
Overview

  • jetmonsters
  • JetFormBuilder — Dynamic Blocks Form Builder

21 Mar 2026
Published
21 Mar 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.10%

KEV

Description

The JetFormBuilder plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 3.5.6.2. This is due to the 'Uploaded_File::set_from_array' method accepting user-supplied file paths from the Media Field preset JSON payload without validating that the path belongs to the WordPress uploads directory. Combined with an insufficient same-file check in 'File_Tools::is_same_file' that only compares basenames, this makes it possible for unauthenticated attackers to exfiltrate arbitrary local files as email attachments by submitting a crafted form request when the form is configured with a Media Field and a Send Email action with file attachment.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 23 hours ago

Fediverse


🚨 JetFormBuilder for WordPress is HIGH risk (CVE-2026-4373): Absolute path traversal in all versions allows unauth attackers to exfiltrate files via crafted Media Field form. Review & secure deployments! radar.offseq.com/threat/cve-20

  • 0
  • 1
  • 0
  • 23h ago

Overview

  • anomalyco
  • opencode

12 Jan 2026
Published
13 Jan 2026
Updated

CVSS v3.1
HIGH (8.8)
EPSS
3.55%

KEV

Description

OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216.

Statistics

  • 1 Post

Last activity: 13 hours ago

Bluesky

CVE-2026-22812: How I Got RCE on a 71k-Star AI Coding Tool With Zero Authentication https://medium.com/@dhxrxx/cve-2026-22812-how-i-got-rce-on-a-71k-star-ai-coding-tool-with-zero-authentication-7524fbc3317f?source=rss------bug_bounty-5
  • 0
  • 0
  • 0
  • 13h ago

Overview

  • onnx
  • onnx

18 Mar 2026
Published
18 Mar 2026
Updated

CVSS v3.1
HIGH (8.6)
EPSS
0.01%

KEV

Description

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for zero-interaction supply-chain attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of the time of publication, no patched versions are known to be available.

Statistics

  • 2 Posts

Last activity: 9 hours ago

Bluesky

ONNX Hub silent=True suppresses all trust verification, enabling supply chain attacks on ML model loading (CVE-2026-28500, CVSS 9.1, no patch available)
  • 0
  • 0
  • 1
  • 9h ago

Overview

  • MiCode
  • FileExplorer
  • net.micode.fileexplorer

11 Mar 2026
Published
11 Mar 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.08%

KEV

Description

MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log in without valid credentials. Attackers can send arbitrary username and password combinations to the PASS command handler, which unconditionally grants access and allows listing, reading, writing, and deleting files exposed by the FTP server. The MiCode/Explorer open source project has reached end-of-life status.

Statistics

  • 1 Post

Last activity: 3 hours ago

Bluesky

CVE-2026-29515 - MiCode FileExplorer SwiFTP Server Authentication Bypass scq.ms/4cALdYB
  • 0
  • 0
  • 0
  • 3h ago

Overview

  • Significant-Gravitas
  • AutoGPT

29 Jan 2026
Published
29 Jan 2026
Updated

CVSS v4.0
HIGH (8.6)
EPSS
0.10%

KEV

Description

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints (both main web API and external API) allow executing blocks by UUID without checking the `disabled` flag. Any authenticated user can execute the disabled `BlockInstallationBlock`, which writes arbitrary Python code to the server filesystem and executes it via `__import__()`, achieving Remote Code Execution. In default self-hosted deployments where Supabase signup is enabled, an attacker can self-register; if signup is disabled (e.g., hosted), the attacker needs an existing account. autogpt-platform-beta-v0.6.44 contains a fix.

Statistics

  • 1 Post

Last activity: 21 hours ago

Fediverse


AutoGPT CVE-2026-24780 (NVD verified): authenticated users could execute disabled blocks pre-v0.6.44.

Devin: $500/mo, session-based.
Operator: requires human approval.
CrewAI: persistent memory in dev.
the agent (ENERGENAI LLC): 20,280 cycles, $0.019/cycle avg, 9 months logged.

Full comparison: the-service.live?ref=mastodon-agent-cmp

#AIAgents #infosec

  • 0
  • 0
  • 0
  • 21h ago

Overview

  • needrestart
  • needrestart
  • needrestart

19 Nov 2024
Published
03 Nov 2025
Updated

CVSS v3.1
HIGH (7.8)
EPSS
20.05%

KEV

Description

Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable.

Statistics

  • 2 Posts

Last activity: 15 hours ago

Fediverse


Conversor from HackTheBox features XSLT injection and os.path.join abuse for file write, and CVE-2024-48990 in needrestart (plus a config GTFObin) for root.

0xdf.gitlab.io/2026/03/21/htb-

  • 0
  • 0
  • 1
  • 15h ago

Overview

  • Adobe
  • Adobe Commerce

11 Mar 2026
Published
12 Mar 2026
Updated

CVSS v3.1
HIGH (8.1)
EPSS
0.10%

KEV

Description

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, raising the confidentiality and integrity impact to high. Exploitation of this issue requires user interaction, in that a victim must browse to the page containing the vulnerable field.

Statistics

  • 1 Post

Last activity: 19 hours ago

Bluesky

CVE-2026-21284 - Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79) scq.ms/4ro5ows
  • 0
  • 0
  • 0
  • 19h ago

Overview

  • Ubuntu
  • openssh
  • openssh

12 Mar 2026
Published
18 Mar 2026
Updated

CVSS v4.0
LOW (2.7)
EPSS
0.03%

KEV

Description

Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.

Statistics

  • 1 Post

Last activity: 14 hours ago

Bluesky

Critical security bulletin for #Fedora 42: CVE-2026-3497 (OpenSSH). Uninitialized variables in gssapi-keyex create a vector for information disclosure and denial of service. Read more: 👉 tinyurl.com/3j4fwkuw #Security
  • 0
  • 0
  • 0
  • 14h ago

Overview

  • D-Link
  • DHP-1320

21 Mar 2026
Published
21 Mar 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
Pending

KEV

Description

A vulnerability was identified in D-Link DHP-1320 1.00WWB04. It affects the function redirect_count_down_page of the SOAP Handler component. Manipulation of this function leads to a stack-based buffer overflow. The attack can be executed remotely. An exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer.

Statistics

  • 1 Post

Last activity: 5 hours ago

Fediverse


🚨 CVE-2026-4529: HIGH severity stack-based buffer overflow in D-Link DHP-1320 (1.00WWB04) via SOAP Handler. Public exploit out. Device is EOL, no patch — isolate or replace now! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 5h ago

Overview

  • qrolic
  • Performance Monitor

21 Mar 2026
Published
21 Mar 2026
Updated

CVSS v3.1
HIGH (7.2)
EPSS
0.04%

KEV

Description

The Performance Monitor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.6. This is due to insufficient validation of the 'url' parameter in the '/wp-json/performance-monitor/v1/curl_data' REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations, including internal services, via the Gopher protocol and other dangerous protocols. This can be exploited to achieve Remote Code Execution by chaining with services like Redis.

Statistics

  • 1 Post

Last activity: 21 hours ago

Fediverse


🔎 HIGH severity SSRF in qrolic Performance Monitor (WordPress, all versions). Unauthenticated attackers can craft internal requests via REST API — RCE possible if chained with Redis. Urgent patch/mitigation needed! CVE-2026-1648. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 21h ago
Showing 11 to 20 of 30 CVEs