Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1941+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
All tags
296 articles

#CVE

All CosmicBytez Labs articles tagged #CVE, across news, security advisories, how-to guides, and projects.

  • SecurityJul 16, 2026

    CVE-2026-42533: NGINX Memory Corruption via Map Directive Regex (CVSS 8.1)

    A vulnerability in NGINX Plus and NGINX Open Source allows map directives using regex matching with capture variables to trigger memory corruption when the capture variable is referenced before the map output variable.

  • SecurityJul 16, 2026

    CVE-2026-56699: Critical NDJSON Injection in Wazuh Manager (CVSS 10.0)

    CVSS 10.0 flaw in Wazuh Manager 5.0 beta lets enrolled agents inject NDJSON ops into OpenSearch under admin credentials, deleting logs and corrupting alerts.

  • SecurityJul 16, 2026

    CVE-2026-61736: LightRAG Critical CORS Credential Bypass (CVSS 9.3)

    LightRAG's default server configuration combines CORS_ORIGINS=* with allow_credentials=True, allowing any origin to make credentialed cross-origin requests and exposing knowledge graphs to unauthorized access.

  • SecurityJul 14, 2026

    CVE-2026-13221: Perl Regex Trie Overflow Produces Silent Incorrect Matches

    A critical flaw in Perl through 5.43.9 causes regex alternations with more than 65,535 branches to silently produce incorrect matches, potentially bypassing security filters that rely on regex validation.

  • SecurityJul 14, 2026

    CVE-2026-14453: Critical SSTI to RCE in Centreon Open Tickets (CVSS 9.6)

    A critical Server-Side Template Injection vulnerability in Centreon's centreon-open-tickets module allows unauthenticated attackers to achieve Remote Code Execution via the unsanitized message_confirm field.

  • SecurityJul 14, 2026

    CVE-2026-57433: Perl Storable Signed Integer Overflow in SX_HOOK Deserialization

    A CVSS 9.8 signed integer overflow in Perl's Storable module (before 3.41) allows a crafted SX_HOOK record to wrap an I32_MAX item count to -1, corrupting heap memory and potentially enabling remote code execution.

  • SecurityJul 14, 2026

    CVE-2026-58065: Apache Airflow Git Provider Disables SSH Host Key Verification

    The Apache Airflow Git provider runs git-over-SSH with StrictHostKeyChecking=no by default, allowing a network-position attacker to silently impersonate the Git server and steal SSH credentials or inject malicious code.

  • SecurityJul 14, 2026

    CVE-2026-61500: Rejetto HFS Session Cookie Key Derived from Math.random()

    Rejetto HFS 3.0.0–3.2.0 derives its session-cookie signing key from JavaScript's non-cryptographic Math.random(), and leaks generator outputs to unauthenticated clients — enabling full session forgery with CVSS 9.8.

  • SecurityJul 13, 2026

    CVE-2008-4128: Cisco IOS Cross-Site Request Forgery Vulnerability

    Cisco IOS 12.4 contains multiple CSRF vulnerabilities that allow remote attackers to execute arbitrary commands. The flaw has been added to the CISA Known Exploited Vulnerabilities catalog, signaling active exploitation.

  • SecurityJul 13, 2026

    CVE-2026-11964: WordPress User Registration Plugin PayPal Webhook Bypass

    The User Registration & Membership WordPress plugin before 5.2.2 fails to verify PayPal webhook signatures, allowing unauthenticated attackers to forge payment events and gain free premium memberships.

  • SecurityJul 12, 2026

    CVE-2026-15488: Unrestricted File Upload in shiroiAdmin Enables Remote Code Execution

    A high-severity unrestricted file upload vulnerability in shiroiAdmin versions 1.1 and 1.3 allows unauthenticated remote attackers to upload PHP webshells and achieve remote code execution.

  • SecurityJul 12, 2026

    CVE-2026-15489: SQL Injection in TOKO-ONLINE-ROTI Login Endpoint

    A high-severity SQL injection vulnerability in the TOKO-ONLINE-ROTI bakery management system allows remote attackers to manipulate the login.php Username parameter and compromise the backend database without authentication.

  • SecurityJul 12, 2026

    CVE-2026-15490: SQL Injection in TOKO-ONLINE-ROTI Product Add Endpoint

    A high-severity SQL injection vulnerability in the TOKO-ONLINE-ROTI PHP bakery system allows remote attackers to manipulate the kode_produk and kd_cs parameters in proses/add.php, enabling database compromise.

  • SecurityJul 12, 2026

    CVE-2026-60090: PraisonAI SQL Injection via Unvalidated Dimension Parameter in Vector Store Backends

    A CVSS 9.8 critical SQL injection vulnerability in PraisonAI before 4.6.78 allows attackers to exploit the unvalidated dimension argument in PGVector and...

