
Overview

  • Unknown
  • PeproDev Ultimate Invoice

25 Mar 2026
Published
25 Mar 2026
Updated

CVSS
Pending
EPSS
0.02%

KEV

Description

The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 has a bulk download invoices action that generates ZIP archives containing exported invoice PDFs. The ZIP files are named predictably, making it possible to brute force the archive names and retrieve PII.

Statistics

  • 1 Post

Last activity: 13 hours ago

Fediverse


⚠️ HIGH: CVE-2026-2343 in PeproDev Ultimate Invoice ≤2.2.5 exposes PII via predictable ZIP archive names in bulk downloads. No auth needed — risk of mass data leaks! Disable feature, restrict access, monitor logs. radar.offseq.com/threat/cve-20


Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 2 Posts

Last activity: 11 hours ago

Bluesky

Stackfield Desktop App: RCE via Path Traversal and Arbitrary File Write (CVE-2026-28373)

Overview

  • legalweb
  • WP DSGVO Tools (GDPR)

24 Mar 2026
Published
24 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
0.10%

KEV

Description

The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the `super-unsubscribe` AJAX action accepting a `process_now` parameter from unauthenticated users, which bypasses the intended email-confirmation flow and immediately triggers irreversible account anonymization. This makes it possible for unauthenticated attackers to permanently destroy any non-administrator user account (password randomized, username/email overwritten, roles stripped, comments anonymized, sensitive usermeta wiped) by submitting the victim's email address with `process_now=1`. The nonce required for the request is publicly available on any page containing the `[unsubscribe_form]` shortcode.

Statistics

  • 1 Post

Last activity: 19 hours ago

Fediverse


🚨 CRITICAL: CVE-2026-4283 in WP DSGVO Tools (GDPR) plugin allows unauthenticated attackers to irreversibly destroy non-admin accounts via 'super-unsubscribe' AJAX. All versions ≤3.1.38 affected. Remove '[unsubscribe_form]' & monitor for abuse. radar.offseq.com/threat/cve-20


Overview

  • PTC
  • Windchill PDMLink

23 Mar 2026
Published
24 Mar 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.38%

KEV

Description

A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. This issue affects Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0; FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0.

Statistics

  • 1 Post

Last activity: 6 hours ago

Bluesky

PTC alerts to critical CVE-2026-4681 flaw in Windchill PDMLink and FlexPLM allowing remote code execution via deserialization injection. Apache, IIS mitigations released; affected services may require shutdown. #PTC #RemoteCodeExecution #USA

Overview

  • cursor
  • cursor

11 Mar 2026
Published
11 Mar 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.05%

KEV

Description

Cursor is a code editor built for programming with AI. Prior to 2.0, if a visited website contains maliciously crafted instructions, the model may attempt to follow them in order to "assist" the user. When combined with a bypass of the command whitelist mechanism, such indirect prompt injections could result in commands being executed automatically, without the user's explicit intent, posing a significant security risk. This vulnerability is fixed in 2.0.

Statistics

  • 1 Post

Last activity: 18 hours ago

Bluesky

CVE-2026-31854 - Cursor Affected by Arbitrary Code Execution via Prompt Injection and Whitelist Bypass scq.ms/4cDQEGh

Overview

  • higuma
  • web-audio-recorder-js

23 Feb 2026
Published
23 Feb 2026
Updated

CVSS v4.0
LOW (2.3)
EPSS
0.05%

KEV

Description

A vulnerability was identified in higuma web-audio-recorder-js 0.1/0.1.1. The affected code is the function extend in lib/WebAudioRecorder.js, part of the Dynamic Config Handling component. Manipulation leads to improperly controlled modification of object prototype attributes (prototype pollution). The attack can be launched remotely. Attacks of this nature are highly complex and exploitability is considered difficult. An exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
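The weakness class named above (a recursive extend/merge that follows attacker-controlled keys into Object.prototype) as an added illustration. This is not the library's code: `extendUnsafe` and `extendSafe` are hypothetical stand-ins that show the pattern and its hardening; whether a polluted property then turns into code execution depends on what downstream code reads from the prototype, which this example does not model.

```javascript
// Added illustration (not the library's code) of the bug class named above:
// a recursive extend/merge that recurses into whatever keys the caller
// supplies, so a key of "__proto__" lets the caller write into
// Object.prototype.  Function names below are hypothetical.

// Vulnerable: for...in happily visits an own property named "__proto__"
// (JSON.parse creates one; an object literal would instead set the prototype),
// and target["__proto__"] resolves to Object.prototype, so the recursion
// writes every nested key onto the shared prototype.
function extendUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      extendUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain, iterate own keys
// only, and never descend into an inherited property of the target.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function extendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!hasOwn(target, key) || typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      extendSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input: a "config" document that smuggles a prototype key.
const POLLUTING_CONFIG = '{"__proto__": {"isAdmin": true}, "sampleRate": 44100}';

// Runs the unsafe merge and reports whether an unrelated, freshly created
// object inherited the injected property.  Cleans up afterwards so the rest of
// the process is not left polluted.
function demoPollution() {
  extendUnsafe({}, JSON.parse(POLLUTING_CONFIG));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

// Same input through the hardened merge: the ordinary key is applied, the
// prototype key is dropped, and nothing leaks onto other objects.
function demoHardened() {
  const config = extendSafe({ sampleRate: 22050, encoding: "wav" }, JSON.parse(POLLUTING_CONFIG));
  return {
    leaked: ({}).isAdmin === true,
    sampleRate: config.sampleRate,
    encoding: config.encoding,
    prototypeUntouched: !hasOwn(Object.prototype, "isAdmin"),
  };
}
```

Call `demoPollution()` and `demoHardened()` in that order. The denylist is the minimum; a merge that builds its target with `Object.create(null)` or validates input against a schema before merging removes the class entirely rather than one spelling of it.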

Statistics

  • 1 Post

Last activity: 6 hours ago

Bluesky

CVE-2026-2964: How a Blind Merge Unlocks RCE in a JavaScript Audio Library + Video Introduction: Prototype pollution is a JavaScript vulnerability that allows attackers to inject properties into the global Object.prototype. When a poorly implemented recursive merge function copies user-controlled…

Overview

  • langflow-ai
  • langflow

20 Mar 2026
Published
25 Mar 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.59%

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

Statistics

  • 1 Post

Last activity: Last hour

Bluesky

~Cisa~ CISA added CVE-2026-33017, an actively exploited Langflow code injection flaw, to its KEV catalog. - IOCs: CVE-2026-33017 - #CVE202633017 #Langflow #threatintel

Overview

  • AWS
  • AWS API MCP Server

16 Mar 2026
Published
16 Mar 2026
Updated

CVSS v3.1
MEDIUM (5.5)
EPSS
0.01%

KEV

Description

An Improper Protection of Alternate Path weakness in the no-access and workdir feature of the AWS API MCP Server, versions >= 0.2.14 and < 1.3.9 on all platforms, may allow bypass of the intended file access restriction and expose arbitrary local file contents in the MCP client application context. To remediate this issue, users should upgrade to version 1.3.9.

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

~Varonis~ An LFI flaw (CVE-2026-4270) in AWS Remote MCP Server allows authenticated users to read arbitrary files via CLI shorthand syntax. - IOCs: aws-mcp. us-east-1. api. aws, CVE-2026-4270 - #AWS #LFI #ThreatIntel

Overview

  • Sapido
  • RB-1732

11 Mar 2026
Published
11 Mar 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.20%

KEV

Description

SAPIDO RB-1732 V2.0.43 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the formSysCmd endpoint. Attackers can send POST requests with the sysCmd parameter containing shell commands to execute code on the device with router privileges.

Statistics

  • 1 Post

Last activity: 14 hours ago

Bluesky

CVE-2019-25487 - SAPIDO RB-1732 V2.0.43 Remote Command Execution via formSysCmd scq.ms/3OVD2fN

Overview

  • shopware
  • core

11 Mar 2026
Published
12 Mar 2026
Updated

CVSS v4.0
HIGH (8.9)
EPSS
0.04%

KEV

Description

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.

Statistics

  • 1 Post

Last activity: 10 hours ago

Bluesky

Profile picture fallback
CVE-2026-31887 - Shopware unauthenticated data extraction possible through store-api.order endpoint scq.ms/4ukmFcR
  • 0
  • 0
  • 0
  • 10h ago
Showing 11 to 20 of 37 CVEs