Overview
Description
A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to execute arbitrary system commands on an affected device with root privileges.
This vulnerability is due to insufficient validation of HTTP requests by the Spam Quarantine feature. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.
Statistics
- 2 Posts
Last activity: 6 hours ago
Bluesky
Cisco、ゼロデイ攻撃で悪用されたAsyncOSの脆弱性(CVE-2025-20393)を修正
Cisco fixes AsyncOS vulnerability exploited in zero-day attacks (CVE-2025-20393) #HelpNetSecurity (Jan 16)
www.helpnetsecurity.com/2026/01/16/c...
シスコ、メールセキュリティ製品の脆弱性 CVE-2025-20393を修正-TOKAIコミュニケーションズのゼロデイ攻撃に悪用
rocket-boys.co.jp/security-mea...
#セキュリティ対策Lab #セキュリティ #Security #サイバー攻撃
Overview
Description
Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.
Statistics
- 1 Post
Last activity: 5 hours ago
Fediverse
😶🌫️ GNU C Library Fixes A Security Issue Present Since 1996 :catscoffee:
https://www.phoronix.com/news/Glibc-Security-Fix-For-1996-Bug
Overview
- Microsoft
- Windows Admin Center in Azure Portal
13 Jan 2026
Published
16 Jan 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.04%
KEV
Description
Improper verification of cryptographic signature in Windows Admin Center allows an authorized attacker to elevate privileges locally.
Statistics
- 1 Post
Last activity: 19 hours ago
Bluesky
📌 Critical Token Validation Flaw in Azure Windows Admin Center Enables Tenant-Wide Remote Code Execution (CVE-2026-20965) https://www.cyberhub.blog/article/18181-critical-token-validation-flaw-in-azure-windows-admin-center-enables-tenant-wide-remote-code-execution-cve-2026-20965
Overview
- siyuan-note
- siyuan
16 Jan 2026
Published
16 Jan 2026
Updated
CVSS v4.0
MEDIUM (5.3)
EPSS
Pending
KEV
Description
SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2.
Statistics
- 1 Post
Last activity: Last hour
Bluesky
[25.11] siyuan: 3.4.0 -> 3.5.4-dev2, fixes CVE-2026-23645
https://github.com/NixOS/nixpkgs/pull/481359
#security
Overview
Description
Using string formatting and exception handling, an attacker may bypass n8n's python-task-executor sandbox restrictions and run arbitrary unrestricted Python code in the underlying operating system.
The vulnerability can be exploited via the Code block by an authenticated user with basic permissions and can lead to a full n8n instance takeover on instances operating under "Internal" execution mode.
If the instance is operating under the "External" execution mode (ex. n8n's official Docker image) - arbitrary code execution occurs inside a Sidecar container and not the main node, which significantly reduces the vulnerability impact.
Statistics
- 3 Posts
Last activity: 12 hours ago
Fediverse
🟠 CVE-2026-0863 - High (8.5)
Using string formatting and exception handling, an attacker may bypass n8n's python-task-executor sandbox restrictions and run arbitrary unrestricted Python code in the underlying operating system.
The vulnerability can be exploited via the Code ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-0863/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Overview
- stefanberger
- libtpms
02 Jan 2026
Published
05 Jan 2026
Updated
CVSS v3.1
MEDIUM (5.5)
EPSS
0.00%
KEV
Description
libtpms, a library that provides software emulation of a Trusted Platform Module, has a flaw in versions 0.10.0 and 0.10.1. The commonly used integration of libtpms with OpenSSL 3.x contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality. Version 0.10.2 fixes the issue. No known workarounds are available.
Statistics
- 1 Post
Last activity: 16 hours ago
Bluesky
URGENT: #Fedora 43 libtpms update fixes CVE-2026-21444 - cryptographic IV flaw in VM TPM emulation. Read more: 👉 tinyurl.com/mr2a3tu8 #Security
Overview
Description
In key-based pairing, there is a possible ID due to a logic error in the code. This could lead to remote (proximal/adjacent) information disclosure of user's conversations and location with no additional execution privileges needed. User interaction is not needed for exploitation.
Statistics
- 1 Post
Last activity: 6 hours ago
Bluesky
#WhisperPair、 数億台のBluetooth 機器に深刻な脆弱性 CVE-2025-36911-Google Fast Pairの不備による盗聴・追跡リスクの実態
rocket-boys.co.jp/security-mea...
#セキュリティ対策Lab #セキュリティ #Security #サイバー攻撃
Overview
- Bluspark Global
- BLUVOYIX
14 Jan 2026
Published
14 Jan 2026
Updated
CVSS v4.0
CRITICAL (10.0)
EPSS
0.16%
KEV
Description
The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform.
Statistics
- 1 Post
Last activity: 6 hours ago
Fediverse
HOLY COW, BATMAN:
Complete takeover of a high-value target system, without cracking skills, nor any complex chained attacks:
CVE-2026-22236: APIs did not check for a valid authorization token. As a result, all APIs were unauthenticated.
followed by
CVE-2026-22240: Plaintext passwords. There were 3 APIs that could be used to retrieve the plaintext passwords of all accounts, including admins.
Overview
- Bluspark Global
- BLUVOYIX
14 Jan 2026
Published
14 Jan 2026
Updated
CVSS v4.0
CRITICAL (10.0)
EPSS
0.06%
KEV
Description
The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the plaintext passwords of all user users. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in using an exposed admin email address and password.
Statistics
- 1 Post
Last activity: 6 hours ago
Fediverse
HOLY COW, BATMAN:
Complete takeover of a high-value target system, without cracking skills, nor any complex chained attacks:
CVE-2026-22236: APIs did not check for a valid authorization token. As a result, all APIs were unauthenticated.
followed by
CVE-2026-22240: Plaintext passwords. There were 3 APIs that could be used to retrieve the plaintext passwords of all accounts, including admins.