  • SecurityJul 12, 2026

    CVE-2026-61445: PraisonAI AICoder Arbitrary File Write and Command Injection via LLM Tool Calls

    A CVSS 9.9 critical vulnerability in PraisonAI before 4.6.78 allows attackers to write files to arbitrary filesystem locations and execute arbitrary OS...

  • SecurityJul 12, 2026

    CVE-2026-61447: PraisonAI CodeAgent Remote Code Execution via Unsandboxed Python Execution

    A CVSS 10.0 critical vulnerability in PraisonAI before 1.6.78 allows attackers to achieve remote code execution by injecting malicious prompts that...

  • SecurityJul 11, 2026

    CVE-2026-13353: WordPress WP Ultimate CSV Importer RCE via MappedFields Parameter

    A critical CVSS 8.8 remote code execution vulnerability in WP Ultimate CSV Importer allows unauthenticated attackers to execute arbitrary PHP code on...

  • SecurityJul 11, 2026

    CVE-2026-48939: iCagenda Unrestricted File Upload Allows PHP Code Execution

    A critical unrestricted file upload vulnerability in the iCagenda Joomla event calendar plugin allows unauthenticated attackers to upload arbitrary PHP...

  • SecurityJul 11, 2026

    CVE-2026-56765: Vikunja Authorization Bypass Enables Permission Escalation

    A critical authorization flaw in Vikunja task manager (CVSS 9.8) exposes share hashes via LinkSharing.ReadAll and allows task attachment access through...

  • SecurityJul 11, 2026

    CVE-2026-59792: JetBrains IntelliJ IDEA Remote Code Execution via Path Traversal

    A critical RCE vulnerability (CVSS 9.6) in JetBrains IntelliJ IDEA before 2026.1.4 allows code execution through path traversal in project workspace ID...

  • SecurityJul 10, 2026

    CVE-2026-15158: WordPress Blocksy Companion Arbitrary File Upload (CVSS 9.8)

    A critical arbitrary file upload vulnerability in the Blocksy Companion WordPress plugin (versions up to 2.1.46) allows unauthenticated attackers to...

  • SecurityJul 10, 2026

    CVE-2026-2342: ValeApp Stored Cross-Site Scripting (CVSS 9.3)

    A critical stored XSS vulnerability in OceanicSoft's ValeApp allows attackers to inject persistent JavaScript payloads that execute in every victim's...

  • SecurityJul 10, 2026

    CVE-2026-56291: Balbooa Forms Unrestricted File Upload Enables Full RCE

    A critical unauthenticated file upload vulnerability in Balbooa Forms for Joomla allows attackers to upload executable files and achieve full remote code...

  • SecurityJul 10, 2026

    CVE-2026-5955: BiEticaret E-Commerce SQL Injection (CVSS 9.8)

    A critical SQL injection vulnerability in Inrove Software's BiEticaret e-commerce platform (versions before v3.3.57) allows unauthenticated attackers to...

  • SecurityJul 9, 2026

    CVE-2026-15062: Critical SQL Injection in Snowflake Snowpark Python SDK

    A critical-severity SQL injection vulnerability (CVSS 9.6) in the Snowflake Snowpark Python SDK allows authenticated low-privilege users to execute SQL...

  • SecurityJul 9, 2026

    CVE-2026-35210: OpenCTI Authorization Bypass Allows Confidence Level and Object Marking Circumvention

    An authentication bypass vulnerability in OpenCTI prior to 7.260326.0 allows any authenticated user with KNOWLEDGE_KNUPDATE permission to bypass...

  • SecurityJul 9, 2026

    CVE-2026-47831: Weak RNG in BOSH Windows Stemcell Builder Enables Remote Password Prediction

    A cryptographically weak random number generator in the GenerateRandomPassword function of bosh-windows-stemcell-builder allows remote attackers to...

  • SecurityJul 8, 2026

    CVE-2026-12153: WP Learn Manager Plugin — Unauthenticated Authorization Bypass Allows Plugin Installation

    A critical CVSS 9.8 authorization bypass in the WP Learn Manager WordPress plugin allows unauthenticated attackers to install and activate arbitrary...

  • SecurityJul 8, 2026

    CVE-2026-13019: Esri ArcGIS Portal Critical Unauthenticated API Access

    A critical missing authentication vulnerability in Esri Portal for ArcGIS 12.1 and earlier allows remote unauthenticated attackers to access protected API...

  • SecurityJul 8, 2026

    CVE-2026-14487: WordPress Simple Coherent Form Plugin — Critical Unauthenticated File Deletion

    A critical CVSS 9.1 vulnerability in the Simple Coherent Form WordPress plugin allows unauthenticated attackers to delete arbitrary files on the server,...

