Overview
- Adobe
- Adobe Commerce
Published: 11 Mar 2026
Updated: 12 Mar 2026
CVSS v3.1: HIGH (8.7)
EPSS: 0.04%
KEV
Description
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.
Statistics
- 1 Post
Last activity: 21 hours ago
Overview
- MBS
- UBR-01 Mk II
Published: 09 Mar 2026
Updated: 09 Mar 2026
CVSS v3.1: HIGH (8.8)
EPSS: 0.18%
KEV
Description
A low-privileged remote attacker can exploit an arbitrary file write vulnerability in the wwupload.cgi endpoint. Due to path traversal this can lead to overwriting arbitrary files on the device and achieving a full system compromise.
Statistics
- 1 Post
Last activity: 22 hours ago
Overview
- xygeni
- xygeni-action
Published: 11 Mar 2026
Updated: 11 Mar 2026
CVSS v4.0: CRITICAL (9.3)
EPSS: Pending
KEV
Description
xygeni-action is the GitHub Action for Xygeni Scanner. On March 3, 2026, an attacker with access to compromised credentials created a series of pull requests (#46, #47, #48) injecting obfuscated shell code into action.yml. The PRs were blocked by branch protection rules and never merged into the main branch. However, the attacker used the compromised GitHub App credentials to move the mutable v5 tag to point at the malicious commit (4bf1d4e19ad81a3e8d4063755ae0f482dd3baf12) from one of the unmerged PRs. This commit remained in the repository's git object store, and any workflow referencing @v5 would fetch and execute it. This is a supply chain compromise via tag poisoning. Any GitHub Actions workflow referencing xygeni/xygeni-action@v5 during the affected window (approximately March 3–10, 2026) executed a C2 implant that granted the attacker arbitrary command execution on the CI runner for up to 180 seconds per workflow run.
Statistics
- 1 Post
Last activity: 13 hours ago
Fediverse
🚨 CVE-2026-31976: CRITICAL supply chain risk in xygeni/xygeni-action. Workflows using @v5 (Mar 3 – 10, 2026) ran C2 code via tag poisoning. Pin to safe SHA, rotate creds, review logs. Details: https://radar.offseq.com/threat/cve-2026-31976-cwe-506-embedded-malicious-code-in--7bdbb65f #OffSeq #SupplyChain #CI_CD #GitHub
Overview
- MBS
- UBR-01 Mk II
Published: 09 Mar 2026
Updated: 09 Mar 2026
CVSS v3.1: HIGH (8.8)
EPSS: 0.39%
KEV
Description
A low-privileged remote attacker can trigger a stack-based buffer overflow via a crafted HTTP POST request using the ubr-network method resulting in full device compromise.
Statistics
- 1 Post
Last activity: 22 hours ago
Overview
- pinchtab
- pinchtab
Published: 07 Mar 2026
Updated: 10 Mar 2026
CVSS v3.1: HIGH (7.5)
EPSS: Pending
KEV
Description
PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Prior to version 0.7.7, a Server-Side Request Forgery (SSRF) vulnerability in the /download endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs, including internal network services and local system files, and exfiltrate the full response content. This issue has been patched in version 0.7.7.
Statistics
- 1 Post
Last activity: 12 hours ago
Overview
- ImageMagick
- ImageMagick
Published: 24 Feb 2026
Updated: 26 Feb 2026
CVSS v3.1: MEDIUM (5.3)
EPSS: Pending
KEV
Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Statistics
- 2 Posts
Last activity: 3 hours ago
Bluesky
Interesting nuance in the latest #openSUSE security advisory (SUSE-SU-2026:0870-1). The CVE-2026-24484 ImageMagick DoS patch highlights the risk in the conversion process (MVG to SVG), not just the file format itself. Read more: 👉 tinyurl.com/5akspd94 #Security
Overview
- ImageMagick
- ImageMagick
Published: 09 Mar 2026
Updated: 10 Mar 2026
CVSS v3.1: HIGH (7.1)
EPSS: Pending
KEV
Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow exists in ImageMagick's morphology kernel parsing functions. User-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, resulting in stack corruption. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Statistics
- 1 Post
Last activity: Last hour
Overview
Description
An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.
Statistics
- 1 Post
Last activity: 12 hours ago
Overview
Description
This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.
Statistics
- 1 Post
Last activity: 1 hour ago
Overview
- OneUptime
- oneuptime
Published: 10 Mar 2026
Updated: 10 Mar 2026
CVSS v3.1: HIGH (7.2)
EPSS: Pending
KEV
Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file path passed to res.sendFile() in orker/FeatureSet/Workflow/Index.ts with no sanitization or authentication middleware. This vulnerability is fixed in 10.0.21.
Statistics
- 1 Post
Last activity: Last hour