Overview
- Apache Software Foundation
- Apache Tomcat
09 Apr 2026
Published
10 Apr 2026
Updated
CVSS
Pending
EPSS
0.04%
KEV
Description
CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.
Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.
Statistics
- 1 Post
Last activity: 18 hours ago
Overview
Description
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix unprivileged local user can do privileged policy management
An unprivileged local user can load, replace, and remove profiles by
opening the apparmorfs interfaces, via a confused deputy attack, by
passing the opened fd to a privileged process, and getting the
privileged process to write to the interface.
This does require a privileged target that can be manipulated to do
the write for the unprivileged process, but once such access is
achieved full policy management is possible and all the possible
implications that implies: removing confinement, DoS of system or
target applications by denying all execution, by-passing the
unprivileged user namespace restriction, to exploiting kernel bugs for
a local privilege escalation.
The policy management interface can not have its permissions simply
changed from 0666 to 0600 because non-root processes need to be able
to load policy to different policy namespaces.
Instead ensure the task writing the interface has privileges that
are a subset of the task that opened the interface. This is already
done via policy for confined processes, but unconfined can delegate
access to the opened fd, by-passing the usual policy check.
Statistics
- 2 Posts
Last activity: 7 hours ago
Overview
Description
An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
Statistics
- 1 Post
Last activity: 20 hours ago
Fediverse
CVE-2023-46805 is actively exploited in Ivanti Connect Secure and Policy Secure gateways. When chained with CVE-2024-21887, attackers gain unauthenticated RCE and full VPN appliance compromise, posing critical enterprise perimeter risk.
Read the full threat brief:
https://thecybermind.co/i1n8
Overview
- Tenable, Inc.
- Tenable Nessus, Tenable Nessus Agent
23 Apr 2026
Published
24 Apr 2026
Updated
CVSS v4.0
HIGH (7.4)
EPSS
0.02%
KEV
Description
This vulnerability allows an attacker to create a junction, enabling the deletion of arbitrary files with SYSTEM privileges. As a result, this condition potentially facilitates arbitrary code execution, whereby an attacker may exploit the vulnerability to execute malicious code with elevated SYSTEM privileges.
Statistics
- 1 Post
Last activity: 10 hours ago
Fediverse
🛡️ CrowdStrike LogScale CRITICAL vuln (CVE-2026-40050): unauth path traversal — remote file read risk for self-hosted users. Tenable Nessus for Windows: HIGH vuln (CVE-2026-33694), file deletion & privilege escalation. Patch ASAP! https://radar.offseq.com/threat/vulnerabilities-patched-in-crowdstrike-tenable-pro-da7dee84 #OffSeq #Vuln #CrowdStrike #Tenable
Description
SimpleHelp remote support software v5.5.7 and before has a vulnerability that allows low-privileges technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role.
Statistics
- 1 Post
Last activity: 1 hour ago
Overview
Description
Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1050 allows attackers to write arbitrary file as system authority.
Statistics
- 1 Post
Last activity: 1 hour ago