Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 2 Posts

Last activity: 15 hours ago

Bluesky

🔒 Critical vulnerabilities in StrongSwan (CVE-2026-35330 with CVSS 9.2) affect versions ≤ 5.9.13. A practical guide for openSUSE administrators: how to check, update with an automated script and mitigate with iptables/AppArmor. Learn more: -> tinyurl.com/5xm58zkj #SUSE
  • 0
  • 0
  • 1
  • 15h ago

Overview

  • Cap-go
  • capgo

19 Jun 2026
Published
19 Jun 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
Pending

KEV

Description

Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful, enabling unauthorized 2FA enablement and account takeover.

Statistics

  • 1 Post

Last activity: 6 hours ago

Fediverse

CVE-2026-56073 (CRITICAL) affects Cap-go capgo <12.128.2: Insufficient data authenticity checks allow OTP bypass, enabling attackers to activate 2FA & take over accounts. No patch yet — monitor vendor updates. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 6h ago

Overview

  • moby
  • spdystream

16 Apr 2026
Published
17 Apr 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.43%

KEV

Description

spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in parseHeaderValueBlock, and individual header field sizes — all read as 32-bit integers and used directly as allocation sizes with no bounds checking. Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into large attacker-controlled values. A remote peer that can send SPDY frames to a service using spdystream can exhaust process memory and cause an out-of-memory crash with a single crafted control frame. This issue has been fixed in version 0.5.1.

Statistics

  • 1 Post

Last activity: 19 hours ago

Bluesky

🛡️ #SUSE #Kubernetes: two critical vulnerabilities (CVE-2026-33814 and CVE-2026-35469) allow remote DoS. Learn more: -> tinyurl.com/5ee7ab7u
  • 0
  • 0
  • 0
  • 19h ago

Overview

  • golang.org/x/net
  • golang.org/x/net/http2
  • golang.org/x/net/http2

07 May 2026
Published
08 May 2026
Updated

CVSS
Pending
EPSS
0.56%

KEV

Description

When processing HTTP/2 SETTINGS frames, the transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Statistics

  • 1 Post

Last activity: 19 hours ago

Bluesky

🛡️ #SUSE #Kubernetes: two critical vulnerabilities (CVE-2026-33814 and CVE-2026-35469) allow remote DoS. Learn more: -> tinyurl.com/5ee7ab7u
  • 0
  • 0
  • 0
  • 19h ago

Overview

  • Linux
  • Linux

22 Apr 2026
Published
11 May 2026
Updated

CVSS v3.1
HIGH (7.8)
EPSS
0.13%

KEV

Description

In the Linux kernel, the following vulnerability has been resolved:

net: fix fanout UAF in packet_release() via NETDEV_UP race

`packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array.

`packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)`, which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`.

The fix sets `po->num` to zero in `packet_release()` while `bind_lock` is held, so that NETDEV_UP cannot link the socket and the race window is closed.

This bug was found following an additional audit with Claude Code based on CVE-2025-38617.

Statistics

  • 1 Post

Last activity: 20 hours ago

Bluesky

Can't reboot your Oracle Linux 9 right now? Learn how to mitigate CVE-2026-31504, CVE-2026-31533 and others with iptables and sysctl adjustments. Script included. Learn more: -> tinyurl.com/4zhwpk5s
  • 0
  • 0
  • 0
  • 20h ago

Overview

  • Linux
  • Linux

23 Apr 2026
Published
23 May 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.26%

KEV

Description

In the Linux kernel, the following vulnerability has been resolved:

net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption

The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 ("net: tls: handle backlogging of crypto requests"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry.

When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist.

The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record.

Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.

Statistics

  • 1 Post

Last activity: 20 hours ago

Bluesky

Can't reboot your Oracle Linux 9 right now? Learn how to mitigate CVE-2026-31504, CVE-2026-31533 and others with iptables and sysctl adjustments. Script included. Learn more: -> tinyurl.com/4zhwpk5s
  • 0
  • 0
  • 0
  • 20h ago

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post

Last activity: 22 hours ago

Fediverse

Node.js released 22.23.0, 24.17.0 and 26.3.1 on June 18, closing 13 CVEs. Two are HIGH severity: CVE-2026-48933, a WebCrypto AES integer overflow that triggers a remote process abort, and CVE-2026-48618, a TLS check where a Unicode dot separator defeats wildcard-depth validation and bypasses authentication. The releases also bundle llhttp 9.4.2, nghttp2 1.69.0 and openssl 3.5.7. How long does a Node patch take to reach your production fleet?

#nodejs #security

  • 0
  • 0
  • 0
  • 22h ago