Overview

  • elixir-grpc
  • grpc
  • grpc

15 Jun 2026
Published
15 Jun 2026
Updated

CVSS v4.0
CRITICAL (9.2)
EPSS
Pending

KEV

Description

Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it, achieve remote code execution on the server. 'Elixir.GRPC.Codec.Erlpack':decode/2 (lib/grpc/codec/erlpack.ex) calls :erlang.binary_to_term/1 on the raw gRPC message body without the :safe option and with no size bound or type guard. Any unauthenticated peer that sends a request with Content-Type: application/grpc+erlpack can send a crafted payload that mints arbitrary new atoms (which are never garbage-collected, exhausting the bounded atom table and crashing the VM) or that encodes a fun term which, if applied anywhere downstream, executes attacker-controlled code inside the server process. This issue affects grpc from 0.4.0 before 1.0.0.

Statistics

  • 1 Post

Last activity: 8 hours ago

Fediverse

🚨 CRITICAL: elixir-grpc grpc (0.4.0-<1.0.0) vulnerable to unauthenticated RCE & DoS via unsafe :erlang.binary_to_term/1 use. Patch status pending — restrict 'application/grpc+erlpack' inputs now! CVE-2026-48853 radar.offseq.com/threat/cve-20


Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post

Last activity: 11 hours ago

Fediverse

The Podman project released 5.8.3 on June 12, fixing CVE-2026-44517. The flaw let an ADD or COPY instruction pointed at a malicious Git repository or tar archive read files outside the intended build context. The release bundles Buildah 1.43.2. Build-context escapes are a reminder that the build step is itself an attack surface. How do you isolate image builds that pull from untrusted repos?
#containers #security


Overview

  • xz
  • xz

29 Mar 2024
Published
20 Nov 2025
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
14.71%

KEV

Description

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Statistics

  • 1 Post

Last activity: 6 hours ago

Fediverse

Is it time to rethink how we view Open Source in terms of security?

We’ve all heard it: open source is more secure because “many eyes” review the code. But is that true in 2026?

Proprietary software usually faces heavy scrutiny with dedicated security teams, formal audits, pentests, compliance, and corporate accountability. Bugs get fixed with real resources and vendor support behind them.

Open source powers the internet (Linux, XZ Utils, Log4j, etc.). Transparency helps when maintainers are active. But too many critical projects rest on a handful of volunteers — often just one overworked person. Burnout is common. Maintenance lags. Supply-chain attacks love those gaps.

Recent wake-up calls:
  • XZ Utils backdoor (CVE-2024-3094): A sophisticated multi-year attack by “Jia Tan” who built trust and slipped in an SSH backdoor. Luck (Andres Freund spotting it) saved us.
  • Log4Shell and ongoing dependency issues show how one vulnerable library can expose millions.

2025-2026 reports highlight exploding vuln counts, fast exploits, and rising attacks via compromised maintainers and AI-generated code.

Neither side is perfect — SolarWinds proved proprietary can fail too. But the “many eyes” story ignores maintainer fatigue and single points of failure.

Better path:
  • Support maintainers (sponsors, bounties)
  • Scan dependencies, use SBOMs, auto-updates
  • Defense-in-depth always
  • Question what you pull in

Open source drives innovation.

But security isn’t automatic — it needs vigilance and resources. Worth the trade-offs, or time to rethink volunteer-run critical infrastructure?

#OpenSource #CyberSecurity #SupplyChain


Overview

  • i18next
  • i18next-http-middleware

15 Jun 2026
Published
15 Jun 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
Pending

KEV

Description

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys __proto__, constructor, and prototype (added in 3.9.3, see GHSA-5fgg-jcpf-8jjw), but did not reject dotted variants such as "__proto__.polluted". Downstream backends that split the missing-key string on a configured keySeparator (notably i18next-fs-backend ≤ 2.6.5) hand these keys to an unguarded setPath() walker that writes to Object.prototype. Applications that expose missingKeyHandler to untrusted input AND use i18next-fs-backend ≤ 2.6.5 are directly exploitable for remote prototype pollution. Other downstream backends that split the missing-key string the same way may be similarly affected. Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks. This issue has been fixed in version 3.9.7. If developers cannot upgrade immediately, they should do the following: do not expose missingKeyHandler to untrusted users (mount it behind authentication, or remove the route), add a request-body filter ahead of the handler that rejects any top-level key containing __proto__, constructor, or prototype after splitting on their configured keySeparator, and disable missing-key persistence (saveMissing: false) when accepting writes from untrusted input.

