Overview

  • sandboxie-plus
  • Sandboxie

Published: 05 May 2026
Updated: 05 May 2026

CVSS v4.0: CRITICAL (9.3)
EPSS: Pending

KEV

Description

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, an INI injection vulnerability allows any standard local user to bypass configuration restrictions (EditAdminOnly and ConfigPassword) and inject arbitrary directives into the global Sandboxie.ini configuration file. The background service skips authorization checks for IPC messages targeting sections beginning with UserSettings_, but does not sanitize CRLF characters in either the value parameter (via MSGID_SBIE_INI_ADD_SETTING) or the setting name parameter (via MSGID_SBIE_INI_SET_SETTING). An attacker can inject a new sandbox section header with unrestricted permissions, enabling sandbox escape and SYSTEM privilege escalation. This issue has been fixed in version 1.17.3.

Statistics

  • 1 Post

Last activity: 4 hours ago

Fediverse

🚨 CVE-2026-34458: Sandboxie-Plus (<=1.17.2) has a CRITICAL CRLF injection bug. Local users can inject config, escape sandboxes, and escalate to SYSTEM. Patch to 1.17.3 ASAP! radar.offseq.com/threat/cve-20


Overview

  • MariaDB
  • server

Published: 20 Mar 2026
Updated: 27 Mar 2026

CVSS v3.1: HIGH (8.6)
EPSS: 0.10%

KEV

Description

MariaDB server is a community developed fork of MySQL server. An authenticated user can crash MariaDB versions 11.4 before 11.4.10 and 11.8 before 11.8.6 via a bug in JSON_SCHEMA_VALID() function. Under certain conditions it might be possible to turn the crash into a remote code execution. These conditions require tight control over memory layout which is generally only attainable in a lab environment. This issue is fixed in MariaDB 11.4.10, MariaDB 11.8.6, and MariaDB 12.2.2.

Statistics

  • 1 Post

Last activity: 7 hours ago

Fediverse

If you run MariaDB in production, take action now. Any user who can open a SQL session — whether through stolen credentials, SQL injection, or lateral movement — can reach this code path with a single function SQL statement: From our work with @wiz_io as part of zeroday.cloud looking into MariaDB, one of the most widely deployed open-source relational databases, powering production workloads across cloud providers, managed services, and on-prem infrastructure
zeroday.cloud/blog/mariadb-cve


Overview

  • NetScaler
  • ADC

Published: 23 Mar 2026
Updated: 31 Mar 2026

CVSS v4.0: CRITICAL (9.3)
EPSS: 51.72%

Description

Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread

Statistics

  • 1 Post

Last activity: 3 hours ago

Bluesky

~Watchtowr~ Active exploitation of Citrix NetScaler CVE-2026-3055 leaks memory and admin session IDs via the /wsfed/passive endpoint. - IOCs: CVE-2026-3055 - #CVE2026_3055 #Citrix #ThreatIntel

Overview

  • Google
  • Chrome

Published: 28 Apr 2026
Updated: 30 Apr 2026

CVSS: Pending
EPSS: 0.02%

KEV

Description

Use after free in Views in Google Chrome on Mac prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Statistics

  • 1 Post

Last activity: 17 hours ago

Bluesky

[Vulnerability information] CVE-2026-7334: vulnerability in Google Chrome for Mac. In versions of Google Chrome for Mac prior to 147.0.7727.138, a use-after-free vulnerability exists in Views.

Overview

  • fast-uri
  • fast-uri

Published: 05 May 2026
Updated: 05 May 2026

CVSS v3.1: HIGH (7.5)
EPSS: 0.03%

KEV

Description

fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.

Statistics

  • 2 Posts

Last activity: 17 hours ago

Bluesky

🚨 High-severity security fix in fast-uri@3.1.2 just released! Patches CVE-2026-6322 — fast-uri vulnerable to host confusion via percent-encoded authority delimiters github.com/fastify/fast...

Overview

  • dataease
  • SQLBot

Published: 05 May 2026
Updated: 05 May 2026

CVSS v4.0: CRITICAL (9.4)
EPSS: Pending

KEV

Description

SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. In versions 1.7.0 and earlier, the Text2SQL chat interface is vulnerable to prompt injection. The user-provided question parameter is directly concatenated into the LLM prompt without filtering or escaping, and the SQL extracted from the LLM response is executed against the database without validation or sanitization. An authenticated attacker can craft a malicious question to manipulate the LLM into generating and executing arbitrary SQL statements. When connected to a PostgreSQL data source, this can lead to remote code execution via COPY FROM PROGRAM. This issue has been fixed in version 1.7.1.

Statistics

  • 1 Post

Last activity: 1 hour ago

Fediverse

🚨 CRITICAL: dataease SQLBot <1.7.1 (CVE-2026-33324) is vulnerable to SQL injection via prompt injection. Authenticated users can trigger RCE on PostgreSQL. Upgrade to 1.7.1+ now! radar.offseq.com/threat/cve-20


Overview

  • ahmadgb
  • GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content

Published: 05 May 2026
Updated: 05 May 2026

CVSS v3.1: CRITICAL (9.8)
EPSS: 0.19%

KEV

Description

The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispatch and reaching a plugin installer helper that downloads and unzips attacker-supplied ZIP files into wp-content/plugins/. This makes it possible for unauthenticated attackers to perform arbitrary plugin installation and achieve remote code execution.

Statistics

  • 1 Post

Last activity: 23 hours ago

Fediverse

🚨 CRITICAL: CVE-2026-5294 in Geeky Bot WP plugin (≤1.2.2) allows unauthenticated RCE by installing arbitrary plugins via an exposed AJAX endpoint. Disable or remove plugin & monitor for patches. radar.offseq.com/threat/cve-20


Overview

  • Shenzhen Yipu Commercial and Trading Co., Ltd
  • WDR201A WiFi Extender

Published: 04 May 2026
Updated: 04 May 2026

CVSS v4.0: CRITICAL (9.3)
EPSS: 0.45%

KEV

Description

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the adm.cgi binary's reboot_time function that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the reboot_time POST parameter. Attackers can send a crafted request with shell metacharacters in the reboot_time parameter when reboot_enabled=1 to achieve remote code execution.

Statistics

  • 1 Post

Last activity: 19 hours ago

Fediverse

🛑 CRITICAL: CVE-2026-41925 in WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) enables unauth OS command injection via reboot_time param. No patch yet — disable remote mgmt or isolate device. radar.offseq.com/threat/cve-20


Overview

  • redis
  • redis

Published: 05 May 2026
Updated: 06 May 2026

CVSS v4.0: HIGH (7.7)
EPSS: Pending

KEV

Description

Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 12 hours ago

Fediverse

RE: mastodon.kodesumber.com/@redis

Anyone running Redis: there is a security patch for CVE-2026-25243 and CVE-2026-23479.

#redis #cve #infosec


Overview

  • redis
  • redis

Published: 05 May 2026
Updated: 06 May 2026

CVSS v4.0: HIGH (7.7)
EPSS: Pending

KEV

Description

Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 12 hours ago

Fediverse

RE: mastodon.kodesumber.com/@redis

Anyone running Redis: there is a security patch for CVE-2026-25243 and CVE-2026-23479.

#redis #cve #infosec
