Overview
Description
A vulnerability has been found in UTT HiPER 810G up to 1.7.7-1711. Impacted is the function strcpy of the file /goform/setSysAdm. The manipulation of the argument passwd1 leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Statistics
- 1 Post
Last activity: 18 hours ago
Fediverse
⚠️ HIGH severity buffer overflow in UTT HiPER 810G (≤1.7.7-1711) — remote exploitation possible via passwd1 in /goform/setSysAdm. Exploit is public. Monitor devices & restrict access until patch available. CVE-2026-2980 https://radar.offseq.com/threat/cve-2026-2980-buffer-overflow-in-utt-hiper-810g-30621ae4 #OffSeq #Vuln #Infosec
Overview
Description
Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allow a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE is unique from CVE-2018-0797 and CVE-2018-0812.
Statistics
- 1 Post
Last activity: 14 hours ago
Fediverse
A new phishing campaign is using a malicious Excel exploit (CVE-2018-0802) to hide the XWorm 7.2 malware within seemingly normal JPEG files, which then hijacks PCs by using a technique called process hollowing to disguise itself as a legitimate Windows program.
https://hackread.com/hackers-excel-exploit-xworm-7-2-jpeg-files-hijack-pcs/
Overview
- NaturalIntelligence
- fast-xml-parser
Published
30 Jan 2026
Updated
11 Feb 2026
CVSS v3.1
HIGH (7.5)
EPSS
0.03%
KEV
Description
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `�` or `�`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.
Statistics
- 1 Post
Last activity: 15 hours ago
Overview
- NixOS
- nixpkgs
Published
02 Feb 2026
Updated
04 Feb 2026
CVSS v3.1
CRITICAL (9.1)
EPSS
0.04%
KEV
Description
The NixOS Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS-based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoo's file store. Unauthorized access is evident from HTTP requests. If logs have been kept, searching the access logs and/or Odoo's log for requests to /web/database can indicate whether this has been actively exploited. The database manager is a feature intended for development and not meant to be publicly reachable. On other setups, a master password acts as a second line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and is thus unable to persist the auto-generated password. This also applies when manually setting a master password in the web UI. This means the password is lost when restarting Odoo. When no password is set, the user is prompted to set one directly via the database manager. This requires no authentication or action by any authorized user or the system administrator. Thus, the database is effectively world-readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05.
Statistics
- 1 Post
Last activity: 3 hours ago
Bluesky
Overview
- Red Hat
- Red Hat Enterprise Linux 10
- libxml2
Published
15 Jan 2026
Updated
15 Jan 2026
CVSS
Pending
EPSS
0.02%
KEV
Description
A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.
Statistics
- 1 Post
Last activity: 15 hours ago
Overview
Description
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Statistics
- 2 Posts
Last activity: 2 hours ago
Bluesky
Two RoundCube Webmail vulnerabilities (CVE-2025-49113 and CVE-2025-68461) are being actively exploited; organizations must apply available patches immediately.
Overview
- Artifex Software
- MuPDF
Published
06 Feb 2026
Updated
06 Feb 2026
CVSS v4.0
MEDIUM (5.9)
EPSS
0.06%
KEV
Description
MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes.
Statistics
- 3 Posts
Last activity: 13 hours ago
Bluesky
Critical security patch for #Fedora 43: MuPDF 1.27.1 is out. This update addresses CVE-2026-25556, a denial-of-service vulnerability triggered by malicious files during barcode decoding. Read more: 👉 tinyurl.com/2neuuw7p #Security
Critical security advisory for the Fedora community: CVE-2026-25556 is a DoS vulnerability in PyMuPDF that can be triggered via crafted barcode decoding.
If you're running #Fedora 43, the path to mitigation is upgrading to mupdf 1.27.1. Read more: 👉 tinyurl.com/39bk5rw7 #Security
Overview
- Kubernetes
- Kubernetes
Published
22 Apr 2024
Updated
10 Sep 2024
CVSS v3.1
LOW (2.7)
EPSS
6.40%
KEV
Description
A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.
Statistics
- 1 Post
Last activity: 12 hours ago
Bluesky
Overview
- Microsoft
- Windows Notepad
Published
10 Feb 2026
Updated
23 Feb 2026
CVSS v3.1
HIGH (7.8)
EPSS
0.10%
KEV
Description
Improper neutralization of special elements used in a command ('command injection') in Windows Notepad App allows an unauthorized attacker to execute code locally.
Statistics
- 1 Post
Last activity: 20 hours ago
Overview
Description
A vulnerability was detected in Tenda HG9 300001138. This affects an unknown part of the file /boaform/formPing of the component Diagnostic Ping Endpoint. Manipulation of the argument pingAddr results in a stack-based buffer overflow. The attack can be carried out remotely. The exploit is now public and may be used.
Statistics
- 1 Post
Last activity: 3 hours ago