Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 20 hours ago

Fediverse

A critical security vulnerability, CVE-2026-5757, in Ollama allows data to be exfiltrated from servers using specially crafted GGUF files. The flaw exploits missing metadata validation in the quantization mechanism, which can lead to unauthorized access to sensitive information.

#si #ai #sztucznainteligencja #wiadomości #informacje #technologia

aisight.pl/cyberbezpieczenstwo

  • 1
  • 0
  • 0
  • 20h ago

Overview

  • BerriAI
  • litellm

08 May 2026
Published
08 May 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
Pending

KEV

Description

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 6 hours ago

Fediverse

🚨 CRITICAL: CVE-2026-42208 in BerriAI LiteLLM (v1.81.16 – 1.83.6) enables unauthenticated SQL injection via API key processing. Patch to v1.83.7 immediately to protect credentials and data. Details: radar.offseq.com/threat/cve-20

  • 1
  • 0
  • 0
  • 6h ago

Overview

  • Microsoft
  • Azure DevOps

07 May 2026
Published
07 May 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
Pending

KEV

Description

Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 7 hours ago

Fediverse

🚨 CVE-2026-42826 (CRITICAL, CVSS 10.0) in Azure DevOps exposes sensitive data to unauthorized actors remotely. Microsoft has released a fix — ensure your environment is fully updated. More info: radar.offseq.com/threat/cve-20

  • 0
  • 1
  • 0
  • 7h ago

Overview

  • Apache Software Foundation
  • Apache ActiveMQ Broker
  • org.apache.activemq:activemq-broker

07 Apr 2026
Published
17 Apr 2026
Updated

CVSS
Pending
EPSS
66.67%

Description

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 13 hours ago

Overview

  • Revolution Slider
  • Slider Revolution

07 May 2026
Published
07 May 2026
Updated

CVSS v3.1
HIGH (8.8)
EPSS
0.10%

KEV

Description

The Slider Revolution plugin for WordPress is vulnerable to Arbitrary File Upload in versions 7.0.0 to 7.0.10 via the '_get_media_url' and '_check_file_path' functions. This is due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload files that may be executable, which makes remote code execution possible. The vulnerability was partially patched in version 7.0.10 and fully patched in version 7.0.11.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 23 hours ago

Bluesky

⚠️ WordPress: the Slider Revolution plugin needs to be updated (CVE-2026-6692). More info here: - www.it-connect.fr/wordpress-le... #wordpress #infosec #web
  • 0
  • 1
  • 0
  • 23h ago

Overview

  • ProFTPD
  • ProFTPD

05 May 2026
Published
06 May 2026
Updated

CVSS v3.1
HIGH (8.1)
EPSS
0.03%

KEV

Description

In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.

Statistics

  • 2 Posts

Last activity: 19 hours ago

Bluesky

proftpd: patch CVE-2026-44331 https://github.com/NixOS/nixpkgs/pull/517211 https://tracker.security.nixos.org/issues/NIXPKGS-2026-1407 #security
  • 0
  • 0
  • 0
  • 20h ago
[Backport release-25.11] proftpd: patch CVE-2026-44331 https://github.com/NixOS/nixpkgs/pull/517683 #security
  • 0
  • 0
  • 0
  • 19h ago

Overview

  • GitHub
  • Enterprise Server

10 Mar 2026
Published
29 Apr 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.30%

KEV

Description

An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 and 3.19.4.

Statistics

  • 1 Post

Last activity: 20 hours ago

Fediverse

@DrHyde To put a fine point on it: GitHub's status page showed nothing alarming on April 23—no major outage, no partial outage—because its calculus excludes "Degraded Performance" from downtime numbers. The platform never went down; it was just silently producing wrong merge results, corrupting repository history across 230 organizations and about 3,000 pull requests. That's not a blip. That's a data integrity failure.

Here's GitHub's own heavily-spun blog post on the matter (which also covers another incident on April 27).

Bonus: Five days after the merge queue incident, GitHub disclosed CVE-2026-3854, a critical remote code execution vulnerability where a crafted git push could execute code on GitHub's servers. Patched on github.com in 75 minutes, but 88% of GitHub Enterprise Server instances were still exposed when the disclosure went public.

One bad week doesn't explain a year of red squares, but it does crystallize the pattern.

/cc @choroba

  • 0
  • 0
  • 0
  • 20h ago

Overview

  • Apache Software Foundation
  • Apache HTTP Server

04 May 2026
Published
05 May 2026
Updated

CVSS
Pending
EPSS
0.06%

KEV

Description

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Statistics

  • 1 Post

Last activity: 22 hours ago

Bluesky

Apache fixes critical HTTP/2 double-free flaw CVE-2026-23918 enabling RCE
  • 0
  • 0
  • 0
  • 22h ago

Overview

  • Microsoft
  • Windows Admin Center

11 Dec 2025
Published
16 Apr 2026
Updated

CVSS v3.1
HIGH (7.8)
EPSS
0.10%

KEV

Description

Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges locally.

Statistics

  • 1 Post

Last activity: 11 hours ago

Bluesky

CVE-2025-64669: Uncovering Local Privilege Escalation Vulnerability in Windows Admin Center
  • 0
  • 0
  • 0
  • 11h ago

Overview

  • axios
  • axios

24 Apr 2026
Published
27 Apr 2026
Updated

CVSS v3.1
MEDIUM (5.3)
EPSS
0.06%

KEV

Description

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker who controls the .type property of a Blob/File-like object (e.g., via a user-uploaded file in a Node.js proxy service) can inject arbitrary MIME part headers into the multipart form-data body. This bypasses Node.js v18+ built-in header protections because the injection targets the multipart body structure, not HTTP request headers. This vulnerability is fixed in 1.15.1.

Statistics

  • 1 Post

Last activity: 22 hours ago

Bluesky

🚨 New MEDIUM CVE detected in AWS Lambda 🚨 CVE-2026-42037 impacts axios in 3 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/495 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 0
  • 0
  • 22h ago