
Overview

  • pac4j
  • pac4j-jwt

Published: 04 Mar 2026
Updated: 11 Mar 2026

CVSS v4.0: CRITICAL (9.3)
EPSS: 0.06%

KEV

Description

pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypassing signature verification to authenticate as any user including administrators.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 23 hours ago

Bluesky

March 2026 exposed critical flaws in Pac4j (CVE-2026-29000), Ingress-NGINX, and Langflow enabling auth bypass and unauthenticated RCE. TeamPCP exploited GitHub Actions spreading backdoors in Trivy, Checkmarx, and PyPI. #SupplyChain #AIexploitation
  • 0
  • 1
  • 0
  • 23h ago

Overview

  • Fortinet
  • FortiClientEMS

Published: 06 Feb 2026
Updated: 31 Mar 2026

CVSS v3.1: CRITICAL (9.1)
EPSS: 0.07%

KEV

Description

An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 18 hours ago

Bluesky

📢 CVE-2026-35616: critical FortiClient EMS flaw actively exploited as a zero-day 📝 ## 🗓️ Context Source: BleepingComputer — published 5 April 20… https://cyberveille.ch/posts/2026-04-07-cve-2026-35616-faille-critique-forticlient-ems-exploitee-activement-en-zero-day/ #CVE_2026_21643 #Cyberveille
  • 0
  • 1
  • 0
  • 19h ago
Two critical FortiClientEMS vulnerabilities are actively exploited: CVE-2026-21643 (unauthenticated SQL injection) and CVE-2026-35616 (improper access control/API bypass). Patch updates released by Fortinet. #FortinetFlaw #RemoteCodeExec #Singapore
  • 0
  • 0
  • 0
  • 18h ago

Overview

  • Progress Software
  • Telerik UI for ASP.NET AJAX

Published: 14 May 2025
Updated: 27 Aug 2025

CVSS v3.1: HIGH (7.5)
EPSS: 0.60%

KEV

Description

In Progress® Telerik® UI for AJAX, versions 2011.2.712 to 2025.1.218, an unsafe reflection vulnerability exists that may lead to an unhandled exception resulting in a crash of the hosting process and denial of service.

Statistics

  • 1 Post

Last activity: 3 hours ago

Bluesky

More Than DoS (Progress Telerik UI for ASP.NET AJAX Unsafe Reflection CVE-2025-3600) - watchTowr Labs
  • 0
  • 0
  • 0
  • 3h ago

Overview

  • mintplex-labs
  • mintplex-labs/anything-llm

Published: 07 Apr 2026
Updated: 07 Apr 2026

CVSS v3.0: CRITICAL (9.1)
EPSS: Pending

KEV

Description

A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the `AgentFlows` component. The vulnerability arises from improper handling of user input in the `loadFlow` and `deleteFlow` methods in `server/utils/agentFlows/index.js`. Specifically, the combination of `path.join` and `normalizePath` allows attackers to bypass directory restrictions and access or delete arbitrary `.json` files on the server. This can lead to information disclosure, such as leaking sensitive configuration files containing API keys, or denial of service by deleting critical files like `package.json`. The issue is resolved in version 1.12.1.

Statistics

  • 1 Post

Last activity: 16 hours ago

Fediverse


🚨 CVE-2026-5627: Critical path traversal in mintplex-labs/anything-llm (<=1.9.1). Attackers with high privileges can access/delete sensitive .json files. Upgrade to 1.12.1. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 16h ago

Overview

  • gravitational
  • teleport

Published: 17 Jun 2025
Updated: 18 Jun 2025

CVSS v3.1: CRITICAL (9.8)
EPSS: 11.53%

KEV

Description

Teleport provides connectivity, authentication, access controls and audit for infrastructure. Community Edition versions before and including 17.5.1 are vulnerable to remote authentication bypass. At time of posting, there is no available open-source patch.

Statistics

  • 1 Post

Last activity: 23 hours ago

Bluesky

Exploiting CVE-2025-49825 (authentication bypass vulnerability in Teleport)
  • 0
  • 0
  • 0
  • 23h ago

Overview

  • felixmartinez
  • Users manager – PN

Published: 08 Apr 2026
Updated: 08 Apr 2026

CVSS v3.1: CRITICAL (9.8)
EPSS: Pending

KEV

Description

The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the 'userspn_form_save' case. The conditional only blocks unauthenticated users when the user_id is empty, but when a non-empty user_id is supplied, execution bypasses this check entirely and proceeds to update arbitrary user meta via update_user_meta() without any authentication or authorization verification. Additionally, the nonce required for this AJAX endpoint ('userspn-nonce') is exposed to all visitors via wp_localize_script on the public wp_enqueue_scripts hook, rendering the nonce check ineffective as a security control. This makes it possible for unauthenticated attackers to update arbitrary user metadata for any user account, including the userspn_secret_token field.

Statistics

  • 1 Post

Last activity: 1 hour ago

Fediverse


🔥 CRITICAL: CVE-2026-4003 in Users manager – PN for WordPress allows unauthenticated attackers to escalate privileges via arbitrary user meta updates. Disable plugin ASAP and monitor for patches. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 1h ago

Overview

  • WatchGuard
  • Fireware OS

Published: 17 Sep 2025
Updated: 26 Feb 2026

CVSS v4.0: CRITICAL (9.3)
EPSS: 68.97%

Description

An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3, and 2025.1.

Statistics

  • 1 Post

Last activity: 3 hours ago

Bluesky

yIKEs (WatchGuard Fireware OS IKEv2 Out-of-Bounds Write CVE-2025-9242) - watchTowr Labs
  • 0
  • 0
  • 0
  • 3h ago

Overview

  • siyuan-note
  • siyuan

Published: 07 Apr 2026
Updated: 07 Apr 2026

CVSS v3.1: CRITICAL (9.1)
EPSS: Pending

KEV

Description

SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped into rendered HTML, creating a stored XSS sink. Because the desktop renderer runs with nodeIntegration enabled and contextIsolation disabled, attacker-controlled JavaScript executes with access to Node.js APIs. In practice, an attacker can import a crafted note into a synced workspace, wait for the victim to sync, and achieve code execution when the victim opens the note. This vulnerability is fixed in 3.6.4.

Statistics

  • 1 Post

Last activity: 3 hours ago

Fediverse


🚨 CVE-2026-39846 | CRITICAL: SiYuan < 3.6.4 vulnerable to stored XSS in table captions. Exploit enables RCE via Electron’s Node.js access — patch to 3.6.4 ASAP! Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 3h ago

Overview

  • parisneo
  • parisneo/lollms

Published: 07 Apr 2026
Updated: 07 Apr 2026

CVSS v3.0: CRITICAL (9.8)
EPSS: 0.04%

KEV

Description

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. The issue is resolved in version 2.2.0.

Statistics

  • 1 Post

Last activity: 23 hours ago

Fediverse


🔴 CRITICAL: CVE-2026-1114 in parisneo/lollms v2.1.0 — weak JWT secret lets attackers brute-force, forge admin tokens & escalate privileges. Patch to v2.2.0 now! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 23h ago

Overview

  • OpenBSD
  • OpenSSH

Published: 06 Oct 2025
Updated: 26 Feb 2026

CVSS v3.1: LOW (3.6)
EPSS: 0.01%

KEV

Description

ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)

Statistics

  • 1 Post

Last activity: 3 hours ago

Bluesky

Bash a newline: Exploiting SSH via ProxyCommand, again (CVE-2025-61984)
  • 0
  • 0
  • 0
  • 3h ago
Showing 11 to 20 of 43 CVEs