24h | 7d | 30d

Overview

  • SECCN Dingcheng
  • G10

19 Feb 2026
Published
19 Feb 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.15%

KEV

Description

A security vulnerability has been detected in SECCN Dingcheng G10 3.1.0.181203. This impacts the function qq of the file /cgi-bin/session_login.cgi. The manipulation of the argument User leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used.

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse

Profile picture fallback

🚨 CRITICAL: CVE-2026-2686 in SECCN Dingcheng G10 (v3.1.0.181203) enables unauthenticated remote OS command injection via the 'User' param in /cgi-bin/session_login.cgi. Exploit code is public. Restrict access & monitor! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 15h ago

Overview

  • curl
  • curl

08 Jan 2026
Published
08 Jan 2026
Updated

CVSS
Pending
EPSS
0.07%

KEV

Description

When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

Profile picture fallback
🚨 New MEDIUM CVE detected in AWS Lambda 🚨 CVE-2025-15224 impacts curl-minimal in 40 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/413 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 0
  • 0
  • 4h ago

Overview

  • Moxa
  • UC-1200A Series

05 Feb 2026
Published
05 Feb 2026
Updated

CVSS v4.0
HIGH (7.0)
EPSS
0.01%

KEV

Description

A physical attack vulnerability exists in certain Moxa industrial computers using TPM-backed LUKS full-disk encryption on Moxa Industrial Linux 3, where the discrete TPM is connected to the CPU via an SPI bus. Exploitation requires invasive physical access, including opening the device and attaching external equipment to the SPI bus to capture TPM communications. If successful, the captured data may allow offline decryption of eMMC contents. This attack cannot be performed through brief or opportunistic physical access and requires extended physical access, possession of the device, appropriate equipment, and sufficient time for signal capture and analysis. Remote exploitation is not possible.

Statistics

  • 2 Posts

Last activity: Last hour

Bluesky

Profile picture fallback
[CVE-2026-0714] TPM-sniffing LUKS Keys on an Embedded Device
  • 0
  • 0
  • 1
  • Last hour

Overview

  • OpenSSL
  • OpenSSL

27 Jan 2026
Published
29 Jan 2026
Updated

CVSS
Pending
EPSS
0.05%

KEV

Description

Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service. Some applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointer dereference will happen if the examined cipher ID is unknown or unsupported. As it is not very common to call this function in applications using the QUIC protocol and the worst outcome is Denial of Service, the issue was assessed as Low severity. The vulnerable code was introduced in the 3.2 version with the addition of the QUIC protocol support. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the QUIC implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

Profile picture fallback
🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2025-15468 impacts openssl-fips-provider-latest in 40 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/415 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 0
  • 0
  • 4h ago

Overview

  • GnuPG
  • GnuPG

27 Jan 2026
Published
28 Jan 2026
Updated

CVSS v3.1
HIGH (8.4)
EPSS
0.01%

KEV

Description

In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

Profile picture fallback
🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2026-24882 impacts gnupg2-minimal in 20 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/414 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 0
  • 0
  • 4h ago

Overview

  • curl
  • curl

08 Jan 2026
Published
09 Jan 2026
Updated

CVSS
Pending
EPSS
0.03%

KEV

Description

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

Profile picture fallback
🚨 New MEDIUM CVE detected in AWS Lambda 🚨 CVE-2025-14524 impacts curl-minimal in 40 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/410 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 0
  • 0
  • 4h ago

Overview

  • OpenSSL
  • OpenSSL

27 Jan 2026
Published
28 Jan 2026
Updated

CVSS
Pending
EPSS
0.07%

KEV

Description

Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

Profile picture fallback
🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2025-69420 impacts openssl-fips-provider-latest in 40 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/420 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 0
  • 0
  • 4h ago

Overview

  • OpenSSL
  • OpenSSL

27 Jan 2026
Published
29 Jan 2026
Updated

CVSS
Pending
EPSS
0.00%

KEV

Description

Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

Profile picture fallback
🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2025-69418 impacts openssl-fips-provider-latest in 40 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/418 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless
  • 0
  • 0
  • 0
  • 4h ago

Overview

  • OpenStack
  • Nova

18 Feb 2026
Published
18 Feb 2026
Updated

CVSS v3.1
HIGH (8.2)
EPSS
0.04%

KEV

Description

An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, a user may convince Nova's Flat image backend to call qemu-img without a format restriction, resulting in an unsafe image resize operation that could destroy data on the host system. Only compute nodes using the Flat image backend (usually configured with use_cow_images=False) are affected.

Statistics

  • 1 Post

Last activity: 21 hours ago

Bluesky

Profile picture fallback
CVE Alert: CVE-2026-24708 - CVSS 8.2/10 An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize,... https://www.cyberhub.blog/cves/CVE-2026-24708
  • 0
  • 0
  • 0
  • 21h ago

Overview

  • sergejey
  • MajorDoMo

18 Feb 2026
Published
18 Feb 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.09%

KEV

Description

MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method through the /objects/?module=saverestore endpoint without authentication because it uses gr('mode') (which reads directly from $_REQUEST) instead of the framework's $this->mode. An attacker can poison the system update URL via the auto_update_settings mode handler, then trigger the force_update handler to initiate the update chain. The autoUpdateSystem() method fetches an Atom feed from the attacker-controlled URL with trivial validation, downloads a tarball via curl with TLS verification disabled (CURLOPT_SSL_VERIFYPEER set to FALSE), extracts it using exec('tar xzvf ...'), and copies all extracted files to the document root using copyTree(). This allows an attacker to deploy arbitrary PHP files, including webshells, to the webroot with two GET requests.

Statistics

  • 1 Post

Last activity: 19 hours ago

Fediverse

Profile picture fallback

🚨 CRITICAL: CVE-2026-27180 in sergejey MajorDoMo allows unauthenticated RCE via poisoned update URLs. Attackers can deploy arbitrary PHP files to webroot with 2 GETs. Patch urgently! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 19h ago
Showing 31 to 40 of 69 CVEs