24h | 7d | 30d

CVE-2026-6113

Overview

  • Totolink
  • A7100RU
12 Apr 2026
Published
12 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
0.89%
KEV

Description

A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this vulnerability is the function setTtyServiceCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument ttyEnable leads to os command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

Statistics

  • 1 Post
Last activity: 9 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

Totolink A7100RU (7.4cu.2313_b20191024) hit by CRITICAL OS command injection (CVE-2026-6113) β€” remote, unauthenticated attackers could execute commands. No patch yet; restrict access & monitor for updates. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 9h ago

CVE-2026-2297

Overview

  • Python Software Foundation
  • CPython
04 Mar 2026
Published
07 Apr 2026
Updated
CVSS v4.0
MEDIUM (5.7)
EPSS
0.02%
KEV

Description

The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.

Statistics

  • 1 Post
Last activity: 22 hours ago

Bluesky

Profile picture fallback
ferramentaslinux.bsky.social @ferramentaslinux.bsky.social
#openSUSE just patched two Python CVEs (CVE-2026-2297 & 3479). But local integrity flaws aren't distro-specific. Read more: πŸ‘‰ tinyurl.com/bdrmatdj
  • 0
  • 0
  • 0
  • 22h ago

CVE-2025-59362

Overview

  • Pending
26 Sep 2025
Published
29 Sep 2025
Updated
CVSS
Pending
EPSS
0.18%
KEV

Description

Squid through 7.1 mishandles ASN.1 encoding of long SNMP OIDs. This occurs in asn_build_objid in lib/snmplib/asn1.c.

Statistics

  • 1 Post
Last activity: 2 hours ago

Bluesky

Profile picture fallback
ferramentaslinux.bsky.social @ferramentaslinux.bsky.social
Stop chasing vulnerability dates. Here’s your evergreen script to fix Squid proxy (CVE-2025-59362 & friends) on Ubuntu, Rocky, SUSE – with iptables workaround if you can’t update. Read more: πŸ‘‰ tinyurl.com/9r3pfc76 #Mageia
  • 0
  • 0
  • 0
  • 2h ago

CVE-2026-6114

Overview

  • Totolink
  • A7100RU
12 Apr 2026
Published
12 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
0.89%
KEV

Description

A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setNetworkCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument proto results in os command injection. The attack may be initiated remotely. The exploit is now public and may be used.

Statistics

  • 1 Post
Last activity: 14 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

Totolink A7100RU (7.4cu.2313_b20191024) faces a CRITICAL OS command injection (CVE-2026-6114, CVSS 9.3). Remote, unauthenticated code execution possible. No patch yet β€” disable remote mgmt & watch for updates. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 14h ago

CVE-2026-31413

Overview

  • Linux
  • Linux
12 Apr 2026
Published
12 Apr 2026
Updated
CVSS
Pending
EPSS
0.01%
KEV

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR maybe_fork_scalars() is called for both BPF_AND and BPF_OR when the source operand is a constant. When dst has signed range [-1, 0], it forks the verifier state: the pushed path gets dst = 0, the current path gets dst = -1. For BPF_AND this is correct: 0 & K == 0. For BPF_OR this is wrong: 0 | K == K, not 0. The pushed path therefore tracks dst as 0 when the runtime value is K, producing an exploitable verifier/runtime divergence that allows out-of-bounds map access. Fix this by passing env->insn_idx (instead of env->insn_idx + 1) to push_stack(), so the pushed path re-executes the ALU instruction with dst = 0 and naturally computes the correct result for any opcode.

Statistics

  • 4 Posts
Last activity: 8 hours ago

Fediverse

Profile picture fallback
Nad @Nadsec

CVE-2026-31413

Found a 1-char bug in the Linux BPF verifier. A + 1 that should've been + 0 in maybe_fork_scalars() gives you OOB map access and full container escape from any pod with CAP_BPF. Fix in 7.0-rc5.
-Technical writeup with POC dropping soon.

cve.org/CVERecord?id=CVE-2026-

  • 0
  • 0
  • 1
  • 10h ago
Profile picture fallback
Nad @Nadsec

CVE-2026-31413 - Linux Kernel Local Priv Esc

One extra + 1. That's the whole bug.

