24h | 7d | 30d

CVE-2026-6235

Overview

  • sendmachine
  • Sendmachine for WordPress
22 Apr 2026
Published
23 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
0.02%
KEV

Description

The Sendmachine for WordPress plugin for WordPress is vulnerable to authorization bypass via the 'manage_admin_requests' function in all versions up to, and including, 1.0.20. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the plugin's SMTP configuration, which can be leveraged to intercept all outbound emails from the site (including password reset emails).

Statistics

  • 1 Post
Last activity: 20 hours ago

Bluesky

Profile picture fallback
ケイ | 副業Webライター📖 @keiwork35.bsky.social
【脆弱性情報】 CVE-2026-6235 Sendmachine for WordPress の脆弱性について WordPress向けの Sendmachine for WordPress plugin には、'manage_admin_requests' 関数に起因する認可バイパスの脆弱性があります。
  • 0
  • 0
  • 0
  • 20h ago

CVE-2026-21637

Overview

  • nodejs
  • node
20 Jan 2026
Published
21 Jan 2026
Updated
CVSS v3.0
MEDIUM (5.9)
EPSS
0.04%
KEV

Description

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.

Statistics

  • 1 Post
Last activity: 10 hours ago

Bluesky

Profile picture fallback
Securitycipher @securitycipher.bsky.social
Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch leading to Remote DoS https://hackerone.com/reports/3556769
  • 0
  • 0
  • 0
  • 10h ago

CVE-2026-5752

Overview

  • Cohere
  • cohere-terrarium
14 Apr 2026
Published
23 Apr 2026
Updated
CVSS
Pending
EPSS
0.02%
KEV

Description

Sandbox Escape Vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal.

Statistics

  • 1 Post
Last activity: 14 hours ago

Fediverse

Profile picture fallback
AI Sight @aisight

Projekt Terrarium, który miał uruchamiać kod generowany przez modele AI w bezpiecznej piaskownicy, okazał się śmiertelną pułapką. Luka CVE-2026-5752 pozwala napastnikom na przejęcie pełnej kontroli nad systemem, a najgorsze jest to, że projekt nie jest już rozwijany.

#si #ai #sztucznainteligencja #wiadomości #informacje #technologia

aisight.pl/cyberbezpieczenstwo

  • 0
  • 0
  • 0
  • 14h ago

CVE-2026-25775

Overview

  • SenseLive
  • X3050
24 Apr 2026
Published
24 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
Pending
KEV

Description

A vulnerability in SenseLive X3050’s remote management service allows firmware retrieval and update operations to be performed without authentication or authorization. The service accepts firmware-related requests from any reachable host and does not verify user privileges, integrity of uploaded images, or the authenticity of provided firmware.

Statistics

  • 1 Post
Last activity: 7 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

🔍 CVE-2026-25775: SenseLive X3050 (V1.523) critical vuln — remote firmware updates possible without auth! Patch unavailable. Restrict access & monitor for unauthorized firmware actions. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 7h ago

CVE-2026-24061

Overview

  • GNU
  • Inetutils
21 Jan 2026
Published
25 Mar 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
87.01%
KEV

Description

telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.

Statistics

  • 1 Post
  • 3 Interactions
Last activity: 12 hours ago

Fediverse

Profile picture fallback
GreyNoise @greynoise

GreyNoise At The Edge — April 13–20, 2026. Four themes dominated activity on the GreyNoise sensor network this week — spanning reconnaissance, exploitation attempts, credential brute-forcing, and botnet recruitment.

1. A broad credential and configuration discovery campaign ran at ~6.2M sessions across hundreds of IPs — ENV files, .git/config, AWS metadata, path traversal, sensitive file access. The biggest real story, distributed rather than concentrated.

2. VNC scanning surged to the third-most-targeted port on the internet — port 5900 at 17.4M sessions. Not in prior briefs.

3. A new multi-cloud Masscan framework activated this week. Shared JA3 across a new Poland IP and an existing DigitalOcean Singapore cluster.

4. VPSVAULT IoT worm weaponized CVE-2025-54322 (Xspeeder SXZOS, CVSS 10.0). CVE-2026-24061 (GNU telnetd, CVSS 9.8, CISA KEV) also in payload.

Full Report: greynoise.io/resources/at-the-

  • 2
  • 1
  • 0
  • 12h ago

CVE-2025-54322

Overview

  • Xspeeder
  • SXZOS
27 Dec 2025
Published
29 Dec 2025
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
0.26%
KEV

Description

Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.

Statistics

  • 1 Post
  • 3 Interactions
Last activity: 12 hours ago

Fediverse

Profile picture fallback
GreyNoise @greynoise

GreyNoise At The Edge — April 13–20, 2026. Four themes dominated activity on the GreyNoise sensor network this week — spanning reconnaissance, exploitation attempts, credential brute-forcing, and botnet recruitment.

