24h | 7d | 30d

Overview

  • strategy11team
  • Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

13 Mar 2026
Published
13 Mar 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.05%

KEV

Description

The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass in all versions up to, and including, 6.28. This is due to the Stripe Link return handler (`handle_one_time_stripe_link_return_url`) marking payment records as complete based solely on the Stripe PaymentIntent status without comparing the intent's charged amount against the expected payment amount, and the `verify_intent()` function validating only client secret ownership without binding intents to specific forms or actions. This makes it possible for unauthenticated attackers to reuse a PaymentIntent from a completed low-value payment to mark a high-value payment as complete, effectively bypassing payment for goods or services.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 18 hours ago

Fediverse

Profile picture fallback

Formidable Forms Vulnerability Let Attackers Reuse Low-Value Stripe Payments for Higher-Cost Purchases boldoutlook.com/formidable-for

#wordpress #WordPressSecurity #cybersecurity #blogging #webdevelopment

  • 0
  • 2
  • 0
  • 18h ago

Overview

  • GNU
  • inetutils

13 Mar 2026
Published
14 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.04%

KEV

Description

telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 13 hours ago

Fediverse

Profile picture fallback

⚠️ CRITICAL: CVE-2026-32746 in GNU inetutils telnetd (<=2.7) enables remote buffer overflow — unauthenticated code execution or DoS possible. Disable telnet, restrict access, monitor for threats. No patch yet! radar.offseq.com/threat/cve-20

  • 0
  • 1
  • 0
  • 13h ago

Overview

  • PX4
  • PX4-Autopilot

13 Mar 2026
Published
13 Mar 2026
Updated

CVSS v3.1
HIGH (7.8)
EPSS
0.01%

KEV

Description

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, the Zenoh uORB subscriber allocates a stack VLA directly from the incoming payload length without bounds. A remote Zenoh publisher can send an oversized fragmented message to force an unbounded stack allocation and copy, causing a stack overflow and crash of the Zenoh bridge task. This vulnerability is fixed in 1.17.0-rc2.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 7 hours ago

Fediverse

Profile picture fallback

🚁 CVE-2026-32708 (HIGH): Stack-based buffer overflow in PX4-Autopilot (<1.17.0-rc2) via Zenoh uORB subscriber. Exploitable w/ local privileges; could crash or compromise drones. Upgrade ASAP. radar.offseq.com/threat/cve-20

  • 0
  • 1
  • 0
  • 7h ago

Overview

  • @apollo
  • federation-internals

13 Mar 2026
Published
13 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.9)
EPSS
0.03%

KEV

Description

Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client may be able to pollute Object.prototype in gateway directly by crafting operations with field aliases and/or variable names that target prototype-inheritable properties. Alternatively, if a subgraph were to be compromised by a malicious actor, they may be able to pollute Object.prototype in gateway by crafting JSON response payloads that target prototype-inheritable properties. This vulnerability is fixed in 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 17 hours ago

Fediverse

Profile picture fallback

🚨 CRITICAL: CVE-2026-32621 in @Apollo federation-internals enables prototype pollution — risking code execution & data compromise. Affects versions <2.9.6, <2.10.5, <2.11.6, <2.12.3, <2.13.2. Patch now! radar.offseq.com/threat/cve-20

  • 0
  • 1
  • 0
  • 17h ago

Overview

  • Mintplex-Labs
  • anything-llm

13 Mar 2026
Published
13 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.7)
EPSS
0.15%

KEV

Description

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, AnythingLLM Desktop contains a Streaming Phase XSS vulnerability in the chat rendering pipeline that escalates to Remote Code Execution on the host OS due to insecure Electron configuration. This works with default settings and requires no user interaction beyond normal chat usage. The custom markdown-it image renderer in frontend/src/utils/chat/markdown.js interpolates token.content directly into the alt attribute without HTML entity escaping. The PromptReply component renders this output via dangerouslySetInnerHTML without DOMPurify sanitization — unlike HistoricalMessage which correctly applies DOMPurify.sanitize().

