Overview
Description
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Overview
- Vendor: Microsoft
- Product: Windows Server 2025
- Published: 12 Aug 2025
- Updated: 26 Feb 2026
- CVSS v3.1: HIGH (7.2)
- EPSS: 0.51%
- KEV
Description
Relative path traversal in Windows Kerberos allows an authorized attacker to elevate privileges over a network.
Overview
- Vendor: Sonos
- Product: Era 300
- Published: 11 Apr 2026
- Updated: 11 Apr 2026
- CVSS v3.0: CRITICAL (10.0)
- EPSS: 1.27%
- KEV
Description
Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sonos Era 300. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of the DataOffset field within SMB responses. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the kernel. Was ZDI-CAN-28345.
Fediverse
⚠️ CVE-2026-4149: Sonos Era 300 (v17.5) has a CRITICAL remote code execution vulnerability via SMB, allowing kernel-level compromise without auth. No patch yet — restrict SMB access! https://radar.offseq.com/threat/cve-2026-4149-cwe-119-improper-restriction-of-oper-dcf90312 #OffSeq #Sonos #Infosec #RCE
Overview
- Vendor: Totolink
- Product: A7100RU
- Published: 12 Apr 2026
- Updated: 12 Apr 2026
- CVSS v4.0: CRITICAL (9.3)
- EPSS: Pending
- KEV
Description
A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. It affects the function setAppCfg in the file /cgi-bin/cstecgi.cgi of the CGI Handler component. Manipulating the argument enable can lead to OS command injection. The attack may be launched remotely. The exploit has been published and may be used.
Fediverse
🚨 CRITICAL: CVE-2026-6115 in Totolink A7100RU (7.4cu.2313_b20191024) allows unauth'd remote OS command injection via /cgi-bin/cstecgi.cgi. No patch yet. Restrict access & monitor vendor updates. https://radar.offseq.com/threat/cve-2026-6115-os-command-injection-in-totolink-a71-2eb78416 #OffSeq #Vulnerability #Router #Infosec
Overview
- Vendor: marimo-team
- Product: marimo
- Published: 09 Apr 2026
- Updated: 09 Apr 2026
- CVSS v4.0: CRITICAL (9.3)
- EPSS: 2.70%
- KEV
Description
marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification. This vulnerability is fixed in 0.23.0.
Description
An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending "?images" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device.