Overview
- fastify
- @fastify/express
15 Apr 2026
Published
15 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.1)
EPSS
0.11%
KEV
Description
Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped. An unauthenticated attacker can access protected routes by manipulating the URL path.
PatchesUpgrade to @fastify/express v4.0.5 or later.
Statistics
- 2 Posts
Last activity: 11 hours ago
Overview
- Meta
- react-server-dom-turbopack
08 Apr 2026
Published
08 Apr 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.42%
KEV
Description
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.
Statistics
- 1 Post
Last activity: 16 hours ago
Overview
- NuGet
- NuGetGallery
14 Apr 2026
Published
15 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.6)
EPSS
0.26%
KEV
Description
NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job’s handling of .nuspec files within NuGet packages. An attacker can supply a crafted nuspec file with malicious metadata, leading to cross package metadata injection that may result in remote code execution (RCE) and/or arbitrary blob writes due to insufficient input validation. The issue is exploitable via URI fragment injection using unsanitized package identifiers, allowing an attacker to control the resolved blob path. This enables writes to arbitrary blobs within the storage container, not limited to .nupkg files, resulting in potential tampering of existing content. This issue has been patched in commit 0e80f87628349207cdcaf55358491f8a6f1ca276.
Statistics
- 1 Post
Last activity: 20 hours ago
Fediverse
⚠️ CRITICAL: NuGetGallery improper input validation (CVE-2026-39399, CVSS 9.6) allows crafted .nuspec files to trigger RCE & arbitrary blob writes. Update to commit 0e80f87628349207cdcaf55358491f8a6f1ca276. Details: https://radar.offseq.com/threat/cve-2026-39399-cwe-20-improper-input-validation-in-f5d85126 #OffSeq #NuGet #Vuln #infosec
Overview
- Microsoft
- Windows Server 2012
14 Apr 2026
Published
15 Apr 2026
Updated
CVSS v3.1
HIGH (7.7)
EPSS
0.06%
KEV
Description
Improper input validation in Windows BitLocker allows an unauthorized attacker to bypass a security feature locally.
Statistics
- 1 Post
Last activity: 11 hours ago
Bluesky
Overview
- SaturdayDrive
- Ninja Forms - File Uploads
07 Apr 2026
Published
08 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
0.09%
KEV
Description
The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability was partially patched in version 3.3.25 and fully patched in version 3.3.27.
Statistics
- 1 Post
Last activity: 21 hours ago
Fediverse
50,000 WordPress Sites affected by Arbitrary File Upload Vulnerability in Ninja Forms - File Upload WordPress Plugin
Ninja Forms - File Upload (versions <= 3.3.26, CVE-2026-0740, CVSS 9.8 Critical) allows unauthenticated attackers to upload arbitrary files and achieve remote code execution on ~50,000 affected sites. Update to version 3.3.27 immediately.
Overview
- Python Software Foundation
- CPython
20 Mar 2026
Published
13 Apr 2026
Updated
CVSS v4.0
HIGH (7.0)
EPSS
0.03%
KEV
Description
The webbrowser.open() API would accept leading dashes in the URL which
could be handled as command line options for certain web browsers. New
behavior rejects leading dashes. Users are recommended to sanitize URLs
prior to passing to webbrowser.open().
Statistics
- 1 Post
Last activity: 8 hours ago
Overview
- Microsoft
- Windows Server 2012 R2
14 Apr 2026
Published
15 Apr 2026
Updated
CVSS v3.1
HIGH (8.0)
EPSS
0.36%
KEV
Description
Improper input validation in Windows Active Directory allows an authorized attacker to execute code over an adjacent network.
Statistics
- 1 Post
Last activity: 7 hours ago
Bluesky
Overview
Description
A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
Statistics
- 1 Post
Last activity: 7 hours ago
Fediverse
📰 Black Shrantac Ransomware Targets Industrial Sector with Double Extortion and Living-off-the-Land Tactics
New ransomware threat: Black Shrantac uses double extortion & LOTL tactics. They exploit flaws like CVE-2024-3400 (PAN-OS) for access then use legit tools to hide. Industrial sector at high risk. 🏭 #Ransomware #CyberSecurity #BlackShrantac
Overview
- @fastify/reply-from
- @fastify/reply-from
15 Apr 2026
Published
15 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.0)
EPSS
0.04%
KEV
Description
@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from.
Upgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later.
Statistics
- 2 Posts
Last activity: 10 hours ago
Fediverse
🚨 Critical-severity security fix in @fastify/reply-from@12.6.2 and @fastify/http-proxy@11.4.4 just released!
Patches CVE-2026-33805 — connection header abuse enables stripping of proxy-added headers
https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37
Overview
- Red Hat
- Red Hat Enterprise Linux 10
- NetworkManager
13 Mar 2026
Published
13 Mar 2026
Updated
CVSS
Pending
EPSS
Pending
KEV
Description
A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.
Statistics
- 1 Post
Last activity: Last hour