  • SecurityJul 8, 2026

    CVE-2026-48908: JoomShaper SP Page Builder Unrestricted File Upload RCE

    A critical unrestricted file upload vulnerability in JoomShaper's SP Page Builder allows unauthenticated attackers to upload arbitrary PHP files and...

  • SecurityJul 8, 2026

    CVE-2026-9695: DELMIA Apriso Manufacturing MES — Improper Authentication Enables Privileged Server Access

    A critical CVSS 9.8 improper authentication vulnerability in Dassault Systèmes DELMIA Apriso (releases 2020–2026) allows unauthenticated attackers to gain...

  • SecurityJul 8, 2026

    CVE-2026-9701: WordPress Eventer Plugin — Insecure Password Reset Enables Account Takeover

    A critical CVSS 9.8 vulnerability in the Eventer WordPress plugin exposes plaintext password reset keys in user meta, allowing unauthenticated attackers...

  • SecurityJul 7, 2026

    CVE-2025-53827: ownCloud Updater Exposes Dangerous Method (CVSS 9.1)

    A critical vulnerability in ownCloud Core's Updater component exposes a dangerous method to administrators, enabling potential remote code execution on...

  • SecurityJul 6, 2026

    CVE-2024-6228: WordPress WANotifier Plugin Local File Inclusion

    A local file inclusion vulnerability in the WANotifier WordPress plugin (before v2.6) allows any authenticated subscriber-level user to include and...

  • SecurityJul 6, 2026

    CVE-2026-14771: SQL Injection in SourceCodester Class and Exam Timetabling System

    An unauthenticated remote SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows attackers to manipulate the id...

  • SecurityJul 5, 2026

    CVE-2026-14635: Unrestricted File Upload RCE in CodeIgniter Ecommerce Bootstrap

    A high-severity unrestricted file upload vulnerability in the kirilkirkov Ecommerce-CodeIgniter-Bootstrap allows authenticated vendor users to upload...

  • SecurityJul 5, 2026

    CVE-2026-14637: PHP Deserialization RCE in CodeIgniter Ecommerce Bootstrap Shopping Cart

    A high-severity PHP deserialization vulnerability in the kirilkirkov Ecommerce-CodeIgniter-Bootstrap allows attackers to inject malicious serialized...

  • SecurityJul 5, 2026

    CVE-2026-14641: Remote SQL Injection in SourceCodester Class and Exam Timetabling System

    A high-severity SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to dump the...

  • SecurityJul 5, 2026

    CVE-2026-14642: Remote SQL Injection in SourceCodester Timetabling System edit_class2.php

    A high-severity SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to fully...

  • NewsJul 4, 2026

    New 'Bad Epoll' Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android

    A use-after-free bug in the Linux kernel's epoll subsystem — CVE-2026-46242 — lets any local user escalate to root on Linux 6.4+ with ~99% reliability. A...

  • SecurityJul 4, 2026

    CVE-2026-4321: Critical SQL Injection in Raera Destekz Plugin (No Patch Available)

    A CVSS 9.8 critical SQL injection in the Destekz plugin by Raera - Ankara Web Design allows unauthenticated remote attackers full database access. The...

  • SecurityJul 4, 2026

    CVE-2026-49814: Dell PowerProtect Data Domain OS Command Injection

    A high-severity OS command injection vulnerability in Dell PowerProtect Data Domain allows authenticated remote attackers to execute arbitrary commands...

  • NewsJul 2, 2026

    Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials

    Anubis ransomware affiliates are exploiting CVE-2025-5777 (Citrix Bleed 2) for initial access while pairing BYOVD techniques and stolen supply chain...

  • NewsJul 2, 2026

    SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation

    CISA has added a high-severity Microsoft SharePoint Server remote code execution vulnerability to its Known Exploited Vulnerabilities catalog following...

  • SecurityJul 2, 2026

    CVE-2026-14198: Fastify Middie Middleware Path Bypass (CVSS 9.1)

    Critical path bypass vulnerability in @fastify/middie versions 9.1.0 through 9.3.2 allows attackers to evade middleware protection by exploiting a %2F...

  • SecurityJul 2, 2026

    CVE-2026-52186: Critical SQL Injection RCE in UTT nv518G Router

    A critical SQL injection vulnerability (CVSS 9.8) in the UTT nv518G router allows unauthenticated remote attackers to execute arbitrary code via the...

  • NewsJul 1, 2026

    Progress Kemp LoadMaster Pre-Auth RCE Flaw Faces Active Exploitation Attempts

    A critical pre-authentication remote code execution flaw in Progress Kemp LoadMaster (CVE-2026-8037, CVSS 9.6) is under active exploitation attempts,...

  • SecurityJul 1, 2026

    CVE-2025-36359: IBM DevOps Session Hijacking Vulnerability (CVSS 8.1)

    IBM DevOps Automation and IBM DevOps Loop fail to invalidate session IDs after expiration, allowing authenticated attackers to impersonate other users via...

