24h | 7d | 30d

Overview

  • immutable-js
  • immutable-js

06 Mar 2026
Published
06 Mar 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.06%

KEV

Description

Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.

Statistics

  • 2 Posts

Last activity: 18 hours ago

Bluesky

Profile picture fallback
PH70510:WebSphere Liberty is affected by a prototype pollution vulnerability due to immutable (CVE-2026-29063 CVSS 8.7) https://tinyurl.com/27tvd2v2
  • 0
  • 0
  • 0
  • 19h ago
Profile picture fallback
IBM WebSphere Application Server Liberty is affected by a prototype pollution vulnerability due to immutable (CVE-2026-29063) https://tinyurl.com/25lyxhlz
  • 0
  • 0
  • 0
  • 18h ago

Overview

  • acowebs
  • Woocommerce Custom Product Addons Pro

23 Mar 2026
Published
24 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.14%

KEV

Description

The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/process/price.php. This is due to insufficient sanitization and validation of user-submitted field values before passing them to PHP's eval() function. The sanitize_values() method strips HTML tags but does not escape single quotes or prevent PHP code injection. This makes it possible for unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with custom pricing formula (pricingType: "custom" with {this.value}).

Statistics

  • 1 Post

Last activity: 23 hours ago

Bluesky

Profile picture fallback
CVE-2026-4001 (CRITICAL 9.8) WooCommerce Custom Product Addons Pro allows unauthenticated RCE via eval() misuse. ๐Ÿ”Ž Full analysis: basefortify.eu/cve_reports/... #CVE #CyberSecurity #WordPress #RCE
  • 0
  • 0
  • 0
  • 23h ago

Overview

  • Sophos
  • Sophos Firewall

25 Mar 2022
Published
21 Oct 2025
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
94.44%

Description

An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.

Statistics

  • 1 Post
  • 3 Interactions

Last activity: 15 hours ago

Fediverse

Profile picture fallback

200,886,675 sessions. 101 unique source IPs. March 16โ€“23, 2026.

GreyNoise At The Edge intelligence brief highlights:

1. The MEVSPACE RDP brute-force operator returned after a 99.8% infrastructure collapse โ€” single IP generated 7,975,241 sessions before deliberately withdrawing after 4 days. GreyNoise has tracked a surge-withdraw-reconstitute cycle since January 2026, reinforcing that well-resourced operators can reconstitute capacity within days.

2. Two coordinated campaigns emerged: VPSVAULT.HOST (IoT worm weaponizing 21+ CVEs against 12+ manufacturers) and Omegatech (TLS fingerprint randomization with 5,854 unique JA3s per node).

3. Sophos CVE-2022-1040 exploitation stabilized at 638,654 sessions in its fifth consecutive week. Enterprise VPN credential pressure reached week 9 across five vendors with 2.9M+ combined sessions.

4. n8n CVE-2026-21858 (CVSS 10.0) reached 118,086 sessions with links to MuddyWater and ZeroBot. ICS/SCADA reconnaissance expanded with new HMI and PLC vulnerabilities trending.

๐Ÿ”— greynoise.io/resources/at-the-

  • 1
  • 2
  • 0
  • 15h ago

Overview

  • n8n-io
  • n8n

07 Jan 2026
Published
12 Jan 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
7.42%

KEV

Description

n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0.

Statistics

  • 1 Post
  • 3 Interactions

Last activity: 15 hours ago

Fediverse

Profile picture fallback

200,886,675 sessions. 101 unique source IPs. March 16โ€“23, 2026.

GreyNoise At The Edge intelligence brief highlights:

1. The MEVSPACE RDP brute-force operator returned after a 99.8% infrastructure collapse โ€” single IP generated 7,975,241 sessions before deliberately withdrawing after 4 days. GreyNoise has tracked a surge-withdraw-reconstitute cycle since January 2026, reinforcing that well-resourced operators can reconstitute capacity within days.

2. Two coordinated campaigns emerged: VPSVAULT.HOST (IoT worm weaponizing 21+ CVEs against 12+ manufacturers) and Omegatech (TLS fingerprint randomization with 5,854 unique JA3s per node).

3. Sophos CVE-2022-1040 exploitation stabilized at 638,654 sessions in its fifth consecutive week. Enterprise VPN credential pressure reached week 9 across five vendors with 2.9M+ combined sessions.

4. n8n CVE-2026-21858 (CVSS 10.0) reached 118,086 sessions with links to MuddyWater and ZeroBot. ICS/SCADA reconnaissance expanded with new HMI and PLC vulnerabilities trending.

๐Ÿ”— greynoise.io/resources/at-the-

  • 1
  • 2
  • 0
  • 15h ago

Overview

  • Apple
  • Safari

29 Jul 2025
Published
23 Mar 2026
Updated

CVSS
Pending
EPSS
0.27%

Description

The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, watchOS 11.6, visionOS 2.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6. Processing maliciously crafted web content may lead to memory corruption.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 12 hours ago

Fediverse

Profile picture fallback

@gknauss I think the thing is to move to 18.7.3, which is patched.