Statistics

  • 1 Post

Last activity: 6 hours ago

Fediverse

🚨 CRITICAL: CVE-2026-48714 in i18next-http-middleware (<3.9.7) enables remote prototype pollution via missingKeyHandler. Impacts: app crashes, translation corruption, config poisoning. Upgrade to 3.9.7 or apply mitigations! radar.offseq.com/threat/cve-20


Overview

  • Red Hat
  • Red Hat Hardened Images
  • krb5-main

11 Jun 2026
Published
12 Jun 2026
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

An integer underflow vulnerability was found in MIT krb5 in the berval2tl_data() function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c. The function performs an unsigned subtraction (bv_len - 2) without a prior bounds check. When bv_len is 0 or 1, the subtraction wraps to a large value which is then truncated to uint16_t, yielding 0xFFFE (65534) or 0xFFFF (65535). The subsequent malloc succeeds and memcpy reads up to 65534 bytes from a 0-1 byte buffer, resulting in a heap out-of-bounds read. The attack vector involves a malicious or compromised LDAP KDB backend returning a krbExtraData attribute with bv_len < 2, triggering the underflow when the KDC or kadmind reads principal data.

Statistics

  • 1 Post

Last activity: 9 hours ago

Bluesky

krb5: patch CVE-2026-11850 https://github.com/NixOS/nixpkgs/pull/531513 https://tracker.security.nixos.org/issues/NIXPKGS-2026-1911 #security

Overview

  • multer
  • multer

15 Jun 2026
Published
15 Jun 2026
Updated

CVSS v3.1
MEDIUM (5.3)
EPSS
Pending

KEV

Description

Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to the underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads, with no application bug required.

Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path.

Workarounds: None.

Statistics

  • 2 Posts

Last activity: 17 hours ago

Fediverse

🚨 Medium-severity security fix in multer@2.2.0 and multer@3.0.0-alpha.2 just released!

Patches CVE-2026-5038. multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads.

github.com/expressjs/multer/se


Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post

Last activity: 11 hours ago

Fediverse

🚨 New Vulnerability Analysis: CVE-2026-47670 🚨

In my latest technical deep dive, I break down a critical authenticated Remote Code Execution (RCE) vulnerability in DbGate (v7.1.8). Discover why relying on pseudo-sandboxing like require = null fails inherently inside Node.js environments when confronted with native, unblockable dynamic import() constructs.

👉 denizhalil.com/2026/06/15/cve-

#Cybersecurity #Infosec #NodeJS #VulnerabilityResearch #ApplicationSecurity #RCE


Overview

  • Portainer
  • Portainer Community Edition

28 May 2026
Published
12 Jun 2026
Updated

CVSS v4.0
HIGH (8.5)
EPSS
Pending

KEV

Description

Insecure default settings of Portainer CE grant regular (non-admin) users privileges that allow host filesystem access and host-level code execution. An authenticated non-administrative user with endpoint access can exploit these settings to read host files or obtain root equivalent access on the host.

Statistics

  • 2 Posts

Last activity: 7 hours ago

Fediverse

CVE-2026-33590: Portainer releases before 2.38.0 shipped insecure defaults that permitted bind mounts and privileged mode on user containers. An authenticated non-admin user could use those to reach root-equivalent access on the host, a flaw rated CVSS 8.2. The fix is in 2.38.0 (STS) and 2.39.0 (LTS). Secure defaults matter most for the people who never touch the config. Why was privileged mode ever on by default here?
#containers #security


Overview

  • Brainstorm Force
  • OttoKit
  • suretriggers

15 Jun 2026
Published
16 Jun 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
Pending

KEV

Description

Unauthenticated PHP Object Injection in OttoKit versions <= 1.1.27.

Statistics

  • 1 Post

Last activity: Last hour

Fediverse

🚨 CVE-2026-49781 (CRITICAL): Brainstorm Force OttoKit <=1.1.27 is vulnerable to unauthenticated PHP object injection (CWE-502). Full system compromise possible. No patch — restrict access & monitor for threats. radar.offseq.com/threat/cve-20


Overview

  • OpenSolution
  • Quick.CMS

15 Jun 2026
Published
15 Jun 2026
Updated

CVSS v4.0
HIGH (7.5)
EPSS
0.36%

KEV

Description

Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class restrictions, crafted payloads can trigger dangerous magic methods (e.g., __wakeup() and __destruct()) and leverage gadget chains, resulting in arbitrary code execution. Exploitation is triggered automatically when an administrator accesses the admin panel. When successfully exploited, this vulnerability allows attackers to execute arbitrary code on the server via manipulated serialized data transmitted over an unprotected channel. This issue was mitigated by limiting the communication to HTTPS in a patch for version 6.8 published on 14.05.2026; deployments without this patch remain vulnerable.

Statistics

  • 1 Post

Last activity: 21 hours ago

Fediverse

⚠️ CVE-2026-11860 (HIGH): OpenSolution Quick.CMS vulnerable to deserialization of untrusted data over HTTP. Remote code execution possible if admin accesses panel. Upgrade to v6.8+ to enforce HTTPS and mitigate risk. radar.offseq.com/threat/cve-20
