Overview

  • n8n

Published: 18 Jan 2026
Updated: 23 Jan 2026

CVSS v3.1: HIGH (8.5)
EPSS: 0.06%

KEV

Description

Using string formatting and exception handling, an attacker may bypass n8n's python-task-executor sandbox restrictions and run arbitrary unrestricted Python code on the underlying operating system. The vulnerability can be exploited via the Code block by an authenticated user with basic permissions and can lead to a full n8n instance takeover on instances operating under the "Internal" execution mode. If the instance is operating under the "External" execution mode (e.g. n8n's official Docker image), arbitrary code execution occurs inside a sidecar container and not in the main node, which significantly reduces the vulnerability's impact.

Statistics

  • 1 Post

Last activity: 5 hours ago

Bluesky

Vulnerabilities allowing remote code execution in n8n (CVE-2026-1470, CVE-2026-0863) rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #セキュリティ #Security #CybersecurityNews
5h ago

Overview

  • tornadoweb
  • tornado

Published: 12 Dec 2025
Updated: 18 Dec 2025

CVSS v3.1: MEDIUM (5.4)
EPSS: 0.06%

KEV

Description

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) and in the HTML of the default error page (where it could be used for XSS), and the issue can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to let applications pass custom "reason" phrases (the "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line, mainly for non-standard status codes. This issue is fixed in version 6.5.3.

Statistics

  • 1 Post

Last activity: 12 hours ago

Bluesky

🚨 Critical security update for #Debian 11 #Bullseye. Patch #Python #Tornado now for CVE-2025-67724 (Header Injection/XSS), CVE-2025-67725/26 (DoS). Read more: 👉 tinyurl.com/4f674wpz #Security
12h ago

Overview

  • tornadoweb
  • tornado

Published: 12 Dec 2025
Updated: 18 Dec 2025

CVSS v3.1: HIGH (7.5)
EPSS: 0.24%

KEV

Description

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. When the same header name is repeated, the method accumulates the values using string concatenation; because Python strings are immutable, each concatenation copies the entire accumulated string, resulting in O(n²) time complexity and a Denial of Service (DoS). The severity ranges from high if max_header_size has been increased from its default to low if it retains its default value of 64KB. This issue is fixed in version 6.5.3.

Statistics

  • 1 Post

Last activity: 12 hours ago

Bluesky

🚨 Critical security update for #Debian 11 #Bullseye. Patch #Python #Tornado now for CVE-2025-67724 (Header Injection/XSS), CVE-2025-67725/26 (DoS). Read more: 👉 tinyurl.com/4f674wpz #Security
12h ago

Overview

  • OpenSSL
  • OpenSSL

Published: 27 Jan 2026
Updated: 29 Jan 2026

CVSS: Pending
EPSS: 0.00%

KEV

Description

Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error.

Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16MB remains unauthenticated.

When the 'openssl dgst' command is used with algorithms that only support one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input is buffered with a 16MB limit. If the input exceeds this limit, the tool silently truncates to the first 16MB and continues without signaling an error, contrary to what the documentation states. This creates an integrity gap where trailing bytes can be modified without detection if both signing and verification are performed using the same affected codepath.

The issue affects only the command-line tool behavior. Verifiers that process the full message using library APIs will reject the signature, so the risk primarily affects workflows that both sign and verify with the affected 'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and library users are unaffected.

The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the command-line tools are outside the OpenSSL FIPS module boundary.

OpenSSL 3.5 and 3.6 are vulnerable to this issue. OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

Statistics

  • 1 Post

Last activity: 3 hours ago

Bluesky

AISLE's autonomous analysis discovered 12 previously undisclosed OpenSSL vulnerabilities and flagged six more, including CVE-2025-15467 and CVE-2025-15469, and OpenSSL maintainers praised the high quality of the reports and the constructive collaboration.
3h ago

Overview

  • n8n

Published: 27 Jan 2026
Updated: 27 Jan 2026

CVSS v3.1: CRITICAL (9.9)
EPSS: 0.35%

KEV

Description

n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow Expression evaluation system. Expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations.

