
Overview

  • ruby
  • json

20 Mar 2026
Published
23 Mar 2026
Updated

CVSS v4.0
HIGH (8.3)
EPSS
0.04%

KEV

Description

Ruby JSON is a JSON implementation for Ruby. Versions from 2.14.0 up to, but not including, 2.15.2.1, 2.17.1.2 and 2.19.2 contain a format string injection vulnerability that can lead to denial of service or information disclosure when the allow_duplicate_key: false parsing option is used to parse user-supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.
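A version gate for the affected range and a stop-gap duplicate-key check, added here as a Ruby example (not code from the json gem or the advisory). The constant names, the `NoDuplicateKeys` class and `parse_untrusted` are this example's own; it relies only on the json gem's documented `object_class` option, whose instances are filled through `[]=`.

```ruby
require "json"
require "rubygems"

# Affected range as stated by the advisory: json >= 2.14.0 and below the fix of
# its maintenance series (2.15.2.1, 2.17.1.2) or below 2.19.2 otherwise.
# Series without a listed backport (2.14.x, 2.16.x, 2.18.x) are treated as affected.
JSON_FIRST_AFFECTED = Gem::Version.new("2.14.0")
JSON_SERIES_FIX     = { "2.15" => Gem::Version.new("2.15.2.1"),
                        "2.17" => Gem::Version.new("2.17.1.2") }.freeze
JSON_MAINLINE_FIX   = Gem::Version.new("2.19.2")

# True when a json gem at +version+ is safe to use with
# allow_duplicate_key: false on attacker-controlled documents.
def json_dup_key_patched?(version)
  v = Gem::Version.new(version)
  return true if v < JSON_FIRST_AFFECTED
  series = v.segments.first(2).join(".")
  fix = JSON_SERIES_FIX[series]
  fix ? v >= fix : v >= JSON_MAINLINE_FIX
end

# Stop-gap for hosts still on an affected release: reject duplicate keys in our
# own code instead of the gem's option. The parser instantiates +object_class+
# and fills it with []=, so a Hash subclass sees every key, including repeats.
# The error text is built with interpolation, so the attacker-chosen key is
# never used as a format string (the bug class behind the advisory).
class NoDuplicateKeys < Hash
  def []=(key, value)
    raise JSON::ParserError, "duplicate key #{key.inspect}" if key?(key)
    super
  end
end

def parse_untrusted(document)
  JSON.parse(document, object_class: NoDuplicateKeys, create_additions: false)
end

if $PROGRAM_NAME == __FILE__
  puts "json #{JSON::VERSION}: #{json_dup_key_patched?(JSON::VERSION) ? 'patched' : 'AFFECTED'}"
  p parse_untrusted('{"user":"alice","roles":["admin"]}')
  begin
    parse_untrusted('{"user":"alice","user":"mallory"}')
  rescue JSON::ParserError => e
    puts "rejected: #{e.message}"
  end
end
```

Run it on each Ruby runtime you ship; `JSON::VERSION` reports the gem actually loaded, which can differ from the default gem bundled with the interpreter.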

Statistics

  • 1 Post

Last activity: 11 hours ago

Bluesky

apigee-runtime. This addresses the following vulnerabilities: CVE-2026-41316 CVE-2026-35611 CVE-2026-33210 CVE-2026-33176 N/A Security fixes for apigee-synchronizer

Overview

  • Apache Software Foundation
  • Apache Log4j Core
  • org.apache.logging.log4j:log4j-core

10 Apr 2026
Published
10 Apr 2026
Updated

CVSS v4.0
MEDIUM (6.9)
EPSS
0.15%

KEV

Description

Apache Log4j Core's XmlLayout (https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout), in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification (https://www.w3.org/TR/xml/#charsets), producing invalid XML output whenever a log message or MDC value contains such characters. The impact depends on the StAX implementation in use:

  • JRE built-in StAX: forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.
  • Alternative StAX implementations (e.g., Woodstox, https://github.com/FasterXML/woodstox, a transitive dependency of the Jackson XML Dataformat module): an exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger.

Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.
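The sanitization the 2.25.4 fix performs, recast as an added Ruby example (not Log4j's code) so the forbidden set is concrete: everything outside the XML 1.0 Char production is replaced before the text is written. `xml10_sanitize`, `xml10_valid?` and `xml_log_event` are this example's names; the `:strict` mode models the alternative-StAX behaviour (the event is lost at the logging call), `:sanitize` the fixed behaviour. The character class carries over unchanged to Java.

```ruby
# XML 1.0 "Char" production:
#   #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
# Everything else (C0 controls other than TAB/LF/CR, U+FFFE, U+FFFF, and
# surrogates, which cannot occur in valid UTF-8 anyway) is forbidden.
XML10_FORBIDDEN = /[^\u{9}\u{A}\u{D}\u{20}-\u{D7FF}\u{E000}-\u{FFFD}\u{10000}-\u{10FFFF}]/

# Strict check: true only if +str+ is well-formed UTF-8 text with no forbidden
# code points. Inputs are expected to be text; undecodable binary raises.
def xml10_valid?(str)
  str = str.encode("UTF-8") unless str.encoding == Encoding::UTF_8
  str.valid_encoding? && !str.match?(XML10_FORBIDDEN)
end

# Sanitize: repair invalid byte sequences first (a regex cannot run over them),
# then replace every forbidden code point with +replacement+ (U+FFFD by default).
def xml10_sanitize(str, replacement = "\u{FFFD}")
  s = if str.encoding == Encoding::UTF_8
        str.dup
      else
        str.encode("UTF-8", invalid: :replace, undef: :replace, replace: replacement)
      end
  s.scrub(replacement).gsub(XML10_FORBIDDEN, replacement)
end

# Markup escaping is a separate concern from character validity: escaping
# '<' does nothing about a NUL byte, and vice versa. Both are needed.
def xml_escape(str)
  str.gsub("&", "&amp;").gsub("<", "&lt;").gsub(">", "&gt;").gsub('"', "&quot;")
end

# A minimal event writer in the two behaviours the advisory describes.
#   :strict   -> raise, like a strict StAX writer; the record never gets appended
#   :sanitize -> replace offending characters; the record is emitted and parses
def xml_log_event(message, level: "INFO", mode: :sanitize)
  body = case mode
         when :strict
           raise ArgumentError, "message contains characters forbidden by XML 1.0" unless xml10_valid?(message)
           message
         when :sanitize
           xml10_sanitize(message)
         else
           raise ArgumentError, "unknown mode #{mode.inspect}"
         end
  %(<Event level="#{xml_escape(level)}"><Message>#{xml_escape(body)}</Message></Event>)
end
```

Note what the sanitizer keeps: tab, newline, carriage return and all non-ASCII text such as accented letters or emoji are valid XML characters and pass through; only the C0 controls, U+FFFE/U+FFFF and undecodable bytes are touched, so legitimate log content is not altered.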

Statistics

  • 3 Posts

Last activity: 11 hours ago

Bluesky

This addresses the following vulnerabilities: CVE-2026-34481 CVE-2026-34480 CVE-2026-34478 CVE-2026-21932 N/A Security fixes for apigee-open-telemetry-collector
This addresses the following vulnerabilities: CVE-2026-34481 CVE-2026-34480 CVE-2026-34478 CVE-2026-21932 CVE-2025-48913 N/A Security fixes for apigee-udca

Overview

  • Apache Software Foundation
  • Apache Log4j Core
  • org.apache.logging.log4j:log4j-core

10 Apr 2026
Published
10 Apr 2026
Updated

CVSS v4.0
MEDIUM (6.9)
EPSS
0.15%

KEV

Description

Apache Log4j Core's Rfc5424Layout (https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout), in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:

  • The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.
  • The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.

Users of the SyslogAppender are not affected, as its configuration attributes were not modified. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
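Why losing newline escaping matters for RFC 6587 TCP framing, and why the RFC 5425 downgrade removes the protection that framing gave: an added Ruby example (not Log4j's Rfc5424Layout) that frames one forged message both ways and shows what a collector sees on the far end. The header field values, the `\r`/`\n` replacement strings and the `FORGED` input are constructed for the demo.

```ruby
# RFC 5424 header (PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG)
# with a free-form MSG. Header values are constructed for this example.
def rfc5424_message(msg, pri: 14, ts: "2026-04-10T12:00:00Z", host: "web01", app: "shop", procid: "4242")
  "<#{pri}>1 #{ts} #{host} #{app} #{procid} - - #{msg}"
end

# Newline escaping, the job of the newLineEscape attribute in the advisory.
# The replacement strings are this example's choice, not Log4j's default.
def escape_newlines(msg)
  msg.gsub(/[\r\n]/, "\r" => "\\r", "\n" => "\\n")
end

# RFC 6587 non-transparent framing: records are separated by LF, so an LF
# inside the message body is indistinguishable from a record boundary.
def frame_non_transparent(msg, escape: true)
  body = escape ? escape_newlines(msg) : msg
  rfc5424_message(body) + "\n"
end

# RFC 5425 (TLS) and RFC 6587 octet counting: "LEN SP MSG" with LEN the byte
# length of MSG, so the body may contain any byte and remains one record.
def frame_octet_counted(msg)
  record = rfc5424_message(msg)
  "#{record.bytesize} #{record}"
end

# Collector side: split each framing back into records.
def split_non_transparent(stream)
  stream.split("\n")
end

def split_octet_counted(stream)
  records = []
  rest = stream.b
  until rest.empty?
    len, _sp, tail = rest.partition(" ")
    n = Integer(len, 10)
    records << tail.byteslice(0, n).force_encoding("UTF-8")
    rest = tail.byteslice(n..) || "".b
  end
  records
end

# Constructed attacker-controlled input: a "username" that smuggles a second,
# forged record after a CRLF. In the forged line the attacker picks the
# timestamp, host, application and text the SIEM will index.
FORGED = "login failed for bob\r\n<14>1 2026-04-10T12:00:01Z web01 shop 4242 - - login ok for admin"

# What the collector records for each configuration the advisory discusses.
def records_seen(framing)
  case framing
  when :non_transparent_unescaped then split_non_transparent(frame_non_transparent(FORGED, escape: false))
  when :non_transparent_escaped   then split_non_transparent(frame_non_transparent(FORGED, escape: true))
  when :octet_counted             then split_octet_counted(frame_octet_counted(FORGED))
  else raise ArgumentError, "unknown framing #{framing.inspect}"
  end
end
```

The unescaped non-transparent case is exactly the state the renamed `newLineEscape` attribute left TCP users in: two records arrive, the second one entirely attacker-authored. The silent `useTlsMessageFormat` downgrade moves RFC 5425 users from the octet-counted case, where the CRLF is harmless, into that same unescaped case.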

Statistics

  • 3 Posts

Last activity: 11 hours ago


Overview

  • rails
  • activesupport

23 Mar 2026
Published
24 Mar 2026
Updated

CVSS v4.0
MEDIUM (6.6)
EPSS
0.02%

KEV

Description

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which `BigDecimal` expands into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
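An added Ruby example (not Active Support's code) of the guard a number helper needs in front of positional formatting: bound the decimal exponent before expanding, which `BigDecimal#exponent` exposes without building the expanded string. `bounded_decimal`, `with_delimiter`, `expansion_digits` and the `MAX_DECIMAL_EXPONENT` limit are this example's own choices.

```ruby
require "bigdecimal"

# Largest power of ten we are willing to expand. "1e10000" has 10_001 digits
# in positional notation; nothing a UI formats legitimately needs that.
# The value is this example's choice; pick one that fits your domain.
MAX_DECIMAL_EXPONENT = 1_000

# Number of digits a positional expansion would need, read from the
# exponent without ever producing the digits (O(1) on the input).
def expansion_digits(input)
  BigDecimal(input.to_s.strip).exponent.abs
end

# Parse a user-supplied numeric string and return it in positional
# (non-scientific) notation, refusing inputs whose expansion would be huge.
def bounded_decimal(input, max_exponent: MAX_DECIMAL_EXPONENT)
  d = BigDecimal(input.to_s.strip)          # raises ArgumentError on junk
  raise ArgumentError, "non-finite number" unless d.finite?
  # BigDecimal#exponent is the power of ten of the leading digit, so the
  # check happens before any memory is spent on the expansion.
  if d.exponent.abs > max_exponent
    raise ArgumentError, "decimal exponent #{d.exponent} exceeds limit #{max_exponent}"
  end
  d.to_s("F")
end

# The kind of formatting the Rails helpers perform (thousands delimiter),
# done only after the size check has passed.
def with_delimiter(input, delimiter: ",")
  int, frac = bounded_decimal(input).split(".", 2)
  int = int.gsub(/(\d)(?=(\d{3})+$)/, "\\1#{delimiter}")
  frac ? "#{int}.#{frac}" : int
end
```

`to_s("F")` is the expensive step: for `1e10000` it allocates a ten-thousand-digit string, and delimiter insertion then walks it again, which is the CPU and memory cost the advisory describes. Checking the exponent first keeps that cost proportional to the bound you chose rather than to whatever the client sent.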

Statistics

  • 1 Post

Last activity: 11 hours ago


Overview

  • Oracle Corporation
  • Oracle Java SE

20 Jan 2026
Published
21 Jan 2026
Updated

CVSS v3.1
HIGH (7.4)
EPSS
0.03%

KEV

Description

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).

Statistics

  • 3 Posts

Last activity: 11 hours ago


Overview

  • ruby
  • erb

24 Apr 2026
Published
25 Apr 2026
Updated

CVSS v3.1
HIGH (8.1)
EPSS
0.11%

KEV

Description

ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.
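An added Ruby example (not ERB's code or the advisory's) of the control that closes this sink whichever gadget is reachable: authenticate Marshal blobs with an HMAC and verify before `Marshal.load`, plus a read-only triage routine that lists the classes a stored blob would instantiate without loading it. `sign_marshal`, `verified_marshal_load`, `marshal_object_classes` and the `Demo` class are this example's names; the key handling is illustrative.

```ruby
require "openssl"

TAG_BYTES = 32 # HMAC-SHA256 output length

# Serialize and authenticate. The key must be a secret shared only with the
# consumer; load it from a secret store in practice.
def sign_marshal(object, key)
  blob = Marshal.dump(object)
  OpenSSL::HMAC.digest("SHA256", key, blob) + blob
end

# Verify before deserializing. Marshal.load on a blob an attacker could have
# written is code execution; ERB#def_module is only one of the available
# sinks, so the fix is to never reach Marshal.load with unauthenticated data.
def verified_marshal_load(signed, key)
  signed = signed.b
  raise SecurityError, "payload too short" if signed.bytesize < TAG_BYTES
  tag  = signed.byteslice(0, TAG_BYTES)
  blob = signed.byteslice(TAG_BYTES..)
  expected = OpenSSL::HMAC.digest("SHA256", key, blob)
  raise SecurityError, "signature mismatch" unless OpenSSL.secure_compare(tag, expected)
  Marshal.load(blob)
end

# Read-only triage for blobs already sitting in caches or session stores:
# an object is encoded as 'o' followed by a symbol ':' whose length is
# Marshal's packed integer (n + 5 for 1 <= n <= 122). The scan reads the
# class name straight from the bytes and never calls Marshal.load.
# Heuristic: only first occurrences are listed (later references are symbol
# links ';'), names longer than 122 bytes are skipped, and "o:" inside
# string data can produce a false positive. A blob carrying an ERB object
# shows up here as "ERB".
def marshal_object_classes(blob)
  blob.b.scan(/o:([\x06-\x7f])([A-Za-z0-9_:]+)/).filter_map do |len_byte, name|
    n = len_byte.ord - 5
    name.bytesize >= n ? name.byteslice(0, n) : nil
  end.uniq
end

# Constructed class for the triage demo.
class Demo
  def initialize
    @x = 1
  end
end
```

Verification happens before any byte of the blob is interpreted, and the comparison is constant-time; a tampered payload, a wrong key or a truncated message all fail with `SecurityError` and never reach `Marshal.load`. When possible, prefer a data-only format (JSON) for anything crossing a trust boundary and keep Marshal for fully trusted, authenticated storage only.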

Statistics

  • 1 Post

Last activity: 11 hours ago


Overview

  • RedisBloom
  • RedisBloom

05 May 2026
Published
05 May 2026
Updated

CVSS v4.0
HIGH (7.7)
EPSS
0.34%

KEV

Description

RedisBloom is a probabilistic data structures module for Redis. In all versions of RedisBloom before 2.8.20, the module does not properly validate serialized values processed through the Redis RESTORE command. An authenticated attacker with permission to execute RESTORE on a server with the RedisBloom module loaded can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This issue is fixed in version 2.8.20.

Statistics

  • 1 Post

Last activity: 9 hours ago

Fediverse

CVE-2026-23479 was one of the high severity bugs we found when we won at Wiz's ZeroDay Cloud competition. Be on the lookout soon for the technical deep dive on ZDC blog - this was a really interesting bug because of its subtlety. The complex interaction between portions of code far apart from each other in the codebase likely wouldn't have been noticed by humans or traditional SAST tools but can now be found in hours through AI with the right scaffolding

Thank you to the teams at Redis and Google Wiz for the collaboration in securing critical open source projects

redis.io/blog/security-advisor


Overview

  • redis
  • redis

05 May 2026
Published
06 May 2026
Updated

CVSS v4.0
HIGH (7.7)
EPSS
0.09%

KEV

Description

Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3.

Statistics

  • 1 Post

Last activity: 9 hours ago


Overview

  • Apache Software Foundation
  • Apache CXF

08 Aug 2025
Published
26 Feb 2026
Updated

CVSS
Pending
EPSS
0.21%

KEV

Description

If untrusted users are allowed to configure JMS for Apache CXF, they could previously supply RMI or LDAP URLs, potentially leading to code execution. This interface now rejects those protocols, removing this possibility. Users are recommended to upgrade to versions 3.6.8, 4.0.9 or 4.1.3, which fix this issue.

Statistics

  • 2 Posts

Last activity: 11 hours ago


Overview

  • redis
  • redis

05 May 2026
Published
06 May 2026
Updated

CVSS v4.0
HIGH (7.7)
EPSS
0.08%

KEV

Description

Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3.

Statistics

  • 1 Post

Last activity: 9 hours ago

Showing 71 to 80 of 121 CVEs