  • SecurityJul 1, 2026

    CVE-2026-12923: YouTube Showcase WordPress Plugin Arbitrary Function Call

    A high-severity arbitrary function call vulnerability in the YouTube Showcase plugin allows authenticated attackers to invoke arbitrary PHP functions via...

  • SecurityJul 1, 2026

    CVE-2026-9711: Critical SQL Injection in EventON WordPress Plugin (CVSS 9.8)

    A critical unauthenticated SQL injection vulnerability in the EventON WordPress Virtual Event Calendar Plugin affects versions up to 5.0.11, exposing...

  • NewsJun 30, 2026

    BlueHammer Vulnerability Exploited in Ransomware Attacks Before Microsoft Patch

    The Microsoft Defender vulnerability CVE-2026-33825 was actively exploited as a zero-day by ransomware groups before Microsoft had the chance to release a...

  • NewsJun 30, 2026

    Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints

    Threat actors are actively weaponizing CVE-2026-33017, a critical unauthenticated RCE flaw in Langflow, to deploy a Monero miner via the lambsys...

  • NewsJun 30, 2026

    Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild

    A critical CVSS 9.8 authentication bypass vulnerability in Oracle E-Business Suite's Payments module is being actively exploited in the wild, according to...

  • SecurityJun 30, 2026

    CVE-2026-12073: ProfileGrid WordPress Plugin Critical Privilege Escalation

    A critical CVSS 9.8 vulnerability in the ProfileGrid WordPress plugin allows unauthenticated attackers to take over any user account and escalate...

  • SecurityJun 30, 2026

    CVE-2026-13550: SQL Injection in itsourcecode Baptism Information Management System 1.0

    A high-severity SQL injection vulnerability has been identified in itsourcecode Baptism Information Management System 1.0, allowing remote attackers to...

  • SecurityJun 30, 2026

    CVE-2026-13551: SQL Injection in itsourcecode Baptism Information Management System 1.0 (editBaptism.php)

    A second high-severity SQL injection vulnerability has been disclosed in itsourcecode Baptism Information Management System 1.0, this time affecting the...

  • SecurityJun 30, 2026

    CVE-2026-53434: Critical Apache Tomcat CRL Configuration Flaw (CVSS 9.1)

    A critical vulnerability in Apache Tomcat's FFM/Panama TLS connector silently ignores invalid or malformed CRL configurations, causing the server to...

  • NewsletterJun 30, 2026

    June 30 Digest: BlueHammer Zero-Day, Ransomware Goes Corporate, AI Supply Chain Risks & Nation-State ICS Threats

    A Microsoft Defender zero-day fuels ransomware before any patch exists; researchers dissect how syndicate groups run HR departments and tiered pricing;...

  • NewsJun 29, 2026

    Critical SimpleHelp Flaw Exploited to Deploy Djinn Infostealer

    Hackers are actively exploiting CVE-2026-48558 in SimpleHelp remote support software to deploy Djinn Stealer, a previously undocumented cross-platform...

  • NewsJun 29, 2026

    Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw

    A heap overflow in libssh2's transport layer allows a malicious SSH server to achieve pre-authentication RCE against any connecting client. All versions...

  • SecurityJun 29, 2026

    CVE-2026-13521: SQL Injection in SourceCodester Class and Exam Timetabling System

    A remotely exploitable SQL injection vulnerability affects SourceCodester Class and Exam Timetabling System 1.0 via the course_year_section parameter in...

  • SecurityJun 29, 2026

    CVE-2026-13526: SQL Injection in SourceCodester Class and Exam Timetabling System

    A remotely exploitable SQL injection flaw in SourceCodester's Class and Exam Timetabling System 1.0 allows unauthenticated attackers to manipulate...

  • SecurityJun 29, 2026

    CVE-2026-49048: Critical SQL Injection in JoomCCK Joomla Extension

    A critical unauthenticated SQL injection vulnerability (CVSS 9.8) in the JoomCCK Joomla extension allows attackers to read, modify, or delete database...

  • NewsJun 28, 2026

    Why Patch Directives Only Go So Far

    Six weeks of undetected access through a compromised VPN appliance exposes a hard truth: patching is necessary but not sufficient. Organisations already...

  • SecurityJun 28, 2026

    CVE-2026-13485: SQL Injection in SourceCodester Class and Exam Timetabling System

    A high-severity SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to...

  • SecurityJun 28, 2026

    CVE-2026-13486: SQL Injection in SourceCodester Class and Exam Timetabling System (preview6.php)

    A second high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 targets /preview6.php via the...

  • SecurityJun 28, 2026

    CVE-2026-13487: SQL Injection in SourceCodester Timetabling System (/archive.php)

    A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated attackers to manipulate the...

