Overview
- Everon
- api.everon.io
Published: 06 Mar 2026
Updated: 06 Mar 2026
CVSS v3.1: CRITICAL (9.4)
EPSS: Pending
KEV
Description
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Statistics
- 1 Post
Last activity: 7 hours ago
Fediverse
🚨 CRITICAL: CVE-2026-26288 in Everon api.everon.io (all versions) allows unauthenticated WebSocket access — attackers can impersonate charging stations & control backend data. Restrict access & implement auth now! https://radar.offseq.com/threat/cve-2026-26288-cwe-306-in-everon-apieveronio-4db274ef #OffSeq #Cybersecurity #EVCharging #CVE
Overview
- Python Software Foundation
- CPython
Published: 20 Jan 2026
Updated: 03 Mar 2026
CVSS v4.0: MEDIUM (5.9)
EPSS: Pending
KEV
Description
User-controlled header names and values containing newlines can allow injecting HTTP headers.
Statistics
- 1 Post
Last activity: Last hour
Overview
- Python Software Foundation
- CPython
Published: 20 Jan 2026
Updated: 03 Mar 2026
CVSS v4.0: MEDIUM (6.0)
EPSS: Pending
KEV
Description
User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.
Statistics
- 1 Post
Last activity: Last hour
Overview
- ryscript
- WP App Bar
Published: 07 Mar 2026
Updated: 07 Mar 2026
CVSS v3.1: HIGH (7.2)
EPSS: Pending
KEV
Description
The WP App Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'app-bar-features' parameter in all versions up to, and including, 1.5. This is due to insufficient input sanitization and output escaping combined with a missing authorization check in the `App_Bar_Settings` class constructor. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into multiple plugin settings that will execute whenever a user accesses the admin settings page.
Statistics
- 1 Post
Last activity: 3 hours ago
Fediverse
🚨 CVE-2026-1074: High-severity stored XSS in WP App Bar plugin (all versions). No auth needed — attackers inject scripts via 'app-bar-features' & compromise admin sessions. Patch or disable urgently! https://radar.offseq.com/threat/cve-2026-1074-cwe-79-improper-neutralization-of-in-ed135d09 #OffSeq #WordPress #XSS #Vuln
Overview
Description
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
Please see the MSRC Blog Entry for important information about steps you can take to protect your system from this vulnerability.
Statistics
- 1 Post
Last activity: 19 hours ago
Overview
- Eclipse Foundation
- Eclipse Jetty
Published: 05 Mar 2026
Updated: 05 Mar 2026
CVSS v3.1: HIGH (7.5)
EPSS: 0.04%
KEV
Description
In Eclipse Jetty versions 12.0.0-12.0.31 and 12.1.0-12.0.5, the GzipHandler class is vulnerable when a compressed HTTP request (Content-Encoding: gzip) is processed and the corresponding response is not compressed.
This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response.
In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.
Statistics
- 1 Post
Last activity: 11 hours ago
Overview
- dani-garcia
- vaultwarden
Published: 04 Mar 2026
Updated: 05 Mar 2026
CVSS v3.1: HIGH (8.3)
EPSS: 0.04%
KEV
Description
Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, when a Manager has manage=false for a given collection, they can still perform several management operations as long as they have access to the collection. This issue has been patched in version 1.35.4.
Statistics
- 1 Post
Last activity: 7 hours ago
Overview
- Galaxy Software Services Corporation
- iota C.ai Conversational Platform
Published: 27 Nov 2024
Updated: 27 Nov 2024
CVSS v4.0: CRITICAL (9.3)
EPSS: 0.39%
KEV
Description
An Improper Control of Generation of Code ('Code Injection') vulnerability in plugin management in iota C.ai Conversational Platform from 1.0.0 through 2.1.3 allows remote authenticated users to perform arbitrary system commands via a DLL file.
Statistics
- 1 Post
Last activity: 15 hours ago
Overview
- Huawei
- HarmonyOS
Published: 05 Mar 2026
Updated: 05 Mar 2026
CVSS v3.1: CRITICAL (9.6)
EPSS: 0.01%
KEV
Description
Authentication bypass vulnerability in the device authentication module. Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality.
Statistics
- 1 Post
Last activity: 14 hours ago
Overview
- openlit
- openlit
Published: 26 Feb 2026
Updated: 26 Feb 2026
CVSS v3.1: CRITICAL (10.0)
EPSS: 0.05%
KEV
Description
OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use the `pull_request_target` event while checking out and executing untrusted code from forked pull requests. These workflows run with the security context of the base repository, including a write-privileged `GITHUB_TOKEN` and numerous sensitive secrets (API keys, database/vector store tokens, and a Google Cloud service account key). Version 1.37.1 contains a fix.
Statistics
- 1 Post
Last activity: 15 hours ago