Overview
Description
A vulnerability was detected in D-Link DWR-M960 1.01.07. This affects the function sub_462E14 of the file /boafrm/formSysLog of the component System Log Configuration Endpoint. Performing a manipulation of the argument submit-url results in stack-based buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used.
Statistics
- 1 Post
Last activity: 16 hours ago
Overview
- Moxa
- UC-1200A Series
05 Feb 2026
Published
05 Feb 2026
Updated
CVSS v4.0
HIGH (7.0)
EPSS
0.01%
KEV
Description
A physical attack vulnerability exists in certain Moxa industrial computers using TPM-backed LUKS full-disk encryption on Moxa Industrial Linux 3, where the discrete TPM is connected to the CPU via an SPI bus. Exploitation requires invasive physical access, including opening the device and attaching external equipment to the SPI bus to capture TPM communications. If successful, the captured data may allow offline decryption of eMMC contents. This attack cannot be performed through brief or opportunistic physical access and requires extended physical access, possession of the device, appropriate equipment, and sufficient time for signal capture and analysis. Remote exploitation is not possible.
Statistics
- 1 Post
Last activity: 13 hours ago
Overview
Description
A vulnerability was found in D-Link DWR-M960 1.01.07. Affected by this vulnerability is the function sub_424AFC of the file /boafrm/formFilter of the component Filter Configuration Endpoint. The manipulation of the argument submit-url results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been made public and could be used.
Statistics
- 1 Post
Last activity: 17 hours ago
Overview
- QuantumNous
- new-api
24 Feb 2026
Published
24 Feb 2026
Updated
CVSS v4.0
HIGH (7.1)
EPSS
0.04%
KEV
Description
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.10, a SQL LIKE wildcard injection vulnerability in the `/api/token/search` endpoint allows authenticated users to cause denial of service through resource exhaustion by crafting malicious search patterns. The token search endpoint accepts user-supplied `keyword` and `token` parameters that are directly concatenated into SQL LIKE clauses without escaping wildcard characters (`%`, `_`). This allows attackers to inject patterns that trigger expensive database queries. Version 0.10.8-alpha.10 contains a patch.
Statistics
- 1 Post
Last activity: 12 hours ago
Fediverse
🚨 CVE-2026-25591 (HIGH): QuantumNous new-api <0.10.8-alpha.10 vulnerable to SQL LIKE wildcard injection in /api/token/search. Auth users can cause DoS via crafted search patterns. Patch ASAP! https://radar.offseq.com/threat/cve-2026-25591-cwe-943-improper-neutralization-of--2ce4358a #OffSeq #Infosec #SQLInjection #Vulnerability
Overview
Description
Nagios Host esensors_websensor_configwizard_func Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability.
The specific flaw exists within the esensors_websensor_configwizard_func method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28249.
Statistics
- 1 Post
Last activity: 7 hours ago
Overview
Description
Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allow a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE is unique from CVE-2018-0797 and CVE-2018-0812.
Statistics
- 1 Post
Last activity: 13 hours ago
Overview
Description
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option. The vulnerability has been fixed in jsPDF@4.2.0. As a workaround, sanitize user input before passing it to the vulnerable API members.
Statistics
- 1 Post
Last activity: 16 hours ago
Overview
- NixOS
- nixpkgs
02 Feb 2026
Published
04 Feb 2026
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
0.04%
KEV
Description
The NixOs Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoos file store. Unauthorized access is evident from http requests. If kept, searching access logs and/or Odoos log for requests to /web/database can give indicators, if this has been actively exploited. The database manager is a featured intended for development and not meant to be publicly reachable. On other setups, a master password acts as 2nd line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and thus unable to persist the auto-generated password. This also applies when manually setting a master password in the web-UI. This means, the password is lost when restarting Odoo. When no password is set, the user is prompted to set one directly via the database manager. This requires no authentication or action by any authorized user or the system administrator. Thus, the database is effectively world readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05.
Statistics
- 1 Post
Last activity: 22 hours ago
Bluesky
Overview
Description
A weakness has been identified in Tenda A21 1.0.0.0. This affects the function fromSetIpMacBind of the file /goform/SetIpMacBind. This manipulation of the argument list causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.
Statistics
- 1 Post
Last activity: 18 hours ago
Overview
Description
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Statistics
- 2 Posts
Last activity: 7 hours ago
Bluesky
CISAが2つの既知の脆弱性をカタログに追加
CISA Adds Two Known Exploited Vulnerabilities to Catalog #CISA (Feb 20)
CVE-2025-49113 RoundCube Webメールにおける信頼できないデータのデシリアライゼーションの脆弱性
CVE-2025-68461 RoundCube Webメールのクロスサイトスクリプティング脆弱性
www.cisa.gov/news-events/...