24h | 7d | 30d

Overview

  • Ivanti
  • ICS

12 Jan 2024
Published
21 Oct 2025
Updated

CVSS v3.0
HIGH (8.2)
EPSS
94.37%

Description

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

Statistics

  • 1 Post

Last activity: 14 hours ago

Fediverse

Profile picture fallback

CVE-2023-46805 is actively exploited in Ivanti Connect Secure and Policy Secure gateways. When chained with CVE-2024-21887, attackers gain unauthenticated RCE and full VPN appliance compromise, posing critical enterprise perimeter risk.

Read the full threat brief:
thecybermind.co/i1n8

thecybermind.co/2026/04/23/iva

  • 0
  • 0
  • 0
  • 14h ago

Overview

  • CyferShepard
  • Jellystat

22 Apr 2026
Published
23 Apr 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
0.08%

KEV

Description

Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via `POST /api/getUserDetails` and `POST /api/getLibrary`, enabling full read of any table in the database - including `app_config`, which stores the Jellystat admin credentials, the Jellyfin API key, and the Jellyfin host URL. Because the vulnerable call site dispatches via `node-postgres`'s simple query protocol (no parameter array is passed), stacked queries are allowed, which escalates the injection from data disclosure to arbitrary command execution on the PostgreSQL host via `COPY ... TO PROGRAM`. Under the role shipped by the project's `docker-compose.yml` (a PostgreSQL superuser), no additional privileges are required to reach the RCE primitive. Version 1.1.10 contains a fix.

Statistics

  • 1 Post

Last activity: 23 hours ago

Fediverse

Profile picture fallback

Five critical self-hosted flaws landed April 20-22. Marimo pre-auth remote takeover (CVE-2026-39987, CVSS 9.3), exploited in 10 hours. Apache Airflow XCom. Spinnaker Echo. Jellystat SQL injection to takeover (CVE-2026-41167, 9.1). OpenVPN 2.7.2 fixed two. Three trace to injection. Across 14 compliant platforms I have architected, the audit finding is patch cadence, not availability. A 10-hour window makes quarterly cadence a breach timeline.

#CyberSecurity #SelfHosted #OpenSource #InfoSec

  • 0
  • 0
  • 0
  • 23h ago

Overview

  • Tenable, Inc.
  • Tenable Nessus, Tenable Nessus Agent

23 Apr 2026
Published
24 Apr 2026
Updated

CVSS v4.0
HIGH (7.4)
EPSS
0.02%

KEV

Description

This vulnerability allows an attacker to create a junction, enabling the deletion of arbitrary files with SYSTEM privileges. As a result, this condition potentially facilitates arbitrary code execution, whereby an attacker may exploit the vulnerability to execute malicious code with elevated SYSTEM privileges.

Statistics

  • 1 Post

Last activity: 4 hours ago

Fediverse

Profile picture fallback

🛡️ CrowdStrike LogScale CRITICAL vuln (CVE-2026-40050): unauth path traversal — remote file read risk for self-hosted users. Tenable Nessus for Windows: HIGH vuln (CVE-2026-33694), file deletion & privilege escalation. Patch ASAP! radar.offseq.com/threat/vulner

  • 0
  • 0
  • 0
  • 4h ago
Showing 41 to 43 of 43 CVEs