Overview

  • Apache Software Foundation
  • Apache Tomcat

09 Apr 2026
Published
10 Apr 2026
Updated

CVSS
Pending
EPSS
0.01%

KEV

Description

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat: the fix for CVE-2026-29146 allows the EncryptInterceptor to be bypassed. This issue affects Apache Tomcat 11.0.20, 10.1.53 and 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
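A triage script for this entry, added here as an example (it is not Apache Tomcat project code): it reads the version string as printed by `catalina.sh version` (assumed form "Apache Tomcat/10.1.53"), parses server.xml for the standard Cluster/Channel/Interceptor layout, and reports whether the node is one of the three affected releases and actually relies on EncryptInterceptor for Tribes traffic. The server.xml fragments and the encryption key are constructed for the example.

```python
"""Triage a Tomcat node for the EncryptInterceptor regression (CVE-2026-34486).

Added example, not Apache Tomcat code. Assumes the version string looks like
"Apache Tomcat/10.1.53" and that clustering is configured with the standard
<Cluster>/<Channel>/<Interceptor> elements in server.xml.
"""
import re
import xml.etree.ElementTree as ET

AFFECTED = {(11, 0, 20), (10, 1, 53), (9, 0, 116)}            # from the advisory text
FIXED_FOR_BRANCH = {(11, 0): "11.0.21", (10, 1): "10.1.54", (9, 0): "9.0.117"}
ENCRYPT_INTERCEPTOR = "org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"


def parse_version(version_string: str) -> tuple:
    """'Apache Tomcat/10.1.53' -> (10, 1, 53)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"no x.y.z version in {version_string!r}")
    return tuple(int(g) for g in m.groups())


def tribes_channels(server_xml: str) -> list:
    """One entry per <Channel>: receiver port and whether EncryptInterceptor is in the stack."""
    root = ET.fromstring(server_xml)
    channels = []
    for channel in root.iter("Channel"):
        receiver = channel.find("Receiver")
        # 4000 is the Tribes NioReceiver default when no port attribute is given
        port = int(receiver.get("port", "4000")) if receiver is not None else 4000
        classes = [i.get("className", "") for i in channel.findall("Interceptor")]
        channels.append({"receiver_port": port,
                         "encrypt_interceptor": ENCRYPT_INTERCEPTOR in classes})
    return channels


def assess(version_string: str, server_xml: str) -> tuple:
    """Return (status, detail) for one node."""
    version = parse_version(version_string)
    channels = tribes_channels(server_xml)
    if not channels:
        return "no-tribes-channel", "clustering is not configured; there is no interceptor to bypass"
    encrypted = [c for c in channels if c["encrypt_interceptor"]]
    if version in AFFECTED:
        fixed = FIXED_FOR_BRANCH[version[:2]]
        if encrypted:
            ports = ", ".join(str(c["receiver_port"]) for c in encrypted)
            return "vulnerable", f"EncryptInterceptor can be bypassed on receiver port(s) {ports}; upgrade to {fixed}"
        return "affected-release", ("affected build, but no EncryptInterceptor is configured: "
                                    "cluster traffic is already plaintext; upgrade anyway")
    dotted = ".".join(map(str, version))
    return "not-affected", f"{dotted} is not one of the three releases listed for this CVE"


# Constructed server.xml: a clustered node that relies on EncryptInterceptor.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
        <Channel className="org.apache.catalina.tribes.group.GroupChannel">
          <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
                    address="auto" port="4000" selectorTimeout="5000"/>
          <!-- constructed 128-bit key for the example only -->
          <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                       encryptionKey="00112233445566778899aabbccddeeff"/>
          <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
        </Channel>
      </Cluster>
    </Engine>
  </Service>
</Server>
"""

# Constructed server.xml with no cluster at all.
NO_CLUSTER_XML = ('<Server port="8005"><Service name="Catalina">'
                  '<Engine name="Catalina" defaultHost="localhost"/></Service></Server>')

if __name__ == "__main__":
    for v in ("Apache Tomcat/10.1.53", "Apache Tomcat/10.1.54"):
        print(v, assess(v, SAMPLE_SERVER_XML))
```

Run it against each node in the cluster, not just one: the interceptor only protects traffic if every member runs a fixed build.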

Statistics

  • 2 Posts

Last activity: 5 hours ago

Fediverse

Multiple Apache Tomcat vulnerabilities have been disclosed, including a critical EncryptInterceptor bypass (CVE-2026-34486) resulting from a flawed security patch, and issues related to padding oracle attacks and certificate authentication (CVE-2026-34500). Administrators are urged to update to the latest secure releases to mitigate these risks.
cybersecuritynews.com/apache-t

  • 0
  • 0
  • 0
  • 23h ago

Bluesky

⚠️CVE-2026-34486: Fail-open regression in Tomcat Tribes may lead to unauth RCE. If TCP/4000 is reachable & gadget classes exist on the classpath, unencrypted packets can trigger code execution via bypassed encryption. Affected: 11.0.20, 10.1.53, 9.0.116. Update now! Query: technology="Apache Tomcat"
  • 0
  • 0
  • 0
  • 5h ago

Overview

  • Microsoft
  • Microsoft Exchange Server 2019 Cumulative Update 12

14 Feb 2023
Published
14 Apr 2026
Updated

CVSS v3.1
HIGH (8.8)
EPSS
58.92%

Description

Microsoft Exchange Server Remote Code Execution Vulnerability

Statistics

  • 2 Posts
  • 3 Interactions

Last activity: 7 hours ago

Fediverse

CISA Adds Seven Known Exploited Vulnerabilities to Catalog

CVE-2012-1854 Visual Basic for Applications Insecure Library Loading

CVE-2020-9715 Adobe Acrobat Use-After-Free

CVE-2023-21529 Microsoft Exchange Deserialization of Untrusted

CVE-2023-36424 Microsoft Windows Out-of-Bounds Read

CVE-2025-60710 Microsoft Windows Link Following

CVE-2026-21643 Fortinet SQL Injection

CVE-2026-34621 Adobe Acrobat Reader Prototype

cisa.gov/news-events/alerts/20

#cybersecurity #cisa #adobe #microsoft

  • 0
  • 3
  • 0
  • 19h ago

Bluesky

These “zombie bugs” show attackers reuse long-patched flaws alongside new ones. CVE-2023-21529 is tied to ransomware, proving poor patching keeps legacy exploits alive and dangerous today.
  • 0
  • 0
  • 0
  • 7h ago

Overview

  • Microsoft
  • Windows Server 2008 R2 Service Pack 1

13 Jan 2026
Published
01 Apr 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.07%

KEV

Description

Improper access control in Windows Deployment Services allows an unauthorized attacker to execute code over an adjacent network.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 4 hours ago

Fediverse

Patch day on 14 April: Microsoft disables WDS automatic installations via Unattend.xml from network shares. The background is CVE-2026-0386. More security, less convenience. #Windows #Microsoft winfuture.de/news,158089.html?

  • 0
  • 1
  • 1
  • 4h ago

Overview

  • OpenSSL
  • OpenSSL

07 Apr 2026
Published
10 Apr 2026
Updated

CVSS
Pending
EPSS
0.06%

KEV

Description

Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2026-28389 impacts openssl-fips-provider-latest in 20 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/470 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 0
  • 0
  • 4h ago

Overview

  • axios
  • axios

10 Apr 2026
Published
14 Apr 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
0.24%

KEV

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1.

Statistics

  • 2 Posts

Last activity: 2 hours ago

Bluesky

#Axios - yet another issue with this popular #NPM library: A newly discovered critical vulnerability CVE-2026-40175 in axios has exposed countless web & cloud apps to potential Remote Code Execution (#RCE) and full infrastructure compromise: 👇
  • 0
  • 0
  • 1
  • 2h ago

Overview

  • Python Software Foundation
  • CPython

13 Apr 2026
Published
14 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.1)
EPSS
0.05%

KEV

Description

Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition. The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. The one-shot helper functions such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected, as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.
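The safe usage pattern the description spells out, as an added example (not CPython code): a streaming wrapper that creates one decompressor per stream and discards it on any exception, so a call that failed can never be followed by a reuse of the same instance. It is deliberately broader than the advisory's trigger (any exception, not only `MemoryError`), because a wrapper cannot tell which errors left the instance in a bad state. The sample payload and the garbage input are constructed inline.

```python
"""Streaming decompression that never reuses a decompressor after an error.

Added example, not CPython code. Works with lzma.LZMADecompressor (default),
bz2.BZ2Decompressor or zlib.decompressobj, all of which expose decompress(),
eof and unused_data.
"""
import lzma


class FreshOnErrorDecompressor:
    """Wrap a decompressor so a failed call is never followed by a reuse."""

    def __init__(self, factory=lzma.LZMADecompressor):
        self._factory = factory
        self._dec = None

    @property
    def active(self) -> bool:
        return self._dec is not None

    @property
    def eof(self) -> bool:
        return self._dec is not None and self._dec.eof

    def feed(self, chunk: bytes) -> bytes:
        if self._dec is None:
            self._dec = self._factory()          # one instance per stream
        try:
            return self._dec.decompress(chunk)
        except Exception:
            # Vulnerable pattern on this page: catch MemoryError and keep
            # calling self._dec.decompress(). Safe pattern: forget the
            # instance; the next feed() builds a new one.
            self._dec = None
            raise

    def finish(self) -> bytes:
        """Return bytes trailing the stream and forget the instance."""
        dec, self._dec = self._dec, None
        return dec.unused_data if dec is not None else b""


def decompress_stream(chunks, wrapper=None) -> bytes:
    """Decompress a chunked stream (e.g. socket reads) into one bytes object."""
    w = wrapper or FreshOnErrorDecompressor()
    out = bytearray()
    for chunk in chunks:
        out += w.feed(chunk)
        if w.eof:                                 # stop before EOFError on extra input
            break
    w.finish()
    return bytes(out)


def chunked(data: bytes, size: int) -> list:
    return [data[i:i + size] for i in range(0, len(data), size)]


# Constructed sample stream.
SAMPLE = b"".join(b"event=%d status=ok\n" % i for i in range(500))
COMPRESSED = lzma.compress(SAMPLE)

if __name__ == "__main__":
    w = FreshOnErrorDecompressor()
    try:
        w.feed(b"\xff" * 32)                      # not an xz/lzma stream: raises LZMAError
    except lzma.LZMAError as exc:
        print("first stream failed:", exc, "| instance discarded:", not w.active)
    print(decompress_stream(chunked(COMPRESSED, 41), w) == SAMPLE)
```

The same wrapper fits a long-lived worker that decompresses many uploads: construct it once, and each failure costs only a new decompressor object rather than a lingering instance with a dangling pointer.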

Statistics

  • 1 Post

Last activity: 20 hours ago

Fediverse

🚨 🚨 A critical today took less than 45mins of human work to find, triage & fix because of Xint:
🚄 Xint Code found it in a Fast scan on the repo w/no prompting
💥 Coding assistant reproduced it on first try
🛠️ Maintainers pushed a fix 30 minutes after the report.
theori.io/blog/finding-and-pat

  • 0
  • 0
  • 0
  • 20h ago

Overview

  • OpenSSL
  • OpenSSL

07 Apr 2026
Published
10 Apr 2026
Updated

CVSS
Pending
EPSS
0.06%

KEV

Description

Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
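Both OpenSSL CMS entries on this page (the KeyAgreeRecipientInfo case above, CVE-2026-28389, and this KeyTransportRecipientInfo / RSA-OAEP case, CVE-2026-28390) share one root cause: an optional AlgorithmIdentifier `parameters` field assumed present. The following is an added example, not OpenSSL code, of a pre-screen that walks untrusted DER before it reaches `CMS_decrypt()` and rejects the message when an AlgorithmIdentifier whose OID requires parameters has none. The `REQUIRES_PARAMS` table is an illustrative subset to extend for your deployment, and the sample DER fragments are constructed by hand.

```python
"""Pre-screen untrusted DER for AlgorithmIdentifiers that lack required parameters.

Added example, not OpenSSL code. Handles short- and long-form lengths and
single-byte tags, which is all CMS structures need.
"""

# Illustrative subset: OIDs whose AlgorithmIdentifier must carry parameters.
REQUIRES_PARAMS = {
    "1.2.840.113549.1.1.7": "id-RSAES-OAEP: RSAES-OAEP-params must be present (RFC 4055)",
    "1.2.840.113549.1.1.9": "id-pSpecified: pSourceFunc carries an OCTET STRING parameter (RFC 4055)",
    "1.3.132.1.11.1": "dhSinglePass-stdDH-sha256kdf-scheme: parameters name the key-wrap algorithm (RFC 5753)",
}


def read_tlv(buf: bytes, pos: int) -> tuple:
    """Decode one DER TLV at pos; return (tag, value, end). ValueError on truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    if length & 0x80:                                   # long form: 0x8n then n length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[start:end], end


def decode_oid(value: bytes) -> str:
    """Base-128 OID decoding to dotted form."""
    if not value:
        raise ValueError("empty OID")
    arcs, acc, pending = [], 0, False
    for b in value:
        acc, pending = (acc << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("unterminated OID arc")
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def find_algorithm_identifiers(buf: bytes, out=None) -> list:
    """Recursively collect (oid, has_params) for every SEQUENCE whose first element is an OID."""
    out = [] if out is None else out
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        if tag & 0x20:                                  # constructed: SEQUENCE, SET, [n] EXPLICIT
            if tag == 0x30 and value[:1] == b"\x06":    # AlgorithmIdentifier shape
                _, oid_bytes, after_oid = read_tlv(value, 0)
                out.append((decode_oid(oid_bytes), after_oid < len(value)))
            find_algorithm_identifiers(value, out)
    return out


def screen_cms(buf: bytes) -> tuple:
    """Return (ok, problems). Malformed DER is rejected rather than passed on."""
    try:
        found = find_algorithm_identifiers(buf)
    except ValueError as exc:
        return False, [f"malformed DER: {exc}"]
    problems = [f"{oid}: {REQUIRES_PARAMS[oid]}" for oid, has_params in found
                if oid in REQUIRES_PARAMS and not has_params]
    return not problems, problems


# --- constructed samples (short-form lengths only) ---
def tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

OID_RSAES_OAEP = bytes.fromhex("2a864886f70d010107")    # 1.2.840.113549.1.1.7
OID_PSPECIFIED = bytes.fromhex("2a864886f70d010109")    # 1.2.840.113549.1.1.9
OID_STDDH_SHA256 = bytes.fromhex("2b8104010b01")        # 1.3.132.1.11.1
OID_AES128_WRAP = bytes.fromhex("608648016503040105")   # 2.16.840.1.101.3.4.1.5

# keyEncryptionAlgorithm for RSA-OAEP with pSourceFunc [2] = id-pSpecified + OCTET STRING
GOOD_KEYTRANS = tlv(0x30, tlv(0x06, OID_RSAES_OAEP) + tlv(0x30,
                tlv(0xA2, tlv(0x30, tlv(0x06, OID_PSPECIFIED) + tlv(0x04, b"")))))
# same, but the pSourceFunc AlgorithmIdentifier has no parameters
BAD_KEYTRANS = tlv(0x30, tlv(0x06, OID_RSAES_OAEP) + tlv(0x30,
               tlv(0xA2, tlv(0x30, tlv(0x06, OID_PSPECIFIED)))))
# ECDH keyEncryptionAlgorithm with / without the key-wrap AlgorithmIdentifier
GOOD_KEYAGREE = tlv(0x30, tlv(0x06, OID_STDDH_SHA256) + tlv(0x30, tlv(0x06, OID_AES128_WRAP)))
BAD_KEYAGREE = tlv(0x30, tlv(0x06, OID_STDDH_SHA256))

if __name__ == "__main__":
    for name, der in (("good keytrans", GOOD_KEYTRANS), ("bad keytrans", BAD_KEYTRANS),
                      ("good keyagree", GOOD_KEYAGREE), ("bad keyagree", BAD_KEYAGREE)):
        print(name, screen_cms(der))
```

Run the screen on the raw message bytes, then hand only messages that pass to the library; for the real fix, upgrade to the OpenSSL release that adds the presence check.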

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2026-28390 impacts openssl-fips-provider-latest in 20 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/471 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 0
  • 0
  • 4h ago

Overview

  • MervinPraison
  • PraisonAI

14 Apr 2026
Published
14 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
0.03%

KEV

Description

PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/checkout without setting persist-credentials: false. By default, actions/checkout writes the GITHUB_TOKEN (and sometimes ACTIONS_RUNTIME_TOKEN) into the .git/config file for persistence, and if any subsequent workflow step uploads artifacts (build outputs, logs, test results, etc.), these tokens can be inadvertently included. Since PraisonAI is a public repository, any user with read access can download these artifacts and extract the leaked tokens, potentially enabling an attacker to push malicious code, poison releases and PyPI/Docker packages, steal repository secrets, and execute a full supply chain compromise affecting all downstream users. The issue spans numerous workflow and action files across .github/workflows/ and .github/actions/. This issue has been fixed in version 4.5.140.
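The check a maintainer would want for this class of issue, added here as an example (not PraisonAI's or GitHub's code): a line-based scan of workflow YAML that finds every `actions/checkout` step, looks inside that step for `persist-credentials: false`, and separately notes whether the workflow uploads artifacts, which is the path by which a persisted token in `.git/config` leaves the runner. It deliberately avoids a YAML library dependency, so it is a heuristic; the two sample workflows are constructed.

```python
"""Flag actions/checkout steps that persist credentials, plus artifact uploads.

Added example, not PraisonAI or GitHub code. Heuristic line scanner: a step
ends at the first non-blank line indented less than the step's own keys.
"""
import re

CHECKOUT = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?actions/checkout@")
UPLOAD = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?actions/upload-artifact@")
PERSIST_FALSE = re.compile(r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*(#.*)?$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def scan_workflow(text: str) -> dict:
    """Return {'checkouts': [{'line': n, 'persists_credentials': bool}], 'uploads_artifacts': bool}."""
    lines = text.splitlines()
    checkouts = []
    for i, line in enumerate(lines):
        if not CHECKOUT.match(line):
            continue
        key_col = line.find("uses:")              # column of this step's mapping keys
        persisted = True                          # actions/checkout default
        for nxt in lines[i + 1:]:
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue
            if _indent(nxt) < key_col:            # next step or next block: left this step
                break
            if PERSIST_FALSE.match(nxt):
                persisted = False
                break
        checkouts.append({"line": i + 1, "persists_credentials": persisted})
    return {"checkouts": checkouts,
            "uploads_artifacts": any(UPLOAD.match(l) for l in lines)}


def verdict(report: dict) -> str:
    leaky = [c["line"] for c in report["checkouts"] if c["persists_credentials"]]
    if not leaky:
        return "ok"
    if report["uploads_artifacts"]:
        return "artifact-leak-risk"              # token in .git/config AND an upload step
    return "token-in-git-config"                 # persisted, but nothing on this page exports it


# Constructed workflows: the first uploads the whole workspace (including .git/config).
VULNERABLE = """\
name: test
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run tests
        run: pytest --junitxml=report.xml
      - uses: actions/upload-artifact@v4
        with:
          name: test-results
          path: .
"""

FIXED = """\
name: test
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Run tests
        run: pytest --junitxml=report.xml
      - uses: actions/upload-artifact@v4
        with:
          name: test-results
          path: report.xml
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        r = scan_workflow(wf)
        print(name, r, verdict(r))
```

Point it at every file under `.github/workflows/` and `.github/actions/`; the description notes the issue spans many of them, and a single unfixed checkout is enough. Narrowing `path:` to the artifact you need, as the fixed sample does, is the second half of the remediation.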

Statistics

  • 1 Post

Last activity: 12 hours ago

Fediverse

🚩 CRITICAL CVE-2026-40313: PraisonAI ≤ 4.5.139 exposes GITHUB_TOKEN in workflow artifacts. Attackers can push malicious code & steal secrets. Upgrade to 4.5.140+ & set persist-credentials: false. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 12h ago

Overview

  • OpenSSL
  • OpenSSL

07 Apr 2026
Published
13 Apr 2026
Updated

CVSS
Pending
EPSS
0.02%

KEV

Description

Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use-after-free can have a range of potential consequences, such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0)/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs, for which RFC 7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage, are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue; the problem code is outside the FIPS module boundary.
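The two conditions in the description are checkable from data you already have: the TLSA RRset a server publishes, and the set of certificate usages a client honours. The following is an added example (not OpenSSL code) that parses TLSA records in presentation format ("usage selector matching-type hex"), reports whether an RRset mixes PKIX usages with DANE-TA(2), decides whether a given client is in scope, and applies the RFC 7672 SMTP rule of dropping PKIX-usage records. The sample RRset uses constructed SHA-256 values.

```python
"""Classify a TLSA RRset against the client/server conditions in the DANE advisory.

Added example, not OpenSSL code. Records are TLSA presentation format:
"<usage> <selector> <matching-type> <hex data>".
"""
import hashlib
from collections import namedtuple

TLSA = namedtuple("TLSA", "usage selector mtype data")
USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
DIGEST_LEN = {1: 32, 2: 64}                      # SHA2-256, SHA2-512; 0 = full data


def parse_tlsa(rdata: str) -> TLSA:
    parts = rdata.split(None, 3)
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields: {rdata!r}")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in USAGE or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError(f"out-of-range field in {rdata!r}")
    data = bytes.fromhex("".join(parts[3].split()))
    if mtype in DIGEST_LEN and len(data) != DIGEST_LEN[mtype]:
        raise ValueError(f"matching type {mtype} needs {DIGEST_LEN[mtype]} bytes")
    return TLSA(usage, selector, mtype, data)


def parse_rrset(records) -> list:
    return [parse_tlsa(r) for r in records]


def server_mixes_pkix_and_dane_ta(rrset) -> bool:
    """Server-side condition: both a PKIX usage (0/1) and DANE-TA(2) in one RRset."""
    usages = {r.usage for r in rrset}
    return bool(usages & {0, 1}) and 2 in usages


def client_in_scope(rrset, client_usages) -> bool:
    """True only if the client honours both PKIX (0/1) and DANE-TA(2) AND the server publishes both."""
    honours = set(client_usages)
    return bool(honours & {0, 1}) and 2 in honours and server_mixes_pkix_and_dane_ta(rrset)


def usable_for_smtp(rrset) -> list:
    """RFC 7672: an SMTP client treats PKIX-TA(0)/PKIX-EE(1) records as unusable."""
    return [r for r in rrset if r.usage in (2, 3)]


def _digest(label: bytes) -> str:
    return hashlib.sha256(label).hexdigest()

# Constructed RRset: DANE-EE leaf, DANE-TA private CA, and a PKIX-TA public CA.
SAMPLE_RRSET = [
    f"3 1 1 {_digest(b'constructed server leaf SPKI')}",
    f"2 1 1 {_digest(b'constructed private CA cert')}",
    f"0 0 1 {_digest(b'constructed public CA cert')}",
]

if __name__ == "__main__":
    rr = parse_rrset(SAMPLE_RRSET)
    print("server publishes both usage families:", server_mixes_pkix_and_dane_ta(rr))
    print("generic DANE client (0-3) in scope:", client_in_scope(rr, {0, 1, 2, 3}))
    print("SMTP MTA (2,3 only) in scope:", client_in_scope(rr, {2, 3}))
    print("after RFC 7672 filter:", [USAGE[r.usage] for r in usable_for_smtp(rr)])
```

Feed it the output of `dig TLSA _443._tcp.host.example` (one record per list entry) for the servers your non-SMTP clients talk to; only the combination of a mixed RRset and a client that honours all four usages matches the affected configuration.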

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2026-28387 impacts openssl-fips-provider-latest in 20 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/468 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 0
  • 0
  • 4h ago

Overview

  • wpchill
  • Kali Forms — Contact Form & Drag-and-Drop Builder

20 Mar 2026
Published
08 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
17.09%

KEV

Description

The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.

Statistics

  • 1 Post

Last activity: 21 hours ago

Fediverse

Attackers Actively Exploiting Critical Vulnerability in Kali Forms Plugin

A critical Remote Code Execution vulnerability (CVE-2026-3584, CVSS 9.8) in Kali Forms with 10,000+ active installations is under active attack. Over 312,200 exploit attempts blocked.

Update to version 2.4.10.

wordfence.com/blog/2026/04/att

#WordPress #WebSecurity #Wordfence

  • 0
  • 0
  • 0
  • 21h ago
Showing 11 to 20 of 41 CVEs