24h | 7d | 30d

Overview

  • Totolink
  • A7100RU

09 Apr 2026
Published
09 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
Pending

KEV

Description

A vulnerability was identified in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument pptpPassThru leads to os command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.

Statistics

  • 1 Post

Last activity: 3 hours ago

Fediverse

Profile picture fallback

🛑 CRITICAL: CVE-2026-5850 in Totolink A7100RU (fw 7.4cu.2313_b20191024) enables unauthenticated OS command injection via pptpPassThru. No patch yet — restrict access & monitor advisories. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 3h ago

Overview

  • Google
  • Chrome

08 Apr 2026
Published
08 Apr 2026
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

Integer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

Statistics

  • 1 Post

Last activity: 9 hours ago

Fediverse

Profile picture fallback

⚠️ CRITICAL: CVE-2026-5859 in Chrome WebML (<147.0.7727.55) allows heap corruption via integer overflow. Remote code execution possible if exploited. Patch not fully confirmed — check vendor advisory for updates: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 9h ago

Overview

  • obsidianforensics
  • unfurl
  • dfir-unfurl

08 Apr 2026
Published
08 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
Pending

KEV

Description

Unfurl through 2025.08 contains an improper input validation vulnerability in config parsing that enables Flask debug mode by default. The debug configuration value is read as a string and passed directly to app.run(), causing any non-empty string to evaluate truthy, allowing attackers to access the Werkzeug debugger and disclose sensitive information or achieve remote code execution.

Statistics

  • 1 Post

Last activity: 10 hours ago

Fediverse

Profile picture fallback

⚠️ CRITICAL: obsidianforensics unfurl up to 2025.08 enables Flask debug mode by default. Attackers can exploit CVE-2026-40035 for RCE & info disclosure. Avoid production use, disable debug mode, monitor for fixes. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 10h ago

Overview

  • Fortinet
  • FortiClientEMS

04 Apr 2026
Published
07 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
5.95%

Description

A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

Statistics

  • 1 Post

Last activity: 13 hours ago

Bluesky

Profile picture fallback
FortiClient EMSの脆弱性 CVE-2026-35616を各国当局が警告 rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #セキュリティ #Security #CybersecurityNews
  • 0
  • 0
  • 0
  • 13h ago

Overview

  • OpenPrinting
  • cups

03 Apr 2026
Published
06 Apr 2026
Updated

CVSS v4.0
MEDIUM (6.1)
EPSS
0.04%

KEV

Description

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as /usr/bin/vim as lp. At time of publication, there are no publicly available patches.

Statistics

  • 1 Post

Last activity: 20 hours ago

Bluesky

Profile picture fallback
~Cybergcca~ CCCS issued 3 advisories, highlighting a critical unauthenticated RCE-to-root chain in CUPS alongside GitLab and HPE updates. - IOCs: CVE-2026-34990, CVE-2026-34980 - #CUPS #ThreatIntel #Vulnerability
  • 0
  • 0
  • 0
  • 20h ago

Overview

  • OpenPrinting
  • cups

03 Apr 2026
Published
06 Apr 2026
Updated

CVSS v4.0
MEDIUM (5.0)
EPSS
0.01%

KEV

Description

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a local unprivileged user can coerce cupsd into authenticating to an attacker-controlled localhost IPP service with a reusable Authorization: Local ... token. That token is enough to drive /admin/ requests on localhost, and the attacker can combine CUPS-Create-Local-Printer with printer-is-shared=true to persist a file:///... queue even though the normal FileDevice policy rejects such URIs. Printing to that queue gives an arbitrary root file overwrite; the PoC below uses that primitive to drop a sudoers fragment and demonstrate root command execution. At time of publication, there are no publicly available patches.

Statistics

  • 1 Post

Last activity: 20 hours ago

Bluesky

Profile picture fallback
~Cybergcca~ CCCS issued 3 advisories, highlighting a critical unauthenticated RCE-to-root chain in CUPS alongside GitLab and HPE updates. - IOCs: CVE-2026-34990, CVE-2026-34980 - #CUPS #ThreatIntel #Vulnerability
  • 0
  • 0
  • 0
  • 20h ago

