
Overview

  • Microsoft
  • Remote Desktop client for Windows Desktop

Published: 14 Apr 2026
Updated: 16 Apr 2026

CVSS v3.1: HIGH (8.8)
EPSS: 0.12%

KEV

Description

Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 21 hours ago

Bluesky

📢 Microsoft Patch Tuesday April 2026: 243 vulnerabilities, one of them actively exploited 📝 🗓️ Context: Published on 14 April 2026 by Johannes Ull… https://cyberveille.ch/posts/2026-04-15-patch-tuesday-microsoft-avril-2026-243-vulnerabilites-dont-une-exploitee-activement/ #CVE_2026_32157 #Cyberveille
  • 0
  • 1
  • 0
  • 21h ago

Overview

  • @fastify/static
  • @fastify/static

Published: 16 Apr 2026
Updated: 16 Apr 2026

CVSS v3.1: MEDIUM (5.3)
EPSS: Pending

KEV

Description

@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory and file names. File contents are not disclosed. Upgrade to @fastify/static 9.1.1 to fix this issue. As a workaround, disable directory listing by removing the list option from the plugin configuration.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 4 hours ago

Bluesky

🚨 Medium-severity security fix in @fastify/static@9.1.1 just released! Patches CVE-2026-6410 — path traversal in directory listing github.com/fastify/fast...
  • 0
  • 1
  • 1
  • 4h ago

Overview

  • wolfSSL
  • wolfSSL

Published: 09 Apr 2026
Updated: 10 Apr 2026

CVSS v4.0: CRITICAL (9.3)
EPSS: 0.04%

KEV

Description

Missing hash/digest size and OID checks allow digests smaller than allowed when verifying ECDSA certificates, or smaller than is appropriate for the relevant key type, to be accepted by signature verification functions. This could lead to reduced security of ECDSA certificate-based authentication if the public CA key used is also known. This affects ECDSA/ECC verification when EdDSA or ML-DSA is also enabled.

Statistics

  • 1 Post

Last activity: 2 hours ago

Fediverse

⚠️ CRITICAL: wolfSSL Vulnerability Hits IoT, Routers and Military Systems, Update to 5.9.1 Now

Critical vulnerability CVE-2026-5194 in wolfSSL allows attackers to forge digital certificates by bypassing signature verification across ECDSA, DSA, ML-DSA, ED25519, and ED448 algorithms. Affects approximately 5 billion devices including IoT, routers, and military systems. Legacy devices unlikely…

threatnoir.com/focus

  • 0
  • 0
  • 0
  • 2h ago

Overview

  • marcobambini
  • gravity

Published: 16 Apr 2026
Updated: 16 Apr 2026

CVSS v4.0: CRITICAL (9.3)
EPSS: 0.07%

KEV

Description

Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out-of-bounds memory by crafting scripts with many string literals at global scope. Attackers can exploit insufficient bounds checking in gravity_fiber_reassign() to corrupt heap metadata and achieve arbitrary code execution in applications that evaluate untrusted scripts.

Statistics

  • 1 Post

Last activity: 8 hours ago

Fediverse

🚨 CVE-2026-40504: Critical heap-based buffer overflow in Creolabs Gravity (<0.9.6). Attackers could achieve RCE via malicious scripts. No patch yet — avoid untrusted input & monitor for updates. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 8h ago

Overview

  • @fastify/middie
  • @fastify/middie

Published: 16 Apr 2026
Updated: 16 Apr 2026

CVSS v3.1: CRITICAL (9.1)
EPSS: Pending

KEV

Description

@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds.

Statistics

  • 2 Posts

Last activity: 4 hours ago

Fediverse

🚨 Critical-severity security fix in @fastify/middie@9.3.2 just released!

Patches CVE-2026-6270 — middleware authentication bypass in child plugin scopes

github.com/fastify/middie/secu

  • 0
  • 0
  • 1
  • 4h ago

Overview

  • @fastify/middie
  • @fastify/middie

Published: 16 Apr 2026
Updated: 16 Apr 2026

CVSS v3.1: HIGH (7.4)
EPSS: Pending

KEV

Description

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.

Statistics

  • 2 Posts

Last activity: 3 hours ago

Fediverse

🚨 High-severity security fix in @fastify/middie@9.3.2 just released!

Patches CVE-2026-33804 — middleware bypass via deprecated ignoreDuplicateSlashes option

github.com/fastify/middie/secu

  • 0
  • 0
  • 1
  • 3h ago

Overview

  • Meta
  • react-server-dom-webpack

Published: 03 Dec 2025
Updated: 26 Feb 2026

CVSS v3.1: CRITICAL (10.0)
EPSS: 86.90%

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Statistics

  • 1 Post

Last activity: 13 hours ago

Fediverse

2026-W14 — Weekly Threat Roundup

🔥 Critical week for supply chain attacks with React2Shell (CVE-2025-55182) exploited to harvest credentials from 766+ Next.js hosts
🎯 North Korean UNC1069 compromised Axios npm maintainer via fake Teams call, injecting malware into packages with 100M weekly downloads
🚨 European Commission breach…

threatnoir.com/weekly/2026-w14

  • 0
  • 0
  • 0
  • 13h ago

Overview

  • Pending

Published: 16 Apr 2026
Updated: 16 Apr 2026

CVSS: Pending
EPSS: Pending

KEV

Description

An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message.

Statistics

  • 1 Post

Last activity: 6 hours ago

Fediverse

FuelCMS doesn't validate the Host header on password reset requests.

Spoof it, trigger a reset for a valid user, and the app sends them a legitimate-looking email with your server in the link. They click. You get the token.

PTT-2025-029 / CVE-2026-30459, CVSS 7.1 High. No fix coming (vendor's been quiet for ~4 years).
Full PoC: pentest-tools.com/research

  • 0
  • 0
  • 0
  • 6h ago

Overview

  • Openfind
  • MailGates

Published: 16 Apr 2026
Updated: 16 Apr 2026

CVSS v4.0: CRITICAL (9.3)
EPSS: 0.06%

KEV

Description

MailGates/MailAudit developed by Openfind has a Stack-based Buffer Overflow vulnerability, allowing unauthenticated remote attackers to control the program's execution flow and execute arbitrary code.

Statistics

  • 1 Post

Last activity: 14 hours ago

Fediverse

🚨 CRITICAL: CVE-2026-6350 in Openfind MailGates 6.0 & 5.0 — stack-based buffer overflow enables unauthenticated RCE. No mitigation yet. Restrict exposure & watch for updates. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 14h ago

Overview

  • Splunk
  • Splunk Enterprise

Published: 11 Mar 2026
Updated: 12 Mar 2026

CVSS v3.1: HIGH (8.0)
EPSS: 0.08%

KEV

Description

In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint.

Statistics

  • 1 Post

Last activity: 11 hours ago

Bluesky

Splunk has issued urgent patches for critical RCE vulnerabilities like CVE-2026-20163 and clear-text token leaks that expose systems to unauthorised access. Attackers with elevated privileges can execute arbitrary commands via insecure REST endpoints, while unencrypted tokens risk credential theft.
  • 0
  • 0
  • 0
  • 11h ago
Showing 11 to 20 of 47 CVEs