CVE-2026-2696

Overview

Unknown
Export All URLs

01 Apr 2026

Published

01 Apr 2026

Updated

CVSS

Pending

EPSS

Pending

MITRE

KEV

Description

The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS (including private posts) in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can brute-force the filenames to gain access to sensitive data contained within the exported files.

Statistics

1 Post

Last activity: 1 hour ago

Fediverse

Offensive Sequence @offseq

🚨 CVE-2026-2696: HIGH severity flaw in Export All URLs WP plugin (<5.1) leaks private post URLs via brute-forcible CSV files in uploads/. No auth needed. Upgrade ASAP & restrict dir access! https://radar.offseq.com/threat/cve-2026-2696-cwe-200-information-exposure-in-expo-c6c7420f #OffSeq #WordPress #CVE20262696

0
0
0
1h ago

CVE-2026-5286

Overview

Google
Chrome

01 Apr 2026

Published

01 Apr 2026

Updated

CVSS

Pending

EPSS

Pending

MITRE

KEV

Description

Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Statistics

1 Post

Last activity: 2 hours ago

Fediverse

Offensive Sequence @offseq

⚠️ CVE-2026-5286: HIGH severity use-after-free in Chrome’s Dawn component <146.0.7680.178. Remote code execution possible via crafted HTML. Patch now to stay protected! https://radar.offseq.com/threat/cve-2026-5286-use-after-free-in-google-chrome-34aabe80 #OffSeq #Chrome #Vuln #InfoSec

0
0
0
2h ago

CVE-2026-24018

Overview

Fortinet
FortiClientLinux

10 Mar 2026

Published

11 Mar 2026

Updated

CVSS v3.1

HIGH (7.4)

EPSS

0.02%

MITRE

KEV

Description

A UNIX symbolic link (Symlink) following vulnerability in Fortinet FortiClientLinux 7.4.0 through 7.4.4, FortiClientLinux 7.2.2 through 7.2.12 may allow a local and unprivileged user to escalate their privileges to root.

Statistics

1 Post

Last activity: Last hour

Bluesky

Securitycipher @securitycipher.bsky.social

CVE-2026–24018: A Logic flaw to Local Privilege Escalation 0day $$ https://febinj.medium.com/cve-2026-24018-a-logic-flaw-to-local-privilege-escalation-0day-ff3a3b5bba69?source=rss------bug_bounty-5

0
0
0
Last hour

CVE-2026-25172

Overview

Microsoft
Windows 10 Version 1607

10 Mar 2026

Published

27 Mar 2026

Updated

CVSS v3.1

HIGH (8.0)

EPSS

0.07%

MITRE

KEV

Description

Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network.

Statistics

1 Post

Last activity: 20 hours ago

Bluesky

NEWSTECNICAS | Tecnología , IA y Gaming @newstecnicas.info.ve

#Alerta Crítica CVE-2026-25172: Manual de aplicación del #Hotpatch para RRAS en #Windows11 (+DETALLES) www.newstecnicas.info.ve/2026/03/micr...

0
0
0
20h ago

CVE-2026-26954

Overview

nyariv
SandboxJS

13 Mar 2026

Published

16 Mar 2026

Updated

CVSS v3.1

CRITICAL (10.0)

EPSS

0.06%

MITRE

KEV

Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct {[p]: Function} where p is any constructible property. This vulnerability is fixed in 0.8.34.

Statistics

1 Post

Last activity: 7 hours ago

Bluesky

SecQube | Harvey | AI Platform for MS Graph @secqube.com

CVE-2026-26954 - SandboxJS Function Injection Vulnerability scq.ms/4bjjp8M

0
0
0
7h ago

CVE-2026-4342

Overview

Kubernetes
ingress-nginx

19 Mar 2026

Published

21 Mar 2026

Updated

CVSS v3.1

HIGH (8.8)

EPSS

0.04%

MITRE

KEV

Description

A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Statistics

1 Post

Last activity: 18 hours ago

Fediverse

Vito Botta @vitobotta

CVE-2026-4342 in Kubernetes ingress-nginx: annotation combo = config injection = RCE + Secrets leak. CVSS 8.8. Default controller sees ALL cluster Secrets. Patch now.

