
Overview

  • Pending

13 May 2008
Published
07 Aug 2024
Updated

CVSS
Pending
EPSS
9.67%

KEV

Description

OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.

Statistics

  • 1 Post

Last activity: Last hour

Fediverse


Who still remembers the #Debian RNG patch disaster??

nvd.nist.gov/vuln/detail/cve-2

I just realized this will very soon be 18 (eighteen) years ago! 😲 Feeling old yet?


Overview

  • nyariv
  • SandboxJS

06 Apr 2026
Published
06 Apr 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
0.06%

KEV

Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process. This vulnerability is fixed in 0.8.36.

Statistics

  • 1 Post

Last activity: 21 hours ago

Bluesky

CVE-2026-34208 (CVSS 10): A critical sandbox escape vulnerability has been discovered in SandboxJS CVE-2026-34208 (CVSS 10): Critical Sandbox Escape Uncovered in SandboxJS #DailyCyberSecurity (Apr 8) securityonline.info/sandboxjs-es...

Overview

  • D-Link
  • DIR-882

09 Apr 2026
Published
09 Apr 2026
Updated

CVSS v4.0
HIGH (8.6)
EPSS
0.19%

KEV

Description

A vulnerability was found in D-Link DIR-882 1.01B02. Impacted is the function sprintf of the file prog.cgi of the component HNAP1 SetNetworkSettings Handler. The manipulation of the argument IPAddress results in OS command injection. The attack may be performed from remote. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse


🔒 CVE-2026-5844: HIGH-severity OS command injection in D-Link DIR-882 (v1.01B02). Remote attackers can execute arbitrary OS commands. No official fix — upgrade or restrict remote access. Details: radar.offseq.com/threat/cve-20


Overview

  • Adobe
  • Adobe Commerce

09 Sep 2025
Published
24 Oct 2025
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
70.10%

Description

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue does not require user interaction.

Statistics

  • 1 Post

Last activity: 3 hours ago

Bluesky

Why nested deserialization is STILL harmful – Magento RCE (CVE-2025-54236)

Overview

  • AWS
  • Firecracker

07 Apr 2026
Published
08 Apr 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.01%

KEV

Description

An out-of-bounds write issue in the virtio PCI transport in Amazon Firecracker 1.13.0 through 1.14.3 and 1.15.0 on x86_64 and aarch64 might allow a local guest user with root privileges to crash the Firecracker VMM process or potentially execute arbitrary code on the host via modification of virtio queue configuration registers after device activation. Achieving code execution on the host requires additional preconditions, such as the use of a custom guest kernel or specific snapshot configurations. To remediate this, users should upgrade to Firecracker 1.14.4 or 1.15.1 and later.

Statistics

  • 1 Post

Last activity: 1 hour ago

Bluesky

CVE-2026-5747 - Out-of-bounds Write in Firecracker virtio-pci Transport #patchmanagement

Overview

  • scoder
  • lupa

06 Apr 2026
Published
06 Apr 2026
Updated

CVSS v4.0
HIGH (7.9)
EPSS
0.07%

KEV

Description

Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.

Statistics

  • 1 Post

Last activity: Last hour

Bluesky

🐍 Lua in Python? Yes, and it's broken. CVE-2026-34444 lets attackers bypass attribute_filter via getattr to run shell commands. Patch lupa to >2.8 NOW. Full lab + script below. Read more: 👉 tinyurl.com/2e7cr57b

Overview

  • Totolink
  • A7100RU

09 Apr 2026
Published
09 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.89%

KEV

Description

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This impacts the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument enable results in OS command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.

Statistics

  • 1 Post

Last activity: 14 hours ago

Fediverse


🔒 CVE-2026-5851: CRITICAL OS command injection in Totolink A7100RU (7.4cu.2313_b20191024). Remote, unauthenticated RCE possible via /cgi-bin/cstecgi.cgi. Exploit public, no patch. Isolate device and check for updates! radar.offseq.com/threat/cve-20


Overview

  • Meta
  • react-server-dom-webpack

03 Dec 2025
Published
26 Feb 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
66.27%

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Statistics

  • 1 Post

Last activity: 21 hours ago

Bluesky

Cyber attack campaign exploiting the Next.js vulnerability React2Shell (CVE-2025-55182) rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #セキュリティ #Security #CybersecurityNews #DataBreach

Overview

  • BeyondTrust
  • Remote Support(RS) & Privileged Remote Access(PRA)

06 Feb 2026
Published
26 Feb 2026
Updated

CVSS v4.0
CRITICAL (9.9)
EPSS
79.63%

Description

BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.

Statistics

  • 1 Post

Last activity: 1 hour ago

Bluesky

~Talos~ Attackers weaponize SaaS notifications (GitHub, Jira) to bypass email security for phishing. - IOCs: CVE-2026-1731, LucidRook, Medusa - #Phishing #SaaS #ThreatIntel

Overview

  • Sonatype
  • Nexus Repository

08 Apr 2026
Published
09 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.4)
EPSS
0.07%

KEV

Description

A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2 allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control.

Statistics

  • 1 Post

Last activity: 21 hours ago

Fediverse


⚠️ CRITICAL: CVE-2026-3199 in Sonatype Nexus Repository (3.22.1-3.90.2) enables arbitrary code execution via task deserialization by authenticated users. Restrict permissions & monitor activity. Patch pending. radar.offseq.com/threat/cve-20

Showing 11 to 20 of 47 CVEs