For devices running versions of iOS prior to 18.6, DarkSword uses CVE-2025-31277, a JIT optimization/type confusion bug which was patched by Apple in iOS 18.6. For devices running iOS 18.6-18.7, DarkSword uses CVE-2025-43529, a garbage collection bug in the Data Flow Graph (DFG) JIT layer of JavaScriptCore which was patched by Apple in iOS 18.7.3 and 26.2 after it was reported by GTIG. Both exploits develop their own fakeobj/addrof primitives, and then build arbitrary read/write primitives the same way on top of them.

I'm unaware of a compelling reason or hardware limitation to not upgrade from 18.6 to 18.7

cloud.google.com/blog/topics/t

  • 0
  • 1
  • 0
  • 12h ago

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 9 hours ago

Fediverse

Profile picture fallback

We're released Netty 4.2.11 and 4.1.132. These contain many bug fixes, and fixes for two CVEs both rated *high*:

- CVE-2026-33871: HTTP/2 CONTINUATION frame flood Denial of Service.
- CVE-2026-33870: HTTP/1.1 Request Smuggling vulnerability in chunked encoding parsing.

Release notes for 4.2.11: netty.io/news/2026/03/24/4-2-1
Release notes for 4.1.132: netty.io/news/2026/03/24/4-1-1

Also of note: We had 17 people contribute to Netty 4.2.11, of which 5 are new first time contributors ๐Ÿ˜ฒ

#netty #java

  • 0
  • 1
  • 0
  • 9h ago

Overview

  • Apple
  • iOS and iPadOS

17 Dec 2025
Published
26 Feb 2026
Updated

CVSS
Pending
EPSS
0.20%

Description

A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 26.2, Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 12 hours ago

Fediverse

Profile picture fallback

@gknauss I think the thing is to move to 18.7.3, which is patched.

For devices running versions of iOS prior to 18.6, DarkSword uses CVE-2025-31277, a JIT optimization/type confusion bug which was patched by Apple in iOS 18.6. For devices running iOS 18.6-18.7, DarkSword uses CVE-2025-43529, a garbage collection bug in the Data Flow Graph (DFG) JIT layer of JavaScriptCore which was patched by Apple in iOS 18.7.3 and 26.2 after it was reported by GTIG. Both exploits develop their own fakeobj/addrof primitives, and then build arbitrary read/write primitives the same way on top of them.

I'm unaware of a compelling reason or hardware limitation to not upgrade from 18.6 to 18.7

cloud.google.com/blog/topics/t

  • 0
  • 1
  • 0
  • 12h ago

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 9 hours ago

Fediverse

Profile picture fallback

We're released Netty 4.2.11 and 4.1.132. These contain many bug fixes, and fixes for two CVEs both rated *high*:

- CVE-2026-33871: HTTP/2 CONTINUATION frame flood Denial of Service.
- CVE-2026-33870: HTTP/1.1 Request Smuggling vulnerability in chunked encoding parsing.

Release notes for 4.2.11: netty.io/news/2026/03/24/4-2-1
Release notes for 4.1.132: netty.io/news/2026/03/24/4-1-1

Also of note: We had 17 people contribute to Netty 4.2.11, of which 5 are new first time contributors ๐Ÿ˜ฒ

#netty #java

  • 0
  • 1
  • 0
  • 9h ago

Overview

  • nltk
  • nltk

20 Mar 2026
Published
23 Mar 2026
Updated

CVSS v3.1
HIGH (8.1)
EPSS
0.04%

KEV

Description

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the `subdir` and `id` attributes when processing remote XML index files. Attackers can control a remote XML index server to provide malicious values containing path traversal sequences (such as `../`), which can lead to arbitrary directory creation, arbitrary file creation, and arbitrary file overwrite. Commit 89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a patches the issue.

Statistics

  • 1 Post

Last activity: 18 hours ago

Bluesky

Profile picture fallback
python3Packages.nltk: patch CVE-2025-33231 and CVE-2026-33236 https://github.com/NixOS/nixpkgs/pull/502569 https://tracker.security.nixos.org/issues/NIXPKGS-2026-0688 https://tracker.security.nixos.org/issues/NIXPKGS-2026-0708 #security
  • 0
  • 0
  • 0
  • 18h ago

Overview

  • NVIDIA
  • CUDA Toolkit

20 Jan 2026
Published
26 Feb 2026
Updated

CVSS v3.1
MEDIUM (6.7)
EPSS
0.02%

KEV

Description

NVIDIA Nsight Systems for Windows contains a vulnerability in the applicationโ€™s DLL loading mechanism where an attacker could cause an uncontrolled search path element by exploiting insecure DLL search paths. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service and information disclosure.

Statistics

  • 1 Post

Last activity: 18 hours ago

Bluesky

Profile picture fallback
python3Packages.nltk: patch CVE-2025-33231 and CVE-2026-33236 https://github.com/NixOS/nixpkgs/pull/502569 https://tracker.security.nixos.org/issues/NIXPKGS-2026-0688 https://tracker.security.nixos.org/issues/NIXPKGS-2026-0708 #security
  • 0
  • 0
  • 0
  • 18h ago
Showing 31 to 40 of 50 CVEs