0
0
0
18h ago

CVE-2026-33750

Overview

juliangruber
brace-expansion

27 Mar 2026

Published

27 Mar 2026

Updated

CVSS v3.1

MEDIUM (6.5)

EPSS

0.05%

MITRE

KEV

Description

The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to `expand()` to ensure a step value of `0` is not used.

Statistics

1 Post

Last activity: 20 hours ago

Bluesky

Lambda Watchdog @lambdawatchdog.bsky.social

🚨 New MEDIUM CVE detected in AWS Lambda 🚨 CVE-2026-33750 impacts brace-expansion in 4 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/451 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless

0
0
0
20h ago

CVE-2026-2950

Overview

lodash
lodash

31 Mar 2026

Published

31 Mar 2026

Updated

CVSS v3.1

MEDIUM (6.5)

EPSS

Pending

MITRE

KEV

Description

Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.

Statistics

2 Posts

Last activity: 12 hours ago

Fediverse

Ulises Gascon @ulisesgascon

🚨 Medium-severity security fix in lodash@4.18.0 just released!

Patches CVE-2026-2950 — lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit

https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh

0
0
1
12h ago

CVE-2025-29927

Overview

vercel
next.js

21 Mar 2025

Published

08 Apr 2025

Updated

CVSS v3.1

CRITICAL (9.1)

EPSS

92.96%

MITRE

KEV

Description

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

Statistics

1 Post
3 Interactions

Last activity: 14 hours ago

Fediverse

GreyNoise @greynoise

NEW: GreyNoise At The Edge Intel Brief (March 23-30)

187,998,900 sessions from 100 top source IPs observed by GreyNoise sensors between March 23-30, 2026. Daily volumes surged 4x mid-week — from 8.5M to 36.6M in 72 hours.

1. VPSVAULT IoT botnet recruitment across 22 CVEs — 3,347,443 sessions from 4 Brazilian IPs targeting Hikvision, MikroTik, TP-Link, D-Link devices. Includes CVE-2026-24061, now on CISA KEV.

2. VisionHeight fleet of 6 AWS IPs generated 5,892,055 sessions mapping enterprise perimeters across Palo Alto, Sophos, Ivanti, Citrix, F5, and ConnectWise — probing CVE-2024-1709 (CVSS 10.0).

3. React/Next.js exploit chaining (CVE-2025-55182 + CVE-2025-29927) produced 1,338,336 sessions, with attackers spoofing GoogleBot user-agents to bypass detection.

4. At least 4 new scanning operations activated simultaneously mid-week, driving the sharp volume surge across the observation period.

Here's what we found: 🔗 https://www.greynoise.io/resources/at-the-edge-clear-033026

#ThreatIntel #CyberSecurity #InfoSec #GreyNoise

2
1
0
14h ago

CVE-2025-55182

Overview

Meta
react-server-dom-webpack

03 Dec 2025

Published

26 Feb 2026

Updated

CVSS v3.1

CRITICAL (10.0)

EPSS

65.08%

MITRE

KEV

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Statistics

1 Post
3 Interactions

Last activity: 14 hours ago

Fediverse

GreyNoise @greynoise

NEW: GreyNoise At The Edge Intel Brief (March 23-30)

187,998,900 sessions from 100 top source IPs observed by GreyNoise sensors between March 23-30, 2026. Daily volumes surged 4x mid-week — from 8.5M to 36.6M in 72 hours.

1. VPSVAULT IoT botnet recruitment across 22 CVEs — 3,347,443 sessions from 4 Brazilian IPs targeting Hikvision, MikroTik, TP-Link, D-Link devices. Includes CVE-2026-24061, now on CISA KEV.

2. VisionHeight fleet of 6 AWS IPs generated 5,892,055 sessions mapping enterprise perimeters across Palo Alto, Sophos, Ivanti, Citrix, F5, and ConnectWise — probing CVE-2024-1709 (CVSS 10.0).

3. React/Next.js exploit chaining (CVE-2025-55182 + CVE-2025-29927) produced 1,338,336 sessions, with attackers spoofing GoogleBot user-agents to bypass detection.

4. At least 4 new scanning operations activated simultaneously mid-week, driving the sharp volume surge across the observation period.

Here's what we found: 🔗 https://www.greynoise.io/resources/at-the-edge-clear-033026

#ThreatIntel #CyberSecurity #InfoSec #GreyNoise

2
1
0
14h ago