioa_addr_is_zero()` checks `0.0.0.0` and `::`, but not `::ffff:0.0.0.0`.
- `addr_less_eq()`, used by `ioa_addr_in_range()` for `denied-peer-ip` matching, returns 0 when the range is AF_INET and the peer is AF_INET6, without extracting the embedded IPv4 address, so the range never matches.
Version 4.9.0 contains an updated fix that addresses this bypass of the fix for CVE-2020-26262.
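The three checks and the bypass, as an added Python illustration; coturn is written in C and this is not its code. The `naive_*` functions mirror the pre-4.9.0 logic the description gives (each check looks only at its own address family), the `strict_*` functions unwrap `::ffff:a.b.c.d` first, which is what testing `IN6_IS_ADDR_V4MAPPED` achieves, and `DENIED_RANGES` is a constructed stand-in for `denied-peer-ip=127.0.0.0-127.255.255.255`:

```python
"""IPv4-mapped IPv6 bypass of loopback, zero-address and denied-range checks.

Added Python illustration of the bug class; coturn is C and this is not its
code. naive_* mirror the pre-4.9.0 logic described in the advisory; strict_*
unwrap ::ffff:a.b.c.d before checking, as IN6_IS_ADDR_V4MAPPED handling does.
"""
import ipaddress
from ipaddress import IPv4Address, IPv4Network, IPv6Address

LOOPBACK_V4 = IPv4Network("127.0.0.0/8")

# Constructed policy: equivalent of denied-peer-ip=127.0.0.0-127.255.255.255
DENIED_RANGES = [(IPv4Address("127.0.0.0"), IPv4Address("127.255.255.255"))]


def naive_is_loopback(addr) -> bool:
    """127.x.x.x for AF_INET, ::1 for AF_INET6, nothing else."""
    if addr.version == 4:
        return addr in LOOPBACK_V4
    return addr == IPv6Address("::1")


def naive_is_zero(addr) -> bool:
    """0.0.0.0 or ::, so ::ffff:0.0.0.0 slips through."""
    return addr == IPv4Address("0.0.0.0") or addr == IPv6Address("::")


def naive_in_range(addr, lo, hi) -> bool:
    """Family mismatch: the comparison 'returns 0', so the range never matches."""
    if addr.version != lo.version:
        return False
    return lo <= addr <= hi


def unmap(addr):
    """::ffff:a.b.c.d -> a.b.c.d; every other address is returned unchanged."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def strict_is_loopback(addr) -> bool:
    return naive_is_loopback(unmap(addr))


def strict_is_zero(addr) -> bool:
    return naive_is_zero(unmap(addr))


def strict_in_range(addr, lo, hi) -> bool:
    return naive_in_range(unmap(addr), lo, hi)


def peer_allowed(peer_text: str, strict: bool) -> bool:
    """Decide a CreatePermission/ChannelBind peer (the de-XORed
    XOR-PEER-ADDRESS) against the loopback, zero and denied-range rules."""
    peer = ipaddress.ip_address(peer_text)
    is_loopback = strict_is_loopback if strict else naive_is_loopback
    is_zero = strict_is_zero if strict else naive_is_zero
    in_range = strict_in_range if strict else naive_in_range
    if is_loopback(peer) or is_zero(peer):
        return False
    return not any(in_range(peer, lo, hi) for lo, hi in DENIED_RANGES)
```

With `strict=False`, `peer_allowed("::ffff:127.0.0.1", ...)` returns True while `127.0.0.1` and `::1` are refused, which is exactly the reported bypass; with `strict=True` the mapped form is refused too, and ordinary addresses such as `::ffff:203.0.113.5` or `2001:db8::1` are still accepted. Unwrapping once, before every family-specific check, is simpler and safer than patching each check individually.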
Overview
Description
Integer overflow in the Libraries component in NSS. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Fediverse
Oh look, a 9.8 critical vulnerability in the NSS service used by #Firefox and #Thunderbird.
Overview
- jugmac00
- flask-reuploaded
Published: 25 Feb 2026
Updated: 25 Feb 2026
CVSS v3.1: CRITICAL (9.8)
EPSS: 0.10%
KEV
Description
Flask-Reuploaded provides file uploads for Flask. In versions prior to 1.5.0, a critical path traversal and extension bypass vulnerability allows remote attackers to achieve arbitrary file write and, through server-side template injection (SSTI), remote code execution. Flask-Reuploaded is patched in version 1.5.0. Workarounds are available: do not pass user input to the `name` parameter, use auto-generated filenames only, and implement strict input validation if `name` must be used.
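The checks the last workaround asks for when a caller-supplied `name` cannot be avoided, as an added Python illustration that is not Flask-Reuploaded's code. `save_upload`, `validate_name` and the extension allowlist are hypothetical stand-ins for an upload set's save path; the constructed names exercise a traversal attempt, a double-extension attempt, a bare `..` and two legitimate files:

```python
"""Containing a user-supplied upload name: traversal and extension checks.

Added illustration, not Flask-Reuploaded's code. save_upload/validate_name
are hypothetical stand-ins for an upload set's save() that accepts a
caller-supplied name; ALLOWED_EXTENSIONS is a constructed allowlist.
"""
import os
import re
import tempfile
from pathlib import Path

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "txt"}
# One path component: starts alphanumeric, then a conservative character set.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


class UnsafeName(ValueError):
    pass


def extension_of(name: str) -> str:
    """Last suffix only, lowercased: 'shell.png.html' -> 'html', because the
    final extension is what a server or template loader acts on."""
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def validate_name(name: str) -> str:
    if "/" in name or "\\" in name or "\x00" in name:
        raise UnsafeName("path separator or NUL in name")
    if name in (".", "..") or not _NAME_RE.fullmatch(name):
        raise UnsafeName("name contains disallowed characters")
    if extension_of(name) not in ALLOWED_EXTENSIONS:
        raise UnsafeName("extension not allowed")
    return name


def resolve_under(base_dir: str, name: str) -> Path:
    """Resolve base/name and insist the result is inside base."""
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    if target != base and base not in target.parents:
        raise UnsafeName("resolved path escapes upload directory")
    return target


def save_upload(base_dir: str, name: str, data: bytes) -> Path:
    target = resolve_under(base_dir, validate_name(name))
    target.write_bytes(data)
    return target


def try_save(base_dir: str, name: str, data: bytes = b"x") -> str:
    """Path relative to base_dir on success, 'rejected: ...' otherwise."""
    try:
        saved = save_upload(base_dir, name, data)
        return str(saved.relative_to(Path(base_dir).resolve()))
    except UnsafeName as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    """Constructed run in a throwaway directory; reports what each name did."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.makedirs(uploads)
        names = ["image.png", "notes.txt", "../templates/index.html",
                 "shell.png.html", ".."]
        outcome = {n: try_save(uploads, n) for n in names}
        # Did anything land outside uploads/ (the arbitrary-write outcome)?
        outcome["escaped"] = os.path.exists(
            os.path.join(root, "templates", "index.html"))
    return outcome
```

The path containment check in `resolve_under` is kept even though `validate_name` already rejects separators: the name check is the first line of defence and the resolved-path check catches any later relaxation of it. The last extension is the one that matters because a file ending in a template extension, written into a directory the template loader reads, is the plausible route from an arbitrary write to the SSTI the advisory mentions.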
Overview
Description
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 contain a reflected cross-site scripting (XSS) vulnerability in the rendering of the ExceptionMessage on the WebUI 500 error page, which could allow attackers to steal the login session tokens of users who navigate to a specially crafted URL. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Overview
- Copeland
- Copeland XWEB 300D PRO
Published: 27 Feb 2026
Updated: 27 Feb 2026
CVSS v3.1: HIGH (8.0)
EPSS: 0.11%
KEV
Description
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by sending malicious input injected into the server username field of the import preconfiguration action in the API V1 route.
Overview
Description
Axios is a promise-based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the `mergeConfig` function in axios crashes with a TypeError when processing configuration objects that contain `__proto__` as an own property. An attacker can trigger this by supplying a malicious configuration object created via `JSON.parse()` (which, unlike an object literal, yields `__proto__` as an own property), causing a complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.
Overview
Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.4 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause Denial of Service by sending specially crafted requests to the Jira events endpoint.
Overview
- Copeland
- Copeland XWEB 300D PRO
Published: 27 Feb 2026
Updated: 27 Feb 2026
CVSS v3.1: HIGH (8.0)
EPSS: 0.20%
KEV
Description
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the templates route.
Overview
Description
A buffer overflow vulnerability exists in Tenda F453 1.0.0.3, in the function fromDhcpListClient of the file /goform/DhcpListClient in the httpd component. Manipulating the `page` argument triggers the overflow. The vulnerability can be exploited remotely, and an exploit has been publicly disclosed.