CVE-2026-33286

Overview

graphiti-api
graphiti

23 Mar 2026

Published

24 Mar 2026

Updated

CVSS v3.1

CRITICAL (9.1)

EPSS

0.04%

MITRE

KEV

Description

Graphiti is a framework that sits on top of models and exposes them via a JSON:API-compliant interface. Versions prior to 1.10.2 have an arbitrary method execution vulnerability that affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations. Any application exposing Graphiti write endpoints (create/update/delete) to untrusted users is affected. The `Graphiti::Util::ValidationResponse#all_valid?` method recursively calls `model.send(name)` using relationship names taken directly from user-supplied JSONAPI payloads, without validating them against the resource's configured sideloads. This allows an attacker to potentially run any public method on a given model instance, on the instance class or associated instances or classes, including destructive operations. This is patched in Graphiti v1.10.2. Users should upgrade as soon as possible. Some workarounds are available. Ensure Graphiti write endpoints (create/update) are not accessible to untrusted users and/or apply strong authentication and authorization checks before any write operation is processed, for example use Rails strong parameters to ensure only valid parameters are processed.

Statistics

1 Post

Last activity: 22 hours ago

Fediverse

Offensive Sequence @offseq

🚨 CRITICAL: CVE-2026-33286 in Graphiti (<1.10.2) lets unauthenticated attackers invoke arbitrary public methods via JSONAPI write requests. Patch to v1.10.2, restrict access, and validate inputs! https://radar.offseq.com/threat/cve-2026-33286-cwe-913-improper-control-of-dynamic-fd76d864 #OffSeq #CVE202633286 #Ruby #APIsecurity

0
0
0
22h ago

CVE-2025-41660

Overview

CODESYS
CODESYS Control RTE (SL)

24 Mar 2026

Published

24 Mar 2026

Updated

CVSS v3.1

HIGH (8.8)

EPSS

0.21%

MITRE

KEV

Description

A low-privileged remote attacker may be able to replace the boot application of the CODESYS Control runtime system, enabling unauthorized code execution.

Statistics

1 Post

Last activity: 18 hours ago

Fediverse

CERT@VDE @certvde

#OT #Advisory VDE-2026-011
CODESYS Control V3 - Untrusted boot application

The CODESYS Control runtime system provides a user management mechanism with multiple privilege groups. While only the privileged Administrators and Developer groups are intended to load or debug applications on the controller, users in the restricted Service group are allowed to perform maintenance operations, including explicitly replacing the boot application.
#CVE CVE-2025-41660

https://certvde.com/en/advisories/vde-2026-011/

#CSAF https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2026/advisory2026-02_vde-2026-011.json

0
0
0
18h ago

CVE-2026-28292

Overview

steveukx
simple-git

10 Mar 2026

Published

11 Mar 2026

Updated

CVSS v3.1

CRITICAL (9.8)

EPSS

0.10%

MITRE

KEV

Description

`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.

Statistics

1 Post

Last activity: 18 hours ago

Bluesky

今日視界 @g0rosato.bsky.social

CVE-2026-28292：simple-git遠程代碼執行漏洞，一個大寫字母即可繞過兩個CVE補丁（CVSS 9.8）

0
0
0
18h ago

CVE-2026-20963

Overview

Microsoft
Microsoft SharePoint Enterprise Server 2016

13 Jan 2026

Published

19 Mar 2026

Updated

CVSS v3.1

HIGH (8.8)

EPSS

7.10%

MITRE

KEV

Description

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Statistics

1 Post

Last activity: 1 hour ago

Bluesky

キタきつね @kitafox.bsky.social

CVE-2026-20963: SharePointの逆シリアル化におけるリモートコード実行の脆弱性 CVE-2026-20963: SharePoint Deserialization Remote Code Execution Vulnerability #SecurityBoulevard (Mar 24) securityboulevard.com/2026/03/cve-...

0
0
0
1h ago

CVE-2026-4283

Overview

legalweb
WP DSGVO Tools (GDPR)

24 Mar 2026

Published

24 Mar 2026

Updated

CVSS v3.1

CRITICAL (9.1)

EPSS

0.10%

MITRE

KEV

Description

The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the `super-unsubscribe` AJAX action accepting a `process_now` parameter from unauthenticated users, which bypasses the intended email-confirmation flow and immediately triggers irreversible account anonymization. This makes it possible for unauthenticated attackers to permanently destroy any non-administrator user account (password randomized, username/email overwritten, roles stripped, comments anonymized, sensitive usermeta wiped) by submitting the victim's email address with `process_now=1`. The nonce required for the request is publicly available on any page containing the `[unsubscribe_form]` shortcode.

