Overview

  • Pending

01 May 2026
Published
01 May 2026
Updated

CVSS
Pending
EPSS
0.05%

KEV

Description

Unsafe deserialization vulnerability in MixPHP Framework 2.x through 2.2.17. The sync-invoke client (Connection.php:76) calls unserialize() on data received from the server response, enabling client-side RCE if connecting to a malicious server.

Statistics

  • 1 Post

Last activity: 22 hours ago

Bluesky

[Vulnerability information] CVE-2026-42471: on the vulnerability in MixPHP Framework 2.x. An unsafe deserialization vulnerability in MixPHP Framework 2.x (up to version 2.2.17). This vulnerability allows remote code execution (RCE) on the client side when connecting to a malicious server.
  • 0
  • 0
  • 0
  • 22h ago

Overview

  • TBK
  • DVR-4104

13 Apr 2024
Published
01 Aug 2024
Updated

CVSS v3.1
MEDIUM (6.3)
EPSS
76.75%

KEV

Description

A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing of the file /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___. The manipulation of the argument mdb/mdc leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-260573 was assigned to this vulnerability.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 19 hours ago

Bluesky

~Recordedfuture~ 37 high-impact CVEs exploited in April 2026, including 31 in CISA KEV, driving ransomware and Nexcorium botnet attacks. - IOCs: CVE-2024-3721, CVE-2026-33032, Nexcorium - #CVE #Ransomware #ThreatIntel
  • 0
  • 1
  • 0
  • 19h ago

Overview

  • 0xJacky
  • nginx-ui

30 Mar 2026
Published
16 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
18.59%

KEV

Description

Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as "allow all". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover. At time of publication, there are no publicly available patches.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 19 hours ago

Bluesky

~Recordedfuture~ 37 high-impact CVEs exploited in April 2026, including 31 in CISA KEV, driving ransomware and Nexcorium botnet attacks. - IOCs: CVE-2024-3721, CVE-2026-33032, Nexcorium - #CVE #Ransomware #ThreatIntel
  • 0
  • 1
  • 0
  • 19h ago

Overview

  • themefusion
  • Avada (Fusion) Builder

13 May 2026
Published
13 May 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.06%

KEV

Description

The Avada Builder plugin for WordPress is vulnerable to time-based SQL Injection via the 'product_order' parameter in all versions up to, and including, 3.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Note: The vulnerability can only be exploited if WooCommerce was previously used and then deactivated.

Statistics

  • 1 Post

Last activity: 17 hours ago

Bluesky

Avada Builder flaws in versions through 3.15.2 can let authenticated users read arbitrary files or pull sensitive database data, including credentials and password hashes. Fixed in 3.15.3. #AvadaBuilder #CVE20264782 #CVE20264798
  • 0
  • 0
  • 0
  • 17h ago

Overview

  • themefusion
  • Avada (Fusion) Builder

13 May 2026
Published
13 May 2026
Updated

CVSS v3.1
MEDIUM (6.5)
EPSS
0.04%

KEV

Description

The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the 'fusion_get_svg_from_file' function with the 'custom_svg' parameter of the 'fusion_section_separator' shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. The vulnerability was partially patched in version 3.15.2 and fully patched in version 3.15.3.

Statistics

  • 1 Post

Last activity: 17 hours ago

Bluesky

Avada Builder flaws in versions through 3.15.2 can let authenticated users read arbitrary files or pull sensitive database data, including credentials and password hashes. Fixed in 3.15.3. #AvadaBuilder #CVE20264782 #CVE20264798
  • 0
  • 0
  • 0
  • 17h ago

Overview

  • Marvell
  • QConvergeConsole

07 Jul 2025
Published
07 Jul 2025
Updated

CVSS v3.0
CRITICAL (9.4)
EPSS
87.03%

KEV

Description

Marvell QConvergeConsole QLogicDownloadImpl Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability. This vulnerability allows remote attackers to delete arbitrary files and disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the QLogicDownloadImpl class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files and disclose information in the context of SYSTEM. Was ZDI-CAN-24912.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 16 hours ago

Fediverse

The ultimate persistence mechanism is here: Vim plugin persistence! Seriously, who can close Vim anyway?

Catch up on the latest Metasploit Wrap-up, also featuring Unauthenticated Marvell QConvergeConsole Path Traversal (CVE-2025-6793), Authenticated RCE in GestioIP 3.5.7 (CVE-2024-48760), and a classic PHP filter bypass in Dolibarr ERP/CRM (CVE-2023-30253).

As always, check it out on the blog: rapid7.com/blog/post/pt-metasp

  • 0
  • 1
  • 0
  • 16h ago

Overview

  • Pending

29 May 2023
Published
14 Jan 2025
Updated

CVSS
Pending
EPSS
90.43%

KEV

Description

Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 16 hours ago

Fediverse

The ultimate persistence mechanism is here: Vim plugin persistence! Seriously, who can close Vim anyway?

Catch up on the latest Metasploit Wrap-up, also featuring Unauthenticated Marvell QConvergeConsole Path Traversal (CVE-2025-6793), Authenticated RCE in GestioIP 3.5.7 (CVE-2024-48760), and a classic PHP filter bypass in Dolibarr ERP/CRM (CVE-2023-30253).

As always, check it out on the blog: rapid7.com/blog/post/pt-metasp

  • 0
  • 1
  • 0
  • 16h ago

Overview

  • Pending

14 Jan 2025
Published
23 Jan 2025
Updated

CVSS
Pending
EPSS
66.58%

KEV

Description

An issue in GestioIP v3.5.7 allows a remote attacker to execute arbitrary code via the file upload function. The attacker can upload a malicious perlcmd.cgi file that overwrites the original upload.cgi file, enabling remote command execution.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 16 hours ago

Fediverse

The ultimate persistence mechanism is here: Vim plugin persistence! Seriously, who can close Vim anyway?

Catch up on the latest Metasploit Wrap-up, also featuring Unauthenticated Marvell QConvergeConsole Path Traversal (CVE-2025-6793), Authenticated RCE in GestioIP 3.5.7 (CVE-2024-48760), and a classic PHP filter bypass in Dolibarr ERP/CRM (CVE-2023-30253).

As always, check it out on the blog: rapid7.com/blog/post/pt-metasp

  • 0
  • 1
  • 0
  • 16h ago
Showing 51 to 58 of 58 CVEs