Overview

  • Meta
  • react-server-dom-webpack

Published: 03 Dec 2025
Updated: 11 Dec 2025

CVSS v3.1: CRITICAL (10.0)
EPSS: 60.90%

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Statistics

  • 1 Post

Last activity: 3 hours ago

Bluesky

📌 Critical Vulnerability React2Shell (CVE-2025-55182) Allows Unauthenticated Remote Code Execution https://www.cyberhub.blog/article/19399-critical-vulnerability-react2shell-cve-2025-55182-allows-unauthenticated-remote-code-execution
  • 3h ago

Overview

  • Fortinet
  • FortiSandbox

Published: 10 Feb 2026
Updated: 10 Feb 2026

CVSS v3.1: HIGH (7.9)
EPSS: Pending

KEV

Description

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 (all versions), and FortiSandbox 4.0 (all versions) may allow an unauthenticated attacker to execute commands via crafted requests.

Statistics

  • 1 Post

Last activity: 4 hours ago

Fediverse

RE: infosec.exchange/@ozu/11604108

Another another vuln. CVE-2025-52436

  • 4h ago

Overview

  • frangoteam
  • FUXA

Published: 09 Feb 2026
Updated: 09 Feb 2026

CVSS v4.0: CRITICAL (10.0)
EPSS: 0.20%

KEV

Description

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access via the heartbeat refresh API and execute arbitrary code on the server. This issue has been patched in FUXA version 1.2.10.

Statistics

  • 1 Post

Last activity: 18 hours ago

Fediverse

⚠️ CRITICAL: CVE-2026-25893 in frangoteam FUXA (<1.2.10) lets unauthenticated attackers gain admin rights via the heartbeat API & execute code. Immediate patching to 1.2.10+ is essential for all ICS/SCADA deployments. radar.offseq.com/threat/cve-20

  • 18h ago

Overview

  • kovidgoyal
  • calibre

Published: 06 Feb 2026
Updated: 09 Feb 2026

CVSS v3.1: HIGH (8.2)
EPSS: 0.01%

KEV

Description

calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves the CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0.

Statistics

  • 1 Post

Last activity: 10 hours ago

Bluesky

calibre: apply fix for CVE-2026-25636 https://github.com/NixOS/nixpkgs/pull/488503 #security
  • 10h ago

Overview

  • Flowring
  • Agentflow

Published: 10 Feb 2026
Updated: 10 Feb 2026

CVSS v4.0: CRITICAL (9.3)
EPSS: 0.17%

KEV

Description

Agentflow, developed by Flowring, has an Authentication Bypass vulnerability that allows unauthenticated remote attackers to exploit a specific functionality to obtain an arbitrary user's authentication token and log into the system as any user.

Statistics

  • 1 Post

Last activity: 12 hours ago

Fediverse

🚨 CVE-2026-2095: CRITICAL auth bypass in all Flowring Agentflow versions. Remote attackers can impersonate any user — no patch available. Restrict access & monitor for abnormal logins. radar.offseq.com/threat/cve-20

  • 12h ago

Overview

  • ImageMagick
  • ImageMagick

Published: 20 Jan 2026
Updated: 21 Jan 2026

CVSS v3.1: HIGH (8.1)
EPSS: 0.06%

KEV

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow vulnerability in the XBM image decoder (ReadXBMImage) allows an attacker to write controlled data past the allocated heap buffer when processing a maliciously crafted image file. Any operation that reads or identifies an image can trigger the overflow, making it exploitable via common image upload and processing pipelines. Versions 7.1.2-13 and 6.9.13-38 fix the issue.

Statistics

  • 1 Post

Last activity: 5 hours ago

Bluesky

Critical vulnerability disclosure: CVE-2026-23876 in ImageMagick. Impacts the entire #Ubuntu LTS lineage. Read more: 👉 tinyurl.com/bdkk6j42 #Security
  • 5h ago

Overview

  • @react-native-community/cli-server-api

Published: 03 Nov 2025
Updated: 06 Feb 2026

CVSS v3.1: CRITICAL (9.8)
EPSS: 6.95%

Description

The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

Statistics

  • 1 Post

Last activity: 6 hours ago

Bluesky

Metro4Shell Exposed: How a Default React Native Server Can Hand Over Your Network to Hackers + Video Introduction: A critical command injection vulnerability, dubbed Metro4Shell and tracked as CVE-2025-11953, has been discovered in the React Native Community CLI's Metro development server. By…
  • 6h ago

Overview

  • Pending

Published: Pending
Updated: Pending

CVSS: Pending
EPSS: Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post

Last activity: 2 hours ago

Fediverse

A critical arbitrary file upload vulnerability (CVE-2026-1357, CVSS 9.8) was discovered in the WPvivid Backup & Migration plugin, which is installed on over 800,000 WordPress sites.

The flaw allows unauthenticated attackers to upload arbitrary files, potentially achieving remote code execution and full site takeover.

Update to version 0.9.124. Wordfence Premium users received firewall protection on January 22.

wordfence.com/blog/2026/02/800

#WordPress #WebSecurity #Wordfence

  • 2h ago

Overview

  • Apache Software Foundation
  • Apache HTTP Server

Published: 05 Dec 2025
Updated: 05 Dec 2025

CVSS: Pending
EPSS: 0.15%

KEV

Description

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server: environment variables set via the Apache configuration unexpectedly supersede variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue.

Statistics

  • 1 Post

Last activity: 11 hours ago

Fediverse

  • 11h ago

Overview

  • Tinexta Infocert
  • GoSign Desktop

Published: 17 Nov 2025
Updated: 17 Nov 2025

CVSS v3.1: LOW (3.2)
EPSS: 0.01%

KEV

Description

GoSign Desktop through 2.4.1 disables TLS certificate validation when configured to use a proxy server. This can be problematic if the GoSign Desktop user selects an arbitrary proxy server without consideration of whether outbound HTTPS connections from the proxy server to Internet servers succeed even for untrusted or invalid server certificates. In this scenario (which is outside of the product's design objectives), integrity protection could be bypassed. In typical cases of a proxy server for outbound HTTPS traffic from an enterprise, those connections would not succeed. (Admittedly, the usual expectation is that a client application is configured to trust an enterprise CA and does not set SSL_VERIFY_NONE.) Also, it is of course unsafe to place ~/.gosign in the home directory of an untrusted user and then have other users execute downloaded files.

Statistics

  • 1 Post

Last activity: 11 hours ago

Fediverse

  • 11h ago
Showing 31 to 40 of 47 CVEs