24h | 7d | 30d

CVE-2026-40261

Overview

  • composer
  • composer
15 Apr 2026
Published
16 Apr 2026
Updated
CVSS v3.1
HIGH (8.8)
EPSS
0.04%
KEV

Description

Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the Perforce::generateP4Command() method as in GHSA-wg36-wvj6-r67p / CVE-2026-40176, which interpolates user-supplied Perforce connection parameters (port, user, client) from the source url field without proper escaping. An attacker can inject arbitrary commands through crafted source reference or source url values containing shell metacharacters, even if Perforce is not installed. Unlike CVE-2026-40176, the source reference and url are provided as part of package metadata, meaning any compromised or malicious Composer repository can serve package metadata declaring perforce as a source type with malicious values. This vulnerability is exploitable when installing or updating dependencies from source, including the default behavior when installing dev-prefixed versions. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline). If developers are unable to immediately update, they can avoid installing dependencies from source by using --prefer-dist or the preferred-install: dist config setting, and only use trusted Composer repositories as a workaround.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 13 hours ago

Fediverse

Profile picture fallback
Can Artuc @canartuc

Composer (the dominant PHP package manager) shipped 2.9.6 and 2.2.27 LTS in April. The release fixes two command-injection bugs in the Perforce driver. CVE-2026-40261, severity 8.8. A malicious composer.json declares a Perforce repository and the shell runs whether or not Perforce is installed. Packagist disabled Perforce metadata April 10. Most CI build agents kept no audit trail across the ninety days the bug was live.

#PHP #CyberSecurity #DevOps #InfoSec #SupplyChain

  • 0
  • 1
  • 0
  • 13h ago

CVE-2026-7270

Overview

  • Pending
Pending
Published
Pending
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 1 hour ago

Fediverse

Profile picture fallback
Graham Perrin @grahamperrin

RE: mastodon.bsd.cafe/@grahamperri

3/

CVE-2026-7270 <cve.org/CVERecord?id=CVE-2026-> FreeBSD-SA-26:13.exec <security.freebsd.org/advisorie> credited to Ryan of Calif.io.

Calif is recently known for post-CVE attention to an earlier CVE, <blog.calif.io/p/mad-bugs-claud>. This work by Calif was wrongly attributed to Nicholas Carlini (an error by Devansh in 'Artificial Intelligence Made Simple').

  • 0
  • 1
  • 0
  • 1h ago

CVE-2026-35547

Overview

  • Pending
Pending
Published
Pending
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 1 hour ago

Fediverse

Profile picture fallback
Graham Perrin @grahamperrin

@thesaigoneer thanks!

Looking at the various credits …

1/

CVE-2026-35547 <cve.org/CVERecord?id=CVE-2026-> FreeBSD-SA-26:17.libnv <security.freebsd.org/advisorie> credited to Mariusz Zaborski.

<papers.freebsd.org/author/mari> is currently empty (<github.com/freebsd/freebsd-pap> relates), should probably comprise:

<papers.freebsd.org/2016/asiabs>

<papers.freebsd.org/2019/bsdcan>

Cc @jloc0 @ascreen @garyhtech

  • 0
  • 1
  • 0
  • 1h ago

CVE-2026-3143

Overview

  • Pending
Pending
Published
Pending
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 8 hours ago

Fediverse

Profile picture fallback
Shrirang Kahale @albonycal

**CVE-2026-3143 copy.fail/**

  • 0
  • 1
  • 0
  • 8h ago

CVE-2026-21510

Overview

  • Microsoft
  • Windows 10 Version 1607
10 Feb 2026
Published
10 Apr 2026
Updated
CVSS v3.1
HIGH (8.8)
EPSS
3.35%
KEV

Description

Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network.

