24h | 7d | 30d

Overview

  • Palo Alto Networks
  • PAN-OS

12 Apr 2024
Published
21 Oct 2025
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
94.30%

Description

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

Statistics

  • 1 Post

Last activity: 13 hours ago

Bluesky

Profile picture fallback
Zero-Day in the Wild: Inside the PAN-OS GlobalProtect Critical Command Injection (CVE-2024-3400) Introduction: In April 2024, the cybersecurity community was rocked by the disclosure of CVE-2024-3400, a critical command injection vulnerability residing in the GlobalProtect feature of Palo Alto…
  • 0
  • 0
  • 0
  • 13h ago

Overview

  • Nsasoft
  • Nsauditor SpotAuditor

20 Feb 2026
Published
24 Feb 2026
Updated

CVSS v4.0
MEDIUM (6.7)
EPSS
0.10%

KEV

Description

SpotAuditor 5.3.1.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting excessive data in the registration name field. Attackers can enter a large string of characters (5000 bytes or more) in the name field during registration to trigger an unhandled exception that crashes the application.

Statistics

  • 1 Post

Last activity: 16 hours ago

Bluesky

Profile picture fallback
📌 CVE-2019-25434 - SpotAuditor 5.3.1.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting excessive ... https://www.cyberhub.blog/cves/CVE-2019-25434
  • 0
  • 0
  • 0
  • 16h ago

Overview

  • MaxSite
  • CMS

01 Mar 2026
Published
02 Mar 2026
Updated

CVSS v4.0
MEDIUM (6.9)
EPSS
0.04%

KEV

Description

A flaw has been found in MaxSite CMS up to 109.1. This impacts the function eval of the file application/maxsite/admin/plugins/editor_markitup/preview-ajax.php of the component MarkItUp Preview AJAX Endpoint. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. The exploit has been published and may be used. Upgrading to version 109.2 will fix this issue. This patch is called 08937a3c5d672a242d68f53e9fccf8a748820ef3. You should upgrade the affected component. The code maintainer was informed beforehand about the issues. He reacted very fast and highly professional.

Statistics

  • 1 Post

Last activity: 14 hours ago

Bluesky

Profile picture fallback
📌 CVE-2026-3395 - A flaw has been found in MaxSite CMS up to 109.1. This impacts the function eval of the file application/maxsite/admin/plugins/editor_markitup/preview... https://www.cyberhub.blog/cves/CVE-2026-3395
  • 0
  • 0
  • 0
  • 14h ago

Overview

  • Cisco
  • Cisco Catalyst SD-WAN Manager

25 Feb 2026
Published
26 Feb 2026
Updated

CVSS v3.1
HIGH (8.8)
EPSS
0.04%

KEV

Description

A vulnerability in Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker with low privileges to gain root privileges on the underlying operating system. This vulnerability is due to an insufficient user authentication mechanism in the REST API. An attacker could exploit this vulnerability by sending a request to the REST API of the affected system. A successful exploit could allow the attacker to gain root privileges on the underlying operating system.

Statistics

  • 1 Post

Last activity: 12 hours ago

Bluesky

Profile picture fallback
📌 CVE-2026-20126 - A vulnerability in Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker with low privileges to gain root privileges on the under... https://www.cyberhub.blog/cves/CVE-2026-20126
  • 0
  • 0
  • 0
  • 12h ago

Overview

  • angular
  • angular

26 Feb 2026
Published
26 Feb 2026
Updated

CVSS v4.0
HIGH (7.6)
EPSS
0.04%

KEV

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Versions prior to 21.2.0, 21.1.16, 20.3.17, and 19.2.19 have a cross-Site scripting vulnerability in the Angular internationalization (i18n) pipeline. In ICU messages (International Components for Unicode), HTML from translated content was not properly sanitized and could execute arbitrary JavaScript. Angular i18n typically involves three steps, extracting all messages from an application in the source language, sending the messages to be translated, and then merging their translations back into the final source code. Translations are frequently handled by contracts with specific partner companies, and involve sending the source messages to a separate contractor before receiving final translations for display to the end user. If the returned translations have malicious content, it could be rendered into the application and execute arbitrary JavaScript. When successfully exploited, this vulnerability allows for execution of attacker controlled JavaScript in the application origin. Depending on the nature of the application being exploited this could lead to credential exfiltration and/or page vandalism. Several preconditions apply to the attack. The attacker must compromise the translation file (xliff, xtb, etc.). Unlike most XSS vulnerabilities, this issue is not exploitable by arbitrary users. An attacker must first compromise an application's translation file before they can escalate privileges into the Angular application client. The victim application must use Angular i18n, use one or more ICU messages, render an ICU message, and not defend against XSS via a safe content security policy. Versions 21.2.0, 21.1.6, 20.3.17, and 19.2.19 patch the issue. Until the patch is applied, developers should consider reviewing and verifying translated content received from untrusted third parties before incorporating it in an Angular application, enabling strict CSP controls to block unauthorized JavaScript from executing on the page, and enabling Trusted Types to enforce proper HTML sanitization.

