Overview

  • Microsoft
  • Microsoft 365 Apps for Enterprise

Published: 10 Mar 2026
Updated: 14 Apr 2026

CVSS v3.1: HIGH (7.5)
EPSS: 0.10%

KEV

Description

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 17 hours ago

Bluesky

Microsoft patched CVE-2026-26144, an XSS flaw in Excel that exploits Copilot Agent to silently exfiltrate data. AI amplifies classic vulnerabilities, requiring new monitoring and egress controls. #AIExploits #DataLeak #USA

Overview

  • turn2honey
  • EMC – Easily Embed Calendly Scheduling

Published: 19 Apr 2026
Updated: 19 Apr 2026

CVSS v3.1: MEDIUM (6.4)
EPSS: 0.01%

KEV

Description

The EMC – Easily Embed Calendly Scheduling Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's calendly shortcode in all versions up to, and including, 4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Statistics

  • 1 Post

Last activity: 22 hours ago

Fediverse

MEDIUM severity alert: CVE-2026-0868 (CVSS 6.4) in EMC – Easily Embed Calendly Scheduling WP plugin (≤4.4) allows contributor-level XSS attacks. No patch yet — restrict access, monitor updates. radar.offseq.com/threat/cve-20


Overview

  • Tinyproxy Project
  • Tinyproxy

Published: 07 Apr 2026
Updated: 07 Apr 2026

CVSS v4.0: HIGH (8.7)
EPSS: 0.06%

KEV

Description

Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against "chunked", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass.

Statistics

  • 1 Post

Last activity: 10 hours ago

Bluesky

[Backport release-25.11] tinyproxy: 1.11.2 -> 1.11.3, tinyproxy: add patch for CVE-2026-31842 https://github.com/NixOS/nixpkgs/pull/511418 https://tracker.security.nixos.org/issues/NIXPKGS-2026-0995 #security

Overview

  • composer
  • composer

Published: 15 Apr 2026
Updated: 16 Apr 2026

CVSS v3.1: HIGH (7.8)
EPSS: 0.01%

KEV

Description

Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker can inject arbitrary commands through these values in a malicious composer.json declaring a Perforce VCS repository, leading to command execution in the context of the user running Composer, even if Perforce is not installed. VCS repositories are only loaded from the root composer.json or the composer config directory, so this cannot be exploited through composer.json files of packages installed as dependencies. Users are at risk if they run Composer commands on untrusted projects with attacker-supplied composer.json files. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline).

Statistics

  • 1 Post

Last activity: 6 hours ago

Bluesky

📢 PHP Composer: two critical flaws allow command execution via the Perforce VCS driver 📝 ## 🗓️ Context Published on … https://cyberveille.ch/posts/2026-04-19-php-composer-deux-failles-critiques-permettent-l-execution-de-commandes-via-le-pilote-perforce-vcs/ #CVE_2026_40176 #Cyberveille

Overview

  • H3C
  • Magic B1

Published: 19 Apr 2026
Updated: 19 Apr 2026

CVSS v4.0: HIGH (8.7)
EPSS: 0.04%

KEV

Description

A vulnerability has been found in H3C Magic B1 up to 100R004. The affected element is the function SetAPWifiorLedInfoById of the file /goform/aspForm. The manipulation of the argument param leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistics

  • 1 Post

Last activity: 18 hours ago

Fediverse

🚨 CVE-2026-6563: HIGH severity buffer overflow in H3C Magic B1 ≤100R004 (SetAPWifiorLedInfoById, /goform/aspForm). Public exploit out, vendor silent. Audit exposure, restrict access! radar.offseq.com/threat/cve-20


Overview

  • osuuu
  • LightPicture

Published: 19 Apr 2026
Updated: 19 Apr 2026

CVSS v4.0: MEDIUM (6.9)
EPSS: Pending

KEV

Description

A vulnerability has been found in osuuu LightPicture up to 1.2.2. This issue affects some unknown processing of the file /public/install/lp.sql of the component API Upload Endpoint. Such manipulation of the argument key leads to hard-coded credentials. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistics

  • 1 Post

Last activity: 12 hours ago

Fediverse

📢 CVE-2026-6574 (MEDIUM): osuuu LightPicture 1.2.0 – 1.2.2 has hard-coded credentials in API Upload Endpoint (/public/install/lp.sql). No vendor patch yet. Restrict endpoint access & monitor for misuse. More info: radar.offseq.com/threat/cve-20


Overview

  • Microsoft
  • .NET 10.0

Published: 14 Apr 2026
Updated: 17 Apr 2026

CVSS v3.1: HIGH (7.5)
EPSS: 0.05%

KEV

Description

Improper neutralization of special elements in .NET allows an unauthorized attacker to perform spoofing over a network.

Statistics

  • 1 Post

Last activity: 10 hours ago

Bluesky

.NET vulns keep coming because teams patch but don't learn. Here's the patch script for CVE-2026-32178 (SMTP injection) + the book that teaches secure memory mgmt on Linux. Stop reacting. Start preventing. Read more: 👉 tinyurl.com/5n8mzxaw #Rocky_Linux

Overview

  • H3C
  • Magic B0

Published: 19 Apr 2026
Updated: 19 Apr 2026

CVSS v4.0: HIGH (8.7)
EPSS: 0.04%

KEV

Description

A security vulnerability has been detected in H3C Magic B0 up to 100R002. This vulnerability affects the function Edit_BasicSSID of the file /goform/aspForm. Such manipulation of the argument param leads to buffer overflow. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistics

  • 1 Post

Last activity: 19 hours ago

Fediverse

⚠️ HIGH-severity buffer overflow (CVE-2026-6560) in H3C Magic B0 (100R002) allows remote code execution or DoS via Edit_BasicSSID in /goform/aspForm. No patch yet; restrict access & monitor updates. radar.offseq.com/threat/cve-20


Overview

  • Collabora
  • KodExplorer

Published: 19 Apr 2026
Updated: 19 Apr 2026

CVSS v4.0: MEDIUM (6.3)
EPSS: Pending

KEV

Description

A security vulnerability has been detected in Collabora KodExplorer up to 4.52. Affected by this issue is some unknown functionality of the file /app/controller/share.class.php of the component fileUpload Endpoint. The manipulation of the argument fileUpload leads to improper authorization. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistics

  • 1 Post

Last activity: 10 hours ago

Fediverse

🔔 CVE-2026-6572: Collabora KodExplorer (4.0 – 4.52) has a MEDIUM improper authorization bug in fileUpload. High attack complexity, no patch, vendor silent. Restrict endpoint access & monitor for updates. radar.offseq.com/threat/cve-20


Overview

  • Fortinet
  • FortiClientEMS

Published: 06 Feb 2026
Updated: 14 Apr 2026

CVSS v3.1: CRITICAL (9.1)
EPSS: 33.91%

Description

An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

Statistics

  • 1 Post

Last activity: 10 hours ago

Bluesky

Critical Pre-Auth SQL Injection in FortiClient EMS (CVE-2026-21643): From Zero to RCE – Patch Now! + Video Introduction: FortiClient EMS (Endpoint Management Server) is a centralized management console used by organizations to deploy, monitor, and secure endpoint security policies across thousands…