Statistics

  • 1 Post

Last activity: 5 hours ago

Bluesky

Vulnerabilities allowing remote code execution in n8n (CVE-2026-1470, CVE-2026-0863) rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #セキュリティ #Security #CybersecurityNews
5h ago

Overview

  • Apache Software Foundation
  • Apache Tomcat

Published: 28 Apr 2025
Updated: 03 Nov 2025

CVSS: Pending
EPSS: 3.28%

KEV

Description

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request, which created a memory leak. A large number of such requests could trigger an OutOfMemoryException, resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 through 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6, which fix the issue.

Statistics

  • 1 Post

Last activity: 19 hours ago

Fediverse

VDE-2026-006
Pilz: Multiple Vulnerabilities affecting the PIT User Authentication Service

The PIT User Authentication Service is affected by multiple vulnerabilities in included third-party components.
CVE-2025-31650, CVE-2025-48988, CVE-2025-12383, CVE-2025-61795

certvde.com/en/advisories/vde-

pilz.csaf-tp.certvde.com/.well

19h ago

Overview

  • Eclipse Foundation
  • Jersey

Published: 18 Nov 2025
Updated: 18 Nov 2025

CVSS v4.0: CRITICAL (9.4)
EPSS: 0.06%

KEV

Description

In Eclipse Jersey versions 2.45, 3.0.16 and 3.1.9, a race condition can cause critical SSL configuration to be ignored, such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in an SSLHandshakeException under normal circumstances, but under certain conditions it could lead to unauthorized trust in insecure servers (see PoC).

Statistics

  • 1 Post

Last activity: 19 hours ago

Fediverse

VDE-2026-006
Pilz: Multiple Vulnerabilities affecting the PIT User Authentication Service

The PIT User Authentication Service is affected by multiple vulnerabilities in included third-party components.
CVE-2025-31650, CVE-2025-48988, CVE-2025-12383, CVE-2025-61795

certvde.com/en/advisories/vde-

pilz.csaf-tp.certvde.com/.well

19h ago

Overview

  • Apache Software Foundation
  • Apache Tomcat

Published: 27 Oct 2025
Updated: 04 Nov 2025

CVSS: Pending
EPSS: 0.12%

KEV

Description

Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but were left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible for the space used by the temporary copies of uploaded parts to fill faster than GC cleared it, leading to a DoS. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.11, from 10.1.0-M1 through 10.1.46, from 9.0.0.M1 through 9.0.109. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.12 or later, 10.1.47 or later, or 9.0.110 or later, which fix the issue.

Statistics

  • 1 Post

Last activity: 19 hours ago

Fediverse

VDE-2026-006
Pilz: Multiple Vulnerabilities affecting the PIT User Authentication Service

The PIT User Authentication Service is affected by multiple vulnerabilities in included third-party components.
CVE-2025-31650, CVE-2025-48988, CVE-2025-12383, CVE-2025-61795

certvde.com/en/advisories/vde-

pilz.csaf-tp.certvde.com/.well

19h ago

Overview

  • Apache Software Foundation
  • Apache Tomcat

Published: 16 Jun 2025
Updated: 03 Nov 2025

CVSS: Pending
EPSS: 0.12%

KEV

Description

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

Statistics

  • 1 Post

Last activity: 19 hours ago

Fediverse

VDE-2026-006
Pilz: Multiple Vulnerabilities affecting the PIT User Authentication Service

The PIT User Authentication Service is affected by multiple vulnerabilities in included third-party components.
CVE-2025-31650, CVE-2025-48988, CVE-2025-12383, CVE-2025-61795

certvde.com/en/advisories/vde-

pilz.csaf-tp.certvde.com/.well

19h ago