24h | 7d | 30d

Overview

  • Microsoft
  • Microsoft SharePoint Enterprise Server 2016

14 Apr 2026
Published
27 Apr 2026
Updated

CVSS v3.1
MEDIUM (6.5)
EPSS
7.94%

Description

Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.

Statistics

  • 3 Posts

Last activity: 4 hours ago

Bluesky

Profile picture fallback
⚠️ #SharePoint CVE-2026-32201 #Alerta: Guía de mitigación para bloquear el exploit sin romper tu flujo de trabajo | #Ciberseguridad www.newstecnicas.info.ve/2026/04/shar...
  • 0
  • 0
  • 2
  • 4h ago

Overview

  • Totolink
  • A8000RU

28 Apr 2026
Published
28 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.89%

KEV

Description

A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setUrlFilterRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument enable results in os command injection. The attack can be launched remotely. The exploit has been made public and could be used.

Statistics

  • 1 Post

Last activity: 14 hours ago

Fediverse

Profile picture fallback

🚨 CRITICAL: Totolink A8000RU (7.1cu.643_b20200521) suffers from OS command injection (CVE-2026-7203). Remote, unauthenticated attackers can fully compromise affected routers. No patch confirmed — disable remote mgmt & isolate. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 14h ago

Overview

  • Totolink
  • A8000RU

27 Apr 2026
Published
28 Apr 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.89%

KEV

Description

A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setLoginPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument admpass leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.

Statistics

  • 1 Post

Last activity: 17 hours ago

Fediverse

Profile picture fallback

💥 CVE-2026-7155: CRITICAL OS command injection in Totolink A8000RU (7.1cu.643_b20200521). Exploitable remotely, no auth needed. Disable remote mgmt & restrict access until patch. Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 17h ago

Overview

  • rustfs
  • rustfs

07 Jan 2026
Published
07 Jan 2026
Updated

CVSS v4.0
HIGH (8.8)
EPSS
0.04%

KEV

Description

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.78, RustFS contains a path traversal vulnerability in the /rustfs/rpc/read_file_stream endpoint. This issue has been patched in version 1.0.0-alpha.79.

Statistics

  • 1 Post

Last activity: 1 hour ago

Fediverse

Profile picture fallback

@addison Great points on maintainability, security, and sustainability! Here are my thoughts on this.

First, the security issues. These can come in two variants: an LLM introduces a bug into a library where no bug existed before, or an LLM faithfully translates buggy behavior from the original to the reimplemented library. IMO, the latter case is hard to fault the translator for and an argument can be made that, for “load bearing bugs”, the correct action here isn’t so clear. My gut feeling is that the right thing to do in this case is to fix the bug into the original and update/regenerate the translation.

The former case is by no means unique to LLMs. For example, (human-executed) rust reimplementations of archiving utilities have introduced Zip Slip vulnerabilities such as CVE-2025-29787 or CVE-2025-68705. We tend to hold coding agents to a significantly higher standard than humans here (which I think they eventually _will_ reach anyways), but I think the question of who introduces more bugs in reimplementations is far from a foregone conclusion already.

This brings us to maintainability. Again, there are two issues here: first, that no one knows the generated code and second, the question of updating it. I think that, regardless of our feelings about the matter, slopped code is here to stay. It’s already accounting for significant chunks of open source code out there (newsletter.semianalysis.com/p/), and as these agents continue to improve astronomically, this number will increase. We have, unfortunately, left the era of aggregations of developers knowing all of their code (although it can also be argued that this was never true in the first place, given maintainer drift and so on).

The fact that this code is truly “write only” in that no human reads it at all takes this a bit further for sure. I’m not sure what the eventual implications of this are (such as dpc.pw/posts/i-dont-want-your-), and it personally makes me sad, but I do think that code is somewhere on the path to becoming mostly an intermediate representation between specification and compilation. People used to write assembly, then in earlier days of compilers, they would sometimes hand-optimize compiler-produced assembly, but even this gradually stopped as compilers improved (e.g., the latest reference to this practice I can find is 2006 cs.fsu.edu/~whalley/papers/tec). We still learn assembly and the compilation process in Computer Organization in undergrad, and it’s important for some disciplines of Computer Science, but it’s definitely a somewhat niche topic. Source code seems to be on a similar trajectory.