  • SecurityJun 28, 2026

    CVE-2026-13488: SQL Injection in SourceCodester Timetabling System (/preview7.php)

    A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated attackers to manipulate the...

  • SecurityJun 28, 2026

    CVE-2026-13498: SQL Injection in Restaurant Management System via Password Reset

    A high-severity SQL injection vulnerability in yashpokharna2555's restaurant management system allows unauthenticated attackers to exploit the...

  • SecurityJun 28, 2026

    CVE-2026-58053: Newly Disclosed Informational Vulnerability

    CVE-2026-58053 was disclosed on June 28, 2026 with an informational severity rating. NVD analysis is pending; no exploitation or vendor advisory has been...

  • SecurityJun 28, 2026

    CVE-2026-8095: WordPress Frontend File Manager Plugin Allows Arbitrary File Deletion

    A high-severity authenticated file deletion vulnerability in the nmedia Frontend File Manager Plugin for WordPress allows subscribers to delete any file...

  • SecurityJun 27, 2026

    CVE-2025-55017: Apache IoTDB Critical Path Traversal Vulnerability

    Critical path traversal vulnerability (CVSS 9.1) in Apache IoTDB affects versions 1.0.0 through 1.3.5 and 2.0.0 through 2.0.5. Users must upgrade...

  • SecurityJun 27, 2026

    CVE-2025-64152: Apache IoTDB Second Critical Path Traversal Flaw

    A second critical path traversal vulnerability (CVSS 9.1) in Apache IoTDB affects versions 1.0.0 through 1.3.5 and 2.0.0 through 2.0.6. Patch to 1.3.6 or...

  • SecurityJun 27, 2026

    CVE-2026-52884: Notepad++ Trusted Directory Bypass via Path Traversal (CVSS 7.8)

    A path traversal flaw in Notepad++ v8.9.6.1 allows attackers to bypass the trusted directory plugin verification check using path sequences, potentially...

  • SecurityJun 27, 2026

    CVE-2026-54350: Budibase Unauthenticated Database Read & Write (CVSS 10.0)

    A critical CVSS 10.0 flaw in Budibase allows unauthenticated visitors of any published app to read every document in backing database collections and...

  • SecurityJun 27, 2026

    CVE-2026-54352: Budibase Zip Upload Path Traversal Enables Remote Code Execution (CVSS 9.6)

    A critical path traversal vulnerability in Budibase's zip upload endpoint allows attackers to write arbitrary files outside the intended temp directory,...

  • NewsJun 26, 2026

    First-Ever Exploitation of PTC Windchill Vulnerability Discovered in the Wild

    CISA has added CVE-2026-12569, a remote code execution flaw in PTC Windchill, to its Known Exploited Vulnerabilities catalog after confirming active...

  • SecurityJun 26, 2026

    CVE-2026-46735: Dell DDPM Mac OS Command Injection Allows Local Privilege Escalation

    A high-severity OS command injection flaw in Dell Display and Peripheral Manager for macOS (versions prior to 2.3) allows low-privileged local attackers...

  • NewsJun 25, 2026

    Mandiant Reveals How Cisco SD-WAN Zero-Day CVE-2026-20245 Gained Root Access

    Mandiant's post-incident analysis exposes a sophisticated multi-stage attack chain that exploited CVE-2026-20245 to plant a hidden root account on Cisco...

  • SecurityJun 25, 2026

    CVE-2026-12569: PTC Windchill and FlexPLM Remote Code Execution Vulnerability

    A critical unauthenticated RCE vulnerability in PTC Windchill and FlexPLM (CVSS 9.3) has been added to CISA's Known Exploited Vulnerabilities catalog,...

  • SecurityJun 25, 2026

    CVE-2026-45688: Rocket.Chat CAS Login MongoDB Operator Injection (CVSS 9.1)

    Critical unauthenticated account takeover vulnerability in Rocket.Chat's CAS login handler passes unsanitized client input directly into a MongoDB findOne...

  • SecurityJun 25, 2026

    CVE-2026-45689: Rocket.Chat OAuth Token Hijack via MongoDB Operator Injection (CVSS 9.1)

    Critical pre-authentication vulnerability in Rocket.Chat allows any unauthenticated network attacker to obtain a valid OAuth access token for an arbitrary...

  • SecurityJun 24, 2026

    CVE-2026-12485: GeoVision GV-I/O Box 4E UDP Stack Overflow (IP Address Field)

    A critical CVSS 10.0 stack-based buffer overflow in the GeoVision GV-I/O Box 4E DVRSearch service allows unauthenticated remote attackers to achieve...

  • SecurityJun 24, 2026

    CVE-2026-12486: GeoVision GV-I/O Box 4E OS Command Injection via libNetSetObj.so

    Multiple OS command injection vulnerabilities in GeoVision GV-I/O Box 4E firmware 2.09 allow attackers with network access to execute arbitrary system...

