Overview

  • zarinpal
  • Zarinpal Gateway

Published: 17 Feb 2026
Updated: 17 Feb 2026

CVSS v3.1
HIGH (7.7)
EPSS
Pending

KEV

Description

The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to Improper Access Control to Payment Status Update in all versions up to and including 5.0.16. This is due to the payment callback handler 'Return_from_ZarinPal_Gateway' failing to validate that the authority token provided in the callback URL belongs to the specific order being marked as paid. This makes it possible for unauthenticated attackers to potentially mark orders as paid without proper payment by reusing a valid authority token from a different transaction of the same amount.

Statistics

  • 1 Post

Last activity: 3 hours ago

Fediverse

🛡️ CVE-2026-2592 (HIGH, CVSS 7.7): Zarinpal Gateway for WooCommerce has improper access control — orders can be marked as paid via reused authority tokens. All versions affected. Audit callback validation & monitor for fraud. Details: radar.offseq.com/threat/cve-20

  • 3h ago

Overview

  • Wireshark Foundation
  • Wireshark

Published: 10 Oct 2024
Updated: 10 Oct 2024

CVSS v3.1
HIGH (7.8)
EPSS
0.13%

KEV

Description

AppleTalk and RELOAD Framing dissector crash in Wireshark 4.4.0 and 4.2.0 to 4.2.7 allows denial of service via packet injection or a crafted capture file.

Statistics

  • 1 Post

Last activity: 17 hours ago

Bluesky

🚨 URGENT: #Debian 11 Wireshark users! DLA-4479-1 patches 8 CVEs including CVE-2024-9781. Attackers can crash dissectors (HTTP3, Kafka, MongoDB) with a single packet. Read more: 👉 tinyurl.com/5rum9c88 #Security
  • 17h ago

Overview

  • HKUDS
  • nanobot

Published: 16 Feb 2026
Updated: 16 Feb 2026

CVSS v3.1
CRITICAL (10.0)
EPSS
0.04%

KEV

Description

The WhatsApp bridge component in Nanobot binds the WebSocket server to all network interfaces (0.0.0.0) on port 3001 by default and does not require authentication for incoming connections. An unauthenticated remote attacker with network access to the bridge can connect to the WebSocket server to hijack the WhatsApp session. This allows the attacker to send messages on behalf of the user, intercept all incoming messages and media in real time, and capture authentication QR codes.

Statistics

  • 1 Post

Last activity: 20 hours ago

Fediverse

🔴 CVE-2026-2577: CRITICAL vuln in HKUDS nanobot WhatsApp bridge (port 3001) — no auth required for WebSocket! Attackers can hijack sessions & intercept messages. Restrict access & monitor traffic. radar.offseq.com/threat/cve-20

  • 20h ago

Overview

  • BVA
  • Concierge::Sessions
  • Concierge-Sessions

Published: 16 Feb 2026
Updated: 16 Feb 2026

CVSS
Pending
EPSS
Pending

KEV

Description

Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to using Perl's built-in rand function. Neither of these methods is secure, and attackers are able to guess session_ids that can grant them access to systems. Specifically:

  • There is no warning when uuidgen fails. If the command fails for any reason, the software can quietly fall back to the rand() function with no warning.
  • The uuidgen command will generate a time-based UUID if the system does not have a high-quality random number source, because the call does not explicitly specify the --random option. Note that the system time is shared in HTTP responses.
  • UUIDs are identifiers whose mere possession grants access, as per RFC 9562.
  • The output of the built-in rand() function is predictable and unsuitable for security applications.

Statistics

  • 1 Post

Last activity: 11 hours ago

Fediverse

⚠️ CVE-2026-2439 (HIGH): BVA Concierge::Sessions 0.8.1-0.8.4 uses weak session ID generation, risking session hijack. Upgrade or use secure RNG for session IDs! No active exploits, but risk is significant. radar.offseq.com/threat/cve-20

  • 11h ago

Overview

  • pretix
  • pretix-doistep
  • pretix-doistep

Published: 16 Feb 2026
Updated: 16 Feb 2026

CVSS v4.0
HIGH (7.5)
EPSS
0.05%

KEV

Description

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name in the final email. This mechanism contained a security-relevant bug: it was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders; however, due to a mistake in the code, they were not fully effective for this plugin. Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg file.

Statistics

  • 1 Post

Last activity: 5 hours ago

Fediverse

⚠️ CVE-2026-2451 (HIGH): pretix-doistep 1.0.0 allows backend users to abuse email template placeholders to exfiltrate config, DB passwords & API keys. Rotate creds, audit templates & restrict edit rights ASAP. radar.offseq.com/threat/cve-20

  • 5h ago

Overview

  • EFM
  • iptime A6004MX

Published: 16 Feb 2026
Updated: 16 Feb 2026

CVSS v4.0
CRITICAL (9.3)
EPSS
0.04%

KEV

Description

A vulnerability was found in EFM iptime A6004MX 14.18.2. Affected is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi. The manipulation results in unrestricted upload. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistics

  • 2 Posts

Last activity: 21 hours ago

Fediverse

CVE-2026-2550 (CRITICAL, CVSS 9.3) in EFM iptime A6004MX 14.18.2: Unrestricted remote file upload via /cgi/timepro.cgi. Exploit public, no vendor response. Isolate affected devices ASAP. radar.offseq.com/threat/cve-20

  • 23h ago

CVE-2026-2550 (CRITICAL): EFM iptime A6004MX (fw 14.18.2) allows unauthenticated uploads via /cgi/timepro.cgi — enabling full device compromise. No patch yet. Block access & monitor for malicious activity. radar.offseq.com/threat/cve-20

  • 21h ago

Overview

  • n8n-io
  • n8n

Published: 04 Feb 2026
Updated: 05 Feb 2026

CVSS v4.0
CRITICAL (9.4)
EPSS
0.03%

KEV

Description

n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. This issue has been patched in versions 1.123.17 and 2.5.2.

Statistics

  • 2 Posts

Last activity: 19 hours ago

Bluesky

New from Cris Staicu at Endor Labs: "CVE-2026-25049 Expression Escape Vulnerability Leading to RCE in n8n" api.cyfluencer.com/s/cve-2026-2...
  • 19h ago

Overview

  • Soliton Systems K.K.
  • FileZen

Published: 13 Feb 2026
Updated: 13 Feb 2026

CVSS v3.0
HIGH (8.8)
EPSS
0.25%

KEV

Description

FileZen contains an OS command injection vulnerability. When the FileZen Antivirus Check Option is enabled, a logged-in user may send a specially crafted HTTP request to execute an arbitrary OS command.

Statistics

  • 1 Post

Last activity: 17 hours ago

Fediverse

Recent intelligence (Feb 15-16, 2026): Google patched an actively exploited Chrome zero-day (CVE-2026-2441), and a critical FileZen flaw (CVE-2026-25108) also sees in-the-wild exploitation. Microsoft unveiled an AI Security Dashboard for enterprises. Geopolitically, China's Russian oil imports surged 21%, and Indonesia considers deploying 8,000 troops to Gaza. A Trusted Tech Alliance formed to secure digital infrastructure. AI ethics concerns continue to be prominent.

#Cybersecurity #TechNews #Geopolitics

  • 17h ago