Overview

  • ultimatemember
  • Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

27 Mar 2026
Published
27 Mar 2026
Updated

CVSS v3.1
HIGH (8.0)
EPSS
0.03%

KEV

Description

The Ultimate Member plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.2. This is due to the '{usermeta:password_reset_link}' template tag being processed within post content via the '[um_loggedin]' shortcode, which generates a valid password reset token for the currently logged-in user viewing the page. This makes it possible for authenticated attackers, with Contributor-level access and above, to craft a malicious pending post that, when previewed by an Administrator, generates a password reset token for the Administrator and exfiltrates it to an attacker-controlled server, leading to full account takeover.

Statistics

  • 1 Post

Last activity: 13 hours ago

Fediverse

🔥 HIGH severity: CVE-2026-4248 in Ultimate Member plugin (≤2.11.2) lets Contributor users trigger admin password resets via malicious post preview — risking full site takeover. Restrict access & monitor now! radar.offseq.com/threat/cve-20


Overview

  • Wavlink
  • WL-WN579X3-C

28 Mar 2026
Published
28 Mar 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
Pending

KEV

Description

A vulnerability was determined in Wavlink WL-WN579X3-C 231124. This impacts the function sub_4019FC of the file /cgi-bin/firewall.cgi of the component UPNP Handler. Executing a manipulation of the argument UpnpEnabled can lead to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Statistics

  • 1 Post

Last activity: Last hour

Fediverse

🚨 HIGH severity buffer overflow in Wavlink WL-WN579X3-C (231124): Remote attackers can exploit UPnP Handler to run code. No patch from vendor. Disable UPnP & block remote access immediately. CVE-2026-5004 radar.offseq.com/threat/cve-20


Overview

  • wpchill
  • Kali Forms — Contact Form & Drag-and-Drop Builder

20 Mar 2026
Published
23 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.29%

KEV

Description

The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.

Statistics

  • 1 Post

Last activity: 7 hours ago

Fediverse


Overview

  • Canonical
  • lxd
  • lxd

12 Mar 2026
Published
13 Mar 2026
Updated

CVSS v4.0
CRITICAL (9.4)
EPSS
0.13%

KEV

Description

An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the snap versions 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0 stable). The channel 4.0/stable is not affected as it contains version 4.0.10.

Statistics

  • 1 Post

Last activity: 19 hours ago

Bluesky

CVE-2026-28384 - Authenticated RCE via unsanitized compression_algorithm scq.ms/47wBAGX

Overview

  • Tenda
  • i12

12 Mar 2026
Published
12 Mar 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.05%

KEV

Description

A security vulnerability has been detected in Tenda i12 1.0.0.6(2204). The impacted element is the function formwrlSSIDget of the file /goform/wifiSSIDget. Such manipulation of the argument index leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.

Statistics

  • 1 Post

Last activity: 15 hours ago

Bluesky

CVE-2026-4043 - Tenda i12 wifiSSIDget formwrlSSIDget stack-based overflow scq.ms/4b81djL

Overview

  • Linux
  • Linux

18 Mar 2026
Published
25 Mar 2026
Updated

CVSS
Pending
EPSS
0.03%

KEV

Description

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix unprivileged local user can do privileged policy management An unprivileged local user can load, replace, and remove profiles by opening the apparmorfs interfaces, via a confused deputy attack, by passing the opened fd to a privileged process, and getting the privileged process to write to the interface. This does require a privileged target that can be manipulated to do the write for the unprivileged process, but once such access is achieved full policy management is possible and all the possible implications that implies: removing confinement, DoS of system or target applications by denying all execution, by-passing the unprivileged user namespace restriction, to exploiting kernel bugs for a local privilege escalation. The policy management interface can not have its permissions simply changed from 0666 to 0600 because non-root processes need to be able to load policy to different policy namespaces. Instead ensure the task writing the interface has privileges that are a subset of the task that opened the interface. This is already done via policy for confined processes, but unconfined can delegate access to the opened fd, by-passing the usual policy check.

Statistics

  • 1 Post

Last activity: 18 hours ago

Bluesky

Compute Engine update on March 27, 2026 https://docs.cloud.google.com/compute/docs/release-notes#March_27_2026 #googlecloud A vulnerability (CVE-2026-23268) about CrackArmor was discovered and has been addressed. For more information, see the GCP-2026-015 security bulletin.

Overview

  • gematik
  • app-Authenticator

27 Mar 2026
Published
27 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.3)
EPSS
0.05%

KEV

Description

Gematik Authenticator securely authenticates users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, potentially allowing attackers to authenticate with the identities of victim users who click on a malicious deep link. Update Gematik Authenticator to version 4.16.0 or greater to receive a patch. There are no known workarounds.

Statistics

  • 1 Post

Last activity: 22 hours ago

Fediverse

🚨 CVE-2026-33875 (CRITICAL, CVSS 9.3): gematik app-Authenticator <4.16.0 is vulnerable to authentication hijack via malicious deep links. No workarounds — update to 4.16.0+ urgently! radar.offseq.com/threat/cve-20


Overview

  • Oracle Corporation
  • Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in

20 Jan 2026
Published
02 Feb 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
0.02%

KEV

Description

Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

Statistics

  • 1 Post

Last activity: 10 hours ago

Bluesky

Honey for Hackers: A Study of Attacks Targeting the Recent CVE-2026-21962 and Other Critical WebLogic Vulnerabilities on a High Interactive Oracle Honeypot

Overview

  • WWBN
  • AVideo

27 Mar 2026
Published
27 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
0.04%

KEV

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Live_schedule::keyExists()` method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from `LiveTransmition::keyExists()` when the initial parameterized lookup returns no results. Although the calling function correctly uses parameterized queries for its own lookup, the fallback path to `Live_schedule::keyExists()` undoes this protection entirely. This vulnerability is distinct from GHSA-pvw4-p2jm-chjm, which covers SQL injection via the `live_schedule_id` parameter in the reminder function. This finding targets the stream key lookup path used during RTMP publish authentication. As of time of publication, no patched versions are available.

Statistics

  • 1 Post

Last activity: 17 hours ago

Fediverse

🚨 CRITICAL: CVE-2026-34374 in WWBN AVideo ≤26.0 allows unauthenticated SQL injection via stream key lookup during RTMP authentication. No patch out yet. Restrict access, use WAFs, & monitor logs. Details: radar.offseq.com/threat/cve-20