  • SecurityJun 24, 2026

    CVE-2026-12846: GeoVision GV-I/O Box 4E UDP Stack Overflow (Net Mask Field)

    A second critical CVSS 10.0 stack-based buffer overflow in GeoVision GV-I/O Box 4E firmware 2.09 — this time in the Net Mask field handling of the...

  • NewsJun 23, 2026

    29-Year-Old Squid Proxy Bug 'Squidbleed' Can Leak Cleartext HTTP Requests

    A heap over-read vulnerability introduced in a 1997 FTP parser change allows a malicious co-user of a shared Squid proxy to read other users' cleartext...

  • SecurityJun 23, 2026

    CVE-2025-67038: Lantronix EDS5000 OS Command Injection Vulnerability

    A critical OS command injection flaw in the Lantronix EDS5000 serial device server allows unauthenticated attackers to inject arbitrary commands via the...

  • NewsJun 22, 2026

    FFmpeg Fixes PixelSmash Flaw in Widely Used Video Decoder

    FFmpeg has patched a critical vulnerability dubbed PixelSmash that could enable remote code execution on Jellyfin servers and denial-of-service conditions...

  • NewsJun 22, 2026

    A Record-Breaking Patch Tuesday for June 2026

    Microsoft's June 2026 Patch Tuesday addressed nearly 200 security vulnerabilities — the highest single-month patch count in the company's history —...

  • NewsJun 21, 2026

    Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

    Active exploitation of CVE-2026-4020 in the Gravity SMTP WordPress plugin has generated over 17 million malicious requests, allowing unauthenticated...

  • NewsJun 19, 2026

    Splunk Enterprise Vulnerability Exploited in Attacks Days After Disclosure

    CVE-2026-20253, a critical unauthenticated remote code execution flaw in Splunk Enterprise, is being actively exploited in the wild just days after public...

  • SecurityJun 19, 2026

    CVE-2026-54414: FileRise Path Traversal Enables Arbitrary File Write and Admin Takeover

    A critical path traversal vulnerability in FileRise before 3.16.0 allows unauthenticated attackers to write arbitrary files and completely compromise...

  • SecurityJun 19, 2026

    CVE-2026-7515: BetterDocs Pro WordPress Plugin — Unauthenticated Local File Inclusion

    A critical Local File Inclusion vulnerability in the BetterDocs Pro WordPress plugin (up to v3.8.0) allows unauthenticated attackers to include and...

  • NewsJun 18, 2026

    F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution

    F5 has released emergency security updates for two critical vulnerabilities in NGINX Open Source, including a CVSS 9.2 use-after-free flaw in the HTTP/3...

  • NewsJun 17, 2026

    Attackers Hit Pair of Critical Fortinet Vulnerabilities the Vendor Disclosed in April

    Multiple threat intelligence firms have confirmed active exploitation of two critical vulnerabilities in Fortinet's FortiSandbox product — security flaws...

  • NewsJun 17, 2026

    CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

    CISA has added a maximum-severity vulnerability in the Joomla Content Editor (JCE) plugin to its Known Exploited Vulnerabilities catalog, warning that the...

  • SecurityJun 16, 2026

    CVE-2026-39574: Critical SQL Injection in InPost Gallery WordPress Plugin

    A critical unauthenticated SQL injection vulnerability (CVSS 9.3) in the InPost Gallery WordPress plugin allows attackers to extract sensitive database...

  • SecurityJun 16, 2026

    CVE-2026-6933: Unauthenticated RCE in Premmerce Dev Tools WordPress Plugin

    A high-severity unauthenticated remote code execution vulnerability (CVSS 8.8) in Premmerce Dev Tools for WordPress allows attackers to execute arbitrary...

  • SecurityJun 16, 2026

    CVE-2026-9862: Fortra BoKS OS Command Injection — CVSS 9.8 RCE

    Critical OS command injection in Fortra Core Privileged Access Manager allows unauthenticated remote code execution via the boks_autoregisterd service at...

  • NewsJun 15, 2026

    Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw

    Palo Alto Networks has confirmed active exploitation of CVE-2026-0257, an authentication bypass vulnerability in PAN-OS GlobalProtect portals carrying a...

  • SecurityJun 15, 2026

    CVE-2026-12204: ShopXO Scheduled Task Authorization Bypass

    A CVSS 7.3 authorization bypass vulnerability in ShopXO up to 6.7.1 allows unauthenticated access to scheduled task endpoints in the Crontab controller,...

  • SecurityJun 15, 2026

    CVE-2026-8935: WP Maps Pro Unauthenticated Admin Account Creation (CVSS 9.8)

    A critical unauthenticated vulnerability in the WP Maps Pro WordPress plugin before 6.1.1 allows any visitor to create an administrator account and...