BPF verifier: insn_idx + 1 instead of insn_idx. Skips an instruction it shouldn't. For BPF_OR, verifier sees zero, CPU has your constant. Arbitrary kernel R/W.

Full container escape. No --privileged. Just CAP_BPF.

nadsec.online/blog/bpf-contain

github.com/Rat5ak/bpf-research

  • 0
  • 0
  • 1
  • 8h ago

CVE-2026-31845

Overview

  • Rukovoditel
  • Rukovoditel CRM
11 Apr 2026
Published
11 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
0.02%
KEV

Description

A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response without proper sanitization, output encoding, or content-type restrictions. The vulnerable code is: if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']); An unauthenticated attacker can exploit this issue by crafting a malicious URL containing JavaScript payloads. When a victim visits the link, the payload executes in the context of the application within the victim's browser, potentially leading to session hijacking, credential theft, phishing, or account takeover. The issue is fixed in version 3.7, which introduces proper input validation and output encoding to prevent script injection.

Statistics

  • 1 Post
Last activity: 23 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

🚨 CRITICAL XSS in Rukovoditel CRM 3.6.4 (CVE-2026-31845): Pre-auth reflected XSS in the Zadarma API (/api/tel/zadarma.php) lets attackers inject JS via 'zd_echo'. Patch or restrict access! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 23h ago

CVE-2026-34079

Overview

  • flatpak
  • flatpak
07 Apr 2026
Published
10 Apr 2026
Updated
CVSS v4.0
HIGH (8.7)
EPSS
0.10%
KEV

Description

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.

Statistics

  • 1 Post
Last activity: 9 hours ago

Fediverse

Profile picture fallback
Stefan Schmidt @zaphodb

nice typo in
[SECURITY] [DSA 6207-1] flatpak security update:
"delete arbitrary hosts on the host"
lists.debian.org/debian-securi

in security-tracker.debian.org/tr it's "files" btw.

  • 0
  • 0
  • 0
  • 9h ago

CVE-2026-1116

Overview

  • parisneo
  • parisneo/lollms
12 Apr 2026
Published
12 Apr 2026
Updated
CVSS v3.0
HIGH (8.2)
EPSS
0.01%
KEV

Description

A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` method of the `AppLollmsMessage` class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the `content` field when deserializing user-provided data. This allows an attacker to inject malicious HTML or JavaScript payloads, which can be executed in the context of another user's browser. Exploitation of this vulnerability can lead to account takeover, session hijacking, or wormable attacks.

Statistics

  • 1 Post
Last activity: 15 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

🚨 HIGH severity XSS (CVE-2026-1116) in parisneo/lollms pre-2.2.0: Improper input sanitization in from_dict allows attackers to inject malicious scripts. Update ASAP! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 15h ago

CVE-2026-6116

Overview

  • Totolink
  • A7100RU
12 Apr 2026
Published
12 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
0.89%
KEV

Description

A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This vulnerability affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument ip leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

Statistics

  • 1 Post
Last activity: 12 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

Totolink A7100RU (fw 7.4cu.2313_b20191024) suffers CRITICAL OS command injection (CVE-2026-6116, CVSS 9.3). Remote, unauthenticated RCE is possible. No patch yet β€” disable remote access or isolate device! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 12h ago

CVE-2026-24880

Overview

  • Apache Software Foundation
  • Apache Tomcat
09 Apr 2026
Published
10 Apr 2026
Updated
CVSS
Pending
EPSS
0.03%
KEV

Description

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.

Statistics

  • 1 Post
Last activity: 1 hour ago

Bluesky

Profile picture fallback
ferramentaslinux.bsky.social @ferramentaslinux.bsky.social
Tomcat request smuggling (CVE-2026-24880) isn't going away. Check if you're vulnerable on Ubuntu, Rocky, or SUSE: dpkg -l | grep tomcat9 rpm -qa | grep tomcat zypper info tomcat Then run the fix script β†’ Read more: πŸ‘‰ tinyurl.com/43ud2kjt #Mageia
  • 0
  • 0
  • 0
  • 1h ago
Showing 11 to 20 of 24 CVEs