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 16 hours ago

Fediverse

Profile picture fallback

🚨 CRITICAL: CVE-2026-32626 in AnythingLLM Desktop ≤1.11.1 lets attackers run code via XSS → RCE (CVSS 9.7). No patch yet. Restrict chat, harden Electron, sanitize input. High risk, act now! More: radar.offseq.com/threat/cve-20

  • 0
  • 1
  • 0
  • 16h ago

Overview

  • UTT
  • HiPER 810G

08 Mar 2026
Published
10 Mar 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.08%

KEV

Description

A weakness has been identified in UTT HiPER 810G up to 1.7.7-171114. Affected is the function strcpy of the file /goform/formConfigDnsFilterGlobal. This manipulation causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.

Statistics

  • 1 Post

Last activity: 15 hours ago

Bluesky

Profile picture fallback
CVE-2026-3700 - UTT HiPER 810G formConfigDnsFilterGlobal strcpy buffer overflow scq.ms/4le9cyV
  • 0
  • 0
  • 0
  • 15h ago

Overview

  • curl
  • curl

08 Jan 2026
Published
08 Jan 2026
Updated

CVSS
Pending
EPSS
0.01%

KEV

Description

When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.

Statistics

  • 1 Post

Last activity: 5 hours ago

Bluesky

Profile picture fallback
🔍 Lambda Watchdog detected that CVE-2025-13034 is no longer present in latest AWS Lambda base image scans. https://github.com/aws/aws-lambda-base-images/issues/408 #AWS #Lambda #Security #CVE #DevOps #SecOps
  • 0
  • 0
  • 0
  • 5h ago

Overview

  • nltk
  • nltk/nltk

04 Mar 2026
Published
04 Mar 2026
Updated

CVSS v3.0
HIGH (8.6)
EPSS
0.25%

KEV

Description

A vulnerability in NLTK versions up to and including 3.9.2 allows arbitrary file read via path traversal in multiple CorpusReader classes, including WordListCorpusReader, TaggedCorpusReader, and BracketParseCorpusReader. These classes fail to properly sanitize or validate file paths, enabling attackers to traverse directories and access sensitive files on the server. This issue is particularly critical in scenarios where user-controlled file inputs are processed, such as in machine learning APIs, chatbots, or NLP pipelines. Exploitation of this vulnerability can lead to unauthorized access to sensitive files, including system files, SSH private keys, and API tokens, and may potentially escalate to remote code execution when combined with other vulnerabilities.

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

Profile picture fallback
🚨 URGENT SECURITY PATCH FOR MAGEIA 9 USERS 🚨 A new path traversal vulnerability (CVE-2026-0847) has been discovered in the popular #Python Natural Language Toolkit (NLTK). Read more: 👉 tinyurl.com/chrh5ckn #Security #Mageia
  • 0
  • 0
  • 0
  • 4h ago

Overview

  • OpenSSL
  • OpenSSL

27 Jan 2026
Published
29 Jan 2026
Updated

CVSS
Pending
EPSS
0.05%

KEV

Description

Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service. Some applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointer dereference will happen if the examined cipher ID is unknown or unsupported. As it is not very common to call this function in applications using the QUIC protocol and the worst outcome is Denial of Service, the issue was assessed as Low severity. The vulnerable code was introduced in the 3.2 version with the addition of the QUIC protocol support. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the QUIC implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

Statistics

  • 1 Post

Last activity: 5 hours ago

Bluesky

Profile picture fallback
🔍 Lambda Watchdog detected that CVE-2025-15468 is no longer present in latest AWS Lambda base image scans. https://github.com/aws/aws-lambda-base-images/issues/415 #AWS #Lambda #Security #CVE #DevOps #SecOps
  • 0
  • 0
  • 0
  • 5h ago

Overview

  • curl
  • curl

08 Jan 2026
Published
09 Jan 2026
Updated

CVSS
Pending
EPSS
0.03%

KEV

Description

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.

Statistics

  • 1 Post

Last activity: 5 hours ago

Bluesky

Profile picture fallback
🔍 Lambda Watchdog detected that CVE-2025-14524 is no longer present in latest AWS Lambda base image scans. https://github.com/aws/aws-lambda-base-images/issues/410 #AWS #Lambda #Security #CVE #DevOps #SecOps
  • 0
  • 0
  • 0
  • 5h ago
Showing 11 to 20 of 45 CVEs