24h | 7d | 30d

Overview

  • Linux
  • Linux

08 May 2026
Published
11 May 2026
Updated

CVSS v3.1
HIGH (7.8)
EPSS
0.16%

KEV

Description

In the Linux kernel, the following vulnerability has been resolved: bonding: fix type confusion in bond_setup_by_slave() kernel BUG at net/core/skbuff.c:2306! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI RIP: 0010:pskb_expand_head+0xa08/0xfe0 net/core/skbuff.c:2306 RSP: 0018:ffffc90004aff760 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88807e3c8780 RCX: ffffffff89593e0e RDX: ffff88807b7c4900 RSI: ffffffff89594747 RDI: ffff88807b7c4900 RBP: 0000000000000820 R08: 0000000000000005 R09: 0000000000000000 R10: 00000000961a63e0 R11: 0000000000000000 R12: ffff88807e3c8780 R13: 00000000961a6560 R14: dffffc0000000000 R15: 00000000961a63e0 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe1a0ed8df0 CR3: 000000002d816000 CR4: 00000000003526f0 Call Trace: <TASK> ipgre_header+0xdd/0x540 net/ipv4/ip_gre.c:900 dev_hard_header include/linux/netdevice.h:3439 [inline] packet_snd net/packet/af_packet.c:3028 [inline] packet_sendmsg+0x3ae5/0x53c0 net/packet/af_packet.c:3108 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa54/0xc30 net/socket.c:2592 ___sys_sendmsg+0x190/0x1e0 net/socket.c:2646 __sys_sendmsg+0x170/0x220 net/socket.c:2678 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe1a0e6c1a9 When a non-Ethernet device (e.g. GRE tunnel) is enslaved to a bond, bond_setup_by_slave() directly copies the slave's header_ops to the bond device: bond_dev->header_ops = slave_dev->header_ops; This causes a type confusion when dev_hard_header() is later called on the bond device. Functions like ipgre_header(), ip6gre_header(),all use netdev_priv(dev) to access their device-specific private data. When called with the bond device, netdev_priv() returns the bond's private data (struct bonding) instead of the expected type (e.g. struct ip_tunnel), leading to garbage values being read and kernel crashes. Fix this by introducing bond_header_ops with wrapper functions that delegate to the active slave's header_ops using the slave's own device. This ensures netdev_priv() in the slave's header functions always receives the correct device. The fix is placed in the bonding driver rather than individual device drivers, as the root cause is bond blindly inheriting header_ops from the slave without considering that these callbacks expect a specific netdev_priv() layout. The type confusion can be observed by adding a printk in ipgre_header() and running the following commands: ip link add dummy0 type dummy ip addr add 10.0.0.1/24 dev dummy0 ip link set dummy0 up ip link add gre1 type gre local 10.0.0.1 ip link add bond1 type bond mode active-backup ip link set gre1 master bond1 ip link set gre1 up ip link set bond1 up ip addr add fe80::1/64 dev bond1

Statistics

  • 1 Post

Last activity: 7 hours ago

Bluesky

Profile picture fallback
19年以上見過ごされていたLinux kernelのゼロデイ脆弱性を報告した話:CVE-2026-43456 | セキュリティブログ | 脆弱性診断(セキュリティ診断)のGMOサイバーセキュリティ byイエラエ gmo-cybersecurity.com/blog/19-year...
  • 0
  • 0
  • 0
  • 7h ago

Overview

  • Veeam
  • Backup and Replication

09 Jun 2026
Published
10 Jun 2026
Updated

CVSS v4.0
CRITICAL (9.4)
EPSS
0.59%

KEV

Description

A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.

Statistics

  • 1 Post

Last activity: 20 hours ago

Fediverse

Profile picture fallback

Critical Veeam Backup Flaw Exposes Enterprise Recovery Systems to Full Remote Takeover + Video

Introduction: When Your Backup Becomes the Weakest Link Backups are supposed to be the last line of defense against cyberattacks. They protect businesses from ransomware, accidental deletion, hardware failures, and even insider threats. But what happens when the backup server itself becomes the attacker's first target? A newly disclosed critical vulnerability, CVE-2026-44963,…

undercodenews.com/critical-vee

  • 0
  • 0
  • 0
  • 20h ago

Overview

  • code-projects
  • Hotel and Tourism Reservation

05 Jul 2026
Published
06 Jul 2026
Updated

CVSS v4.0
MEDIUM (6.9)
EPSS
Pending

KEV

Description

A flaw has been found in code-projects Hotel and Tourism Reservation 1.0. Affected is an unknown function of the file /admin/add_room.php. Executing a manipulation of the argument delete_image/edit/description/number/price/rooms/type can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used.

