24h | 7d | 30d

CVE-2026-33555

Overview

  • HAProxy
  • HAProxy
13 Apr 2026
Published
14 Apr 2026
Updated
CVSS v3.1
MEDIUM (4.0)
EPSS
0.01%
KEV

Description

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.

Statistics

  • 1 Post
Last activity: 3 hours ago

Bluesky

Profile picture fallback
/r/netsec @r-netsec-bot.bsky.social
HAProxy HTTP/3 -> HTTP/1 Desync: Cross-Protocol Smuggling via a Standalone QUIC FIN (CVE-2026-33555)
  • 0
  • 0
  • 0
  • 3h ago

CVE-2026-3596

Overview

  • imprintnext
  • Riaxe Product Customizer
16 Apr 2026
Published
16 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
0.04%
KEV

Description

The Riaxe Product Customizer plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.2. The plugin registers an unauthenticated AJAX action ('wp_ajax_nopriv_install-imprint') that maps to the ink_pd_add_option() function. This function reads 'option' and 'opt_value' from $_POST, then calls delete_option() followed by add_option() using these attacker-controlled values without any nonce verification, capability checks, or option name allowlist. This makes it possible for unauthenticated attackers to update arbitrary WordPress options, which can be leveraged for privilege escalation by enabling user registration and setting the default user role to administrator.

Statistics

  • 1 Post
Last activity: 18 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

🚨 CVE-2026-3596 (CRITICAL): imprintnext Riaxe Product Customizer ≀2.1.2 lets unauthenticated users update WordPress options, enabling privilege escalation (admin creation). Disable or update plugin ASAP! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 18h ago

CVE-2026-6414

Overview

  • @fastify/static
  • @fastify/static
16 Apr 2026
Published
16 Apr 2026
Updated
CVSS v3.1
MEDIUM (5.9)
EPSS
Pending
KEV

Description

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds.

Statistics

  • 3 Posts
Last activity: 10 hours ago

Fediverse

Profile picture fallback
Ulises Gascon @ulisesgascon

🚨 Medium-severity security fix in @fastify/static@9.1.1 just released!

Patches CVE-2026-6414 β€” route guard bypass via encoded path separators

github.com/fastify/fastify-sta

  • 0
  • 0
  • 2
  • 10h ago

CVE-2026-39808

Overview

  • Fortinet
  • FortiSandbox
14 Apr 2026
Published
15 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
0.29%
KEV

Description

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow attacker to execute unauthorized code or commands via <insert attack vector here>

Statistics

  • 2 Posts
Last activity: 3 hours ago

Fediverse

Profile picture fallback
CyberNetsecIO @netsecio

πŸ“° Fortinet Patches Critical Authentication Bypass and RCE Flaws in FortiSandbox

Fortinet patches two critical (CVSS 9.1) flaws in FortiSandbox. 🚨 CVE-2026-39813 (auth bypass) & CVE-2026-39808 (RCE) can be exploited by an unauthenticated attacker. Patch immediately! #Fortinet #Vulnerability #CyberSecurity

πŸ”— cyber.netsecops.io/articles/fo

  • 0
  • 0
  • 0
  • 3h ago

Bluesky

Profile picture fallback
Help Net Security @helpnetsecurity.com
Fortinet fixes critical FortiSandbox vulnerabilities (CVE-2026-39813, CVE-2026-39808) πŸ“– Read more: www.helpnetsecurity.com/2026/04/16/f... #cybersecurity #cybersecuritynews #sandbox #securityupdate #vulnerability
  • 0
  • 0
  • 0
  • 10h ago

CVE-2023-33538

Overview

  • Pending
07 Jun 2023
Published
20 Dec 2025
Updated
CVSS
Pending
EPSS
91.47%
KEV

Description

TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 was discovered to contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm .

