Overview
- Microsoft
- Windows Server 2012 R2
14 Apr 2026
Published
16 Apr 2026
Updated
CVSS v3.1
HIGH (8.0)
EPSS
0.36%
KEV
Description
Improper input validation in Windows Active Directory allows an authorized attacker to execute code over an adjacent network.
Statistics
- 1 Post
Last activity: 19 hours ago
Bluesky
Overview
- Digital Knowledge
- KnowledgeDeliver
16 Apr 2026
Published
16 Apr 2026
Updated
CVSS
Pending
EPSS
Pending
KEV
Description
Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks
Statistics
- 1 Post
Last activity: 8 hours ago
Fediverse
π¨ CRITICAL: CVE-2026-5426 in Digital Knowledge KnowledgeDeliver (pre-Feb 2026) allows RCE via hard-coded ASP.NET machineKey & ViewState. No patch yet. Restrict access & monitor for ViewState abuse. https://radar.offseq.com/threat/cve-2026-5426-cwe-321-use-of-hard-coded-cryptograp-c04eb03f #OffSeq #Vuln #AppSec #InfoSec
Overview
- HAProxy
- HAProxy
13 Apr 2026
Published
14 Apr 2026
Updated
CVSS v3.1
MEDIUM (4.0)
EPSS
0.01%
KEV
Description
An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.
Statistics
- 1 Post
Last activity: 11 hours ago
Overview
- @fastify/static
- @fastify/static
16 Apr 2026
Published
16 Apr 2026
Updated
CVSS v3.1
MEDIUM (5.9)
EPSS
Pending
KEV
Description
@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds.
Statistics
- 3 Posts
Last activity: 18 hours ago
Fediverse
π¨ Medium-severity security fix in @fastify/static@9.1.1 just released!
Patches CVE-2026-6414 β route guard bypass via encoded path separators
https://github.com/fastify/fastify-static/security/advisories/GHSA-x428-ghpx-8j92
Overview
- Meta
- react-server-dom-turbopack
08 Apr 2026
Published
08 Apr 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.69%
KEV
Description
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.
Statistics
- 1 Post
Last activity: 16 hours ago
Overview
- essentialplugin
- Accordion and Accordion Slider
17 Apr 2026
Published
17 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
Pending
KEV
Description
The Accordion and Accordion Slider plugin for WordPress is vulnerable to an injected backdoor in version 1.4.6. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin's they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites.
Statistics
- 1 Post
Last activity: Last hour
Fediverse
π¨ CVE-2026-6443 (CRITICAL): WordPress Accordion & Accordion Slider v1.4.6 embeds a backdoor (CWE-506), enabling persistent unauthorized access & spam. No patch β remove or disable plugin now! https://radar.offseq.com/threat/cve-2026-6443-cwe-506-embedded-malicious-code-in-e-b2b69859 #OffSeq #WordPress #Infosec #Vuln
Overview
Description
TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.
Statistics
- 1 Post
Last activity: 13 hours ago
Overview
Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1.
Statistics
- 1 Post
Last activity: 11 hours ago
Fediverse
π° Critical Flaw in Axios Library Puts Countless Web Apps at Risk of RCE
π¨ CRITICAL VULNERABILITY (CVSS 10.0) in Axios JS library! CVE-2026-40175 is an SSRF flaw that can lead to RCE and full cloud compromise. PoC is public. If you use Axios, update to v1.13.2 NOW! π #SupplyChain #RCE #SSRF
Overview
- sooperset
- mcp-atlassian
10 Mar 2026
Published
10 Mar 2026
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
0.05%
KEV
Description
MCP Atlassian is a Model Context Protocol (MCP) server for Atlassian products (Confluence and Jira). Prior to version 0.17.0, the `confluence_download_attachment` MCP tool accepts a `download_path` parameter that is written to without any directory boundary enforcement. An attacker who can call this tool and supply or access a Confluence attachment with malicious content can write arbitrary content to any path the server process has write access to. Because the attacker controls both the write destination and the written content (via an uploaded Confluence attachment), this constitutes for arbitrary code execution (for example, writing a valid cron entry to `/etc/cron.d/` achieves code execution within one scheduler cycle with no server restart required). Version 0.17.0 fixes the issue.
Statistics
- 1 Post
Last activity: 1 hour ago
Overview
- LibRaw
- LibRaw
07 Apr 2026
Published
08 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
0.05%
KEV
Description
A heap-based buffer overflow vulnerability exists in the HuffTable::initval functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
Statistics
- 1 Post
- 1 Interaction
Last activity: 12 hours ago