Overview

  • djangoproject
  • Django
  • django

03 Feb 2026
Published
03 Feb 2026
Updated

CVSS
Pending
EPSS
5.46%

KEV

Description

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allow remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Statistics

  • 1 Post
  • 5 Interactions

Last activity: 6 hours ago

Bluesky

CrowdSec confirms the first active exploitation of CVE-2026-1207, an SQL injection flaw in Django - IT SOCIAL itsocial.fr/cybersecurit...
  • 1
  • 4
  • 0
  • 6h ago

Overview

  • snapd

17 Mar 2026
Published
18 Mar 2026
Updated

CVSS v3.1
HIGH (7.8)
EPSS
0.00%

KEV

Description

Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 21 hours ago

Fediverse

Ubuntu CVE-2026-3888 Bug Lets Attackers Gain Root via systemd Cleanup Timing Exploit thehackernews.com/2026/03/ubun

  • 1
  • 0
  • 1
  • 21h ago

Overview

  • plank
  • laravel-mediable

26 Mar 2026
Published
26 Mar 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.39%

KEV

Description

plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while declaring a benign image MIME type, resulting in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, this may lead to remote code execution. At the time of publication, no patch was available and the vendor had not responded to coordinated disclosure attempts.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 18 hours ago

Fediverse

🚨 CRITICAL vuln in plank/laravel-mediable <=6.4.0 (CVE-2026-4809): attackers can upload malicious PHP files by spoofing MIME types. No patch yet. Disable client MIME trust & enforce server-side checks! Details: radar.offseq.com/threat/cve-20

  • 1
  • 0
  • 0
  • 18h ago

Overview

  • Cisco
  • Cisco Secure Firewall Management Center (FMC)

04 Mar 2026
Published
05 Mar 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
0.06%

KEV

Description

A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to bypass authentication and execute script files on an affected device to obtain root access to the underlying operating system. This vulnerability is due to an improper system process that is created at boot time. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 17 hours ago

Fediverse

After 2+ weeks of semi-painful exploit development, @yeslikethefood and team have a full RCA out for Cisco Secure Firewall Management Center (FMC) CVE-2026-20079.

The bug is a CVSS 10, but there are significant prerequisites that may limit exploitability in real-world scenarios. There are between 300 and 700 FMC systems on the public internet as of today.

vulncheck.com/blog/cisco-fmc-a

  • 0
  • 2
  • 0
  • 17h ago

Overview

  • ory
  • oathkeeper

26 Mar 2026
Published
27 Mar 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
0.04%

KEV

Description

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences (e.g. `/public/../admin/secrets`) that resolves to a protected path after normalization, but is matched against a permissive rule because the raw, un-normalized path is used during rule evaluation. Version 26.2.0 contains a patch.

Statistics

  • 1 Post

Last activity: 21 hours ago

Fediverse

CRITICAL: ory oathkeeper (<26.2.0) vulnerable to path traversal (CVE-2026-33494). Attackers can bypass authorization via crafted URLs. Upgrade to 26.2.0+ immediately. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 21h ago

Overview

  • Progress Software
  • Flowmon ADS

12 Mar 2026
Published
13 Mar 2026
Updated

CVSS v4.0
HIGH (8.6)
EPSS
0.04%

KEV

Description

In Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, a vulnerability exists whereby an adversary with access to Flowmon monitoring ports may craft malicious network data that, when processed by Flowmon ADS and viewed by an authenticated user, could result in unintended actions being executed in the user's browser context.

Statistics

  • 1 Post

Last activity: 5 hours ago

Bluesky

CVE-2026-2514 - Possibility of unintended actions when viewing maliciously crafted network data in Progress Flowmon ADS web application scq.ms/4sGkWge
  • 0
  • 0
  • 0
  • 5h ago

Overview

  • TandoorRecipes
  • recipes

26 Mar 2026
Published
26 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
0.06%

KEV

Description

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration (ACCOUNT_RATE_LIMITS: login: 5/m/ip) only applies to the HTML-based login endpoint at /accounts/login/. Any API endpoint that accepts authenticated requests can be targeted via Authorization: Basic headers with zero rate limiting, zero account lockout, and unlimited attempts. An attacker can perform high-speed password guessing against any known username. Version 2.6.0 patches the issue.

Statistics

  • 1 Post

Last activity: 20 hours ago

Fediverse

⚠️ CVE-2026-33152: TandoorRecipes < 2.6.0 suffers CRITICAL vuln (CVSS 9.1). No rate limiting on API BasicAuth enables unlimited password guessing. Patch to 2.6.0 now! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 20h ago

Overview

  • path-to-regexp
  • path-to-regexp

26 Mar 2026
Published
26 Mar 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.04%

KEV

Description

Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0. Workarounds: Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

Statistics

  • 2 Posts

Last activity: 21 hours ago

Fediverse

🚨 High-severity security fix in path-to-regexp@8.4.0 just released!

Patches CVE-2026-4926 — path-to-regexp vulnerable to Denial of Service via sequential optional groups

github.com/pillarjs/path-to-re

  • 0
  • 0
  • 1
  • 21h ago

Overview

  • DataDog
  • dd-trace-java

27 Mar 2026
Published
27 Mar 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.57%

KEV

Description

dd-trace-java is a Datadog APM client for Java. In dd-trace-java versions from 0.40.0 up to, but not including, 1.60.2, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, dd-trace-java is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, a JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, a gadget-chain-compatible library is present on the classpath. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK >= 8u121 and < JDK 17, upgrade to dd-trace-java version 1.60.3 or later. For JDK < 8u121, where serialization filters are not available, apply the workaround. The workaround is to set the following environment variable to disable the RMI integration: `DD_INTEGRATION_RMI_ENABLED=false`.

Statistics

  • 1 Post

Last activity: 14 hours ago

Fediverse

⚠️ CRITICAL: CVE-2026-33728 in DataDog dd-trace-java (0.40.0 - <1.60.3) allows unauth RCE via unsafe deserialization if JMX/RMI port is exposed on JDK ≤16. Upgrade to 1.60.3+ & restrict access! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 14h ago

Overview

  • MariaDB
  • server

20 Mar 2026
Published
27 Mar 2026
Updated

CVSS v3.1
HIGH (8.6)
EPSS
0.29%

KEV

Description

MariaDB server is a community-developed fork of MySQL server. An authenticated user can crash MariaDB versions 11.4 before 11.4.10 and 11.8 before 11.8.6 via a bug in the JSON_SCHEMA_VALID() function. Under certain conditions it might be possible to turn the crash into remote code execution. These conditions require tight control over memory layout, which is generally only attainable in a lab environment. This issue is fixed in MariaDB 11.4.10, MariaDB 11.8.6, and MariaDB 12.2.2.

Statistics

  • 1 Post

Last activity: 15 hours ago

Bluesky

MariaDB has a high-severity buffer overflow vulnerability (CVE-2026-32710) rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #セキュリティ #Security #CybersecurityNews
  • 0
  • 0
  • 0
  • 15h ago