24h | 7d | 30d

CVE-2026-4208

Overview

  • TYPO3
  • Extension "E-Mail MFA Provider"
  • ralffreit/mfa-email
17 Mar 2026
Published
17 Mar 2026
Updated
CVSS v4.0
HIGH (7.7)
EPSS
0.05%
KEV

Description

The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider.

Statistics

  • 1 Post
Last activity: 12 hours ago

Fediverse

Profile picture fallback
Offensive Sequence @offseq

⚠️ HIGH severity: CVE-2026-4208 in TYPO3 "E-Mail MFA Provider" lets attackers bypass MFA by reusing/omitting codes due to faulty state reset. Patch or disable the extension and monitor logs for abuse. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 12h ago

CVE-2025-15573

Overview

  • SolaX Power
  • Pocket WiFi 3.0
12 Feb 2026
Published
12 Feb 2026
Updated
CVSS
Pending
EPSS
0.03%
KEV

Description

The affected devices do not validate the server certificate when connecting to the SolaX Cloud MQTTS server hosted in the Alibaba Cloud (mqtt001.solaxcloud.com, TCP 8883). This allows attackers in a man-in-the-middle position to act as the legitimate MQTT server and issue arbitrary commands to devices.

Statistics

  • 1 Post
Last activity: 12 hours ago

Fediverse

Profile picture fallback
Michael @themimitoof

Dans mon expérimentation solaire à la maison, je découvre que mon onduleur SolaX X1-Micro 2 en 1 est une petite merguez :
- qui n'expose pas API (voila pourquoi l'app est bancale)
- les settings ne sont pas accessibles
- probablement incapable de ce mettre à jour
- force l'utilisation du cloud SolaX et son MQTT pas très sécurisé (CVE-2025-15573) et avec une métrique toutes les 5 minutes.

J'ai trouvé ces deux ressources pour le moment :
- github.com/squishykid/solax/is
- forum.hacf.fr/t/integration-po

  • 0
  • 0
  • 0
  • 12h ago

CVE-2026-3814

Overview

  • UTT
  • HiPER 810G
09 Mar 2026
Published
10 Mar 2026
Updated
CVSS v4.0
HIGH (8.7)
EPSS
0.08%
KEV

Description

A security flaw has been discovered in UTT HiPER 810G up to 1.7.7-1711. Affected by this issue is the function strcpy of the file /goform/getOneApConfTempEntry. Performing a manipulation results in buffer overflow. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.

Statistics

  • 1 Post
Last activity: 20 hours ago

Bluesky

Profile picture fallback
SecQube | Harvey | AI Platform for MS Graph @secqube.com
CVE-2026-3814 - UTT HiPER 810G getOneApConfTempEntry strcpy buffer overflow scq.ms/3N8bDqk
  • 0
  • 0
  • 0
  • 20h ago

CVE-2026-25866

Overview

  • Mobatek
  • MobaXterm
09 Mar 2026
Published
11 Mar 2026
Updated
CVSS v4.0
HIGH (8.5)
EPSS
0.02%
KEV

Description

MobaXterm versions prior to 26.1 contain an uncontrolled search path element vulnerability. The application calls WinExec to execute Notepad++ without a fully qualified executable path when opening remote files. An attacker can exploit the search path behavior by placing a malicious executable earlier in the search order, resulting in arbitrary code execution in the context of the affected user.

Statistics

  • 1 Post
Last activity: 12 hours ago

Bluesky

Profile picture fallback
SecQube | Harvey | AI Platform for MS Graph @secqube.com
CVE-2026-25866 - MobaXterm < 26.1 Notepad++ Unquoted Service Path scq.ms/3Nuc1zv
  • 0
  • 0
  • 0
  • 12h ago

CVE-2026-2413

Overview

  • elemntor
  • Ally – Web Accessibility & Usability
11 Mar 2026
Published
11 Mar 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
14.93%
KEV

Description

The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques. The Remediation module must be active, which requires the plugin to be connected to an Elementor account.

Statistics

  • 1 Post
Last activity: 4 hours ago

Fediverse

Profile picture fallback
RS Web Solutions (RSWEBSOLS) @rswebsols

SQL Injection Vulnerability in Elementor Ally Plugin Affects Over 250,000 WordPress Websites #wordpress

A critical SQL injection vulnerability in the Elementor Ally plugin could affect over 250,000 WordPress sites. Upgrade to Ally 4.1.0 and update WordPress to 6.9.2 to mitigate CVE-2026-2413 and related risks. Learn more: ift.tt/VzNblEM

Source: ift.tt/VzNblEM | Image: ift.tt/ONFHV64

  • 0
  • 0
  • 0
  • 4h ago

CVE-2026-31386

Overview

  • LiteSpeed Technologies
  • OpenLiteSpeed
16 Mar 2026
Published
16 Mar 2026
Updated
CVSS v3.0
HIGH (7.2)
EPSS
0.16%
KEV

Description

OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege.

Statistics

  • 1 Post
Last activity: Last hour

Bluesky

Profile picture fallback
セキュリティ対策Lab @securitylab-jp.bsky.social
LiteSpeed Web Serverに高深刻度のOSコマンドインジェクションの脆弱性(CVE-2026-31386) rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #セキュリティ #Security #CybersecurityNews
  • 0
  • 0
  • 0
  • Last hour

CVE-2025-32463

Overview

  • Sudo project
  • Sudo
30 Jun 2025
Published
26 Feb 2026
Updated
CVSS v3.1
CRITICAL (9.3)
EPSS
26.52%
KEV

Description

Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.

Statistics

  • 1 Post
Last activity: 4 hours ago

Fediverse

Profile picture fallback
KL3FT3Z @toxy4ny

Internal redteam, 8h, no tools except one exploit.
Result: VP account, full AD control. SOC: 0 alerts.

github.com/toxy4ny/semetsky---

Why it matters: PXE-boot Linux, unmonitored, unpatched since 2023.
CVE-2025-32463 → bash_history with plaintext creds → RDP hop →
custom AD delegation. All "legitimate" actions, no SOC triggers.

What's your "Yuri Semetsky" story? (obfuscated, of course)

#redteam #internalpentest #ad #soc #linux

  • 0
  • 0
  • 0
  • 4h ago
Showing 21 to 27 of 27 CVEs