Description
A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.
Statistics
- 1 Post
Last activity: 9 hours ago
Overview
- Microsoft
- Windows Server 2012 R2
14 Apr 2026
Published
16 Apr 2026
Updated
CVSS v3.1
HIGH (8.0)
EPSS
0.36%
KEV
Description
Improper input validation in Windows Active Directory allows an authorized attacker to execute code over an adjacent network.
Statistics
- 1 Post
Last activity: 18 hours ago
Bluesky
Overview
- Digital Knowledge
- KnowledgeDeliver
16 Apr 2026
Published
16 Apr 2026
Updated
CVSS
Pending
EPSS
Pending
KEV
Description
Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks
Statistics
- 1 Post
Last activity: 6 hours ago
Fediverse
π¨ CRITICAL: CVE-2026-5426 in Digital Knowledge KnowledgeDeliver (pre-Feb 2026) allows RCE via hard-coded ASP.NET machineKey & ViewState. No patch yet. Restrict access & monitor for ViewState abuse. https://radar.offseq.com/threat/cve-2026-5426-cwe-321-use-of-hard-coded-cryptograp-c04eb03f #OffSeq #Vuln #AppSec #InfoSec
Overview
- HAProxy
- HAProxy
13 Apr 2026
Published
14 Apr 2026
Updated
CVSS v3.1
MEDIUM (4.0)
EPSS
0.01%
KEV
Description
An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.
Statistics
- 1 Post
Last activity: 10 hours ago
Overview
- @fastify/static
- @fastify/static
16 Apr 2026
Published
16 Apr 2026
Updated
CVSS v3.1
MEDIUM (5.9)
EPSS
Pending
KEV
Description
@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds.
Statistics
- 3 Posts
Last activity: 17 hours ago
Fediverse
π¨ Medium-severity security fix in @fastify/static@9.1.1 just released!
Patches CVE-2026-6414 β route guard bypass via encoded path separators
https://github.com/fastify/fastify-static/security/advisories/GHSA-x428-ghpx-8j92
Overview
- Meta
- react-server-dom-turbopack
08 Apr 2026
Published
08 Apr 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.69%
KEV
Description
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.
Statistics
- 1 Post
Last activity: 15 hours ago
Overview
Description
TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.
Statistics
- 1 Post
Last activity: 12 hours ago
Overview
Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1.
Statistics
- 1 Post
Last activity: 9 hours ago
Fediverse
π° Critical Flaw in Axios Library Puts Countless Web Apps at Risk of RCE
π¨ CRITICAL VULNERABILITY (CVSS 10.0) in Axios JS library! CVE-2026-40175 is an SSRF flaw that can lead to RCE and full cloud compromise. PoC is public. If you use Axios, update to v1.13.2 NOW! π #SupplyChain #RCE #SSRF
Overview
- Simopro Technology
- WinMatrix
16 Apr 2026
Published
16 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
0.01%
KEV
Description
WinMatrix agent developed by Simopro Technology has a Missing Authentication vulnerability, allowing authenticated local attackers to execute arbitrary code with SYSTEM privileges on the local machine as well as on all hosts within the environment where the agent is installed.
Statistics
- 1 Post
Last activity: 22 hours ago
Fediverse
π΄ CRITICAL: CVE-2026-6348 in Simopro WinMatrix 3.5.13 lets local authenticated users execute code as SYSTEM. No patch yet β restrict access & monitor usage. Details: https://radar.offseq.com/threat/cve-2026-6348-cwe-306-missing-authentication-for-c-2cb15b3d #OffSeq #CVE20266348 #Infosec #Vulnerability
Overview
- LibRaw
- LibRaw
07 Apr 2026
Published
08 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
0.05%
KEV
Description
A heap-based buffer overflow vulnerability exists in the HuffTable::initval functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
Statistics
- 1 Post
- 1 Interaction
Last activity: 10 hours ago