Statistics

1 Post

Last activity: Last hour

Fediverse

Offensive Sequence @offseq

🚨 CRITICAL: CVE-2026-4283 in WP DSGVO Tools (GDPR) plugin allows unauthenticated attackers to irreversibly destroy non-admin accounts via 'super-unsubscribe' AJAX. All versions ≤3.1.38 affected. Remove '[unsubscribe_form]' & monitor for abuse. https://radar.offseq.com/threat/cve-2026-4283-cwe-862-missing-authorization-in-leg-b0b3a8d9 #OffSeq #WordPress #Infosec

0
0
0
Last hour

CVE-2025-14917

Overview

Pending

Pending

Published

Pending

Updated

CVSS

Pending

EPSS

Pending

MITRE

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

1 Post

Last activity: 9 hours ago

Bluesky

knaepp.bsky.social @knaepp.bsky.social

IBM WebSphere Application Server Liberty could provide weaker than expected security (CVE-2025-14917) https://tinyurl.com/2cyftztb

0
0
0
9h ago

CVE-2026-1207

Overview

djangoproject
Django
django

03 Feb 2026

Published

03 Feb 2026

Updated

CVSS

Pending

EPSS

5.38%

MITRE

KEV

Description

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Statistics

1 Post

Last activity: 8 hours ago

Bluesky

CyberVeille @cyberveille-ch.bsky.social

📢 CVE-2026-1207 : Injection SQL dans Django/GeoDjango activement exploitée dans la nature 📝 ## 🔍 Contexte Publié le 23 mars 2026 par CrowdSec, … https://cyberveille.ch/posts/2026-03-23-cve-2026-1207-injection-sql-dans-django-geodjango-activement-exploitee-dans-la-nature/ #CVE_2026_1207 #Cyberveille

0
0
0
8h ago

CVE-2026-32746

Overview

GNU
inetutils

13 Mar 2026

Published

23 Mar 2026

Updated

CVSS v3.1

CRITICAL (9.8)

EPSS

0.03%

MITRE

KEV

Description

telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full.

Statistics

1 Post

Last activity: 17 hours ago

Fediverse

Stanislav Ochotnický @drizzy

Fixed a security vulnerability regarding Telnetd (CVE-2026-32746)

I know I'm late to the game but this is one funny CVE.

A) Who uses telnet these days. Really. Who?
B) That bug has been lurking there for ... a long time. Ooof

0
0
0
17h ago

CVE-2026-4745

Overview

dendibakh
perf-ninja

24 Mar 2026

Published

24 Mar 2026

Updated

CVSS v4.0

CRITICAL (10.0)

EPSS

0.05%

MITRE

KEV

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in dendibakh perf-ninja (labs/misc/pgo/lua modules). This vulnerability is associated with program files ldo.C. This issue affects perf-ninja.

Statistics

1 Post

Last activity: 16 hours ago

Fediverse

Offensive Sequence @offseq

🚨 CRITICAL: CVE-2026-4745 in dendibakh perf-ninja (CVSS 10) — remote code injection flaw in labs/misc/pgo/lua & ldo.C. No exploits yet, but restrict access, monitor logs, and prep for urgent patches. Full system compromise risk. https://radar.offseq.com/threat/cve-2026-4745-cwe-94-improper-control-of-generatio-1708b5aa #OffSeq #Vuln #AppSec

0
0
0
16h ago

CVE-2026-4739

Overview

InsightSoftwareConsortium
ITK

24 Mar 2026

Published

24 Mar 2026

Updated

CVSS v4.0

CRITICAL (9.4)

EPSS

0.04%

MITRE

KEV

Description

Integer Overflow or Wraparound vulnerability in InsightSoftwareConsortium ITK (‎Modules/ThirdParty/Expat/src/expat modules).This issue affects ITK: before 2.7.1.

Statistics

1 Post

Last activity: 15 hours ago

Fediverse

Offensive Sequence @offseq

🚨 CVE-2026-4739 (CRITICAL, CVSS 9.4) in ITK: Integer overflow in Expat XML parser enables remote code execution or DoS in medical/scientific apps. Update to v2.7.1 now. User interaction required. Details: https://radar.offseq.com/threat/cve-2026-4739-cwe-190-integer-overflow-or-wraparou-4dc9a6b8 #OffSeq #Vulnerability #ITK #Infosec

0
0
0
15h ago