  • NewsJun 14, 2026

    Google Confirms ShinyHunters Exploited Oracle PeopleSoft Zero-Day CVE-2026-35273

    Google's Threat Intelligence Group confirmed in-the-wild exploitation of Oracle PeopleSoft zero-day CVE-2026-35273 by ShinyHunters, even as Oracle...

  • SecurityJun 14, 2026

    CVE-2026-54420: LiteSpeed cPanel Plugin Symlink Escape on Shared Hosting

    A high-severity symlink vulnerability in the LiteSpeed cPanel plugin (CVSS 8.5) allows users with FTP or web shell access to escape CloudLinux/CageFS...

  • SecurityJun 14, 2026

    CVE-2026-5513: Bookly WordPress Plugin Stored XSS via Cookie

    The Bookly scheduling plugin for WordPress contains a stored cross-site scripting vulnerability in versions up to 27.2, allowing unauthenticated attackers...

  • NewsJun 13, 2026

    Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication

    Splunk patches CVE-2026-20253, a CVSS 9.8 critical vulnerability enabling unauthenticated file operations and remote code execution in Splunk Enterprise.

  • SecurityJun 13, 2026

    CVE-2026-44990: sanitize-html XMP Element XSS Bypass (CVSS 9.3)

    sanitize-html versions prior to 2.17.4 allow attacker-controlled content inside a disallowed xmp element to render as live HTML, enabling stored XSS.

  • SecurityJun 12, 2026

    CVE-2026-41005: Cloud Foundry UAA SAML Signature Bypass

    A high-severity vulnerability (CVSS 9.0) in Cloud Foundry UAA allows attackers to bypass authentication by exploiting the incorrect treatment of XML...

  • SecurityJun 12, 2026

    CVE-2026-47365: WordPress Toolkit Argument Injection in cPanel & WHM

    A critical CVSS 9.9 argument injection vulnerability in WordPress Toolkit before 6.11.0 allows remote authenticated users to bypass cross-tenant...

  • SecurityJun 12, 2026

    CVE-2026-47367: UID Enterprise Agent Command Injection via Improper Input Validation

    A critical CVSS 9.9 command injection vulnerability in UID Enterprise Agent allows a low-privileged network attacker to execute arbitrary commands on the...

  • SecurityJun 12, 2026

    CVE-2026-47369: UniFi OS Privilege Escalation via Improper Input Validation

    A critical CVSS 9.9 privilege escalation vulnerability in Ubiquiti UniFi OS allows a low-privileged network attacker to escalate privileges within UniFi...

  • SecurityJun 12, 2026

    CVE-2026-47370: UniFi OS Command Injection via Improper Input Validation

    A critical CVSS 9.9 command injection vulnerability in Ubiquiti UniFi OS allows a low-privileged network attacker to execute arbitrary commands within...

  • NewsJun 11, 2026

    Microsoft Patches Exploited Exchange Server Vulnerability CVE-2026-42897

    Microsoft has released a patch for CVE-2026-42897, an Exchange Server zero-day that has been under active exploitation since at least May 14, 2026. The...

  • NewsJun 11, 2026

    Oracle Mitigates PeopleSoft Zero-Day Exploited in Data Theft Attacks

    Oracle has issued an emergency mitigation for CVE-2026-35273, a critical unauthenticated RCE flaw in PeopleSoft Suite being actively exploited by the...

  • NewsJun 11, 2026

    ShinyHunters Exploits Oracle PeopleSoft Zero-Day to Breach Universities

    The ShinyHunters group, tracked by Mandiant as UNC6240, has been exploiting CVE-2026-35273 in Oracle PeopleSoft to breach universities and higher...

  • SecurityJun 11, 2026

    CVE-2025-6254: WordPress Doctreat Core Plugin Privilege Escalation (CVSS 9.8)

    A critical unauthenticated privilege escalation vulnerability in the Doctreat Core WordPress plugin allows attackers to register with elevated roles,...

  • NewsJun 10, 2026

    Path Traversal Flaw in AI Dev Platform Langflow Exploited in Attacks

    Attackers are actively exploiting CVE-2026-5027, a high-severity path traversal vulnerability in Langflow, to write arbitrary files on exposed servers....

  • NewsJun 10, 2026

    Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE

    A high-severity path traversal flaw (CVE-2026-5027, CVSS 8.8) in the AI application builder Langflow is being actively exploited with no patch available....

  • SecurityJun 10, 2026

    CVE-2026-47928: Adobe ColdFusion Critical RCE — CVSS 9.6

    Adobe ColdFusion 2023.19 and 2025.8 are affected by a critical improper input validation flaw enabling unauthenticated remote code execution with scope change.

  • NewsJun 9, 2026

    Veeam Backup and Replication RCE Flaw Lets Domain Users Run Remote Code

    A critical CVE-2026-44963 flaw in Veeam Backup and Replication lets low-privilege domain users achieve remote code execution on backup servers. CVSS 9.4 —...

