Overview
Description
Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration.
This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1.
BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.
Statistics
- 3 Posts
- 1 Interaction
Last activity: 4 hours ago
Fediverse
es gibt neue BIND 9 Versionen, in denen wurden Sicherheitsprobleme vorheriger Versionen gefixed:
https://kb.isc.org/docs/cve-2026-1519
https://kb.isc.org/docs/cve-2026-3104
https://kb.isc.org/docs/cve-2026-3119
https://kb.isc.org/docs/cve-2026-3591
u.a. Denial-of-Service bei BIND 9 Revolvern (CPU-Auslastung, Speicherauslastung, Crash).
Die ISC-Repositories haben die neuen Versionen
- 9.18.47
- 9.20.21
Ich empfehle ein Update, sobald die neuen BIND 9 Versionen in den Repositories der Linux-Distribution verfügbar ist.
Bluesky
BIND 9.20.xの脆弱性(DNSサービスの停止)について(CVE-2026-3119) - フルリゾルバー(キャッシュDNSサーバー)/権威DNSサーバーの双方が対象、 バージョンアップを強く推奨 - https://jprs.jp/tech/security/2026-03-26-bind9-vuln-tkey.html
Overview
Description
Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.
Statistics
- 2 Posts
Last activity: 7 hours ago
Bluesky
Pawn Storm (APT28) deployed PRISMEX malware targeting Ukraine’s defense supply chain and NATO logistics. The campaign uses steganography, COM hijacking, cloud abuse, and exploits CVE-2026-21509/21513. #PawnStorm #Ukraine #APT
Overview
Description
In the Linux kernel, the following vulnerability has been resolved:
net/packet: fix a race in packet_set_ring() and packet_notifier()
When packet_set_ring() releases po->bind_lock, another thread can
run packet_notifier() and process an NETDEV_UP event.
This race and the fix are both similar to that of commit 15fe076edea7
("net/packet: fix a race in packet_bind() and packet_notifier()").
There too the packet_notifier NETDEV_UP event managed to run while a
po->bind_lock critical section had to be temporarily released. And
the fix was similarly to temporarily set po->num to zero to keep
the socket unhooked until the lock is retaken.
The po->bind_lock in packet_set_ring and packet_notifier precede the
introduction of git history.
Statistics
- 1 Post
- 4 Interactions
Last activity: 2 hours ago
Overview
- magic-wormhole
- magic-wormhole
12 Mar 2026
Published
13 Mar 2026
Updated
CVSS v4.0
HIGH (8.2)
EPSS
0.08%
KEV
Description
Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys and .bashrc. This could be used to compromise the receiver's computer. Only the sender of the file (the party who runs wormhole send) can mount the attack. Other parties (including the transit/relay servers) are excluded by the wormhole protocol. This vulnerability is fixed in 0.23.0.
Statistics
- 1 Post
- 1 Interaction
Last activity: 21 hours ago
Fediverse
This month's exciting release fixes our first official[1] CVE for magic wormhole!
To improve your local machine's safety, please upgrade to magic wormhole 0.23.0
Overview
- RATOC Systems, Inc.
- RATOC RAID Monitoring Manager for Windows
26 Mar 2026
Published
26 Mar 2026
Updated
CVSS v3.0
HIGH (7.8)
EPSS
0.01%
KEV
Description
The installer of RATOC RAID Monitoring Manager for Windows searches the current directory to load certain DLLs. If a user is directed to place a crafted DLL with the installer, an arbitrary code may be executed with the administrator privilege.
Statistics
- 1 Post
- 1 Interaction
Last activity: 8 hours ago
Fediverse
🛡️ HIGH-severity: CVE-2026-28760 in RATOC RAID Monitoring Manager for Windows (<2.00.009.260220) allows DLL hijacking — local attackers may run code as admin. Patch ASAP, restrict installer access, and audit installs. https://radar.offseq.com/threat/cve-2026-28760-uncontrolled-search-path-element-in-f4dfdefd #OffSeq #infosec #vuln #windows
Overview
Description
n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.26, an authenticated user with permission to create or modify workflows could use the Merge node's "Combine by SQL" mode to read local files on the n8n host and achieve remote code execution. The AlaSQL sandbox did not sufficiently restrict certain SQL statements, allowing an attacker to access sensitive files on the server or even compromise the instance. The issue has been fixed in n8n versions 2.14.1, 2.13.3, and 1.123.26. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Statistics
- 1 Post
- 1 Interaction
Last activity: 14 hours ago
Fediverse
⚠️ CRITICAL RCE in n8n (CVE-2026-33660): Auth'd users can exploit Merge node SQL to read files & execute code on n8n host. Patch to 2.14.1/2.13.3/1.123.26 ASAP. Limit permissions if you can't patch yet. https://radar.offseq.com/threat/cve-2026-33660-cwe-94-improper-control-of-generati-e1c73d20 #OffSeq #n8n #infosec #CVE202633660
Overview
- Lenovo
- ThinkPad T14 Gen 5 BIOS
11 Mar 2026
Published
13 Mar 2026
Updated
CVSS v4.0
HIGH (8.4)
EPSS
0.02%
KEV
Description
A potential improper initialization vulnerability was reported in the BIOS of some ThinkPads that could allow a local privileged user to modify data and execute arbitrary code.
Statistics
- 1 Post
- 1 Interaction
Last activity: 15 hours ago
Overview
- WHILL
- Model C2 Electric Wheelchair
05 Jan 2026
Published
05 Jan 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
0.12%
KEV
Description
WHILL Model C2 Electric Wheelchairs and Model F Power Chairs do not enforce authentication for Bluetooth connections. An attacker within range can pair with the device and issue movement commands, override speed restrictions, and manipulate configuration profiles without any credentials or user interaction.
Statistics
- 1 Post
- 1 Interaction
Last activity: 20 hours ago
Overview
Description
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a redirect to a second URL, curl could leak that token to the second
hostname under some circumstances.
If the hostname that the first request is redirected to has information in the
used .netrc file, with either of the `machine` or `default` keywords, curl
would pass on the bearer token set for the first host also to the second one.
Statistics
- 1 Post
Last activity: 9 hours ago
Overview
Description
Race Condition in NetScaler ADC and NetScaler Gateway when appliance is configured as Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server leading to User Session Mixup
Statistics
- 2 Posts
Last activity: 21 hours ago
Bluesky
Citrix has patched critical vulnerabilities CVE-2026-3055 and CVE-2026-4368 in NetScaler ADC and Gateway appliances, exposing risks of session token theft and session mix-ups. #NetScaler #SAML #USA