Overview
Description
This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.
Statistics
- 2 Posts
- 2 Interactions
Last activity: 11 hours ago
Fediverse
🔐 CVE-2026-45064: HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing
➡️ https://symfony.com/blog/cve-2026-45064-htmlsanitizer-url-attributes-pass-through-bidi-override-characters-visual-href-spoofing
Overview
Description
This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.
Statistics
- 2 Posts
- 2 Interactions
Last activity: 11 hours ago
Fediverse
🔐 CVE-2026-45075: HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]
➡️ https://symfony.com/blog/cve-2026-45075-head-request-bypasses-methods-get-filter-in-isgranted-issignaturevalid-iscsrftokenvalid
Overview
Description
This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.
Statistics
- 1 Post
- 1 Interaction
Last activity: 4 hours ago
Fediverse
Harald Eilertsen wrote the following post Wed, 20 May 2026 19:56:18 +0200 @!Hubzilla Support Forum @!Hubzilla Community Forum
Harald Eilertsen wrote the following post Wed, 20 May 2026 19:52:37 +0200 Hubzilla version 11.2.1 contains an important fix for a security issue that would in some cases allow a malicious actor to alter an activity (such as a Like or Announce/Repeat, etc.) without affecting the cryptographic signature of the activity. This could cause potential unauthenticated activities to be injected into the system.
Only activities coming from other fediverse software relying on LD-Signatures are affected. Hubzilla defaults to using the more robust Data Integrity Proofs where available, such as between Hubzilla instances. In addition, the way Hubzilla normalizes the incoming messages before validating the signature mitigated most of the attack vectors, while some would still affect us.
In version 11.2.1 further mitigations have been implemented, so that we will reject activities containing any of the potentially dangerous keywords before even trying to validate the signature.
Thanks to the Mastodon security team for reporting this issue, and helping us understand how the attack works. See also their announcement about the issue.
- CVE: CVE-2026-46349
- Severity: 5.3 (Medium)
- Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
- Vulnerable component: PubCrawl (ActivityPub addon)
- Vulnerable version: Up to and including 11.2
- Fixed in: 11.2.1
Overview
Description
Certain 5400 RPM hard drives, for laptops and other PCs in approximately 2005 and later, allow physically proximate attackers to cause a denial of service (device malfunction and system crash) via a resonant-frequency attack with the audio signal from the Rhythm Nation music video. A reported product is Seagate STDT4000100 763649053447.
Statistics
- 1 Post
- 3 Interactions
Last activity: 17 hours ago
Fediverse
@anomalocarididae disproportionately many fedizens have read some version of https://nvd.nist.gov/vuln/detail/CVE-2022-38392 .
What I want to know is how loud do you have to play it?
Overview
- Cisco
- Cisco Secure Workload
- Published: 20 May 2026
- Updated: 20 May 2026
- CVSS v3.1: CRITICAL (10.0)
- EPSS: Pending
- KEV
Description
A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload could allow an unauthenticated, remote attacker to access site resources with the privileges of the Site Admin role.
This vulnerability is due to insufficient validation and authentication when accessing REST API endpoints. An attacker could exploit this vulnerability if they are able to send a crafted API request to an affected endpoint. A successful exploit could allow the attacker to read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user.
Statistics
- 1 Post
- 2 Interactions
Last activity: 4 hours ago
Overview
Description
This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.
Statistics
- 2 Posts
- 1 Interaction
Last activity: 11 hours ago
Overview
Description
This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.
Statistics
- 2 Posts
- 1 Interaction
Last activity: 12 hours ago
Overview
Description
This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.
Statistics
- 2 Posts
- 1 Interaction
Last activity: 11 hours ago
Overview
Description
Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that fails to use the current template source to bypass sandbox restrictions and execute arbitrary code when the sandbox is enabled through a source policy rather than globally.
Statistics
- 2 Posts
- 1 Interaction
Last activity: 12 hours ago
Overview
Description
This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.
Statistics
- 2 Posts
- 1 Interaction
Last activity: 12 hours ago