Statistics

  • 2 Posts
  • 1 Interaction
Last activity: 16 hours ago

Bluesky

Profile picture fallback
Cybersecurity News Everyday @hendryadrian.bsky.social
CISA mandates federal agencies to patch a Windows zero-click vulnerability CVE-2026-32202 by May 12 under BOD 22-01. The flaw connects to APT28 and follows an incomplete Microsoft fix for CVE-2026-21510. #CVE2026 #APT28 #USA
  • 0
  • 1
  • 0
  • 16h ago
Profile picture fallback
CyberVeille @cyberveille-ch.bsky.social
📢 Patch incomplet d'APT28 : CVE-2026-21510 laisse place à CVE-2026-32202, coercition d'authentification zero-click 📝 ## 🔍 Contex… https://cyberveille.ch/posts/2026-04-29-patch-incomplet-d-apt28-cve-2026-21510-laisse-place-a-cve-2026-32202-coercition-d-authentification-zero-click/ #APT28 #Cyberveille
  • 0
  • 0
  • 0
  • 16h ago

CVE-2026-7164

Overview

  • Pending
Pending
Published
Pending
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
Last activity: 1 hour ago

Fediverse

Profile picture fallback
Graham Perrin @grahamperrin

2/

CVE-2026-7164 <cve.org/CVERecord?id=CVE-2026-> FreeBSD-SA-26:14.pf <security.freebsd.org/advisorie> credited to Igor Gabriel Sousa e Souza.

I can't easily find any information about this person.

  • 0
  • 0
  • 0
  • 1h ago

CVE-2019-1367

Overview

  • Microsoft
  • Internet Explorer 9
23 Sep 2019
Published
21 Oct 2025
Updated
CVSS
Pending
EPSS
90.77%
KEV

Description

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1221.

Statistics

  • 1 Post
Last activity: 13 hours ago

Fediverse

Profile picture fallback
Anthony Powell @ajguides

Microsoft Update causing Print Spooler Problems - CVE-2019-1367 | techygeekshome.info/cve-2019-1 #Microsoft #News #security #Updates #Windows 
techygeekshome.info/cve-2019-1

  • 0
  • 0
  • 0
  • 13h ago

CVE-2026-32309

Overview

  • cryptomator
  • cryptomator
20 Mar 2026
Published
27 Mar 2026
Updated
CVSS v4.0
HIGH (8.7)
EPSS
0.02%
KEV

Description

Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, the Hub-based unlock flow explicitly supports hub+http and consumes Hub endpoints from vault metadata without enforcing HTTPS. As a result, a vault configuration can drive OAuth and key-loading traffic over plaintext HTTP or other insecure endpoint combinations. An active network attacker can tamper with or observe this traffic. Even when the vault key is encrypted for the device, bearer tokens and endpoint-level trust decisions are still exposed to downgrade and interception. This issue has been patched in version 1.19.1.

Statistics

  • 1 Post
Last activity: 19 hours ago

Bluesky

Profile picture fallback
topickapp (IT技術系ニュースサイト) @topickapp.bsky.social
https://zenn.dev/ao9s/articles/cryptomator-hub-http-downgrade 学生がCryptomatorの脆弱性(CVE-2026-32309)を発見し、CVEを取得した体験談です。 外部からの値の検証不足が原因で、HTTP通信へのダウングレード攻撃が可能でした。 報告から修正、CVE公開までの迅速な対応と、再現手順の重要性を解説しています。
  • 0
  • 0
  • 0
  • 19h ago

CVE-2026-34197

Overview

  • Apache Software Foundation
  • Apache ActiveMQ Broker
  • org.apache.activemq:activemq-broker
07 Apr 2026
Published
17 Apr 2026
Updated
CVSS
Pending
EPSS
65.07%
KEV

Description

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue

Statistics

  • 1 Post
Last activity: 16 hours ago

Fediverse

Profile picture fallback
Alexander Reelsen @spinscale

Remote Code Execution in Apache ActiveMQ

"By calling addNetworkConnector through Jolokia with a crafted URI, an attacker can chain these mechanisms together to force the broker to fetch and execute a remote Spring XML configuration file"

horizon3.ai/attack-research/di

  • 0
  • 0
  • 0
  • 16h ago

CVE-2026-26015

Overview

  • arc53
  • DocsGPT
29 Apr 2026
Published
29 Apr 2026
Updated
CVSS v4.0
CRITICAL (10.0)
EPSS
Pending
KEV

Description

DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload bypassing the "MCP test" behavior to achieve arbitrary remote code execution (RCE). This issue has been patched in version 0.16.0.

Statistics

  • 1 Post
Last activity: 5 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

🚨 CRITICAL: CVE-2026-26015 in DocsGPT 0.15.0-0.16.0 enables unauthenticated RCE via command injection (CVSS 10). All deployments at risk — patch to 0.16.0 or later now! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 5h ago
Showing 11 to 20 of 43 CVEs