Overview
Description
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
Statistics
- 1 Post
- 1 Interaction
Last activity: 4 hours ago
Overview
Description
A path traversal vulnerability affecting the Windows version of WinRAR allows attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.
Statistics
- 1 Post
Last activity: 19 hours ago
Overview
Description
Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. This is fixed in versions 2.11.28, 3.4.5 and 3.5.0.
Statistics
- 1 Post
Last activity: 20 hours ago
Overview
- Go standard library
- net/url
28 Jan 2026
Published
29 Jan 2026
Updated
CVSS
Pending
EPSS
0.03%
KEV
Description
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
Statistics
- 1 Post
Last activity: 6 hours ago
Overview
- WatchGuard
- Fireware OS
30 Jan 2026
Published
02 Feb 2026
Updated
CVSS v4.0
HIGH (7.0)
EPSS
0.20%
KEV
Description
An LDAP Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from a connected LDAP authentication server through an exposed authentication or management web interface. This vulnerability may also allow a remote attacker to authenticate as an LDAP user with a partial identifier if they additionally have that user's valid passphrase. This issue affects Fireware OS: from 12.0 through 12.11.6, from 12.5 through 12.5.15, from 2025.1 through 2026.0.
Statistics
- 2 Posts
Last activity: 18 hours ago
Fediverse
#WatchGuard #Firebox LDAP injection vulnerability #cve-2026-1498
Overview
- sebastianbergmann
- phpunit
27 Jan 2026
Published
06 Feb 2026
Updated
CVSS v3.1
HIGH (7.8)
EPSS
0.08%
KEV
Description
PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test. The vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled. This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through CI/CD pipeline attacks, the local development environment, and/or compromised dependencies. Rather than just silently sanitizing the input via `['allowed_classes' => false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition. Starting in versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, when a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration, including ephemeral runners, code review enforcement, branch protection, artifact isolation, and access control.
Statistics
- 1 Post
Last activity: 7 hours ago
Overview
- Go standard library
- crypto/tls
28 Jan 2026
Published
02 Feb 2026
Updated
CVSS
Pending
EPSS
0.02%
KEV
Description
During the TLS 1.3 handshake, if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.
Statistics
- 1 Post
Last activity: 6 hours ago
Overview
- Microsoft
- Microsoft Edge (Chromium-based)
05 Feb 2026
Published
05 Feb 2026
Updated
CVSS v3.1
MEDIUM (6.5)
EPSS
0.06%
KEV
Description
User interface (UI) misrepresentation of critical information in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network.
Statistics
- 1 Post
Last activity: 5 hours ago
Fediverse
https://winbuzzer.com/2026/02/06/cve-2026-0391-microsoft-edge-android-ui-spoofing-xcxwbn/
CVE-2026-0391: Edge Android Flaw Enables Spoofing Attacks
#MicrosoftEdge #Security #Cybersecurity #Microsoft #Android #WebBrowsers #Phishing #CredentialTheft #ZeroDayVulnerabilities #Chromium
Overview
- NixOS
- nixpkgs
02 Feb 2026
Published
04 Feb 2026
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
0.03%
KEV
Description
The NixOS Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoo's file store. Unauthorized access is evident from HTTP requests. If kept, searching access logs and/or Odoo's log for requests to /web/database can give indicators of whether this has been actively exploited. The database manager is a feature intended for development and not meant to be publicly reachable. On other setups, a master password acts as a second line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and thus unable to persist the auto-generated password. This also applies when manually setting a master password in the web UI. This means the password is lost when restarting Odoo. When no password is set, the user is prompted to set one directly via the database manager. This requires no authentication or action by any authorized user or the system administrator. Thus, the database is effectively world readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05.
Statistics
- 1 Post
Last activity: 17 hours ago
Overview
- Lodash
- lodash
21 Jan 2026
Published
21 Jan 2026
Updated
CVSS v4.0
MEDIUM (6.9)
EPSS
0.06%
KEV
Description
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched in 4.17.23.
Statistics
- 1 Post
Last activity: 6 hours ago