24h | 7d | 30d

CVE-2026-41316

Overview

  • ruby
  • erb
24 Apr 2026
Published
25 Apr 2026
Updated
CVSS v3.1
HIGH (8.1)
EPSS
0.08%
KEV

Description

ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.

Statistics

  • 1 Post
Last activity: 19 hours ago

Bluesky

Profile picture fallback
Lambda Watchdog @lambdawatchdog.bsky.social
🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2026-41316 impacts erb in 3 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/484 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 0
  • 0
  • 19h ago

CVE-2026-6992

Overview

  • Linksys
  • MR9600
25 Apr 2026
Published
25 Apr 2026
Updated
CVSS v4.0
HIGH (8.6)
EPSS
Pending
KEV

Description

A vulnerability was identified in Linksys MR9600 2.0.6.206937. This affects the function BTRequestGetSmartConnectStatus of the file /etc/init.d/run_central2.sh of the component JNAP Action Handler. The manipulation of the argument pin leads to os command injection. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistics

  • 1 Post
Last activity: 7 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

🚨 HIGH severity (CVSS 8.6) OS command injection in Linksys MR9600 (2.0.6.206937) — CVE-2026-6992. Remote attackers can gain control via the 'pin' argument. Exploit is public, no fix yet. Restrict remote access & monitor closely. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 7h ago

CVE-2026-20931

Overview

  • Microsoft
  • Windows 10 Version 1607
13 Jan 2026
Published
01 Apr 2026
Updated
CVSS v3.1
HIGH (8.0)
EPSS
0.79%
KEV

Description

External control of file name or path in Windows Telephony Service allows an authorized attacker to elevate privileges over an adjacent network.

Statistics

  • 2 Posts
Last activity: 9 hours ago

Fediverse

Profile picture fallback
Günter Born @gborn

Windows Server Telephony Schwachstelle CVE-2026-20931 bekommt inoffiziellen 0patch Fix

borncity.com/blog/2026/04/25/0

  • 0
  • 0
  • 1
  • 9h ago

CVE-2026-35535

Overview

  • Sudo project
  • Sudo
03 Apr 2026
Published
04 Apr 2026
Updated
CVSS v3.1
HIGH (7.4)
EPSS
0.00%
KEV

Description

In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.

Statistics

  • 2 Posts
Last activity: 12 hours ago

Bluesky

Profile picture fallback
ferramentaslinux.bsky.social @ferramentaslinux.bsky.social
How to check CVE-2026-35535 on Fedora: $ sudo -u '#-1' id If it prints uid=0(root) → VULNERABLE. Update sudo to 1.9.17-8.p2.fc44 or use the iptables block. Read more-> tinyurl.com/bbfzmmph
  • 0
  • 0
  • 0
  • 16h ago
Profile picture fallback
ferramentaslinux.bsky.social @ferramentaslinux.bsky.social
#Fedora just patched sudo (CVE-2026-35535). You updated. Great. Now learn how that patch works -> tinyurl.com/48jmxp7m
  • 0
  • 0
  • 0
  • 12h ago

CVE-2026-40192

Overview

  • python-pillow
  • Pillow
15 Apr 2026
Published
16 Apr 2026
Updated
CVSS v4.0
HIGH (8.7)
EPSS
0.02%
KEV

Description

Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.

Statistics

  • 1 Post
Last activity: 17 hours ago

Bluesky

Profile picture fallback
ferramentaslinux.bsky.social @ferramentaslinux.bsky.social
CVE-2026-40192 (Pillow decompression bomb) is old news. But your next CVE isn’t. Here’s a bash script to auto-patch this image DoS bug on Fedora. And the book to crush future CVEs before they hit. Read more -> tinyurl.com/4p4vpk4d #Fedora
  • 0
  • 0
  • 0
  • 17h ago

CVE-2026-7026

Overview

  • D-Link
  • DGS-3420
26 Apr 2026
Published
26 Apr 2026
Updated
CVSS v4.0
MEDIUM (6.8)
EPSS
Pending
KEV

