24h | 7d | 30d

CVE-2026-33870

Overview

  • Pending
Pending
Published
Pending
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 16 hours ago

Fediverse

Profile picture fallback
Chris @chrisvest

We're released Netty 4.2.11 and 4.1.132. These contain many bug fixes, and fixes for two CVEs both rated *high*:

- CVE-2026-33871: HTTP/2 CONTINUATION frame flood Denial of Service.
- CVE-2026-33870: HTTP/1.1 Request Smuggling vulnerability in chunked encoding parsing.

Release notes for 4.2.11: netty.io/news/2026/03/24/4-2-1
Release notes for 4.1.132: netty.io/news/2026/03/24/4-1-1

Also of note: We had 17 people contribute to Netty 4.2.11, of which 5 are new first time contributors 😲

#netty #java

  • 0
  • 1
  • 0
  • 16h ago

CVE-2025-43529

Overview

  • Apple
  • iOS and iPadOS
17 Dec 2025
Published
26 Feb 2026
Updated
CVSS
Pending
EPSS
0.20%
KEV

Description

A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 26.2, Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 18 hours ago

Fediverse

Profile picture fallback
Taggart @mttaggart

@gknauss I think the thing is to move to 18.7.3, which is patched.

For devices running versions of iOS prior to 18.6, DarkSword uses CVE-2025-31277, a JIT optimization/type confusion bug which was patched by Apple in iOS 18.6. For devices running iOS 18.6-18.7, DarkSword uses CVE-2025-43529, a garbage collection bug in the Data Flow Graph (DFG) JIT layer of JavaScriptCore which was patched by Apple in iOS 18.7.3 and 26.2 after it was reported by GTIG. Both exploits develop their own fakeobj/addrof primitives, and then build arbitrary read/write primitives the same way on top of them.

I'm unaware of a compelling reason or hardware limitation to not upgrade from 18.6 to 18.7

cloud.google.com/blog/topics/t

  • 0
  • 1
  • 0
  • 18h ago

CVE-2026-33871

Overview

  • Pending
Pending
Published
Pending
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 16 hours ago

Fediverse

Profile picture fallback
Chris @chrisvest

We're released Netty 4.2.11 and 4.1.132. These contain many bug fixes, and fixes for two CVEs both rated *high*:

- CVE-2026-33871: HTTP/2 CONTINUATION frame flood Denial of Service.
- CVE-2026-33870: HTTP/1.1 Request Smuggling vulnerability in chunked encoding parsing.

Release notes for 4.2.11: netty.io/news/2026/03/24/4-2-1
Release notes for 4.1.132: netty.io/news/2026/03/24/4-1-1

Also of note: We had 17 people contribute to Netty 4.2.11, of which 5 are new first time contributors 😲

#netty #java

  • 0
  • 1
  • 0
  • 16h ago

CVE-2026-21262

Overview

  • Microsoft
  • Microsoft SQL Server 2016 Service Pack 3 (GDR)
10 Mar 2026
Published
24 Mar 2026
Updated
CVSS v3.1
HIGH (8.8)
EPSS
0.13%
KEV

Description

Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.

Statistics

  • 1 Post
Last activity: 21 hours ago

Fediverse

Profile picture fallback
Jeremy Morgan @jeremymorgan

Two things that need patching this week: Azure DevOps Server has a CVSS 8.6 privilege escalation, and Azure's MCP Server has a separate privilege escalation from crafted input. That second one should concern everyone rushing to deploy MCP servers everywhere. Audit your input validation now.

securityboulevard.com/2026/03/

  • 0
  • 0
  • 0
  • 21h ago

CVE-2026-27739

Overview

  • angular
  • angular-cli
25 Feb 2026
Published
27 Feb 2026
Updated
CVSS v4.0
CRITICAL (9.2)
EPSS
0.05%
KEV

Description

The Angular SSR is a server-rise rendering tool for Angular applications. Versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery (SSRF) vulnerability in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application's base origin without any validation of the destination domain. Specifically, the framework didn't have checks for the host domain, path and character sanitization, and port validation. This vulnerability manifests in two primary ways: implicit relative URL resolution and explicit manual construction. When successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to credential exfiltration, internal network probing, and a confidentiality breach. In order to be vulnerable, the victim application must use Angular SSR (Server-Side Rendering), the application must perform `HttpClient` requests using relative URLs OR manually construct URLs using the unvalidated `Host` / `X-Forwarded-*` headers using the `REQUEST` object, the application server must be reachable by an attacker who can influence these headers without strict validation from a front-facing proxy, and the infrastructure (Cloud, CDN, or Load Balancer) must not sanitize or validate incoming headers. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Some workarounds are available. Avoid using `req.headers` for URL construction. Instead, use trusted variables for base API paths. Those who cannot upgrade immediately should implement a middleware in their `server.ts` to enforce numeric ports and validated hostnames.

