24h | 7d | 30d

Overview

  • lxsmnsyc
  • seroval

22 Jan 2026
Published
22 Jan 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.04%

KEV

Description

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1.

Statistics

  • 1 Post

Last activity: 18 hours ago

Fediverse

Profile picture

🟠 CVE-2026-23956 - High (7.5)

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0
and below, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during ...

πŸ”— thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 18h ago

Overview

  • Solvera Software Services Trade Inc.
  • Teknoera

22 Jan 2026
Published
22 Jan 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
Pending

KEV

Description

Authorization Bypass Through User-Controlled Key vulnerability in Solvera Software Services Trade Inc. Teknoera allows Exploitation of Trusted Identifiers.This issue affects Teknoera: through 01102025.

Statistics

  • 1 Post

Last activity: 7 hours ago

Fediverse

Profile picture

🟠 CVE-2025-10855 - High (7.5)

Authorization Bypass Through User-Controlled Key vulnerability in Solvera Software Services Trade Inc. Teknoera allows Exploitation of Trusted Identifiers.This issue affects Teknoera: through 01102025.

πŸ”— thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 7h ago

Overview

  • Revive
  • Revive Adserver

20 Jan 2026
Published
21 Jan 2026
Updated

CVSS v3.0
HIGH (7.1)
EPSS
0.03%

KEV

Description

HackerOne community member Jad Ghamloush (0xjad) has reported an authorization bypass vulnerability in the `tracker-delete.php` script of Revive Adserver. Users with permissions to delete trackers are mistakenly allowed to delete trackers owned by other accounts.

Statistics

  • 1 Post

Last activity: 1 hour ago

Bluesky

Profile picture
How I Found My First CVE (CVE-2026–21641) https://medium.com/@0xJad/how-i-found-my-first-cve-cve-2026-21641-7f29af74fc84?source=rss------bug_bounty-5
  • 0
  • 0
  • 0
  • 1h ago

Overview

  • vllm-project
  • vllm

21 Jan 2026
Published
22 Jan 2026
Updated

CVSS v3.1
HIGH (8.8)
EPSS
0.05%

KEV

Description

vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. This happens before any request handling and does not require API access. Version 0.14.0 fixes the issue.

Statistics

  • 1 Post

Last activity: 22 hours ago

Fediverse

Profile picture

🟠 CVE-2026-22807 - High (8.8)

vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, all...

πŸ”— thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 22h ago

Overview

  • appsmithorg
  • appsmith

22 Jan 2026
Published
22 Jan 2026
Updated

CVSS v3.1
CRITICAL (9.4)
EPSS
0.14%

KEV

Description

Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. This bypasses the expected publish boundary where public viewers should only execute published actions, not edit-mode versions. An attack can result in sensitive data exposure, execution of edit‑mode queries and APIs, development data access, and the ability to trigger side effect behavior. This issue does not have a released fix at the time of publication.

Statistics

  • 1 Post

Last activity: 16 hours ago

Fediverse

Profile picture

πŸ”΄ CVE-2026-24042 - Critical (9.4)

Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to...

πŸ”— thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 16h ago

Overview

  • lxsmnsyc
  • seroval

22 Jan 2026
Published
22 Jan 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.04%

KEV

Description

Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a `depthLimit` parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached.

Statistics

  • 1 Post

Last activity: 17 hours ago

Fediverse

Profile picture

🟠 CVE-2026-24006 - High (7.5)

Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0
and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Sero...

πŸ”— thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 17h ago

Overview

  • gristlabs
  • grist-core

22 Jan 2026
Published
22 Jan 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
0.05%

KEV

Description

Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox barrier. If a user of Grist sets `GRIST_SANDBOX_FLAVOR` to `pyodide` and opens a malicious document, that document could run arbitrary processes on the server hosting Grist. The problem has been addressed in Grist version 1.7.9 and up, by running pyodide under deno. As a workaround, a user can use the gvisor-based sandbox by setting `GRIST_SANDBOX_FLAVOR` to `gvisor`.

Statistics

  • 1 Post

Last activity: 17 hours ago

Fediverse

Profile picture

πŸ”΄ CVE-2026-24002 - Critical (9)

Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, bu...

πŸ”— thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 17h ago

Overview

  • horilla-opensource
  • horilla

22 Jan 2026
Published
22 Jan 2026
Updated

CVSS v3.1
HIGH (8.1)
EPSS
0.07%

KEV

Description

Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server returns None, and if an attacker omits the otp field from their POST request, the user-supplied OTP is also None, causing the comparison user_otp == otp to pass. This allows an attacker to bypass two-factor authentication entirely without ever providing a valid OTP. If administrative accounts are targeted, it could lead to compromise of sensitive HR data, manipulation of employee records, and further system-wide abuse. This issue has been fixed in version 1.5.0.

Statistics

  • 1 Post

Last activity: 16 hours ago

Fediverse

Profile picture

🟠 CVE-2026-24038 - High (8.1)

Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server returns None, and if an attacker omits the otp fi...

πŸ”— thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 16h ago

Overview

  • laravel
  • reverb

21 Jan 2026
Published
22 Jan 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.57%

KEV

Description

Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node).

Statistics

  • 1 Post

Last activity: 22 hours ago

Fediverse

Profile picture

πŸ”΄ CVE-2026-23524 - Critical (9.8)

Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize() function without restricting which classes can...

πŸ”— thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 22h ago

Overview

  • lxsmnsyc
  • seroval

21 Jan 2026
Published
21 Jan 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.07%

KEV

Description

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding constant value and error deserialization, allowing indirect access to unsafe JS evaluation. At minimum, attackers need the ability to perform 4 separate requests on the same function, and partial knowledge of how the serialized data is used during later runtime processing. This vulnerability affects the fromJSON and fromCrossJSON functions in a client-to-server transmission scenario. This issue has been fixed in version 1.4.0.

Statistics

  • 1 Post

Last activity: 21 hours ago

Fediverse

Profile picture

🟠 CVE-2026-23737 - High (7.5)

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code executi...

πŸ”— thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 21h ago
Showing 31 to 40 of 56 CVEs