Upgradeability is very related to this. IMO, upgrading this “write only” reimplementation with new features beyond what’s in the upstream library is a bad idea. Development should continue on the original library that the original developers are familiar with. Then the translation could be fully regenerated on demand. This process exists already, but is obviously wasteful. I don’t personally see big issues with translating diffs instead, but it certainly could be that I’m missing something. After all, this whole thing is experimental!

Finally, sustainability is a tricky one. There are a lot of pieces to this: fair use of training data, energy, brainrot, economic shockwaves, etc. That’s all hard to pick apart. But dispatching agents can be the right _technical_ solution to many tasks, and I personally don’t feel that properly using them is antithetical to the research process (for example, it can lead to MUCH better implemented and more reliable experiment harnesses).

Thanks again for taking the time to write your thoughts down; looking forward to more discussion!

  • 0
  • 0
  • 0
  • 1h ago

Overview

  • zip-rs
  • zip2

17 Mar 2025
Published
19 Mar 2025
Updated

CVSS v4.0
HIGH (7.3)
EPSS
0.33%

KEV

Description

`zip` is a zip library for rust which supports reading and writing of simple ZIP files. In the archive extraction routine of affected versions of the `zip` crate starting with version 1.3.0 and prior to version 2.3.0, symbolic links earlier in the archive are allowed to be used for later files in the archive without validation of the final canonicalized path, allowing maliciously crafted archives to overwrite arbitrary files in the file system when extracted. Users who extract untrusted archive files using the following high-level API method may be affected and critical files on the system may be overwritten with arbitrary file permissions, which can potentially lead to code execution. Version 2.3.0 fixes the issue.

Statistics

  • 1 Post

Last activity: 1 hour ago

Fediverse

Profile picture fallback

@addison Great points on maintainability, security, and sustainability! Here are my thoughts on this.

First, the security issues. These can come in two variants: an LLM introduces a bug into a library where no bug existed before, or an LLM faithfully translates buggy behavior from the original to the reimplemented library. IMO, the latter case is hard to fault the translator for and an argument can be made that, for “load bearing bugs”, the correct action here isn’t so clear. My gut feeling is that the right thing to do in this case is to fix the bug into the original and update/regenerate the translation.

The former case is by no means unique to LLMs. For example, (human-executed) rust reimplementations of archiving utilities have introduced Zip Slip vulnerabilities such as CVE-2025-29787 or CVE-2025-68705. We tend to hold coding agents to a significantly higher standard than humans here (which I think they eventually _will_ reach anyways), but I think the question of who introduces more bugs in reimplementations is far from a foregone conclusion already.

This brings us to maintainability. Again, there are two issues here: first, that no one knows the generated code and second, the question of updating it. I think that, regardless of our feelings about the matter, slopped code is here to stay. It’s already accounting for significant chunks of open source code out there (newsletter.semianalysis.com/p/), and as these agents continue to improve astronomically, this number will increase. We have, unfortunately, left the era of aggregations of developers knowing all of their code (although it can also be argued that this was never true in the first place, given maintainer drift and so on).

The fact that this code is truly “write only” in that no human reads it at all takes this a bit further for sure. I’m not sure what the eventual implications of this are (such as dpc.pw/posts/i-dont-want-your-), and it personally makes me sad, but I do think that code is somewhere on the path to becoming mostly an intermediate representation between specification and compilation. People used to write assembly, then in earlier days of compilers, they would sometimes hand-optimize compiler-produced assembly, but even this gradually stopped as compilers improved (e.g., the latest reference to this practice I can find is 2006 cs.fsu.edu/~whalley/papers/tec). We still learn assembly and the compilation process in Computer Organization in undergrad, and it’s important for some disciplines of Computer Science, but it’s definitely a somewhat niche topic. Source code seems to be on a similar trajectory.

Upgradeability is very related to this. IMO, upgrading this “write only” reimplementation with new features beyond what’s in the upstream library is a bad idea. Development should continue on the original library that the original developers are familiar with. Then the translation could be fully regenerated on demand. This process exists already, but is obviously wasteful. I don’t personally see big issues with translating diffs instead, but it certainly could be that I’m missing something. After all, this whole thing is experimental!

