Overview
Description
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Statistics
- 1 Post
Last activity: 3 hours ago
Overview
- Fortinet
- FortiSandbox
10 Feb 2026
Published
10 Feb 2026
Updated
CVSS v3.1
HIGH (7.9)
EPSS
Pending
KEV
Description
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an unauthenticated attacker to execute commands via crafted requests.
Statistics
- 1 Post
Last activity: 4 hours ago
Fediverse
RE: https://infosec.exchange/@ozu/116041085922526875
Another another vuln. CVE-2025-52436
Overview
- frangoteam
- FUXA
09 Feb 2026
Published
09 Feb 2026
Updated
CVSS v4.0
CRITICAL (10.0)
EPSS
0.20%
KEV
Description
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access via the heartbeat refresh API and execute arbitrary code on the server. This issue has been patched in FUXA version 1.2.10.
Statistics
- 1 Post
Last activity: 18 hours ago
Fediverse
⚠️ CRITICAL: CVE-2026-25893 in frangoteam FUXA (<1.2.10) lets unauthenticated attackers gain admin rights via the heartbeat API & execute code. Immediate patching to 1.2.10+ is essential for all ICS/SCADA deployments. https://radar.offseq.com/threat/cve-2026-25893-cwe-285-improper-authorization-in-f-a5914f35 #OffSeq #ICS #SCADA #Vuln
Overview
- kovidgoyal
- calibre
06 Feb 2026
Published
09 Feb 2026
Updated
CVSS v3.1
HIGH (8.2)
EPSS
0.01%
KEV
Description
calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0.
Statistics
- 1 Post
Last activity: 10 hours ago
Overview
- Flowring
- Agentflow
10 Feb 2026
Published
10 Feb 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
0.17%
KEV
Description
Agentflow developed by Flowring has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to exploit a specific functionality to obtain arbitrary user authentication token and log into the system as any user.
Statistics
- 1 Post
Last activity: 12 hours ago
Fediverse
🚨 CVE-2026-2095: CRITICAL auth bypass in all Flowring Agentflow versions. Remote attackers can impersonate any user — no patch available. Restrict access & monitor for abnormal logins. https://radar.offseq.com/threat/cve-2026-2095-cwe-288-authentication-bypass-using--1f37d3de #OffSeq #Cybersecurity #Vulnerability #Agentflow
Overview
- ImageMagick
- ImageMagick
20 Jan 2026
Published
21 Jan 2026
Updated
CVSS v3.1
HIGH (8.1)
EPSS
0.06%
KEV
Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow vulnerability in the XBM image decoder (ReadXBMImage) allows an attacker to write controlled data past the allocated heap buffer when processing a maliciously crafted image file. Any operation that reads or identifies an image can trigger the overflow, making it exploitable via common image upload and processing pipelines. Versions 7.1.2-13 and 6.9.13-38 fix the issue.
Statistics
- 1 Post
Last activity: 5 hours ago
Overview
Description
The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.
Statistics
- 1 Post
Last activity: 6 hours ago
Bluesky
Overview
Description
This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.
Statistics
- 1 Post
Last activity: 2 hours ago
Fediverse
A critical arbitrary file upload vulnerability (CVE-2026-1357, CVSS 9.8) was discovered in the WPvivid Backup & Migration plugin, which is installed on over 800,000 WordPress sites.
The flaw allows unauthenticated attackers to upload arbitrary files, potentially achieving remote code execution and full site takeover.
Update to version 0.9.124. Wordfence Premium users received firewall protection on January 22.
Overview
- Apache Software Foundation
- Apache HTTP Server
05 Dec 2025
Published
05 Dec 2025
Updated
CVSS
Pending
EPSS
0.15%
KEV
Description
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs.
This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
Users are recommended to upgrade to version 2.4.66 which fixes the issue.
Statistics
- 1 Post
Last activity: 11 hours ago
Overview
- Tinexta Infocert
- GoSign Desktop
17 Nov 2025
Published
17 Nov 2025
Updated
CVSS v3.1
LOW (3.2)
EPSS
0.01%
KEV
Description
GoSign Desktop through 2.4.1 disables TLS certificate validation when configured to use a proxy server. This can be problematic if the GoSign Desktop user selects an arbitrary proxy server without consideration of whether outbound HTTPS connections from the proxy server to Internet servers succeed even for untrusted or invalid server certificates. In this scenario (which is outside of the product's design objectives), integrity protection could be bypassed. In typical cases of a proxy server for outbound HTTPS traffic from an enterprise, those connections would not succeed. (Admittedly, the usual expectation is that a client application is configured to trust an enterprise CA and does not set SSL_VERIFY_NONE.) Also, it is of course unsafe to place ~/.gosign in the home directory of an untrusted user and then have other users execute downloaded files.
Statistics
- 1 Post
Last activity: 11 hours ago