Overview

  • Pending

Published: Pending
Updated: Pending

CVSS: Pending
EPSS: Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 16 hours ago

Fediverse

ZAST engine has identified and verified CVE-2026-1829 in Content Visibility for Divi Builder 4.01, along with one additional verified vulnerability in the same plugin.

Project page: wordpress.org/plugins/content-
Project footprint: 2,000+ active installations on WordPress.org.

The critical issue is a code-execution path where user-controlled visibility expressions reach eval() through multiple application features. This is a representative example of why security teams need autonomous verification: dangerous APIs alone do not define risk. Reachability, privilege boundaries, and runtime behavior do.

ZAST.AI promotes findings into reports only after successful PoC validation, which supports a zero-false-positive operating model and helps enterprise teams prioritize remediation on verified issues.

Full report: blog.zast.ai/vulnerability%20r

@wordfence @WordPress@mastodon.world @wordpress@lemmy.world

Overview

  • Microsoft
  • Windows 10 Version 1607

Published: 10 Mar 2026
Updated: 20 Mar 2026

CVSS v3.1: HIGH (7.8)
EPSS: 0.07%

KEV

Description

Incorrect permission assignment for critical resource in Windows Accessibility Infrastructure (ATBroker.exe) allows an authorized attacker to elevate privileges locally.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 8 hours ago

Fediverse

#RegPwn - a vulnerability in Windows that lets users escalate privileges via the registry was quietly patched by an update in March 2026.

borncity.com/blog/2026/03/20/w

Overview

  • Pending

Published: Pending
Updated: Pending

CVSS: Pending
EPSS: Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 21 hours ago

Bluesky

~Cybergcca~ 11 security advisories released including a critical GNU flaw and updates for Apple, Atlassian, Chrome, and VMware. - IOCs: CVE-2026-23554 - #Patch #ThreatIntel #Vulnerability

Overview

  • quinn-rs
  • quinn

Published: 10 Mar 2026
Updated: 11 Mar 2026

CVSS v4.0: HIGH (8.7)
EPSS: 0.20%

KEV

Description

Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malformed quic_transport_parameters. In quinn-proto parsing logic, attacker-controlled varints are decoded with unwrap(), so truncated encodings cause Err(UnexpectedEnd) and panic. This is reachable over the network with a single packet and no prior trust or authentication. This vulnerability is fixed in 0.11.14.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 2 hours ago

Bluesky

Critical security advisory for #Fedora 43 users: The bpfman package has been updated to fix CVE-2026-31812, a high-impact Denial of Service vulnerability in the quinn-proto QUIC implementation. Read more: 👉 tinyurl.com/4wdprtnd #Security

Overview

  • Kubernetes
  • ingress-nginx

Published: 19 Mar 2026
Updated: 20 Mar 2026

CVSS v3.1: HIGH (8.8)
EPSS: 0.04%

KEV

Description

A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Statistics

  • 3 Posts
  • 1 Interaction

Last activity: 4 hours ago

Bluesky

CVE-2026-4342: ingress-nginx comment-based nginx configuration injection -

Overview

  • Nefteprodukttekhnika LLC
  • BUK TS-G Gas Station Automation System

Published: 10 Mar 2026
Updated: 10 Mar 2026

CVSS v3.1: CRITICAL (9.8)
EPSS: 0.58%

KEV

Description

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter in application/x-www-form-urlencoded data (e.g., action=do&sql=<query_here>&reload_driver=0) to execute arbitrary SQL commands and potentially achieve remote code execution.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 14 hours ago

Bluesky

CVE-2026-3843 - Nefteprodukttekhnika BUK TS-G Gas Station Automation System SQL Injection scq.ms/40RFxCm

Overview

  • siyuan-note
  • siyuan

Published: 20 Mar 2026
Updated: 20 Mar 2026

CVSS v3.1: CRITICAL (9.8)
EPSS: 0.05%

KEV

Description

SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user — including those with the Reader role — to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database. This is inconsistent with the application's own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely. This issue has been fixed in version 3.6.1.

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse

⚠️ CVE-2026-32767: SiYuan (<3.6.1) has a CRITICAL SQL injection flaw in /api/search/fullTextSearchBlock. Any authenticated user can run SQL, risking full data compromise. Upgrade to 3.6.1+ ASAP. radar.offseq.com/threat/cve-20

Overview

  • Red Hat
  • Red Hat Enterprise Linux 10
  • libxml2

Published: 02 Feb 2026
Updated: 12 Mar 2026

CVSS: Pending
EPSS: 0.02%

KEV

Description

A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.

Statistics

  • 1 Post

Last activity: 5 hours ago

Bluesky

🔍 Lambda Watchdog detected that CVE-2026-1757 is no longer present in latest AWS Lambda base image scans. https://github.com/aws/aws-lambda-base-images/issues/434 #AWS #Lambda #Security #CVE #DevOps #SecOps

Overview

  • Xerte
  • Xerte Online Toolkits

Published: 20 Mar 2026
Updated: 20 Mar 2026

CVSS v4.0: CRITICAL (9.3)
EPSS: 0.37%

KEV

Description

Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality. The issue exists in /website_code/php/import/import.php where missing authentication checks allow an attacker to upload a crafted ZIP archive disguised as a project template. The archive can contain a malicious PHP payload placed in the media/ directory, which is extracted into a web-accessible USER-FILES/{projectID}--{targetFolder}/ path. An attacker can then directly access the uploaded PHP file to achieve remote code execution under the web server context.

Statistics

  • 1 Post

Last activity: 14 hours ago

Fediverse

🔴 CRITICAL: CVE-2026-32985 in Xerte Online Toolkits ≤3.14 lets attackers upload PHP via import.php and gain RCE — no auth needed! Patch ASAP or restrict access, disable PHP in user dirs. Details: radar.offseq.com/threat/cve-20

Overview

  • WWBN
  • AVideo-Encoder

Published: 20 Mar 2026
Updated: 20 Mar 2026

CVSS v4.0: CRITICAL (9.3)
EPSS: 0.08%

KEV

Description

AVideo is a video-sharing Platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an input source without any authentication requirement. The prior validation only checked that the URL was syntactically valid (FILTER_VALIDATE_URL) and started with http(s)://. This is insufficient: an attacker can supply URLs such as http://169.254.169.254/latest/meta-data/ (AWS/cloud instance metadata), http://192.168.x.x/, or http://127.0.0.1/ to make the server reach internal network resources. The response is not directly returned (blind), but timing differences and error logs can be used to infer results. The issue has been fixed in version 8.0.

Statistics

  • 1 Post

Last activity: 11 hours ago

Fediverse

🚨 CVE-2026-33024: CRITICAL SSRF in WWBN AVideo-Encoder <8.0. Public API allows blind SSRF, risking internal/cloud data exposure. Upgrade to v8.0 or restrict outbound traffic now! radar.offseq.com/threat/cve-20

Showing 11 to 20 of 55 CVEs