Statistics

  • 1 Post

Last activity: 16 hours ago

Bluesky

Profile picture fallback
Angularのi18n機能にXSSが可能になる危険な脆弱性(CVE-2026-27970) rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #セキュリティ #Security #CybersecurityNews
  • 0
  • 0
  • 0
  • 16h ago

Overview

  • Pending

03 Mar 2026
Published
03 Mar 2026
Updated

CVSS v3.1
HIGH (7.2)
EPSS
0.02%

KEV

Description

An authenticated arbitrary file upload vulnerability in Cohesity TranZman Migration Appliance Release 4.0 Build 14614 allows attackers with Administrator privileges to execute arbitrary code via uploading a crafted patch file.

Statistics

  • 1 Post

Last activity: 13 hours ago

Bluesky

Profile picture fallback
📌 CVE-2025-63910 - An authenticated arbitrary file upload vulnerability in Cohesity TranZman Migration Appliance Release 4.0 Build 14614 allows attackers with Administra... https://www.cyberhub.blog/cves/CVE-2025-63910
  • 0
  • 0
  • 0
  • 13h ago

Overview

  • Qualcomm, Inc.
  • Snapdragon

02 Mar 2026
Published
03 Mar 2026
Updated

CVSS v3.1
HIGH (7.8)
EPSS
0.01%

KEV

Description

Memory Corruption when processing invalid user address with nonstandard buffer address.

Statistics

  • 1 Post

Last activity: 8 hours ago

Bluesky

Profile picture fallback
📌 CVE-2025-59603 - Memory Corruption when processing invalid user address with nonstandard buffer address. https://www.cyberhub.blog/cves/CVE-2025-59603
  • 0
  • 0
  • 0
  • 8h ago

Overview

  • openemr
  • openemr

03 Mar 2026
Published
04 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.6)
EPSS
0.04%

KEV

Description

OpenEMR is a free and open source electronic health records and medical practice management application. From 5.0.2 to before 8.0.0, there are (at least) two paths where the gateway_api_key secret value is rendered to the client in plaintext. These secret keys being leaked could result in arbitrary money movement or broad account takeover of payment gateway APIs. This vulnerability is fixed in 8.0.0.

Statistics

  • 1 Post

Last activity: 18 hours ago

Bluesky

Profile picture fallback
📌 CVE-2026-25146 - OpenEMR is a free and open source electronic health records and medical practice management application. From 5.0.2 to before 8.0.0, there are (at lea... https://www.cyberhub.blog/cves/CVE-2026-25146
  • 0
  • 0
  • 0
  • 18h ago

Overview

  • Cloudflare
  • https://github.com/cloudflare/pingora

04 Mar 2026
Published
04 Mar 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.05%

KEV

Description

An HTTP request smuggling vulnerability (CWE-444) was found in Pingora's handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the backend has accepted the upgrade. An attacker can thus directly forward a malicious payload after a request with an Upgrade header to that backend in a way that may be interpreted as a subsequent request header, bypassing proxy-level security controls and enabling cross-user session hijacking. Impact This vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to: * Bypass proxy-level ACL controls and WAF logic * Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests * Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP Cloudflare's CDN infrastructure was not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode. Mitigation: Pingora users should upgrade to Pingora v0.8.0 or higher As a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse.

Statistics

  • 1 Post

Last activity: 16 hours ago

Fediverse

Profile picture fallback

⚠️ CRITICAL: CVE-2026-2833 in Cloudflare Pingora enables HTTP request smuggling — attackers can bypass proxy ACLs/WAFs, poison caches, and hijack sessions. Upgrade to v0.8.0+ or filter Upgrade headers. More info: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 16h ago

Overview

  • valkey-io
  • valkey

23 Feb 2026
Published
25 Feb 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.02%

KEV

Description

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.

Statistics

  • 1 Post

Last activity: 6 hours ago

Bluesky

Profile picture fallback
The new Valkey 8.0.7 update for #Fedora 42 fixes two really nasty security holes. One (CVE-2026-21863) lets an attacker crash your entire cluster just by sending a bad packet to the cluster bus. Read more: 👉 tinyurl.com/3rzy9uu8 #Security
  • 0
  • 0
  • 0
  • 6h ago
Showing 31 to 40 of 73 CVEs