
Overview

  • Go toolchain
  • cmd/go

28 Jan 2026
Published
29 Jan 2026
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.
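
The advisory above says the problem needs an explicitly supplied malicious version string and does not affect @latest or bare module paths. As an added example (not part of the Go toolchain or its advisory), the following gate is what automation that assembles `go get` arguments from untrusted input can apply: it accepts bare module paths, the query words and canonical-looking versions, and refuses everything else, so an arbitrary string never reaches the VCS commands. The regular expressions are a conservative approximation of Go's forms and the function names are this example's own; branch and tag names are rejected by design.

```python
"""Gate for module@version targets before they are handed to `go get`.

Added example, not cmd/go code. The patterns below approximate Go's
module-path and version forms (assumption) and are deliberately strict:
a version must be a query word, a semver-like string (which covers
pseudo-versions) or a hex commit, so option-looking strings such as
"-Xfoo" and shell metacharacters are refused.
"""
from __future__ import annotations

import re
from typing import Optional

# First element is domain-like and lower-case; later elements may be mixed case.
MODULE_PATH_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+"
    r"(?:/[A-Za-z0-9._~-]+)*$"
)
# v1, v1.2, v1.2.3, optional prerelease/build suffixes; a pseudo-version such as
# v0.0.0-20060102150405-abcdef123456 is a prerelease suffix to this pattern.
SEMVER_RE = re.compile(r"^v\d+(?:\.\d+){0,2}(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
COMMIT_RE = re.compile(r"^[0-9a-f]{7,40}$")
QUERY_WORDS = {"latest", "upgrade", "patch", "none"}


class UnsafeTargetError(ValueError):
    """Raised for a target this gate will not pass to the toolchain."""


def check_go_target(target: str) -> tuple[str, Optional[str]]:
    """Split 'path[@version]' and return it only if both parts are acceptable."""
    path, sep, version = target.partition("@")
    if not MODULE_PATH_RE.match(path):
        raise UnsafeTargetError(f"module path rejected: {path!r}")
    if not sep:
        return path, None          # bare module path: no version string at all
    if version in QUERY_WORDS or SEMVER_RE.match(version) or COMMIT_RE.match(version):
        return path, version
    raise UnsafeTargetError(f"version string rejected: {version!r}")


def is_safe_target(target: str) -> bool:
    try:
        check_go_target(target)
    except UnsafeTargetError:
        return False
    return True


def go_get_argv(target: str) -> list[str]:
    """argv for `go get` built only from a target that passed the gate."""
    path, version = check_go_target(target)
    return ["go", "get", f"{path}@{version}" if version else path]


if __name__ == "__main__":
    # Constructed inputs for illustration.
    for t in ["golang.org/x/text@v0.3.8", "github.com/BurntSushi/toml",
              "example.com/m@latest", "example.com/m@-Xevil",
              "example.com/m@v1.0.0;id", "example.com/m@main"]:
        print(f"{t!r:36} -> {go_get_argv(t) if is_safe_target(t) else 'REJECTED'}")
```

Run it before the real `go get` in CI or in any service that takes module targets from users; a rejected target is reported rather than passed on.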

Statistics

  • 1 Post

Last activity: Last hour

Bluesky

🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2025-68119 impacts libcap in 20 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/400 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless

Overview

  • WaterFutures
  • EPyT-Flow

06 Feb 2026
Published
06 Feb 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
0.11%

KEV

Description

EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer (my_load_from_json) that supports a type field. When type is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. This allows invoking dangerous classes such as subprocess.Popen, which can lead to OS command execution during JSON parsing. This also affects the loading of JSON files. This vulnerability is fixed in 0.16.1.
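
As an added illustration of the bug class described above (constructed here, not EPyT-Flow's own code), the block below puts the dangerous pattern beside a fixed one: the unsafe loader treats the `type` field as an import path and instantiates whatever it names while the JSON is still being parsed, the hardened loader treats it as a key into a fixed registry. The `type`/`args`/`kwargs` layout, the function names and the `Fraction` stand-in for application classes are assumptions made for this example.

```python
"""Type-dispatching JSON deserializer: the dangerous pattern and a fixed one.

Constructed illustration; not EPyT-Flow code. Field names and helpers are
assumptions for this example.
"""
from __future__ import annotations

import importlib
import json
from fractions import Fraction
from typing import Any, Callable


def _unsafe_hook(obj: dict) -> Any:
    """Resolve any dotted path the request names and call it.

    importlib.import_module() loads whatever module the client asks for, so a
    body naming subprocess.Popen runs a command during parsing.
    """
    if "type" not in obj:
        return obj
    module_name, _, attr = obj["type"].rpartition(".")
    target = getattr(importlib.import_module(module_name), attr)
    return target(*obj.get("args", []), **obj.get("kwargs", {}))


def unsafe_load_from_json(text: str) -> Any:
    # object_hook runs for every JSON object, nested ones included, which is
    # why loading a JSON *file* is as exposed as parsing a request body.
    return json.loads(text, object_hook=_unsafe_hook)


class UnsafeTypeError(ValueError):
    """Raised when a document names a type outside the allowlist."""


# Hardened form: "type" is a key into a fixed registry, never an import path.
# Fraction stands in for the application's own value classes (assumption).
SAFE_TYPES: dict[str, Callable[..., Any]] = {
    "fraction": Fraction,
}


def _safe_hook(obj: dict) -> Any:
    if "type" not in obj:
        return obj
    ctor = SAFE_TYPES.get(obj["type"])
    if ctor is None:
        raise UnsafeTypeError(f"type {obj['type']!r} is not allowlisted")
    args, kwargs = obj.get("args", []), obj.get("kwargs", {})
    if not isinstance(args, list) or not isinstance(kwargs, dict):
        raise UnsafeTypeError("args must be a list and kwargs an object")
    return ctor(*args, **kwargs)


def safe_load_from_json(text: str) -> Any:
    return json.loads(text, object_hook=_safe_hook)


def rejects(loader: Callable[[str], Any], text: str) -> bool:
    """True if loader refuses the document instead of instantiating it."""
    try:
        loader(text)
    except UnsafeTypeError:
        return True
    return False


# Constructed inputs. BENIGN shows the unsafe loader instantiating a class the
# application never registered; HOSTILE has the shape of a command-execution
# payload and is deliberately never fed to the unsafe loader here.
BENIGN = json.dumps({"type": "fractions.Fraction", "args": [1, 3]})
ALLOWED = json.dumps({"type": "fraction", "args": [1, 3]})
HOSTILE = json.dumps({"type": "subprocess.Popen", "args": [["id"]]})

if __name__ == "__main__":
    print("unsafe loader built:", repr(unsafe_load_from_json(BENIGN)))
    print("safe loader built:", repr(safe_load_from_json(ALLOWED)))
    print("safe loader rejects arbitrary import:", rejects(safe_load_from_json, BENIGN))
    print("safe loader rejects Popen payload:", rejects(safe_load_from_json, HOSTILE))
```

The registry is the whole fix: the client chooses among names the server defined, and the server, not the client, decides which callable each name maps to.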

Statistics

  • 1 Post

Last activity: 19 hours ago

Fediverse

🚨 CRITICAL (CVSS 10.0): CVE-2026-25632 in WaterFutures EPyT-Flow (<0.16.1) — attacker-controlled JSON allows OS command execution via unsafe deserialization. Upgrade to 0.16.1+ ASAP. Monitor for suspicious activity. radar.offseq.com/threat/cve-20


Overview

  • GnuTLS
  • libtasn1

07 Jan 2026
Published
20 Jan 2026
Updated

CVSS
Pending
EPSS
0.06%

KEV

Description

Stack-based buffer overflow in libtasn1 v4.20.0. The function asn1_expend_octet_string fails to validate the size of its input data, so oversized input overflows a stack buffer.

Statistics

  • 1 Post

Last activity: Last hour

Bluesky

🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2025-13151 impacts libtasn1 in 27 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/402 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless

Overview

  • D-Link
  • DIR-823X

08 Feb 2026
Published
08 Feb 2026
Updated

CVSS v4.0
HIGH (8.6)
EPSS
Pending

KEV

Description

A vulnerability was found in D-Link DIR-823X 250416, in an unknown function of the file /goform/set_ac_status. Manipulation of the argument ac_ipaddr, ac_ipstatus or ap_randtime results in OS command injection. The attack may be initiated remotely. A public exploit exists and could be used.

Statistics

  • 1 Post

Last activity: 9 hours ago

Fediverse

🚨 HIGH severity: CVE-2026-2129 in D-Link DIR-823X (v250416) enables unauthenticated remote OS command injection via /goform/set_ac_status. Exploit code is public — patch or restrict access now! radar.offseq.com/threat/cve-20


Overview

  • Shenzhen Tenda Technology
  • Tenda G300-F

07 Feb 2026
Published
07 Feb 2026
Updated

CVSS v4.0
HIGH (8.6)
EPSS
Pending

KEV

Description

Tenda G300-F router firmware version 16.01.14.2 and prior contains an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.
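
The D-Link and Tenda advisories above describe the same mistake: a management handler builds a shell command around a user-supplied address and runs it. The following is an added illustration of that bug class and its fix, not the vendors' firmware code (which is native); the handler names, the curl command template and the validation rules are assumptions. It runs the injectable form through sh with a harmless second command against 127.0.0.1 to show the split, then shows the hardened form rejecting the same inputs.

```python
"""Diagnostic command built from user input: the injectable form and a fixed one.

Constructed illustration, not firmware code. The curl template, names and
validation rules are assumptions for this example.
"""
from __future__ import annotations

import ipaddress
import re
import subprocess

# RFC 1123 hostname: labels of letters, digits and hyphens, no leading hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)"
    r"(?:\.(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?))*$"
)


def vulnerable_diag_command(target: str) -> str:
    """The mistake: untrusted text spliced into a string handed to a shell."""
    return f"curl -sS -m 2 -o /dev/null http://{target}/"


def demo_injection(target: str = "127.0.0.1; echo INJECTED") -> str:
    """Run the vulnerable command through sh and return what stdout caught.

    The ';' ends the curl command and the rest runs as a second command. The
    curl itself is expected to fail (nothing listens on 127.0.0.1:80) and
    does not matter; the echoed marker is the point.
    """
    proc = subprocess.run(
        ["sh", "-c", vulnerable_diag_command(target)],
        capture_output=True, text=True, timeout=10,
    )
    return proc.stdout


def validate_target(target: str) -> str:
    """Accept an IP literal or a hostname; raise on anything else."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"not a host address: {target!r}")


def hardened_diag_argv(target: str) -> list[str]:
    """Validated input, an argv list (no shell) and '--' so curl never reads the value as an option."""
    host = validate_target(target)
    if ":" in host:            # IPv6 literal must be bracketed inside a URL
        host = f"[{host}]"
    return ["curl", "-sS", "-m", "2", "-o", "/dev/null", "--", f"http://{host}/"]


def run_diag(target: str) -> int:
    """Hardened runner: no shell=True, returns curl's exit code."""
    return subprocess.run(hardened_diag_argv(target), timeout=10).returncode


def rejects(target: str) -> bool:
    try:
        hardened_diag_argv(target)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable shell command printed:", demo_injection().strip())
    for t in ["192.0.2.10", "router.example", "2001:db8::1",
              "192.0.2.10; id", "$(id)", "-o/tmp/x"]:
        print(f"{t!r:20} -> {'rejected' if rejects(t) else hardened_diag_argv(t)}")
```

Both halves of the fix matter: validation stops shell syntax and option-looking values, and the argv list means there is no shell to interpret anything that slips through. The `--` separator is cheap insurance for the argument-injection case on curl's side.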

Statistics

  • 1 Post

Last activity: 8 hours ago

Fediverse

⚠️ CVE-2026-25857: HIGH-severity OS command injection in Tenda G300-F routers (≤16.01.14.2). No patch yet — exposure of management interface risks full device compromise. Restrict access, monitor WAN diagnostics. Details: radar.offseq.com/threat/cve-20


Overview

  • Go toolchain
  • cmd/go

28 Jan 2026
Published
29 Jan 2026
Updated

CVSS
Pending
EPSS
0.01%

KEV

Description

Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file supplies command-line arguments to the pkg-config command that the Go toolchain runs. An attacker can place a "--log-file" argument in this directive, causing pkg-config to write to an attacker-controlled location.
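
Because everything after `pkg-config:` in a cgo directive ends up on the pkg-config command line, a pre-build check over dependency sources can look for tokens that are options rather than package names. The scanner below is an added example, not the Go toolchain's own check; the list of permitted options and the sample Go source are assumptions constructed for it.

```python
"""Scan Go sources for '#cgo pkg-config:' directives that carry options.

Added example, not cmd/go code. A token beginning with '-' in the directive
is an option to pkg-config, not a package name; ALLOWED_OPTIONS is an
assumption for this example and the sample source is constructed.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Matches '#cgo [constraint ...] pkg-config: <args>' whether the line sits in a
# '//' comment or inside a '/* */' preamble block.
DIRECTIVE_RE = re.compile(r"^\s*(?://)?\s*#cgo\s+(?:[^:\s]+\s+)*?pkg-config:\s*(.*?)\s*$")

# Options a pkg-config directive legitimately needs; anything else starting
# with '-' is reported (assumption; tighten to taste).
ALLOWED_OPTIONS = {"--static"}
SHELL_META = set(";|&$`<>()\\'\"")


@dataclass
class Finding:
    path: str
    lineno: int
    token: str
    directive: str


def scan_source(text: str, path: str = "<string>") -> list[Finding]:
    """Report option-like or shell-metacharacter tokens in pkg-config directives."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        for token in m.group(1).split():
            option_like = token.startswith("-") and token not in ALLOWED_OPTIONS
            if option_like or SHELL_META & set(token):
                findings.append(Finding(path, lineno, token, line.strip()))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Walk a checkout, vendor directory or module cache; cgo directives live in .go files."""
    findings: list[Finding] = []
    for go_file in sorted(root.rglob("*.go")):
        findings.extend(scan_source(go_file.read_text(errors="replace"), str(go_file)))
    return findings


# Constructed sample: line 4 is a normal directive, line 5 smuggles --log-file.
SAMPLE_GO = """package gtk

/*
#cgo pkg-config: --static gtk+-3.0
#cgo linux pkg-config: --log-file /tmp/build.log glib-2.0
#include <gtk/gtk.h>
*/
import "C"
"""

if __name__ == "__main__":
    hits = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_source(SAMPLE_GO, "sample.go")
    for f in hits:
        print(f"{f.path}:{f.lineno}: option {f.token!r} in {f.directive!r}")
    sys.exit(1 if hits else 0)
```

Point it at the module cache or vendor tree before `go build` runs in CI; a non-zero exit blocks the build until someone has looked at the directive.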

Statistics

  • 1 Post

Last activity: Last hour

Bluesky

🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2025-61731 impacts libcap in 20 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/399 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless

Overview

  • quickjs-ng
  • quickjs

19 Jan 2026
Published
20 Jan 2026
Updated

CVSS v4.0
MEDIUM (5.3)
EPSS
0.06%

KEV

Description

A vulnerability was detected in quickjs-ng quickjs up to 0.11.0, in an unknown function of the file quickjs.c in the Atomics Ops Handler component. The manipulation results in a use after free. The attack can be executed remotely. A public exploit exists and may be used. The fix is commit ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141; applying it is advised.

Statistics

  • 1 Post

Last activity: 19 hours ago

Bluesky

[Backport release-25.11] quickjs{,-ng}: react to CVE-2026-1144 and CVE-2026-1145 https://github.com/NixOS/nixpkgs/pull/486490 #security

Overview

  • quickjs-ng
  • quickjs

19 Jan 2026
Published
20 Jan 2026
Updated

CVSS v4.0
MEDIUM (5.3)
EPSS
0.07%

KEV

Description

A flaw has been found in quickjs-ng quickjs up to 0.11.0, in the function js_typed_array_constructor_ta of the file quickjs.c. The manipulation causes a heap-based buffer overflow. The attack can be carried out remotely. A public exploit exists and may be used. The fix is commit 53aebe66170d545bb6265906fe4324e4477de8b4; installing it is advised.

Statistics

  • 1 Post

Last activity: 19 hours ago

Bluesky

[Backport release-25.11] quickjs{,-ng}: react to CVE-2026-1144 and CVE-2026-1145 https://github.com/NixOS/nixpkgs/pull/486490 #security