Overview

  • OpenSSL
  • OpenSSL

13 Mar 2026
Published
17 Mar 2026
Updated

CVSS
Pending
EPSS
0.04%

KEV

Description

Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the 'DEFAULT' keyword. Impact summary: A less preferred key exchange may be used even when a more preferred group is supported by both client and server, if the group was not included among the client's initial predicated keyshares. This will sometimes be the case with the new hybrid post-quantum groups, if the client chooses to defer their use until specifically requested by the server. If an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to interpolate the built-in default group list into its own configuration, perhaps adding or removing specific elements, then an implementation defect causes the 'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups were treated as a single sufficiently secure 'tuple', with the server not sending a Hello Retry Request (HRR) even when a group in a more preferred tuple was mutually supported. As a result, the client and server might fail to negotiate a mutually supported post-quantum key agreement group, such as 'X25519MLKEM768', if the client's configuration results in only 'classical' groups (such as 'X25519' being the only ones in the client's initial keyshare prediction). OpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS 1.3 key agreement group on TLS servers. The old syntax had a single 'flat' list of groups, and treated all the supported groups as sufficiently secure. If any of the keyshares predicted by the client were supported by the server the most preferred among these was selected, even if other groups supported by the client, but not included in the list of predicted keyshares would have been more preferred, if included. The new syntax partitions the groups into distinct 'tuples' of roughly equivalent security. Within each tuple the most preferred group included among the client's predicted keyshares is chosen, but if the client supports a group from a more preferred tuple, but did not predict any corresponding keyshares, the server will ask the client to retry the ClientHello (by issuing a Hello Retry Request or HRR) with the most preferred mutually supported group. The above works as expected when the server's configuration uses the built-in default group list, or explicitly defines its own list by directly defining the various desired groups and group 'tuples'. No OpenSSL FIPS modules are affected by this issue, the code in question lies outside the FIPS boundary. OpenSSL 3.6 and 3.5 are vulnerable to this issue. OpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released. OpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released. OpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: Last hour

Fediverse

Profile picture fallback

mail-index.netbsd.org/source-c
> Import OpenSSL-3.5.6 (previous was 3.5.5)
CVE-2026-31790, CVE-2026-2673, CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-31789

mail-index.netbsd.org/source-c
> Import OpenSSH-10.3 (previous was 10.2)
これは CVE はなくて Security 関連仕様変更のみ?

mail-index.netbsd.org/source-c
> Import xz-5.8.3 (previous was 5.2.4)

> Fix a buffer overflow in lzma_index_append()
はあるけど、そもそも backdoor 以前のバージョンからの更新なのか?

少なくとも bind に加えて openssl は 11.0_RC4 不可避なのか

  • 1
  • 1
  • 0
  • Last hour

Overview

  • OpenSSL
  • OpenSSL

07 Apr 2026
Published
09 Apr 2026
Updated

CVSS
Pending
EPSS
0.02%

KEV

Description

Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: Last hour

Fediverse

Profile picture fallback

mail-index.netbsd.org/source-c
> Import OpenSSL-3.5.6 (previous was 3.5.5)
CVE-2026-31790, CVE-2026-2673, CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-31789

mail-index.netbsd.org/source-c
> Import OpenSSH-10.3 (previous was 10.2)
これは CVE はなくて Security 関連仕様変更のみ?

mail-index.netbsd.org/source-c
> Import xz-5.8.3 (previous was 5.2.4)

> Fix a buffer overflow in lzma_index_append()
はあるけど、そもそも backdoor 以前のバージョンからの更新なのか?

少なくとも bind に加えて openssl は 11.0_RC4 不可避なのか

  • 1
  • 1
  • 0
  • Last hour

Overview

  • OpenSSL
  • OpenSSL

07 Apr 2026
Published
07 Apr 2026
Updated

CVSS
Pending
EPSS
0.03%

KEV

Description

Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: Last hour

Fediverse

Profile picture fallback

mail-index.netbsd.org/source-c
> Import OpenSSL-3.5.6 (previous was 3.5.5)
CVE-2026-31790, CVE-2026-2673, CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-31789

mail-index.netbsd.org/source-c
> Import OpenSSH-10.3 (previous was 10.2)
これは CVE はなくて Security 関連仕様変更のみ?

mail-index.netbsd.org/source-c
> Import xz-5.8.3 (previous was 5.2.4)

> Fix a buffer overflow in lzma_index_append()
はあるけど、そもそも backdoor 以前のバージョンからの更新なのか?

少なくとも bind に加えて openssl は 11.0_RC4 不可避なのか

  • 1
  • 1
  • 0
  • Last hour

Overview

  • OpenSSL
  • OpenSSL

07 Apr 2026
Published
07 Apr 2026
Updated

CVSS
Pending
EPSS
0.01%

KEV

Description

Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference. Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: Last hour

Fediverse

Profile picture fallback

mail-index.netbsd.org/source-c
> Import OpenSSL-3.5.6 (previous was 3.5.5)
CVE-2026-31790, CVE-2026-2673, CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-31789

mail-index.netbsd.org/source-c
> Import OpenSSH-10.3 (previous was 10.2)
これは CVE はなくて Security 関連仕様変更のみ?

mail-index.netbsd.org/source-c
> Import xz-5.8.3 (previous was 5.2.4)

> Fix a buffer overflow in lzma_index_append()
はあるけど、そもそも backdoor 以前のバージョンからの更新なのか?

少なくとも bind に加えて openssl は 11.0_RC4 不可避なのか

  • 1
  • 1
  • 0
  • Last hour
Showing 31 to 40 of 42 CVEs