Statistics

  • 1 Post
Last activity: 12 hours ago

Bluesky

Profile picture fallback
OpsMatters @opsmatters.com
The latest update for #Indusface includes "CVE-2026-20963: SharePoint Deserialization Remote Code Execution Vulnerability" and "CVE-2026-27739: Angular SSR Request Vulnerability Enabling Server-Side Request Forgery". #cybersecurity #infosec https://opsmtrs.com/3ySs2VF
  • 0
  • 0
  • 0
  • 12h ago

CVE-2026-26127

Overview

  • Microsoft
  • .NET 10.0
10 Mar 2026
Published
24 Mar 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.08%
KEV

Description

Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.

Statistics

  • 1 Post
Last activity: 21 hours ago

Fediverse

Profile picture fallback
Jeremy Morgan @jeremymorgan

Two things that need patching this week: Azure DevOps Server has a CVSS 8.6 privilege escalation, and Azure's MCP Server has a separate privilege escalation from crafted input. That second one should concern everyone rushing to deploy MCP servers everywhere. Audit your input validation now.

securityboulevard.com/2026/03/

  • 0
  • 0
  • 0
  • 21h ago

CVE-2026-4673

Overview

  • Google
  • Chrome
24 Mar 2026
Published
25 Mar 2026
Updated
CVSS
Pending
EPSS
0.07%
KEV

Description

Heap buffer overflow in WebAudio in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

Statistics

  • 1 Post
Last activity: 23 hours ago

Bluesky

Profile picture fallback
Cybersecurity News Everyday @hendryadrian.bsky.social
Google Chrome 146 patches eight high-severity memory-safety flaws including heap buffer overflows, use-after-free, and integer overflow bugs. Notable fixes: CVE-2026-4673 & CVE-2026-4677 in WebAudio. #Chrome146 #BugBounty #USA
  • 0
  • 0
  • 0
  • 23h ago

CVE-2026-4677

Overview

  • Google
  • Chrome
24 Mar 2026
Published
25 Mar 2026
Updated
CVSS
Pending
EPSS
0.07%
KEV

Description

Inappropriate implementation in WebAudio in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

Statistics

  • 1 Post
Last activity: 23 hours ago

Bluesky

Profile picture fallback
Cybersecurity News Everyday @hendryadrian.bsky.social
Google Chrome 146 patches eight high-severity memory-safety flaws including heap buffer overflows, use-after-free, and integer overflow bugs. Notable fixes: CVE-2026-4673 & CVE-2026-4677 in WebAudio. #Chrome146 #BugBounty #USA
  • 0
  • 0
  • 0
  • 23h ago

CVE-2026-3104

Overview

  • ISC
  • BIND 9
25 Mar 2026
Published
25 Mar 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
Pending
KEV

Description

A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.

Statistics

  • 1 Post
  • 3 Interactions
Last activity: 3 hours ago

Fediverse

Profile picture fallback
ISC.org @iscdotorg

ISC's March 2026 maintenance releases of BIND 9 are available at isc.org/download : stable branches 9.18.47 and 9.20.21, and development branch 9.21.20.

Packages and container images provided by ISC will be updated later today.

In addition to bug fixes and feature improvements, these releases also contain fixes for security vulnerabilities:

kb.isc.org/docs/cve-2026-1519
kb.isc.org/docs/cve-2026-3104
kb.isc.org/docs/cve-2026-3119
kb.isc.org/docs/cve-2026-3591

Thanks for using ISC's software!

  • 2
  • 1
  • 0
  • 3h ago

CVE-2026-1519

Overview

  • ISC
  • BIND 9
25 Mar 2026
Published
25 Mar 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
Pending
KEV

Description

If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.

Statistics

  • 1 Post
  • 3 Interactions
Last activity: 3 hours ago

Fediverse

Profile picture fallback
ISC.org @iscdotorg

ISC's March 2026 maintenance releases of BIND 9 are available at isc.org/download : stable branches 9.18.47 and 9.20.21, and development branch 9.21.20.

Packages and container images provided by ISC will be updated later today.

In addition to bug fixes and feature improvements, these releases also contain fixes for security vulnerabilities:

kb.isc.org/docs/cve-2026-1519
kb.isc.org/docs/cve-2026-3104
kb.isc.org/docs/cve-2026-3119
kb.isc.org/docs/cve-2026-3591

Thanks for using ISC's software!

  • 2
  • 1
  • 0
  • 3h ago
Showing 31 to 40 of 47 CVEs