Overview
- gpriday
- Page Builder by SiteOrigin
Published: 03 Mar 2026
Updated: 03 Mar 2026
CVSS v3.1: HIGH (8.8)
EPSS: 0.10%
KEV
Description
The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.5 via the locate_template() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Fediverse
🚨 CVE-2026-2448: HIGH severity path traversal in Page Builder by SiteOrigin (all versions). Contributor+ authentication enables LFI, risking server takeover. No patch yet — restrict permissions, monitor activity, and use a WAF. https://radar.offseq.com/threat/cve-2026-2448-cwe-22-improper-limitation-of-a-path-365740f6 #OffSeq #WordPress #Vuln
Overview
- Erlang
- OTP
- erlang/otp
Published: 20 Feb 2026
Updated: 21 Feb 2026
CVSS v4.0: LOW (2.3)
EPSS: 0.02%
KEV
Description
A Relative Path Traversal and Improper Isolation or Compartmentalization vulnerability in Erlang/OTP (the erlang/otp, inets and tftp components, tftp_file modules) allows relative path traversal. This vulnerability is associated with the program files lib/tftp/src/tftp_file.erl and src/tftp_file.erl.
This issue affects otp: from 17.0, from 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0; otp: from 1.0.
Overview
- Budibase
- budibase
Published: 25 Feb 2026
Updated: 25 Feb 2026
CVSS v3.1: CRITICAL (9.9)
EPSS: 0.07%
KEV
Description
Budibase is a low-code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. This vulnerability ONLY affects Budibase Cloud (SaaS); self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in `packages/server/src/db/inMemoryView.ts`, where user-controlled view map functions are directly evaluated without sanitization. The primary impact comes from what lives inside the pod's environment: the `app-service` pod runs with secrets baked into its environment variables, including `INTERNAL_API_KEY`, `JWT_SECRET`, CouchDB admin credentials, AWS keys, and more. Using the extracted CouchDB credentials, we verified direct database access, enumerated all tenant databases, and confirmed that user records (email addresses) are readable. Version 3.30.4 contains a patch.
Overview
- Xerox
- FreeFlow Core
Published: 27 Feb 2026
Updated: 28 Feb 2026
CVSS v3.1: CRITICAL (9.8)
EPSS: 0.06%
KEV
Description
Improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability in Xerox FreeFlow Core allows unauthorized path traversal leading to RCE.
This issue affects Xerox FreeFlow Core versions up to and including 8.0.7.
Please consider upgrading to FreeFlow Core version 8.1.0 via the software available at https://www.support.xerox.com/en-us/product/core/downloads
Overview
Description
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
Overview
- Mobility46
- mobility46.se
Published: 27 Feb 2026
Updated: 03 Mar 2026
CVSS v3.1: CRITICAL (9.4)
EPSS: 0.11%
KEV
Description
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Overview
- Microsoft
- Windows 10 Version 21H2
Published: 13 Jan 2026
Updated: 26 Feb 2026
CVSS v3.1: HIGH (7.8)
EPSS: 0.02%
KEV
Description
Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally.
Overview
- EV Energy
- ev.energy
Published: 27 Feb 2026
Updated: 03 Mar 2026
CVSS v3.1: HIGH (7.3)
EPSS: 0.04%
KEV
Description
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
Overview
- Mobility46
- mobility46.se
Published: 27 Feb 2026
Updated: 03 Mar 2026
CVSS v3.1: HIGH (7.3)
EPSS: 0.04%
KEV
Description
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
Overview
- SolarWinds
- Web Help Desk
Published: 28 Jan 2026
Updated: 27 Feb 2026
CVSS v3.1: CRITICAL (9.8)
EPSS: 9.92%
KEV
Description
SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.
Bluesky
📢 SolarWinds Web Help Desk: pre-auth RCE chain via deserialization and double bypasses (CVE-2025-40552/40553/4055…📝 …
https://cyberveille.ch/posts/2026-03-02-solarwinds-web-help-desk-chaine-rce-pre-auth-par-deserialisation-et-doubles-contournements-cve-2025-40552-40553-40554/ #IOC #Cyberveil…