Overview

  • D-Link
  • DIR-513

Published: 29 Mar 2026
Updated: 29 Mar 2026

CVSS v4.0: HIGH (8.7)
EPSS: Pending

KEV

Description

A vulnerability was found in D-Link DIR-513 1.10. This issue affects the function formSetEmail of the file /goform/formSetEmail. Manipulation of the argument curTime results in a stack-based buffer overflow. The attack can be carried out remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.

Statistics

  • 1 Post

Last activity: 4 hours ago

Fediverse

🔴 CVE-2026-5024: HIGH-severity stack buffer overflow in D-Link DIR-513 (v1.10). Remote, no auth needed, public exploit released. Replace ASAP or isolate device & restrict access. No patch from vendor. radar.offseq.com/threat/cve-20

  • 4h ago

Overview

  • samtools
  • htslib

Published: 18 Mar 2026
Updated: 18 Mar 2026

CVSS v4.0: HIGH (8.8)
EPSS: 0.06%

KEV

Description

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. While most alignment records store DNA sequence and quality values, the format also allows them to omit this data in certain cases to save space. Due to some quirks of the CRAM format, it is necessary to handle these records carefully, as they will actually store data that needs to be consumed and then discarded. Unfortunately, `cram_decode_seq()` did not handle this correctly in some cases. Where this happened it could result in reading a single byte from beyond the end of a heap allocation, followed by writing a single attacker-controlled byte to the same location. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or to overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.

Statistics

  • 1 Post

Last activity: 16 hours ago

Bluesky

Fedora 42 just pushed a critical update for Samtools to fix CVE-2026-31962 (heap buffer overflow). 🧬🔒 Read more: 👉 tinyurl.com/2udnjzha #Security

  • 16h ago

Overview

  • code-projects
  • Accounting System

Published: 29 Mar 2026
Updated: 29 Mar 2026

CVSS v4.0: MEDIUM (6.9)
EPSS: Pending

KEV

Description

A vulnerability has been found in code-projects Accounting System 1.0. This affects an unknown part of the file /view_work.php of the component Parameter Handler. Manipulation of the argument en_id leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Statistics

  • 1 Post

Last activity: 1 hour ago

Fediverse

⚠️ MEDIUM severity SQL Injection (CVE-2026-5035) found in code-projects Accounting System 1.0 (/view_work.php, Parameter Handler). Public exploit available — review your systems and restrict access if possible. radar.offseq.com/threat/cve-20

  • 1h ago

Overview

  • n8n-io
  • n8n

Published: 25 Mar 2026
Updated: 25 Mar 2026

CVSS v4.0: CRITICAL (9.4)
EPSS: 0.24%

KEV

Description

n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.27, an authenticated user with permission to create or modify workflows could exploit a prototype pollution vulnerability in the XML and GSuiteAdmin nodes. By supplying crafted parameters as part of node configuration, an attacker could write attacker-controlled values onto `Object.prototype`. An attacker could use this prototype pollution to achieve remote code execution on the n8n instance. The issue has been fixed in n8n versions 2.14.1, 2.13.3, and 1.123.27. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: limit workflow creation and editing permissions to fully trusted users only, and/or disable the XML node by adding `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Statistics

  • 1 Post

Last activity: 15 hours ago

Bluesky

CVE-2026-33696 - n8n: Prototype Pollution in XML and GSuiteAdmin node parameters lead to RCE

  • 15h ago

Overview

  • quickjs-ng
  • quickjs

Published: 12 Mar 2026
Updated: 12 Mar 2026

CVSS v4.0: MEDIUM (4.8)
EPSS: 0.01%

KEV

Description

A flaw has been found in quickjs-ng quickjs up to 0.12.1. This affects the function js_iterator_concat_return of the file quickjs.c. The manipulation causes a use-after-free. The attack requires local access. The exploit has been published and may be used. Patch name: daab4ad4bae4ef071ed0294618d6244e92def4cd. Applying the patch is the recommended action to fix this issue.