Finally, sustainability is a tricky one. There are a lot of pieces to this: fair use of training data, energy, brainrot, economic shockwaves, etc. That’s all hard to pick apart. But dispatching agents can be the right _technical_ solution to many tasks, and I personally don’t feel that properly using them is antithetical to the research process (for example, it can lead to MUCH better implemented and more reliable experiment harnesses).

Thanks again for taking the time to write your thoughts down; looking forward to more discussion!

  • 0
  • 0
  • 0
  • 1h ago

Overview

  • Cisco
  • Cisco Secure Firewall Adaptive Security Appliance (ASA) Software

25 Sep 2025
Published
26 Feb 2026
Updated

CVSS v3.1
MEDIUM (6.5)
EPSS
57.00%

Description

Update: On November 5, 2025, Cisco became aware of a new attack variant against devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases that are affected by CVE-2025-20333 and CVE-2025-20362. This attack can cause unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions. Cisco strongly recommends that all customers upgrade to the fixed software releases that are listed in the Fixed Software ["#fs"] section of this advisory. A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted URL endpoints that are related to remote access VPN that should otherwise be inaccessible without authentication. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on a device. A successful exploit could allow the attacker to access a restricted URL without authentication.

Statistics

  • 1 Post

Last activity: 1 hour ago

Fediverse

Profile picture fallback

📰 CISA Discovers 'FIRESTARTER' Backdoor on Federal Cisco Firewall; Malware Survives Patches

🔥 CISA finds new 'FIRESTARTER' backdoor on a federal agency's Cisco firewall. The malware survives patches and firmware updates, allowing persistent access. Exploited CVE-2025-20333 & CVE-2025-20362. #CyberSecurity #CISA #Backdoor #Cisco

🔗 cyber.netsecops.io

  • 0
  • 0
  • 0
  • 1h ago

Overview

  • netty
  • netty

27 Mar 2026
Published
31 Mar 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.02%

KEV

Description

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

Statistics

  • 1 Post

Last activity: 22 hours ago

Bluesky

Profile picture fallback
This addresses the following vulnerabilities: CVE-2026-33871 CVE-2026-33870 N/A Security fixes for apigee-open-telemetry-collector
  • 0
  • 0
  • 0
  • 22h ago

Overview

  • Cisco
  • Cisco Secure Firewall Adaptive Security Appliance (ASA) Software

25 Sep 2025
Published
26 Feb 2026
Updated

CVSS v3.1
CRITICAL (9.9)
EPSS
24.78%

Description

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker with valid VPN user credentials could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of the affected device.

Statistics

  • 1 Post

Last activity: 1 hour ago

Fediverse

Profile picture fallback

📰 CISA Discovers 'FIRESTARTER' Backdoor on Federal Cisco Firewall; Malware Survives Patches

🔥 CISA finds new 'FIRESTARTER' backdoor on a federal agency's Cisco firewall. The malware survives patches and firmware updates, allowing persistent access. Exploited CVE-2025-20333 & CVE-2025-20362. #CyberSecurity #CISA #Backdoor #Cisco

🔗 cyber.netsecops.io

  • 0
  • 0
  • 0
  • 1h ago

Overview

  • netty
  • netty

27 Mar 2026
Published
31 Mar 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.03%

KEV

Description

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

Statistics

  • 1 Post

Last activity: 22 hours ago

Bluesky

Profile picture fallback
This addresses the following vulnerabilities: CVE-2026-33871 CVE-2026-33870 N/A Security fixes for apigee-open-telemetry-collector
  • 0
  • 0
  • 0
  • 22h ago

Overview

  • Pending

22 Dec 2022
Published
04 Nov 2025
Updated

CVSS
Pending
EPSS
0.51%

KEV

Description

Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.

Statistics

  • 1 Post

Last activity: 22 hours ago

Bluesky

Profile picture fallback
This addresses the following vulnerabilities: CVE-2022-40897 CVE-2023-2976 CVE-2025-47273 451224723, 451224123 Security fixes for apigee-fluent-bit
  • 0
  • 0
  • 0
  • 22h ago
Showing 31 to 40 of 134 CVEs