Overview

  • fastify
  • @fastify/express

15 Apr 2026
Published
15 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.1)
EPSS
0.11%

KEV

Description

Impact: @fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, the Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped. An unauthenticated attacker can access protected routes by manipulating the URL path.

Patches: Upgrade to @fastify/express v4.0.5 or later.

Statistics

  • 2 Posts

Last activity: 11 hours ago

Bluesky

🚨 Critical-severity security fix in @fastify/express@4.0.5 just released! Patches CVE-2026-33808 — middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons) github.com/fastify/fast...
  • 0
  • 0
  • 1
  • 11h ago

Overview

  • Meta
  • react-server-dom-turbopack

08 Apr 2026
Published
08 Apr 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.42%

KEV

Description

A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints. The payload of the HTTP request causes excessive CPU usage for up to a minute, ending in a thrown error that is catchable.

Statistics

  • 1 Post

Last activity: 16 hours ago

Bluesky

DoS vulnerability in React Server Components CVE-2026-23869 rocket-boys.co.jp/security-mea... #SecurityCountermeasuresLab #Security #Security #CybersecurityNews
  • 0
  • 0
  • 0
  • 16h ago

Overview

  • NuGet
  • NuGetGallery

14 Apr 2026
Published
15 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.6)
EPSS
0.26%

KEV

Description

NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job’s handling of .nuspec files within NuGet packages. An attacker can supply a crafted nuspec file with malicious metadata, leading to cross package metadata injection that may result in remote code execution (RCE) and/or arbitrary blob writes due to insufficient input validation. The issue is exploitable via URI fragment injection using unsanitized package identifiers, allowing an attacker to control the resolved blob path. This enables writes to arbitrary blobs within the storage container, not limited to .nupkg files, resulting in potential tampering of existing content. This issue has been patched in commit 0e80f87628349207cdcaf55358491f8a6f1ca276.

Statistics

  • 1 Post

Last activity: 20 hours ago

Fediverse

⚠️ CRITICAL: NuGetGallery improper input validation (CVE-2026-39399, CVSS 9.6) allows crafted .nuspec files to trigger RCE & arbitrary blob writes. Update to commit 0e80f87628349207cdcaf55358491f8a6f1ca276. Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 20h ago

Overview

  • Microsoft
  • Windows Server 2012

14 Apr 2026
Published
15 Apr 2026
Updated

CVSS v3.1
HIGH (7.7)
EPSS
0.06%

KEV

Description

Improper input validation in Windows BitLocker allows an unauthorized attacker to bypass a security feature locally.

Statistics

  • 1 Post

Last activity: 11 hours ago

Bluesky

Critical Windows BitLocker CVE-2026-27913 Bypass – Enterprise Security Hardening Guide + Video Introduction A newly disclosed vulnerability in Windows BitLocker, tracked as CVE-2026-27913, allows attackers to bypass the full-disk encryption security feature on affected systems. While there is…
  • 0
  • 0
  • 0
  • 11h ago

Overview

  • SaturdayDrive
  • Ninja Forms - File Uploads

07 Apr 2026
Published
08 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.09%

KEV

Description

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability was partially patched in version 3.3.25 and fully patched in version 3.3.27.

Statistics

  • 1 Post

Last activity: 21 hours ago

Fediverse

50,000 WordPress Sites affected by Arbitrary File Upload Vulnerability in Ninja Forms - File Upload WordPress Plugin

Ninja Forms - File Upload (versions <= 3.3.26, CVE-2026-0740, CVSS 9.8 Critical) allows unauthenticated attackers to upload arbitrary files and achieve remote code execution on ~50,000 affected sites. Update to version 3.3.27 immediately.

youtube.com/shorts/dK4UeCkbc4k

#WordPress #WordPressSecurity #Cybersecurity

  • 0
  • 0
  • 0
  • 21h ago

Overview

  • Python Software Foundation
  • CPython

20 Mar 2026
Published
13 Apr 2026
Updated

CVSS v4.0
HIGH (7.0)
EPSS
0.03%

KEV

Description

The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

Statistics

  • 1 Post

Last activity: 8 hours ago

Bluesky

🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2026-4519 impacts python in 6 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/477 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 0
  • 0
  • 8h ago

Overview

  • Microsoft
  • Windows Server 2012 R2

14 Apr 2026
Published
15 Apr 2026
Updated

CVSS v3.1
HIGH (8.0)
EPSS
0.36%

KEV

Description

Improper input validation in Windows Active Directory allows an authorized attacker to execute code over an adjacent network.

Statistics

  • 1 Post

Last activity: 7 hours ago

Bluesky

CVE-2026-33826: Unpatched Active Directory RPC Flaw Puts Enterprise Domains at Immediate Risk of Total Compromise + Video Introduction: A recently disclosed critical vulnerability in Microsoft Windows Active Directory (CVE-2026-33826) allows an authenticated attacker to execute arbitrary code…
  • 0
  • 0
  • 0
  • 7h ago

Overview

  • Palo Alto Networks
  • PAN-OS

12 Apr 2024
Published
21 Oct 2025
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
94.30%

Description

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

Statistics

  • 1 Post

Last activity: 7 hours ago

Fediverse

📰 Black Shrantac Ransomware Targets Industrial Sector with Double Extortion and Living-off-the-Land Tactics

New ransomware threat: Black Shrantac uses double extortion & LOTL tactics. They exploit flaws like CVE-2024-3400 (PAN-OS) for access then use legit tools to hide. Industrial sector at high risk. 🏭 #Ransomware #CyberSecurity #BlackShrantac

🔗 cyber.netsecops.io/articles/bl

  • 0
  • 0
  • 0
  • 7h ago

Overview

  • @fastify/reply-from
  • @fastify/reply-from

15 Apr 2026
Published
15 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.0)
EPSS
0.04%

KEV

Description

@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from. Upgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later.

Statistics

  • 2 Posts

Last activity: 10 hours ago

Fediverse

🚨 Critical-severity security fix in @fastify/reply-from@12.6.2 and @fastify/http-proxy@11.4.4 just released!

Patches CVE-2026-33805 — connection header abuse enables stripping of proxy-added headers

github.com/fastify/fastify-rep

  • 0
  • 0
  • 1
  • 10h ago

Overview

  • Red Hat
  • Red Hat Enterprise Linux 10
  • NetworkManager

13 Mar 2026
Published
13 Mar 2026
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.

Statistics

  • 1 Post

Last activity: Last hour

Bluesky

Stop chasing CVE dates. Here’s how to detect systemd D-Bus privilege escalation (CVE-2026-4105) on ANY distro – with a one-line test and an automation script. busctl call org.freedesktop.machine1 ... Read more: 👉 tinyurl.com/3fefnym8 #Security
  • 0
  • 0
  • 0
  • Last hour
Showing 31 to 40 of 63 CVEs