Statistics

  • 1 Post

Last activity: 11 hours ago

Bluesky

quickjs-ng: 0.11.0 -> 0.13.0; quickjs: mark vulnerable for CVE-2026-3979 https://github.com/NixOS/nixpkgs/pull/503250 https://tracker.security.nixos.org/issues/NIXPKGS-2026-0676 #security

  • 11h ago

Overview

  • aquasecurity
  • setup-trivy

Published: 23 Mar 2026
Updated: 27 Mar 2026

CVSS v4.0: CRITICAL (9.4)
EPSS: 26.61%

Description

Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits. This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have used a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack. Affected components include the `aquasecurity/trivy` Go / Container image version 0.69.4, the `aquasecurity/trivy-action` GitHub Action versions 0.0.1 – 0.34.2 (76/77), and the `aquasecurity/setup-trivy` GitHub Action versions 0.2.0 – 0.2.6, prior to the recreation of 0.2.6 with a safe commit. Known safe versions include versions 0.69.2 and 0.69.3 of the Trivy binary, version 0.35.0 of trivy-action, and version 0.2.6 of setup-trivy. Additionally, take other mitigations to ensure the safety of secrets. If there is any possibility that a compromised version ran in one's environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. Check whether one's organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately. Review all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`. Those who referenced a version tag rather than a full commit SHA should check workflow run logs from March 19–20, 2026 for signs of compromise. Look for repositories named `tpcp-docs` in one's GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen. Pin GitHub Actions to full, immutable commit SHA hashes; don't use mutable version tags.

Statistics

  • 1 Post

Last activity: 7 hours ago

Bluesky

Viewing: "Trivy ecosystem supply chain was briefly compromised · CVE-2026-33634 · GitHub Advisory Database" https://github.com/advisories/GHSA-69fq-xp46-6x23

  • 7h ago

Overview

  • LabRedesCefetRJ
  • WeGIA

Published: 27 Mar 2026
Updated: 27 Mar 2026

CVSS v3.1: HIGH (8.8)
EPSS: 0.05%

KEV

Description

WeGIA is a web manager for charitable institutions. Prior to version 3.6.7, the file `html/socio/sistema/deletar_tag.php` uses `extract($_REQUEST)` on line 14 and directly concatenates the `$id_tag` variable into SQL queries on lines 16-17 without prepared statements or sanitization. Version 3.6.7 patches the vulnerability.

Statistics

  • 1 Post

Last activity: 22 hours ago

Fediverse

⚠️ CVE-2026-33991: HIGH severity SQL Injection in WeGIA < 3.6.7. Vulnerable PHP code in deletar_tag.php lets attackers inject SQL remotely — risking data theft & disruption for charities. Patch to 3.6.7 or mitigate ASAP. radar.offseq.com/threat/cve-20

  • 22h ago

Overview

  • strongSwan
  • strongSwan

Published: 23 Mar 2026
Updated: 27 Mar 2026

CVSS v4.0: HIGH (8.7)
EPSS: 0.13%

KEV

Description

strongSwan versions 4.5.0 prior to 6.0.5 contain an integer underflow vulnerability in the EAP-TTLS AVP parser that allows unauthenticated remote attackers to cause a denial of service by sending crafted AVP data with invalid length fields during IKEv2 authentication. Attackers can exploit the failure to validate AVP length fields before subtraction to trigger excessive memory allocation or NULL pointer dereference, crashing the charon IKE daemon.

Statistics

  • 1 Post

Last activity: 17 hours ago

Bluesky

strongSwan Vulnerability (CVE-2026-25075) in EAP-TTLS

  • 17h ago

Overview

  • code-projects
  • Accounting System

Published: 29 Mar 2026
Updated: 29 Mar 2026

CVSS v4.0: MEDIUM (6.9)
EPSS: Pending

KEV

Description

A vulnerability was detected in code-projects Accounting System 1.0. Affected by this vulnerability is an unknown functionality of the file /view_costumer.php of the component Parameter Handler. Manipulation of the argument cos_id results in SQL injection. The attack may be performed remotely. The exploit is now public and may be used.

Statistics

  • 1 Post

Last activity: 2 hours ago

Fediverse

🚨 CVE-2026-5033 (MEDIUM): SQL injection in code-projects Accounting System 1.0 (/view_costumer.php, cos_id) is being actively exploited. Remote risk — monitor and patch as soon as fixes arrive. More: radar.offseq.com/threat/cve-20

  • 2h ago

Overview

  • TP-Link Systems Inc.
  • TL-MR6400 v5.3

Published: 12 Mar 2026
Updated: 13 Mar 2026

CVSS v4.0: HIGH (8.5)
EPSS: 0.82%

KEV

Description

A command injection vulnerability has been identified in the Telnet command-line interface (CLI) of TP-Link TL-MR6400 v5.3. This issue is caused by insufficient sanitization of data processed during specific CLI operations. An authenticated attacker with elevated privileges may be able to execute arbitrary system commands. Successful exploitation may lead to full device compromise, including potential loss of confidentiality, integrity, and availability.

Statistics

  • 2 Posts

Last activity: 21 hours ago

Bluesky

CVE-2026-3841 - Command Injection Vulnerability in Telnet CLI on TP-Link TL-MR6400 scq.ms/3P1y9Sp

  • 21h ago