Overview
Description
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.
Statistics
- 1 Post
Last activity: 9 hours ago
Overview
- Palo Alto Networks
- Chronosphere Chronocollector
Published: 13 May 2026
Updated: 13 May 2026
CVSS v4.0: MEDIUM (4.9)
EPSS: Pending
KEV
Description
An information disclosure vulnerability in the Chronosphere Chronocollector enables an unauthenticated attacker with network access to the collector service to retrieve sensitive information.
Statistics
- 1 Post
Last activity: 12 hours ago
Overview
- Palo Alto Networks
- GlobalProtect App
Published: 13 May 2026
Updated: 13 May 2026
CVSS v4.0: MEDIUM (4.9)
EPSS: Pending
KEV
Description
Multiple improper certificate validation vulnerabilities in the Palo Alto Networks GlobalProtect™ app enable an attacker to intercept encrypted communications and potentially compromise the endpoint. This can enable a local non-administrative operating system user or an attacker on the same subnet to redirect traffic to an unauthorized server and facilitate the installation of malicious software.
The GlobalProtect app on Linux, Windows and iOS, and the GlobalProtect UWP app, are not affected.
Statistics
- 1 Post
Last activity: 12 hours ago
Overview
- Canon Marketing Japan Inc.
- GUARDIANWALL MailSuite (On-premises version)
Published: 13 May 2026
Updated: 13 May 2026
CVSS v3.0: CRITICAL (9.8)
EPSS: 0.14%
KEV
Description
A stack-based buffer overflow vulnerability exists in GUARDIANWALL MailSuite and GUARDIANWALL Mail Security Cloud (SaaS version). If a remote attacker sends a specially crafted request to the product's web service, arbitrary code may be executed when the product is configured to run pop3wallpasswd with grdnwww user privileges.
Statistics
- 1 Post
Last activity: 22 hours ago
Overview
- Palo Alto Networks
- Prisma Access Agent
Published: 13 May 2026
Updated: 13 May 2026
CVSS v4.0: MEDIUM (5.9)
EPSS: Pending
KEV
Description
Multiple authorization bypass vulnerabilities in the Endpoint DLP component of Prisma Access Agent® allow a local attacker to bypass authentication controls and execute privileged operations.
Statistics
- 1 Post
Last activity: 12 hours ago
Overview
- Infused Addons
- InfusedWoo Pro
Published: 14 May 2026
Updated: 14 May 2026
CVSS v3.1: CRITICAL (9.8)
EPSS: Pending
KEV
Description
The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via missing authorization in all versions up to, and including, 5.1.2. This is due to missing nonce verification and capability checks in the iwar_save_recipe() AJAX handler. This makes it possible for unauthenticated attackers to create a malicious automation recipe that pairs an HTTP post trigger with an auto-login action, allowing any unauthenticated visitor to visit a crafted URL and receive authentication cookies for any targeted user account (e.g., administrator), achieving complete authentication bypass and privilege escalation.
Statistics
- 1 Post
Last activity: Last hour
Fediverse
🚨 CVE-2026-6510: InfusedWoo Pro ≤5.1.2 has a CRITICAL vuln (CVSS 9.8). Missing auth checks in iwar_save_recipe() lets attackers bypass auth & escalate to admin. No patch yet — disable plugin or restrict access now! https://radar.offseq.com/threat/cve-2026-6510-cwe-862-missing-authorization-in-inf-3dc63846 #OffSeq #WordPress #Vuln #CVE20266510
Overview
- Palo Alto Networks
- Cloud NGFW
Published: 13 May 2026
Updated: 13 May 2026
CVSS v4.0: MEDIUM (4.4)
EPSS: Pending
KEV
Description
A stored cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software enables a malicious authenticated administrator to store a JavaScript payload using the web interface.
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW and Prisma® Access are not impacted by this vulnerability.
Statistics
- 1 Post
Last activity: 12 hours ago
Overview
- Palo Alto Networks
- Prisma SD-WAN ION
Published: 13 May 2026
Updated: 13 May 2026
CVSS v4.0: MEDIUM (4.9)
EPSS: Pending
KEV
Description
A denial of service (DoS) vulnerability in Palo Alto Networks Prisma SD-WAN ION devices enables an unauthenticated attacker in a network adjacent to a Prisma SD-WAN ION device to cause a system disruption by sending a specially crafted IPv6 packet.
Statistics
- 1 Post
Last activity: 12 hours ago
Overview
Description
In the Linux kernel, the following vulnerability has been resolved:
xfrm: esp: avoid in-place decrypt on shared skb frags
MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs.
That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.
Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.
This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().
Statistics
- 1 Post
Last activity: 15 hours ago
Overview
- cubecart
- v6
Published: 13 May 2026
Updated: 13 May 2026
CVSS v3.1: CRITICAL (9.1)
EPSS: Pending
KEV
Description
CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, Invoices, Documents, and Contact Forms). The application unsafely evaluates user-supplied input using the Smarty template engine without enabling Smarty Security Policies. This allows any authenticated user with administrative privileges to execute arbitrary operating system commands (RCE) on the server. This vulnerability is fixed in 6.7.0.
Statistics
- 1 Post
Last activity: 6 hours ago