Overview

  • huggingface
  • huggingface/text-generation-inference

Published: 02 Feb 2026
Updated: 02 Feb 2026

CVSS v3.0: HIGH (7.5)
EPSS: 0.27%

KEV

Description

A vulnerability in huggingface/text-generation-inference version 3.3.6 allows unauthenticated remote attackers to exploit unbounded external image fetching during input validation in VLM mode. The issue arises when the router scans inputs for Markdown image links and performs a blocking HTTP GET request, reading the entire response body into memory and cloning it before decoding. This behavior can lead to resource exhaustion, including network bandwidth saturation, memory inflation, and CPU overutilization. The vulnerability is triggered even if the request is later rejected for exceeding token limits. The default deployment configuration, which lacks memory usage limits and authentication, exacerbates the impact, potentially crashing the host machine. The issue is resolved in version 3.3.7.

Statistics

  • 1 Post

Last activity: 20 hours ago

Fediverse

🟠 CVE-2026-0599 - High (7.5)

A vulnerability in huggingface/text-generation-inference version 3.3.6 allows unauthenticated remote attackers to exploit unbounded external image fetching during input validation in VLM mode. The issue arises when the router scans inputs for Mark...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 20h ago

Overview

  • Microsoft
  • Windows Server 2019

Published: 14 Oct 2025
Updated: 02 Jan 2026

CVSS v3.1: CRITICAL (9.8)
EPSS: 71.08%

Description

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

Statistics

  • 1 Post

Last activity: 3 hours ago

Bluesky

Weekly Purple Team Episode: CVE-2025-59287 - Exploiting & Detecting the Critical WSUS RCE
  • 3h ago

Overview

  • AKCE Software Technology R&D Industry and Trade Inc.
  • SKSPro

Published: 02 Feb 2026
Updated: 02 Feb 2026

CVSS v3.1: HIGH (8.6)
EPSS: Pending

KEV

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows SQL Injection. This issue affects SKSPro: through 07012026.

Statistics

  • 1 Post

Last activity: 19 hours ago

Fediverse

🟠 CVE-2025-8587 - High (8.6)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows SQL Injection. This issue affects SKSPro: through 07012026.

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 19h ago

Overview

  • Samsung Electronics
  • MagicINFO 9 Server

Published: 02 Feb 2026
Updated: 03 Feb 2026

CVSS v3.1: HIGH (8.8)
EPSS: 0.07%

KEV

Description

An unauthenticated user can upload arbitrary files to execute remote code, leading to privilege escalation in MagicInfo9 Server. This issue affects MagicINFO 9 Server: less than 21.1090.1.

Statistics

  • 1 Post

Last activity: 22 hours ago

Bluesky

🚨 Critical Samsung MagicINFO flaw disclosed: CVE-2026-25201 allows unauthenticated attackers to upload arbitrary files, leading to remote code execution on MagicINFO 9 Server. Full report: basefortify.eu/cve_reports/... #CVE #Samsung #MagicINFO 🔐
  • 22h ago

Overview

  • Unknown
  • User Profile Builder

Published: 02 Feb 2026
Updated: 02 Feb 2026

CVSS: Pending
EPSS: 0.00%

KEV

Description

The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account.

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse

🔴 CVE-2025-15030 - Critical (9.8)

The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore ...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 15h ago

Overview

  • Pending

Published: 20 Apr 2022
Updated: 21 Oct 2025

CVSS: Pending
EPSS: 94.11%

Description

A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.

Statistics

  • 2 Posts
  • 2 Interactions

Last activity: 18 hours ago

Fediverse

🚨 This week’s CrowdSec Threat Alert article highlights CVE-2025-68645 (LFI) and CVE-2022-27926 (XSS), actively exploited in the wild against Zimbra Collaboration servers.

Explore attack details, threat trends, and mitigation steps in the article 👉 crowdsec.net/vulntracking-repo

  • 18h ago

Overview

  • Pending

Published: 22 Dec 2025
Updated: 23 Jan 2026

CVSS: Pending
EPSS: 23.30%

Description

A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.

Statistics

  • 2 Posts
  • 2 Interactions

Last activity: 18 hours ago

Fediverse

🚨 This week’s CrowdSec Threat Alert article highlights CVE-2025-68645 (LFI) and CVE-2022-27926 (XSS), actively exploited in the wild against Zimbra Collaboration servers.

Explore attack details, threat trends, and mitigation steps in the article 👉 crowdsec.net/vulntracking-repo

  • 18h ago

Overview

  • OpenSSL
  • OpenSSL

Published: 27 Jan 2026
Updated: 29 Jan 2026

CVSS: Pending
EPSS: 0.00%

KEV

Description

Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error.

Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16MB remains unauthenticated.

When the 'openssl dgst' command is used with algorithms that only support one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input is buffered with a 16MB limit. If the input exceeds this limit, the tool silently truncates to the first 16MB and continues without signaling an error, contrary to what the documentation states. This creates an integrity gap where trailing bytes can be modified without detection if both signing and verification are performed using the same affected codepath.

The issue affects only the command-line tool behavior. Verifiers that process the full message using library APIs will reject the signature, so the risk primarily affects workflows that both sign and verify with the affected 'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and library users are unaffected.

The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the command-line tools are outside the OpenSSL FIPS module boundary.

OpenSSL 3.5 and 3.6 are vulnerable to this issue. OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

Statistics

  • 1 Post

Last activity: 8 hours ago

Bluesky

AISLE's autonomous analysis discovered 12 previously undisclosed OpenSSL vulnerabilities and flagged six more, including CVE-2025-15467 and CVE-2025-15469, and OpenSSL maintainers praised the high quality of the reports and constructive collaboration.
  • 8h ago

Overview

  • n8n

Published: 18 Jan 2026
Updated: 23 Jan 2026

CVSS v3.1: HIGH (8.5)
EPSS: 0.06%

KEV

Description

Using string formatting and exception handling, an attacker may bypass n8n's python-task-executor sandbox restrictions and run arbitrary unrestricted Python code in the underlying operating system. The vulnerability can be exploited via the Code block by an authenticated user with basic permissions and can lead to a full n8n instance takeover on instances operating under "Internal" execution mode. If the instance is operating under the "External" execution mode (e.g. n8n's official Docker image), arbitrary code execution occurs inside a sidecar container and not the main node, which significantly reduces the vulnerability impact.

Statistics

  • 1 Post

Last activity: 10 hours ago

Bluesky

Vulnerability in n8n enabling remote code execution (CVE-2026-1470, CVE-2026-0863) rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #セキュリティ #Security #CybersecurityNews
  • 10h ago

Overview

  • tornadoweb
  • tornado

Published: 12 Dec 2025
Updated: 18 Dec 2025

CVSS v3.1: MEDIUM (5.4)
EPSS: 0.06%

KEV

Description

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom "reason" phrases (the "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3.

Statistics

  • 1 Post

Last activity: 16 hours ago

Bluesky

🚨 Critical security update for #Debian 11 #Bullseye. Patch #Python #Tornado now for CVE-2025-67724 (Header Injection/XSS), CVE-2025-67725/26 (DoS). Read more: 👉 tinyurl.com/4f674wpz #Security
  • 16h ago
Showing 31 to 40 of 42 CVEs