
Overview

  • Google
  • Chrome

14 May 2026
Published
15 May 2026
Updated

CVSS
Pending
EPSS
0.07%

KEV

Description

Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Statistics

  • 1 Post

Last activity: 12 hours ago

Fediverse

⚠️ CRITICAL vuln: CVE-2026-8511 in Google Chrome (pre-148.0.7778.168) — use-after-free in UI may enable remote sandbox escape via crafted HTML. Patch status unclear. Update ASAP once confirmed! radar.offseq.com/threat/cve-20

Overview

  • Go standard library
  • net
  • net

07 May 2026
Published
08 May 2026
Updated

CVSS
Pending
EPSS
0.02%

KEV

Description

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

Statistics

  • 1 Post

Last activity: 3 hours ago

Bluesky

🔍 Lambda Watchdog detected that CVE-2026-33811 is no longer present in latest AWS Lambda base image scans. https://github.com/aws/aws-lambda-base-images/issues/496 #AWS #Lambda #Security #CVE #DevOps #SecOps

Overview

  • Palo Alto Networks
  • Cloud NGFW

13 May 2026
Published
14 May 2026
Updated

CVSS v4.0
HIGH (7.2)
EPSS
0.07%

KEV

Description

A buffer overflow vulnerability in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS® Software allows an unauthenticated attacker with network access to cause a denial of service (DoS) condition (all PAN-OS platforms except Cloud NGFW and Prisma Access) or potentially execute arbitrary code by sending specially crafted network traffic (PA-Series hardware only). Panorama, Cloud NGFW, and Prisma® Access are not impacted by this vulnerability.

Statistics

  • 1 Post

Last activity: 16 hours ago

Bluesky

Palo Alto vulnerability information: "CVE-2026-0264 PAN-OS: Heap-Based Buffer Overflow in DNS Proxy and DNS Server Allows Unauthenticated Remote Code Execution (Severity: HIGH)" has been published. → https://security.paloaltonetworks.com/CVE-2026-0264

Overview

  • Pending

01 May 2026
Published
01 May 2026
Updated

CVSS
Pending
EPSS
0.05%

KEV

Description

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke client (Connection.php:76) calls unserialize() on data received from the server response, enabling client-side RCE if connecting to a malicious server.

Statistics

  • 1 Post

Last activity: 2 hours ago

Bluesky

[Vulnerability Information] CVE-2026-42471: vulnerability in MixPHP Framework 2.x. An unsafe deserialization vulnerability in MixPHP Framework 2.x (up to version 2.2.17). It enables remote code execution (RCE) on the client side when connecting to a malicious server.

Overview

  • Linux
  • Linux

08 May 2026
Published
14 May 2026
Updated

CVSS v3.1
HIGH (8.8)
EPSS
0.01%

KEV

Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: esp: avoid in-place decrypt on shared skb frags

MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.

Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.

This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 8 hours ago

Fediverse

CVE-2026-42945 + CVE-2026-43284 = full compromise, hope you guys are patching ;)

#infosec #cybersecurity

Overview

  • openDCIM
  • openDCIM

27 Feb 2026
Published
11 May 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
44.25%

KEV

Description

openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this functionality regardless of assigned privileges. In deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be accessible without credentials. This allows unauthorized modification of application configuration.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 21 hours ago

Fediverse

❗Earlier today, VulnCheck Canaries detected first-time exploitation of CVE-2026-28515 and CVE-2026-28517 in openDCIM, an open-source code base used for data center infrastructure management.

🐚 The cluster of attacker activity we're observing so far originates from a single Chinese IP and uses what appears to be a customized implementation of AI vuln discovery tool Vulnhuntr to automatically check for vulnerable installations before dropping a PHP webshell.

🌐 The VulnCheck team's ASM queries for these vulnerabilities find fewer than 50 systems online, many of which belong to higher education institutions globally. Both CVEs were discovered by new VulnCheck research team member @chocapikk_.

Moar KEVs: vulncheck.com/kev

Overview

  • openDCIM
  • openDCIM

27 Feb 2026
Published
12 May 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
31.37%

KEV

Description

openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitization. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process.
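
The two openDCIM descriptions above describe a configuration write (the installer scripts expose configuration changes without role checks) and a command execution that consumes it (report_network_map.php passes fac_Config.dot to exec()), and the VulnCheck post reports both being exploited together before a PHP webshell is dropped. The following is an added example, not openDCIM code and not VulnCheck's tooling: a Python hunt over web-server access logs in combined format that flags served requests to install.php or container-install.php, a report_network_map.php request from the same client shortly afterwards, and a later POST by that client to a .php path that is not one of those scripts. The sample log lines, the /opendcim/ URL prefix, the client addresses and the ten-minute window are constructed assumptions.

```python
"""Hunt for the openDCIM installer -> report_network_map.php -> webshell chain in access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

INSTALLER_SCRIPTS = {"install.php", "container-install.php"}   # named in the first description
TRIGGER_SCRIPT = "report_network_map.php"                        # named in the second description
KNOWN_SCRIPTS = INSTALLER_SCRIPTS | {TRIGGER_SCRIPT}

# Constructed sample (not a real capture): one internal user and one client that walks the chain.
SAMPLE_LOG = """
10.0.0.5 - - [12/May/2026:03:14:07 +0000] "GET /opendcim/index.php HTTP/1.1" 200 5120
203.0.113.7 - - [12/May/2026:03:15:01 +0000] "GET /opendcim/install.php HTTP/1.1" 200 2211
203.0.113.7 - - [12/May/2026:03:15:03 +0000] "POST /opendcim/install.php HTTP/1.1" 302 0
203.0.113.7 - - [12/May/2026:03:15:09 +0000] "GET /opendcim/report_network_map.php HTTP/1.1" 200 88
203.0.113.7 - - [12/May/2026:03:15:15 +0000] "POST /opendcim/images/.cache.php HTTP/1.1" 200 41
10.0.0.5 - - [12/May/2026:03:20:00 +0000] "GET /opendcim/report_network_map.php HTTP/1.1" 200 9012
""".strip().splitlines()


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]          # drop the query string
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": path,
        "script": path.rsplit("/", 1)[-1],    # basename, e.g. install.php
        "status": int(m["status"]),
    }


def hunt(lines, window=timedelta(minutes=10)):
    """Return (ip, kind, path) findings in log order.

    kind is one of:
      installer_hit           - a served (status < 400) request to install.php or
                                container-install.php; on a deployed instance the installer
                                should not be reachable at all
      trigger_after_installer - report_network_map.php requested by a client that hit the
                                installer within `window`; that script exec()s fac_Config.dot
      possible_webshell       - a POST by that client to a .php path that is none of the
                                scripts above; a heuristic for interaction with a dropped shell
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    installer_hits = defaultdict(list)   # ip -> timestamps of served installer requests
    findings = []
    for e in events:
        if e["status"] >= 400:
            continue                      # the server rejected it; nothing was exposed
        if e["script"] in INSTALLER_SCRIPTS:
            installer_hits[e["ip"]].append(e["ts"])
            findings.append((e["ip"], "installer_hit", e["path"]))
            continue
        if not any(e["ts"] - t <= window for t in installer_hits[e["ip"]]):
            continue                      # no recent installer activity from this client
        if e["script"] == TRIGGER_SCRIPT:
            findings.append((e["ip"], "trigger_after_installer", e["path"]))
        elif e["method"] == "POST" and e["script"].endswith(".php") and e["script"] not in KNOWN_SCRIPTS:
            findings.append((e["ip"], "possible_webshell", e["path"]))
    return findings


def suspicious_clients(lines):
    """Clients that completed installer -> trigger, i.e. the full chain rather than a bare scan."""
    seen = defaultdict(set)
    for ip, kind, _ in hunt(lines):
        seen[ip].add(kind)
    return sorted(ip for ip, kinds in seen.items()
                  if {"installer_hit", "trigger_after_installer"} <= kinds)


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(*finding)
    print("full chain from:", suspicious_clients(SAMPLE_LOG))
```

Feed it real logs with `hunt(open(path).read().splitlines())`. The internal user's request to report_network_map.php is not flagged because that client never touched the installer; the point of the per-client window is to separate legitimate use of the report from the write-then-execute sequence the descriptions imply.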

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 21 hours ago

Fediverse

❗Earlier today, VulnCheck Canaries detected first-time exploitation of CVE-2026-28515 and CVE-2026-28517 in openDCIM, an open-source code base used for data center infrastructure management.

🐚 The cluster of attacker activity we're observing so far originates from a single Chinese IP and uses what appears to be a customized implementation of AI vuln discovery tool Vulnhuntr to automatically check for vulnerable installations before dropping a PHP webshell.

🌐 The VulnCheck team's ASM queries for these vulnerabilities find fewer than 50 systems online, many of which belong to higher education institutions globally. Both CVEs were discovered by new VulnCheck research team member @chocapikk_.

Moar KEVs: vulncheck.com/kev

Overview

  • MongoDB, Inc.
  • MongoDB Server

12 May 2026
Published
14 May 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.06%

KEV

Description

An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. Under certain conditions this can result in arbitrary code execution. This issue impacts MongoDB Server v5.0 versions prior to 5.0.33, v6.0 versions prior to 6.0.28, v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
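
The Chrome, MixPHP and MongoDB descriptions on this page each bound the affected versions in advisory wording ("prior to 148.0.7778.168", "2.x thru 2.2.17", and per-branch "prior to" versions for MongoDB). The following is an added example, not vendor code: a small Python checker that encodes exactly those bounds and reports which entries of an inventory fall inside them. The inventory in main is constructed. It assumes dotted numeric versions (anything after the leading digits of a piece is ignored) and treats a version outside every listed branch as not listed rather than as safe.

```python
"""Affected-version check for the Chrome, MixPHP and MongoDB entries above."""
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """'148.0.7778.168' -> (148, 0, 7778, 168). Each dotted piece keeps its leading digit
    run ('23-rc1' -> 23); tuple comparison then gives 'prior to' semantics, with a shorter
    version (8.0 versus 8.0.23) sorting before the longer one."""
    out = []
    for piece in v.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        out.append(int(digits) if digits else 0)
    return tuple(out)


@dataclass(frozen=True)
class AffectedRange:
    product: str
    branch: Optional[str] = None           # version prefix the range applies to; None = all
    first_fixed: Optional[str] = None      # wording "prior to X": affected if version < X
    last_vulnerable: Optional[str] = None  # wording "thru X": affected if version <= X


# Bounds exactly as quoted in the three descriptions on this page.
AFFECTED = [
    AffectedRange("Google Chrome", first_fixed="148.0.7778.168"),
    AffectedRange("MixPHP Framework", branch="2", last_vulnerable="2.2.17"),
    AffectedRange("MongoDB Server", branch="5.0", first_fixed="5.0.33"),
    AffectedRange("MongoDB Server", branch="6.0", first_fixed="6.0.28"),
    AffectedRange("MongoDB Server", branch="7.0", first_fixed="7.0.34"),
    AffectedRange("MongoDB Server", branch="8.0", first_fixed="8.0.23"),
    AffectedRange("MongoDB Server", branch="8.2", first_fixed="8.2.9"),
    AffectedRange("MongoDB Server", branch="8.3", first_fixed="8.3.2"),
]


def is_affected(product: str, version: str) -> Optional[bool]:
    """True/False for a product in the table, None for a product the table does not know.

    A version outside every listed branch (for example MongoDB 4.4) returns False because
    the quoted advisory does not list it; that is not the vendor saying it is safe."""
    v = parse_version(version)
    ranges = [r for r in AFFECTED if r.product == product]
    if not ranges:
        return None
    for r in ranges:
        if r.branch is not None:
            b = parse_version(r.branch)
            if v[:len(b)] != b:
                continue                 # this range is for a different release branch
        if r.first_fixed is not None and v < parse_version(r.first_fixed):
            return True
        if r.last_vulnerable is not None and v <= parse_version(r.last_vulnerable):
            return True
    return False


def report(inventory: dict) -> list:
    """inventory maps product name -> installed version; returns the affected entries."""
    return [
        {"product": p, "version": ver}
        for p, ver in inventory.items()
        if is_affected(p, ver)
    ]


if __name__ == "__main__":
    # Constructed inventory, not data from the page.
    inventory = {
        "Google Chrome": "147.0.1.1",
        "MixPHP Framework": "2.2.17",
        "MongoDB Server": "8.2.9",
    }
    for entry in report(inventory):
        print(f"AFFECTED: {entry['product']} {entry['version']}")
```

The branch prefix matters for MongoDB: 8.0.22 is affected while 8.2.5 is not compared against the 8.0 bound at all, and a 4.4 server simply is not covered by the quoted ranges.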

Statistics

  • 1 Post

Last activity: 23 hours ago

Bluesky

~Cybergcca~ Security updates released for vulnerabilities in GitLab, MongoDB, and VMware Fusion. - IOCs: CVE-2026-8053, CVE-2026-41702 - #GitLab #ThreatIntel #VMware

Overview

  • VMware
  • Fusion

15 May 2026
Published
15 May 2026
Updated

CVSS v3.1
HIGH (7.8)
EPSS
0.01%

KEV

Description

VMware Fusion contains a TOCTOU (Time-of-check Time-of-use) vulnerability that occurs during an operation performed by a SETUID binary. A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed.

Statistics

  • 1 Post

Last activity: 23 hours ago

Bluesky

~Cybergcca~ Security updates released for vulnerabilities in GitLab, MongoDB, and VMware Fusion. - IOCs: CVE-2026-8053, CVE-2026-41702 - #GitLab #ThreatIntel #VMware
Showing 61 to 69 of 69 CVEs