24h | 7d | 30d

CVE-2026-4415

Overview

  • GIGABYTE
  • Gigabyte Control Center
30 Mar 2026
Published
31 Mar 2026
Updated
CVSS v4.0
CRITICAL (9.2)
EPSS
0.37%
KEV

Description

Gigabyte Control Center developed by GIGABYTE has an Arbitrary File Write vulnerability. When the pairing feature is enabled, unauthenticated remote attackers can write arbitrary files to any location on the underlying operating system, leading to arbitrary code execution or privilege escalation.

Statistics

  • 1 Post
Last activity: 13 hours ago

Bluesky

Profile picture fallback
Eyal Estrin ☁️ @eyalestrin.bsky.social
GIGABYTE Control Center vulnerable to arbitrary file write flaw (CVE-2026-4415) #patchmanagement
  • 0
  • 0
  • 0
  • 13h ago

CVE-2025-55182

Overview

  • Meta
  • react-server-dom-webpack
03 Dec 2025
Published
26 Feb 2026
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
66.27%
KEV

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Statistics

  • 1 Post
Last activity: 22 hours ago

Fediverse

Profile picture fallback
jbz @jbz

⚠️ Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials

「 The campaign is assessed to be targeting Next.js applications that are vulnerable to CVE-2025-55182 (CVSS score: 10.0), a critical flaw in React Server Components and Next.js App Router that could result in remote code execution, for initial access, and then dropping the NEXUS Listener collection framework 」

thehackernews.com/2026/04/hack

#nextjs #infosec #react2shell #CVE202555182

  • 0
  • 0
  • 0
  • 22h ago

CVE-2026-34935

Overview

  • MervinPraison
  • PraisonAI
03 Apr 2026
Published
03 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
0.08%
KEV

Description

PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_process() with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user. This issue has been patched in version 4.5.69.

Statistics

  • 1 Post
Last activity: 11 hours ago

Fediverse

Profile picture fallback
Offensive Sequence @offseq

⚠️ CRITICAL: PraisonAI (v4.5.15 - <4.5.69) vulnerable to OS command injection via - -mcp, allowing arbitrary OS commands (CVE-2026-34935). Patch to 4.5.69+ now! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 11h ago

CVE-2026-25197

Overview

  • Gardyn
  • Cloud API
03 Apr 2026
Published
03 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
0.03%
KEV

Description

A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call.

Statistics

  • 1 Post
Last activity: 8 hours ago

Fediverse

Profile picture fallback
Offensive Sequence @offseq

🚨 CVE-2026-25197 (CRITICAL): Gardyn Cloud API lets authenticated users access other profiles by tweaking ID in API calls (CWE-639). No patch yet — restrict access & monitor for abuse. Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 8h ago

CVE-2024-12254

Overview

  • Python Software Foundation
  • CPython
06 Dec 2024
Published
04 Apr 2025
Updated
CVSS v4.0
HIGH (8.7)
EPSS
0.25%
KEV

Description

Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .writelines() method which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true then your usage of Python is unaffected.

Statistics

  • 1 Post
Last activity: 5 hours ago

Bluesky

Profile picture fallback
ferramentaslinux.bsky.social @ferramentaslinux.bsky.social
The python313-3.13.12-3.1 update for #OpenSUSE Tumbleweed resolves a heap buffer overflow (CVE-2024-12254) with escalation potential. Read more: 👉 tinyurl.com/yc4fpsa3 #Security
  • 0
  • 0
  • 0
  • 5h ago

CVE-2026-4438

Overview

  • The GNU C Library
  • glibc
20 Mar 2026
Published
23 Mar 2026
Updated
CVSS
Pending
EPSS
0.03%
KEV

Description

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.

Statistics

  • 1 Post
Last activity: 10 hours ago

Bluesky

Profile picture fallback
nixpkgs security changes @nixpkgssecuritychanges.gerbet.me
glibc: 2.42-58 -> 2.42-61, fixes CVE-2026-4438 https://github.com/NixOS/nixpkgs/pull/506517 #security
  • 0
  • 0
  • 0
  • 10h ago

CVE-2026-34934

Overview

  • MervinPraison
  • PraisonAI
03 Apr 2026
Published
03 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
0.05%
KEV

Description

PraisonAI is a multi-agent teams system. Prior to version 4.5.90, the get_all_user_threads function constructs raw SQL queries using f-strings with unescaped thread IDs fetched from the database. An attacker stores a malicious thread ID via update_thread. When the application loads the thread list, the injected payload executes and grants full database access. This issue has been patched in version 4.5.90.

Statistics

  • 1 Post
Last activity: 13 hours ago

Fediverse

Profile picture fallback
Offensive Sequence @offseq

🚨 CVE-2026-34934: PraisonAI <4.5.90 affected by CRITICAL SQL injection (CVSS 9.8). Unauthenticated attackers can gain full DB access via unsanitized thread IDs. Upgrade to 4.5.90+ ASAP. Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 13h ago

CVE-2025-70951

Overview

  • Pending
Pending
Published
Pending
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
Last activity: 23 hours ago

Bluesky

Profile picture fallback
WarthogTK @warthogtk.bsky.social
Remote code execution in CentOS Web Panel - CVE-2025-70951 fenrisk.com/rce-centos-w...
  • 0
  • 0
  • 0
  • 23h ago

CVE-2026-34612

Overview

  • kestra-io
  • kestra
03 Apr 2026
Published
03 Apr 2026
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
0.14%
KEV

Description

Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability that leads to Remote Code Execution (RCE) in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated, simply visiting a crafted link is enough to trigger the vulnerability. The injected payload is executed by PostgreSQL using COPY ... TO PROGRAM ..., which in turn runs arbitrary OS commands on the host. This issue has been patched in version 1.3.7.

Statistics

  • 1 Post
Last activity: 10 hours ago

Fediverse

Profile picture fallback
Offensive Sequence @offseq

⚠️ SQL Injection (CVSS 10, CRITICAL) in Kestra < 1.3.7 — authenticated users can trigger RCE via /api/v1/main/flows/search. Patch to v1.3.7 to mitigate. CVE-2026-34612. Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 10h ago

CVE-2026-34938

Overview

  • MervinPraison
  • PraisonAI
03 Apr 2026
Published
03 Apr 2026
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
0.10%
KEV

Description

PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a str subclass with an overridden startswith() method to the _safe_getattr wrapper, achieving arbitrary OS command execution on the host. This issue has been patched in version 1.5.90.

Statistics

  • 1 Post
Last activity: 14 hours ago

Fediverse

Profile picture fallback
Offensive Sequence @offseq

🚨 CRITICAL: CVE-2026-34938 in PraisonAI <1.5.90 lets attackers bypass sandbox protections and achieve arbitrary OS command execution. Immediate upgrade to v1.5.90+ required. Full system compromise possible. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 14h ago
Showing 11 to 20 of 27 CVEs