Statistics

  • 1 Post

Last activity: 19 hours ago

Fediverse

Profile picture fallback

CVE-2026-14754 - SQLi in code-projects Hotel and Tourism Reservation 1.0. Remote exploit available. CVSS 7.3. Unpatched. Update or mitigate immediately. #CVE #infosec #cybersecurity

valtersit.com/cve/CVE-2026-147

  • 0
  • 0
  • 0
  • 19h ago

Overview

  • mjperpinosa
  • stumasy

05 Jul 2026
Published
06 Jul 2026
Updated

CVSS v4.0
MEDIUM (6.9)
EPSS
Pending

KEV

Description

A vulnerability was detected in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This impacts an unknown function of the file /PHP/objects/notes of the component Note Handler/Assignment Handler. Performing a manipulation of the argument assignment_item_id results in authorization bypass. The attack can be initiated remotely. The exploit is now public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.

Statistics

  • 1 Post

Last activity: 17 hours ago

Fediverse

Profile picture fallback

CVE-2026-14753 - Authorization Bypass in mjperpinosa stumasy. Remote exploit public. CVSS 7.3. No patch available. Restrict access to /PHP/objects/notes immediately. #CVE #infosec #cybersecurity

valtersit.com/cve/CVE-2026-147

  • 0
  • 0
  • 0
  • 17h ago

Overview

  • PROG MIS
  • ERP App

06 Jul 2026
Published
06 Jul 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
Pending

KEV

Description

ERP App developed by PROG MIS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to view application code and obtain the database account and password.

Statistics

  • 1 Post

Last activity: 23 hours ago

Fediverse

Profile picture fallback

CVE-2026-14807: CRITICAL hard-coded credentials in PROG MIS ERP App allow unauthenticated remote access to source code & DB creds. No patch available — restrict access & monitor activity. CVSS 9.3 radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 23h ago

Overview

  • BeyondTrust
  • Remote Support

06 Jul 2026
Published
07 Jul 2026
Updated

CVSS v4.0
CRITICAL (9.2)
EPSS
Pending

KEV

Description

A critical pre-authentication vulnerability exists in the authentication subsystem of BeyondTrust Remote Support and Privileged Remote Access. Improper validation of authentication data may allow a network-positioned attacker to bypass access controls and gain unauthorized access to the appliance, including accounts with elevated privileges. Exploitation requires a specific authentication configuration to be enabled

Statistics

  • 1 Post

Last activity: Last hour

Bluesky

Profile picture fallback
BeyondTrust disclosed four pre-authentication vulnerabilities in its Remote Support (RS) and Privileged Remote Access (PRA) products. Two critical flaws (CVE-2026-40138 […]
  • 0
  • 0
  • 0
  • Last hour

Overview

  • Adobe
  • ColdFusion

30 Jun 2026
Published
01 Jul 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
1.02%

KEV

Description

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Statistics

  • 1 Post

Last activity: 7 hours ago

Bluesky

Profile picture fallback
Hackers Begin Exploiting Critical Adobe ColdFusion Flaw Just Hours After Patch Release Cybersecurity researchers have confirmed that attackers are actively exploiting a critical vulnerability in Adobe ColdFusion, tracked as CVE-2026-48282, only hours after Adobe released security updates.
  • 0
  • 0
  • 0
  • 7h ago

Overview

  • cursor
  • cursor

25 Jun 2026
Published
25 Jun 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.64%

KEV

Description

Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default, and the sandbox grants write access to the command's working directory. A flaw was identified in how the agent could modify the working_directory parameter, which could cause the sandbox to include writable paths outside the intended workspace. A malicious agent could set working_directory to a sensitive location and write arbitrary files outside the workspace under the user's privileges. This enables non-sandboxed Remote Code Execution — for example by overwriting the cursorsandbox helper so later commands run unsandboxed — with no user interaction beyond a benign prompt. This vulnerability is fixed in 3.0.

Statistics

  • 1 Post

Last activity: 17 hours ago

Fediverse

Profile picture fallback

Discover the new Cursor IDE RCE vulnerability called DuneSlide. This critical sandbox escape flaw assigned CVE-2026-50548 threatens developer environments.

securityonline.info/cursor-ide

  • 0
  • 0
  • 0
  • 17h ago

Overview

  • Oracle Corporation
  • Oracle Payments

28 May 2026
Published
29 May 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.68%

KEV

Description

Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Successful attacks of this vulnerability can result in takeover of Oracle Payments. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Statistics

  • 1 Post

Last activity: 16 hours ago

Fediverse

Profile picture fallback

📰 Critical Oracle E-Business Suite RCE Flaw (CVE-2026-46817) Under Active Attack

🚨 CRITICAL ALERT: A 9.8 CVSS flaw in Oracle E-Business Suite (CVE-2026-46817) is being ACTIVELY EXPLOITED for unauthenticated RCE. Attackers can take over the entire application. Patch immediately! #Oracle #EBS #CyberSecurity #CVE #RCE

🌐 cyber[.]netsecops[.]io

🔗 cyber.netsecops.io/articles/cr

  • 0
  • 0
  • 0
  • 16h ago
Showing 11 to 19 of 19 CVEs