
Overview

  • themeisle
  • Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE

30 Apr 2026
Published
01 May 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.08%

KEV

Description

The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all versions up to, and including, 3.1.4. This is due to the 'get_customer_data' method relying on an unsigned 'o_stripe_data' cookie to determine Stripe product ownership for unauthenticated users. The 'check_purchase' method trusts this cookie data without performing server-side verification against the Stripe API for one-time 'payment' mode purchases. This makes it possible for unauthenticated attackers to bypass Stripe purchase-gated content visibility conditions by forging the 'o_stripe_data' cookie with a target product ID, which is publicly exposed in the checkout block's HTML source.

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

[Vulnerability information] CVE-2026-2892: About the vulnerability in Otter Blocks. CVE-2026-2892 is a purchase verification bypass vulnerability in the Otter Blocks plugin for WordPress that affects all versions (including 3.1.4).
  • 4h ago

Overview

  • efwGrp
  • efw4.X

12 May 2026
Published
12 May 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.05%

KEV

Description

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the elfinder_checkRisk function validates target and targets for path traversal and home containment, but does not validate the dst (destination) parameter used by elfinder_paste. An attacker can copy or move files from within the home directory to any arbitrary destination by setting dst to a base64-encoded traversal path. This bypasses the protected=true security control. This vulnerability is fixed in 4.08.010.

Statistics

  • 1 Post

Last activity: 12 hours ago

Fediverse


🚨 CVE-2026-44258: CRITICAL OS command injection in efwGrp efw4.X (<4.08.010). Attackers can copy/move files outside home dir, bypassing controls. Upgrade to 4.08.010+ ASAP! radar.offseq.com/threat/cve-20

  • 12h ago

Overview

  • espressif
  • arduino-esp32

12 May 2026
Published
13 May 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.20%

KEV

Description

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an attacker-controlled HTTP header field (Content-Type: multipart/form-data; boundary=...) without enforcing any length limit. Sending a boundary string longer than ~8000 characters overflows the 8192-byte task stack of the loopTask, causing a crash and potential remote code execution. This vulnerability is fixed in 3.3.8.

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse


🔥 CRITICAL: CVE-2026-42854 in arduino-esp32 (<3.3.8) enables stack buffer overflow via HTTP multipart boundary — can crash device or allow RCE. Patch ASAP by upgrading to 3.3.8! radar.offseq.com/threat/cve-20

  • 15h ago

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post

Last activity: 4 hours ago

Fediverse


📰 WebdriverIO Flaw (CVSS 9.8) Allows CI/CD Takeover via Malicious Git Branches

Critical 9.8 CVSS command injection flaw (CVE-2026-25244) found in WebdriverIO. Malicious git branch names can lead to CI/CD server takeover. If you use @wdio/browserstack-service, update immediately! 🚨 #CyberSecurity #SupplyChain #DevSecOps

🔗 cyber.netsecops.io

  • 4h ago

Overview

  • Apache Software Foundation
  • Apache Doris MCP Server

20 Apr 2026
Published
20 Apr 2026
Updated

CVSS
Pending
EPSS
0.10%

KEV

Description

Apache Doris MCP Server versions earlier than 0.6.1 are affected by an improper neutralization flaw in query context handling that may allow execution of unintended SQL statements and bypass of intended query validation and access restrictions through the MCP query execution interface. Version 0.6.1 and later are not affected.

Statistics

  • 1 Post

Last activity: 22 hours ago

Bluesky

~Akamai~ Flaws in Apache Doris, Pinot, and Alibaba RDS MCP servers allow SQL injection and unauthenticated data exposure. - IOCs: CVE-2025-66335 - #CVE202566335 #SQLi #ThreatIntel
  • 22h ago

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post

Last activity: 3 hours ago

Bluesky

AMD warns of a vulnerability in Zen 2-based processors. AMD reported a discovered vulnerability (CVE-2025-54518; AMD-SB-7052) with a CVSS rating of 7.3 in the operation of the op/micro-op cache of processors based on the Zen 2 microarchitecture, which may lead to incorrect execution of…
  • 3h ago

Overview

  • EPG, Inc.
  • "Kura Sushi Official App" for Android

12 May 2026
Published
12 May 2026
Updated

CVSS v3.0
HIGH (7.4)
EPSS
0.02%

KEV

Description

"Kura Sushi Official App" provided by EPG, Inc. is vulnerable to improper certificate validation. A man-in-the-middle attack may allow eavesdropping on, or altering, the communication on push notifications between the affected application and the relevant server.

Statistics

  • 1 Post

Last activity: 16 hours ago

Bluesky

High-severity vulnerability in the Kura Sushi Official App, CVE-2026-41872: push notifications can be eavesdropped on or tampered with over a malicious wireless LAN. rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #security #securitynews
  • 16h ago

Overview

  • Jenkins Project
  • Jenkins GitHub Plugin

29 Apr 2026
Published
29 Apr 2026
Updated

CVSS
Pending
EPSS
0.04%

KEV

Description

Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling", resulting in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission.

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

[Vulnerability information] CVE-2026-42523: About the vulnerability in Jenkins GitHub Plugin. Jenkins GitHub Plugin 1.46.0 and earlier, as part of the JavaScript implementing validation of the "GitHub hook trigger for GITScm polling" feature,
  • 4h ago

Overview

  • ChurchCRM
  • CRM

12 May 2026
Published
13 May 2026
Updated

CVSS v3.1
CRITICAL (9.6)
EPSS
0.03%

KEV

Description

ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, the fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release therefore remains exploitable by the PoC published with the original advisory. This vulnerability is fixed in 7.3.1.

Statistics

  • 1 Post

Last activity: 18 hours ago

Fediverse


🚨 CVE-2026-44547: CRITICAL improper authentication in ChurchCRM 7.2.0 – 7.3.0 (CVSS 9.6). Low-priv attackers can bypass auth and compromise data. Upgrade to 7.3.1 urgently! radar.offseq.com/threat/cve-20

  • 18h ago

Overview

  • efwGrp
  • efw4.X

12 May 2026
Published
12 May 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.21%

KEV

Description

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and lands anywhere the Tomcat process can write — including the servlet context root. Combined with the framework's multipart /uploadServlet and an event that calls file.saveUploadFiles + FileManager.unZip, a remote attacker with no credentials drops a JSP webshell and executes arbitrary commands as the Tomcat user. This vulnerability is fixed in 4.08.010.

Statistics

  • 1 Post

Last activity: 13 hours ago

Fediverse


🚨 CRITICAL: CVE-2026-44257 in efwGrp efw4.X (<4.08.010) enables remote, unauthenticated command execution via crafted zip uploads and path traversal. Patch to 4.08.010 ASAP. radar.offseq.com/threat/cve-20

  • 13h ago