Overview
- tolgee
- tolgee-platform
12 Mar 2026
Published
13 Mar 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
0.04%
KEV
Description
Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources (.xml) and .resx files don't disable external entity processing. An authenticated user who can import translation files into a project can exploit this to read arbitrary files from the server and make server-side requests to internal services. This vulnerability is fixed in 3.166.3.
Statistics
- 2 Posts
Last activity: 17 hours ago
Overview
Description
In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
Statistics
- 1 Post
Last activity: 3 hours ago
Overview
- Go standard library
- crypto/tls
- crypto/tls
08 Apr 2026
Published
08 Apr 2026
Updated
CVSS
Pending
EPSS
0.01%
KEV
Description
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
Statistics
- 1 Post
Last activity: 16 hours ago
Overview
Description
Multiple directory traversal vulnerabilities in FCKeditor before 2.6.4.1 allow remote attackers to create executable files in arbitrary directories via directory traversal sequences in the input to unspecified connector modules, as exploited in the wild for remote code execution in July 2009, related to the file browser and the editor/filemanager/connectors/ directory.
Statistics
- 1 Post
Last activity: 22 hours ago
Overview
- Go standard library
- archive/tar
- archive/tar
08 Apr 2026
Published
08 Apr 2026
Updated
CVSS
Pending
EPSS
0.01%
KEV
Description
tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.
Statistics
- 1 Post
Last activity: 16 hours ago
Overview
- davidfcarr
- Quick Playground
09 Apr 2026
Published
09 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
Pending
KEV
Description
The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server.
Statistics
- 1 Post
Last activity: Last hour
Fediverse
🚨 CVE-2026-1830: CRITICAL RCE in davidfcarr Quick Playground (WordPress ≤1.3.1). Unauthenticated users can upload PHP files via REST API flaw — patch or disable plugin now! https://radar.offseq.com/threat/cve-2026-1830-cwe-862-missing-authorization-in-dav-233f04bb #OffSeq #WordPress #Infosec #CVE20261830
Overview
- Go standard library
- crypto/x509
- crypto/x509
08 Apr 2026
Published
08 Apr 2026
Updated
CVSS
Pending
EPSS
0.01%
KEV
Description
Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Statistics
- 1 Post
Last activity: 16 hours ago
Overview
Description
Integer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Statistics
- 1 Post
Last activity: 1 hour ago
Fediverse
⚠️ CRITICAL: CVE-2026-5859 in Chrome WebML (<147.0.7727.55) allows heap corruption via integer overflow. Remote code execution possible if exploited. Patch not fully confirmed — check vendor advisory for updates: https://radar.offseq.com/threat/cve-2026-5859-integer-overflow-in-google-chrome-baee9cba #OffSeq #Chrome #Vuln #InfoSec
Overview
- obsidianforensics
- unfurl
- dfir-unfurl
08 Apr 2026
Published
08 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
Pending
KEV
Description
Unfurl through 2025.08 contains an improper input validation vulnerability in config parsing that enables Flask debug mode by default. The debug configuration value is read as a string and passed directly to app.run(), causing any non-empty string to evaluate truthy, allowing attackers to access the Werkzeug debugger and disclose sensitive information or achieve remote code execution.
Statistics
- 1 Post
Last activity: 3 hours ago
Fediverse
⚠️ CRITICAL: obsidianforensics unfurl up to 2025.08 enables Flask debug mode by default. Attackers can exploit CVE-2026-40035 for RCE & info disclosure. Avoid production use, disable debug mode, monitor for fixes. https://radar.offseq.com/threat/cve-2026-40035-cwe-489-active-debug-code-in-obsidi-883d1265 #OffSeq #Vuln #Flask #CVE202640035