Description

A vulnerability was determined in D-Link DGS-3420 1.50.018. This issue affects some unknown processing of the component System Information Settings Page. This manipulation of the argument System Name causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

Statistics

  • 1 Post
Last activity: Last hour

Fediverse

Profile picture fallback
OffSequence @offseq

MEDIUM severity alert: CVE-2026-7026 in D-Link DGS-3420 v1.50.018 allows remote XSS via System Info Settings Page. Exploit is public. Assess your devices and monitor for abuse. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • Last hour

CVE-2026-42255

Overview

  • Technitium
  • DnsServer
26 Apr 2026
Published
26 Apr 2026
Updated
CVSS v3.1
HIGH (7.2)
EPSS
Pending
KEV

Description

Technitium DNS Server before 15.0 allows DNS traffic amplification via cyclic name server delegation.

Statistics

  • 1 Post
Last activity: 3 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

⚠️ CVE-2026-42255 (HIGH): Technitium DNS Server <15.0 is vulnerable to DNS amplification via cyclic delegation (CWE-684). No patch yet — monitor DNS traffic & apply filtering. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 3h ago

CVE-2026-7015

Overview

  • MaxSite
  • CMS
26 Apr 2026
Published
26 Apr 2026
Updated
CVSS v4.0
MEDIUM (4.8)
EPSS
Pending
KEV

Description

A vulnerability has been found in MaxSite CMS up to 109.3. This issue affects some unknown processing of the component Guestbook Plugin. Such manipulation of the argument f_text/f_slug/f_limit/f_email leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 109.4 is capable of addressing this issue. The name of the patch is 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. It is suggested to upgrade the affected component. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via `htmlspecialchars()` has already been fixed in the latest patch to prevent incorrect data display."

Statistics

  • 1 Post
Last activity: 4 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

⚠️ CVE-2026-7015: MEDIUM XSS in MaxSite CMS (109.0 – 109.3) via Guestbook Plugin. Exploit public — remote attackers can target f_text/f_slug/f_limit/f_email. Patch in 109.4 (8a3946bd...). Upgrade now. Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 4h ago

CVE-2026-33519

Overview

  • Esri
  • Portal for ArcGIS
21 Apr 2026
Published
23 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
0.04%
KEV

Description

An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials.

Statistics

  • 1 Post
Last activity: 20 hours ago

Bluesky

Profile picture fallback
ケイ | 副業Webライター📖 @keiwork35.bsky.social
【脆弱性情報】 CVE-2026-33519 Esri Portal for ArcGISの脆弱性について Esri Portal for ArcGIS 11.4、11.5、12.0 の Windows、Linux、Kubernetes 向け環境には、
  • 0
  • 0
  • 0
  • 20h ago

CVE-2025-20362

Overview

  • Cisco
  • Cisco Secure Firewall Adaptive Security Appliance (ASA) Software
25 Sep 2025
Published
26 Feb 2026
Updated
CVSS v3.1
MEDIUM (6.5)
EPSS
50.69%
KEV

Description

Update: On November 5, 2025, Cisco became aware of a new attack variant against devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases that are affected by CVE-2025-20333 and CVE-2025-20362. This attack can cause unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions. Cisco strongly recommends that all customers upgrade to the fixed software releases that are listed in the Fixed Software ["#fs"] section of this advisory. A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted URL endpoints that are related to remote access VPN that should otherwise be inaccessible without authentication. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on a device. A successful exploit could allow the attacker to access a restricted URL without authentication.

Statistics

  • 1 Post
Last activity: 16 hours ago

Fediverse

Profile picture fallback
ThreatNoir @threatnoir

⚠️ CRITICAL: FIRESTARTER Backdoor

APT actors deployed FIRESTARTER, a persistent Linux backdoor on Cisco Firepower and Secure Firewall devices via CVE-2025-20333 and CVE-2025-20362. The malware survives firmware patches and works with LINE VIPER to maintain remote access. Any organization running these devices is at risk of undetect…

threatnoir.com/focus

  • 0
  • 0
  • 0
  • 16h ago
Showing 11 to 20 of 28 CVEs