Overview
- Go standard library
- crypto/tls
- crypto/tls
08 Apr 2026
Published
08 Apr 2026
Updated
CVSS
Pending
EPSS
0.01%
KEV
Description
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
Statistics
- 1 Post
Last activity: 3 hours ago
Overview
Description
Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Statistics
- 1 Post
Last activity: 12 hours ago
Overview
Description
Multiple directory traversal vulnerabilities in FCKeditor before 2.6.4.1 allow remote attackers to create executable files in arbitrary directories via directory traversal sequences in the input to unspecified connector modules, as exploited in the wild for remote code execution in July 2009, related to the file browser and the editor/filemanager/connectors/ directory.
Statistics
- 1 Post
Last activity: 9 hours ago
Overview
- Go standard library
- archive/tar
- archive/tar
08 Apr 2026
Published
08 Apr 2026
Updated
CVSS
Pending
EPSS
0.01%
KEV
Description
tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.
Statistics
- 1 Post
Last activity: 3 hours ago
Overview
- Microsoft
- Microsoft SharePoint Enterprise Server 2016
13 Jan 2026
Published
01 Apr 2026
Updated
CVSS v3.1
HIGH (7.8)
EPSS
0.07%
KEV
Description
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally.
Statistics
- 1 Post
Last activity: 19 hours ago
Overview
- CERT/CC
- cveClient/cveInterface.js
02 Apr 2026
Published
03 Apr 2026
Updated
CVSS
Pending
EPSS
0.03%
KEV
Description
XSS vulnerability in cveInterface.js allows for inject HTML to be passed to display, as cveInterface trusts input from CVE API services
Statistics
- 1 Post
Last activity: 17 hours ago
Overview
- CERT/CC
- cveClient/encrypt-storage.js
02 Apr 2026
Published
03 Apr 2026
Updated
CVSS
Pending
EPSS
0.02%
KEV
Description
The stored API keys in temporary browser client is not marked as protected allowing for JavScript console or other errors to allow for extraction of the encryption credentials.
Statistics
- 1 Post
Last activity: 17 hours ago
Overview
Description
Issue summary: An uncommon configuration of clients performing DANE TLSA-based
server authentication, when paired with uncommon server DANE TLSA records, may
result in a use-after-free and/or double-free on the client side.
Impact summary: A use after free can have a range of potential consequences
such as the corruption of valid data, crashes or execution of arbitrary code.
However, the issue only affects clients that make use of TLSA records with both
the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate
usage.
By far the most common deployment of DANE is in SMTP MTAs for which RFC7672
recommends that clients treat as 'unusable' any TLSA records that have the PKIX
certificate usages. These SMTP (or other similar) clients are not vulnerable
to this issue. Conversely, any clients that support only the PKIX usages, and
ignore the DANE-TA(2) usage are also not vulnerable.
The client would also need to be communicating with a server that publishes a
TLSA RRset with both types of TLSA records.
No FIPS modules are affected by this issue, the problem code is outside the
FIPS module boundary.
Statistics
- 1 Post
Last activity: 16 hours ago
Bluesky
Overview
Description
Issue summary: Applications using RSASVE key encapsulation to establish
a secret encryption key can send contents of an uninitialized memory buffer to
a malicious peer.
Impact summary: The uninitialized buffer might contain sensitive data from the
previous execution of the application process which leads to sensitive data
leakage to an attacker.
RSA_public_encrypt() returns the number of bytes written on success and -1
on error. The affected code tests only whether the return value is non-zero.
As a result, if RSA encryption fails, encapsulation can still return success to
the caller, set the output lengths, and leave the caller to use the contents of
the ciphertext buffer as if a valid KEM ciphertext had been produced.
If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an
attacker-supplied invalid RSA public key without first validating that key,
then this may cause stale or uninitialized contents of the caller-provided
ciphertext buffer to be disclosed to the attacker in place of the KEM
ciphertext.
As a workaround calling EVP_PKEY_public_check() or
EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate
the issue.
The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.
Statistics
- 1 Post
Last activity: 16 hours ago
Bluesky
Overview
Description
Issue summary: During processing of a crafted CMS EnvelopedData message
with KeyTransportRecipientInfo a NULL pointer dereference can happen.
Impact summary: Applications that process attacker-controlled CMS data may
crash before authentication or cryptographic operations occur resulting in
Denial of Service.
When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with
RSA-OAEP encryption is processed, the optional parameters field of
RSA-OAEP SourceFunc algorithm identifier is examined without checking
for its presence. This results in a NULL pointer dereference if the field
is missing.
Applications and services that call CMS_decrypt() on untrusted input
(e.g., S/MIME processing or CMS-based protocols) are vulnerable.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this
issue, as the affected code is outside the OpenSSL FIPS module boundary.
Statistics
- 1 Post
Last activity: 16 hours ago