24h | 7d | 30d

CVE-2026-32288

Overview

  • Go standard library
  • archive/tar
  • archive/tar
08 Apr 2026
Published
13 Apr 2026
Updated
CVSS
Pending
EPSS
0.00%
KEV

Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

Statistics

  • 1 Post
Last activity: Last hour

Bluesky

Profile picture fallback
Lambda Watchdog @lambdawatchdog.bsky.social
🔍 Lambda Watchdog detected that CVE-2026-32288 is no longer present in latest AWS Lambda base image scans. https://github.com/aws/aws-lambda-base-images/issues/461 #AWS #Lambda #Security #CVE #DevOps #SecOps
  • 0
  • 0
  • 0
  • Last hour

CVE-2026-40493

Overview

  • HappySeaFox
  • sail
18 Apr 2026
Published
18 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
Pending
KEV

Description

SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979, the PSD codec computes bytes-per-pixel (`bpp`) from raw header fields `channels * depth`, but the pixel buffer is allocated based on the resolved pixel format. For LAB mode with `channels=3, depth=16`, `bpp = (3*16+7)/8 = 6`, but the format `BPP40_CIE_LAB` allocates only 5 bytes per pixel. Every pixel write overshoots, causing a deterministic heap buffer overflow on every row. Commit c930284445ea3ff94451ccd7a57c999eca3bc979 contains a patch.

Statistics

  • 1 Post
Last activity: 7 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

🚨 CVE-2026-40493: CRITICAL out-of-bounds write in HappySeaFox sail (<c930284445ea3ff94451ccd7a57c999eca3bc979) — Heap buffer overflow in PSD codec risks RCE & data loss. Patch ASAP: commit c930284445ea3ff94451ccd7a57c999eca3bc979. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 7h ago

CVE-2025-64446

Overview

  • Fortinet
  • FortiWeb
14 Nov 2025
Published
26 Feb 2026
Updated
CVSS v3.1
CRITICAL (9.4)
EPSS
93.12%
KEV

Description

A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

Statistics

  • 1 Post
Last activity: 6 hours ago

Bluesky

Profile picture fallback
Undercode Testing @undercode.bsky.social
FortiWeb Impersonation Flaw: How CVE-2025-64446 Lets Attackers Become Any User – And How To Stop It + Video Introduction: Fortinet’s FortiWeb web application firewall (WAF) includes an “impersonation function” designed to help administrators troubleshoot user sessions. However, security…
  • 0
  • 0
  • 0
  • 6h ago

CVE-2026-32289

Overview

  • Go standard library
  • html/template
  • html/template
08 Apr 2026
Published
13 Apr 2026
Updated
CVSS
Pending
EPSS
0.01%
KEV

Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

Statistics

  • 1 Post
Last activity: Last hour

Bluesky

Profile picture fallback
Lambda Watchdog @lambdawatchdog.bsky.social
🔍 Lambda Watchdog detected that CVE-2026-32289 is no longer present in latest AWS Lambda base image scans. https://github.com/aws/aws-lambda-base-images/issues/462 #AWS #Lambda #Security #CVE #DevOps #SecOps
  • 0
  • 0
  • 0
  • Last hour

CVE-2026-37749

Overview

  • Pending
17 Apr 2026
Published
17 Apr 2026
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

A SQL injection vulnerability in CodeAstro Simple Attendance Management System v1.0 allows remote unauthenticated attackers to bypass authentication via the username parameter in index.php.

Statistics

  • 1 Post
Last activity: 17 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

🚨 CRITICAL SQL injection (CVE-2026-37749) in CodeAstro Simple Attendance Management System v1.0: Remote unauthenticated attackers can bypass authentication via index.php. Restrict access & deploy WAFs until a patch arrives. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 17h ago

CVE-2026-40317

Overview

  • MinecAnton209
  • NovumOS
18 Apr 2026
Published
18 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.4)
EPSS
Pending
KEV

Description

NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 12 (JumpToUser) accepts an arbitrary entry point address from user-space registers without validation, allowing any Ring 3 user-mode process to jump to kernel addresses and execute arbitrary code in Ring 0 context, resulting in local privilege escalation. This issue has been fixed in version 0.24. If developers are unable to immediately update, they should restrict syscall access by running the system in single-user mode without Ring 3, and disable user-mode processes by only running kernel shell with no user processes. This issue has been fixed in version 0.24.

Statistics

  • 1 Post
Last activity: 4 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

🔍 CVE-2026-40317 (CRITICAL, CVSS 9.4): NovumOS < 0.24 allows local privilege escalation via unchecked entry point in Syscall 12. Patch to 0.24 ASAP or restrict syscalls to mitigate. Full details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 4h ago

CVE-2026-32283

Overview

  • Go standard library
  • crypto/tls
  • crypto/tls
08 Apr 2026
Published
13 Apr 2026
Updated
CVSS
Pending
EPSS
0.02%
KEV

Description

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

Statistics

  • 1 Post
Last activity: Last hour

Bluesky

Profile picture fallback
Lambda Watchdog @lambdawatchdog.bsky.social
🔍 Lambda Watchdog detected that CVE-2026-32283 is no longer present in latest AWS Lambda base image scans. https://github.com/aws/aws-lambda-base-images/issues/460 #AWS #Lambda #Security #CVE #DevOps #SecOps
  • 0
  • 0
  • 0
  • Last hour

CVE-2026-40582

Overview

  • ChurchCRM
  • CRM
17 Apr 2026
Published
17 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.1)
EPSS
Pending
KEV

Description

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication checks. An attacker with knowledge of a user's password can obtain API access even when the account is locked or has 2FA enabled, granting direct access to all protected API endpoints with that user's privileges. This issue has been fixed in version 7.2.0. Note: this issue had a duplicate, GHSA-472m-p3gf-46xp, which has been closed.

Statistics

  • 1 Post
Last activity: 3 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

🚨 CVE-2026-40582: ChurchCRM < 7.2.0 has a CRITICAL auth bypass (CVSS 9.1). /api/public/user/login lets attackers with a password skip lockout & 2FA to get API access. Upgrade to 7.2.0+ ASAP. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 3h ago

CVE-2026-6284

Overview

  • Horner Automation
  • Cscape
17 Apr 2026
Published
17 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
Pending
KEV

Description

An attacker with network access to the PLC is able to brute force discover passwords to gain unauthorized access to systems and services. The limited password complexity and no password input limiters makes brute force password enumeration possible.

Statistics

  • 1 Post
Last activity: 19 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

⚠️ CRITICAL: CVE-2026-6284 hits Horner Automation Cscape v10.0 PLCs. Weak passwords & no input limits allow attackers to brute force access remotely. No patch yet — restrict access, monitor logins, & harden networks. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 19h ago

CVE-2026-4224

Overview

  • Python Software Foundation
  • CPython
16 Mar 2026
Published
08 Apr 2026
Updated
CVSS v4.0
MEDIUM (6.0)
EPSS
0.04%
KEV

Description

When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.

Statistics

  • 1 Post
Last activity: Last hour

Bluesky

Profile picture fallback
Lambda Watchdog @lambdawatchdog.bsky.social
🔍 Lambda Watchdog detected that CVE-2026-4224 is no longer present in latest AWS Lambda base image scans. https://github.com/aws/aws-lambda-base-images/issues/456 #AWS #Lambda #Security #CVE #DevOps #SecOps
  • 0
  • 0
  • 0
  • Last hour
Showing 11 to 20 of 40 CVEs