Statistics

  • 1 Post
Last activity: 1 hour ago

Bluesky

Profile picture fallback
Cyber Threat Feeds @montxt.bsky.social
A Deep Dive Into Attempted Exploitation of CVE-2023-33538 https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/
  • 0
  • 0
  • 0
  • 1h ago

CVE-2026-23869

Overview

  • Meta
  • react-server-dom-turbopack
08 Apr 2026
Published
08 Apr 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.69%
KEV

Description

A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.

Statistics

  • 1 Post
Last activity: 8 hours ago

Bluesky

Profile picture fallback
OpsMatters @handle.invalid
The latest update for #CyCognito includes "Emerging Threat: (CVE-2026-23869) React Server Components Denial of Service" and "Mythos, MOAK, CTEM and the End of CVE Chasing". #cybersecurity #AttackSurfaceManagement #EASM https://opsmtrs.com/44Srq0X
  • 0
  • 0
  • 0
  • 8h ago

CVE-2026-3502

Overview

  • TrueConf
  • TrueConf Client
30 Mar 2026
Published
03 Apr 2026
Updated
CVSS v3.1
HIGH (7.8)
EPSS
1.48%
KEV

Description

TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.

Statistics

  • 1 Post
Last activity: 5 hours ago

Bluesky

Profile picture fallback
CySecurity News @cysecuritynews.bsky.social
Zero-Day Flaw in TrueConf Servers Exploited to Deliver Malicious Updates Across Networks #CheckPointresearch #CVE20263502 #cybersecuritythreat
  • 0
  • 0
  • 0
  • 5h ago

CVE-2026-40175

Overview

  • axios
  • axios
10 Apr 2026
Published
16 Apr 2026
Updated
CVSS v3.1
MEDIUM (4.8)
EPSS
0.53%
KEV

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1.

Statistics

  • 1 Post
Last activity: 3 hours ago

Fediverse

Profile picture fallback
CyberNetsecIO @netsecio

πŸ“° Critical Flaw in Axios Library Puts Countless Web Apps at Risk of RCE

🚨 CRITICAL VULNERABILITY (CVSS 10.0) in Axios JS library! CVE-2026-40175 is an SSRF flaw that can lead to RCE and full cloud compromise. PoC is public. If you use Axios, update to v1.13.2 NOW! 🌐 #SupplyChain #RCE #SSRF

πŸ”— cyber.netsecops.io/articles/cr

  • 0
  • 0
  • 0
  • 3h ago

CVE-2026-6348

Overview

  • Simopro Technology
  • WinMatrix
16 Apr 2026
Published
16 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
0.01%
KEV

Description

WinMatrix agent developed by Simopro Technology has a Missing Authentication vulnerability, allowing authenticated local attackers to execute arbitrary code with SYSTEM privileges on the local machine as well as on all hosts within the environment where the agent is installed.

Statistics

  • 1 Post
Last activity: 16 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

πŸ”΄ CRITICAL: CVE-2026-6348 in Simopro WinMatrix 3.5.13 lets local authenticated users execute code as SYSTEM. No patch yet β€” restrict access & monitor usage. Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 16h ago

CVE-2025-49760

Overview

  • Microsoft
  • Windows 10 Version 1507
08 Jul 2025
Published
13 Feb 2026
Updated
CVSS v3.1
LOW (3.5)
EPSS
0.44%
KEV

Description

External control of file name or path in Windows Storage allows an authorized attacker to perform spoofing over a network.

Statistics

  • 1 Post
Last activity: 18 hours ago

Bluesky

Profile picture fallback
Undercode Testing @undercode.bsky.social
CVE-2025-49760 & CVE-2025-49716: Windows RPC Poisoning and Netlogon Hardening – The Active Directory Takeover Threat +Β Video Introduction: Remote Procedure Call (RPC) is the backbone of inter-process communication in Windows environments, widely used for everything from file sharing to…
  • 0
  • 0
  • 0
  • 18h ago
Showing 31 to 40 of 47 CVEs