1. A broad credential and configuration discovery campaign ran at ~6.2M sessions across hundreds of IPs — ENV files, .git/config, AWS metadata, path traversal, sensitive file access. The biggest real story, distributed rather than concentrated.

2. VNC scanning surged to the third-most-targeted port on the internet — port 5900 at 17.4M sessions. Not in prior briefs.

3. A new multi-cloud Masscan framework activated this week. Shared JA3 across a new Poland IP and an existing DigitalOcean Singapore cluster.

4. VPSVAULT IoT worm weaponized CVE-2025-54322 (Xspeeder SXZOS, CVSS 10.0). CVE-2026-24061 (GNU telnetd, CVSS 9.8, CISA KEV) also in payload.

Full Report: greynoise.io/resources/at-the-

  • 2
  • 1
  • 0
  • 12h ago

CVE-2024-21887

Overview

  • Ivanti
  • ICS
12 Jan 2024
Published
21 Oct 2025
Updated
CVSS v3.0
CRITICAL (9.1)
EPSS
94.41%
KEV

Description

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Statistics

  • 1 Post
Last activity: 7 hours ago

Fediverse

Profile picture fallback
Michael I Ransier @thecybermind

CVE-2023-46805 is actively exploited in Ivanti Connect Secure and Policy Secure gateways. When chained with CVE-2024-21887, attackers gain unauthenticated RCE and full VPN appliance compromise, posing critical enterprise perimeter risk.

Read the full threat brief:
thecybermind.co/i1n8

thecybermind.co/2026/04/23/iva

  • 0
  • 0
  • 0
  • 7h ago

CVE-2026-29145

Overview

  • Apache Software Foundation
  • Apache Tomcat
09 Apr 2026
Published
10 Apr 2026
Updated
CVSS
Pending
EPSS
0.12%
KEV

Description

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.

Statistics

  • 1 Post
Last activity: 5 hours ago

Bluesky

Profile picture fallback
OpsMatters @opsmatters.com
The latest update for #CyCognito includes "Emerging Threat: (CVE-2026-40372) ASP.NET Core Privilege Escalation via Signature Bypass" and "Emerging Threat: (CVE-2026-29145) Apache Tomcat Authentication Bypass". #cybersecurity #AttackSurfaceManagement #EASM https://opsmtrs.com/44Srq0X
  • 0
  • 0
  • 0
  • 5h ago

CVE-2023-46805

Overview

  • Ivanti
  • ICS
12 Jan 2024
Published
21 Oct 2025
Updated
CVSS v3.0
HIGH (8.2)
EPSS
94.41%
KEV

Description

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

Statistics

  • 1 Post
Last activity: 7 hours ago

Fediverse

Profile picture fallback
Michael I Ransier @thecybermind

CVE-2023-46805 is actively exploited in Ivanti Connect Secure and Policy Secure gateways. When chained with CVE-2024-21887, attackers gain unauthenticated RCE and full VPN appliance compromise, posing critical enterprise perimeter risk.

Read the full threat brief:
thecybermind.co/i1n8

thecybermind.co/2026/04/23/iva

  • 0
  • 0
  • 0
  • 7h ago

CVE-2026-41167

Overview

  • CyferShepard
  • Jellystat
22 Apr 2026
Published
23 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
0.08%
KEV

Description

Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via `POST /api/getUserDetails` and `POST /api/getLibrary`, enabling full read of any table in the database - including `app_config`, which stores the Jellystat admin credentials, the Jellyfin API key, and the Jellyfin host URL. Because the vulnerable call site dispatches via `node-postgres`'s simple query protocol (no parameter array is passed), stacked queries are allowed, which escalates the injection from data disclosure to arbitrary command execution on the PostgreSQL host via `COPY ... TO PROGRAM`. Under the role shipped by the project's `docker-compose.yml` (a PostgreSQL superuser), no additional privileges are required to reach the RCE primitive. Version 1.1.10 contains a fix.

Statistics

  • 1 Post
Last activity: 17 hours ago

Fediverse

Profile picture fallback
Can Artuc @canartuc

Five critical self-hosted flaws landed April 20-22. Marimo pre-auth remote takeover (CVE-2026-39987, CVSS 9.3), exploited in 10 hours. Apache Airflow XCom. Spinnaker Echo. Jellystat SQL injection to takeover (CVE-2026-41167, 9.1). OpenVPN 2.7.2 fixed two. Three trace to injection. Across 14 compliant platforms I have architected, the audit finding is patch cadence, not availability. A 10-hour window makes quarterly cadence a breach timeline.

#CyberSecurity #SelfHosted #OpenSource #InfoSec

  • 0
  • 0
  • 0
  • 17h ago
Showing 31 to 40 of 40 CVEs