Overview

  • Meta
  • react-server-dom-webpack

Published: 03 Dec 2025
Updated: 11 Dec 2025

CVSS v3.1: CRITICAL (10.0)
EPSS: 60.90%

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Statistics

  • 1 Post

Last activity: 17 hours ago

Bluesky

📌 Critical Vulnerability React2Shell (CVE-2025-55182) Allows Unauthenticated Remote Code Execution https://www.cyberhub.blog/article/19399-critical-vulnerability-react2shell-cve-2025-55182-allows-unauthenticated-remote-code-execution

Overview

  • karutoil
  • catalyst

Published: 10 Feb 2026
Updated: 10 Feb 2026

CVSS v3.1: CRITICAL (10.0)
EPSS: Pending

KEV

Description

Catalyst is a platform built for enterprise game server hosts, game communities, and billing panel integrations. Install scripts defined in server templates execute directly on the host operating system as root via bash -c, with no sandboxing or containerization. Any user with template.create or template.update permission can define arbitrary shell commands that achieve full root-level remote code execution on every node machine in the cluster. This vulnerability is fixed in commit 11980aaf3f46315b02777f325ba02c56b110165d.

Statistics

  • 1 Post

Last activity: 10 hours ago

Fediverse

🚨 karutoil catalyst (<11980aaf3f46315b02777f325ba02c56b110165d) faces CRITICAL OS command injection (CVE-2026-26009, CVSS 10.0). Users with template perms can execute root shell commands cluster-wide. Patch immediately! radar.offseq.com/threat/cve-20


Overview

  • Fortinet
  • FortiSandbox

Published: 10 Feb 2026
Updated: 11 Feb 2026

CVSS v3.1: HIGH (7.9)
EPSS: Pending

KEV

Description

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, and FortiSandbox 4.0 all versions may allow an unauthenticated attacker to execute commands via crafted requests.

Statistics

  • 1 Post

Last activity: 18 hours ago

Fediverse

RE: infosec.exchange/@ozu/11604108

Another another vuln. CVE-2025-52436


Overview

  • Microsoft
  • Windows Server 2022

Published: 13 Jan 2026
Updated: 30 Jan 2026

CVSS v3.1: HIGH (7.8)
EPSS: 0.06%

KEV

Description

Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally.

Statistics

  • 1 Post

Last activity: 23 hours ago

Bluesky

CVE-2026-20817: The Hidden Windows Error Reporting Flaw That Grants Attackers Admin Keys + Video Introduction: A critical local privilege escalation (LPE) vulnerability has been discovered in the Windows Error Reporting (WER) service, a core component for crash reporting and diagnostics.…

Overview

  • nko
  • Custom Block Builder – Lazy Blocks

Published: 11 Feb 2026
Updated: 11 Feb 2026

CVSS v3.1: HIGH (8.8)
EPSS: Pending

KEV

Description

The Custom Block Builder – Lazy Blocks plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.0 via multiple functions in the 'LazyBlocks_Blocks' class. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

Statistics

  • 1 Post

Last activity: 2 hours ago

Fediverse

⚠️ HIGH severity: CVE-2026-1560 in Lazy Blocks (WordPress, ≤4.2.0) lets Contributor+ users run arbitrary code via improper code generation (CWE-94). No public exploits yet — restrict roles and monitor activity! radar.offseq.com/threat/cve-20


Overview

  • ImageMagick
  • ImageMagick

Published: 20 Jan 2026
Updated: 21 Jan 2026

CVSS v3.1: HIGH (8.1)
EPSS: 0.06%

KEV

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow vulnerability in the XBM image decoder (ReadXBMImage) allows an attacker to write controlled data past the allocated heap buffer when processing a maliciously crafted image file. Any operation that reads or identifies an image can trigger the overflow, making it exploitable via common image upload and processing pipelines. Versions 7.1.2-13 and 6.9.13-38 fix the issue.

Statistics

  • 1 Post

Last activity: 19 hours ago

Bluesky

Critical vulnerability disclosure: CVE-2026-23876 in ImageMagick. Impacts the entire #Ubuntu LTS lineage. Read more: 👉 tinyurl.com/bdkk6j42 #Security

Overview

  • @react-native-community/cli-server-api

Published: 03 Nov 2025
Updated: 06 Feb 2026

CVSS v3.1: CRITICAL (9.8)
EPSS: 6.95%

Description

The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

Statistics

  • 1 Post

Last activity: 20 hours ago

Bluesky

Metro4Shell Exposed: How a Default React Native Server Can Hand Over Your Network to Hackers + Video Introduction: A critical command injection vulnerability, dubbed Metro4Shell and tracked as CVE-2025-11953, has been discovered in the React Native Community CLI's Metro development server. By…

Overview

  • jquery-validation

Published: 15 Apr 2025
Updated: 15 Apr 2025

CVSS v4.0: MEDIUM (5.3)
EPSS: 0.25%

KEV

Description

Versions of the package jquery-validation before 1.20.0 are vulnerable to Cross-site Scripting (XSS) in the showLabel() function, which may take input from a user-controlled placeholder value. This value will populate a message via $.validator.messages in a user localizable dictionary.

Statistics

  • 1 Post

Last activity: 8 hours ago

Fediverse

@zachleat

Should be a lot more! They don't organise frontend and npm vuln that way. This doesn't even mention JavaScript:

cve.org/CVERecord?id=CVE-2025-

The search relies on descriptions for which standard terms are "an ongoing area of research" 🧐

cve.org/ResourcesSupport/FAQs#


Overview

  • Microsoft
  • GitHub Copilot Plugin for JetBrains IDEs

Published: 10 Feb 2026
Updated: 11 Feb 2026

CVSS v3.1: HIGH (8.8)
EPSS: Pending

KEV

Description

Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot allows an unauthorized attacker to execute code over a network.

Statistics

  • 1 Post

Last activity: 2 hours ago

Bluesky

🚨 CVE-2026-21516 (CVSS 8.8 HIGH) Command Injection in GitHub Copilot allows an unauthorized attacker to execute code over a network due to improper neutralization of special elements in commands. Full analysis: basefortify.eu/cve_reports/... #CVE #GitHubCopilot #Microsoft #CyberSecurity #AppSec

Overview

  • SAP_SE
  • SAP CRM and SAP S/4HANA (Scripting Editor)

Published: 10 Feb 2026
Updated: 11 Feb 2026

CVSS v3.1: CRITICAL (9.9)
EPSS: 0.04%

KEV

Description

An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 20 hours ago

Bluesky

SAP released 27 security notes including two critical vulnerabilities (CVE-2026-0488 and CVE-2026-0509) enabling database compromise and unauthorized background remote function calls.