Overview
- SolarWinds
- Serv-U
24 Feb 2026
Published
26 Feb 2026
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
0.02%
KEV
Description
An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account.
This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.
Statistics
- 2 Posts
Last activity: 10 hours ago
Fediverse
All four security defects, tracked as CVE-2025-40538 to CVE-2025-40541, have a CVSS score of 9.1, could result in remote code execution, and impact Serv-U version 15.5. https://www.securityweek.com/solarwinds-patches-four-critical-serv-u-vulnerabilities/
Overview
Description
A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to gain elevated privileges.
This vulnerability is due to improper access controls on commands within the application CLI. An attacker could exploit this vulnerability by running a maliciously crafted command on the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-priv-E6e8tEdF
Statistics
- 1 Post
Last activity: 19 hours ago
Overview
- libexpat project
- libexpat
23 Jan 2026
Published
23 Jan 2026
Updated
CVSS v3.1
LOW (2.9)
EPSS
0.00%
KEV
Description
In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.
Statistics
- 1 Post
Last activity: 3 hours ago
Overview
Description
urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.
Statistics
- 1 Post
- 1 Interaction
Last activity: 8 hours ago
Overview
- VMware
- VMware Aria Operations
- vmware-aria-operations
25 Feb 2026
Published
27 Feb 2026
Updated
CVSS v3.1
MEDIUM (6.2)
EPSS
0.05%
KEV
Description
VMware Aria Operations contains a privilege escalation vulnerability. A malicious actor with privileges in vCenter to access Aria Operations may leverage this vulnerability to obtain administrative access in VMware Aria Operations. To remediate CVE-2026-22721, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found in VMSA-2026-0001 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 .
Statistics
- 1 Post
Last activity: 22 hours ago
Overview
- VMware
- VMware Aria Operations
- vmware-aria-operations
25 Feb 2026
Published
26 Feb 2026
Updated
CVSS v3.1
HIGH (8.0)
EPSS
0.08%
KEV
Description
VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with privileges to create custom benchmarks may be able to inject script to perform administrative actions in VMware Aria Operations.
To remediate CVE-2026-22720, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' of VMSA-2026-0001 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947https:// .
Statistics
- 1 Post
Last activity: 22 hours ago
Overview
- VMware
- Aria Operations
- vmware-aria-operations
25 Feb 2026
Published
26 Feb 2026
Updated
CVSS v3.1
HIGH (8.1)
EPSS
0.33%
KEV
Description
VMware Aria Operations contains a command injection vulnerability. A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress.
To remediate CVE-2026-22719, apply the patches listed in the 'Fixed Version' column of the ' Response Matrix https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 ' in VMSA-2026-0001
Workarounds for CVE-2026-22719 are documented in the 'Workarounds' column of the ' Response Matrix https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 ' in VMSA-2026-0001
Statistics
- 1 Post
Last activity: 22 hours ago