  • NewsJun 6, 2026

    Cisco Catalyst SD-WAN Manager CVE-2026-20245 Flaw Actively Exploited – No Patch Available

    Cisco has disclosed active exploitation of CVE-2026-20245, a high-severity vulnerability in Catalyst SD-WAN Manager with a CVSS score of 7.8. No patch is…

  • SecurityJun 6, 2026

    CVE-2026-21029: Samsung Galaxy Editing Service Privilege Escalation

    A high-severity vulnerability in Samsung's Galaxy Editing Service allows local attackers to execute privileged operations due to improper export of Android…

  • SecurityJun 6, 2026

    CVE-2026-7537: MDJM Event Management WordPress Plugin Arbitrary File Upload

    A high-severity arbitrary file upload vulnerability in the MDJM Event Management plugin for WordPress allows authenticated attackers to upload malicious files…

  • SecurityJun 6, 2026

    CVE-2026-9851: WordPress Booking Package Plugin Privilege Escalation via Account Takeover

    A high-severity privilege escalation vulnerability in the Booking Package WordPress plugin allows unauthenticated or low-privileged attackers to take over…

  • NewsJun 5, 2026

    Cisco Warns of Unpatched SD-WAN Zero-Day Exploited in Attacks

    Cisco has issued an emergency warning about an actively exploited, unpatched zero-day in Cisco Catalyst SD-WAN Manager (CVE-2026-20245) that enables root…

  • NewsJun 4, 2026

    CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog

    CISA has added a critical remote code execution vulnerability in the Mirasvit Cache Warmer Magento extension to its Known Exploited Vulnerabilities catalog…

  • SecurityJun 4, 2026

    CVE-2026-36576: Critical OS Command Injection in docker-wkhtmltopdf-aas

    A CVSS 9.8 OS command injection vulnerability in openlabs docker-wkhtmltopdf-aas allows unauthenticated remote code execution via a crafted POST request to…

  • SecurityJun 4, 2026

    CVE-2026-36748: High-Severity Stored XSS in RockRMS via Social Media Profile Links

    RockRMS versions up to v16.13 are vulnerable to a CVSS 9.0 stored cross-site scripting flaw that allows attackers to inject malicious scripts through social…

  • SecurityJun 4, 2026

    CVE-2026-41283: OpenStack Mistral Critical RCE Vulnerability (CVSS 9.9)

    A critical unauthenticated remote code execution flaw in OpenStack Mistral through 22.0.0 allows attackers to execute arbitrary commands via exposed API…

  • NewsJun 3, 2026

    Critical Kirki Flaw Exploited to Hijack WordPress Admin Accounts

    Hackers are actively exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the widely-used Kirki Customizer Framework plugin for…

  • SecurityJun 3, 2026

    CVE-2022-0492: Linux Kernel Improper Authentication Vulnerability

    A Linux kernel vulnerability in the cgroups v1 release_agent feature allows local attackers to escalate privileges and escape containers. Added to CISA KEV…

  • NewsJun 2, 2026

    Google Fixes One Actively Exploited Android Zero-Day, 124 Flaws in June 2026 Update

    Google's June 2026 Android security update patches 124 vulnerabilities including one zero-day flaw that has been actively exploited in targeted attacks…

  • NewsMay 30, 2026

    Palo Alto GlobalProtect VPN Auth Bypass Flaw Now Exploited in Attacks

    Palo Alto Networks warns that CVE-2026-0257, a CVSS 7.8 authentication bypass in PAN-OS GlobalProtect, is under active exploitation by hackers attempting...

  • SecurityMay 30, 2026

    CVE-2026-9558: Critical SSTI in Mautic Enables Authenticated RCE

    A Server-Side Template Injection flaw in Mautic's Twig-based theme engine allows authenticated users with theme upload permissions to execute arbitrary...

  • SecurityMay 29, 2026

    CVE-2026-35676: phpMyFAQ Unauthenticated Password Reset Vulnerability

    phpMyFAQ before 4.1.3 contains a CVSS 8.2 flaw allowing unauthenticated attackers to reset any account password without token validation, enabling full...

  • NewsMay 28, 2026

    Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code

    Rapid7 discloses a critical CVSS 9.4 RCE in Gogs, the popular self-hosted Git service, letting any authenticated user run arbitrary code on the server.

  • SecurityMay 28, 2026

    CVE-2025-12686: Synology BeeStation OS Critical Buffer Overflow RCE

    Buffer overflow in Synology BeeStation OS AdminCenter lets unauthenticated attackers execute code remotely (CVSS 9.8) — patch to 1.3.2-65648 now.

  • SecurityMay 27, 2026

    CVE-2026-44444: Lumiverse AI Plugin Install Scripts Enable RCE (CVSS 9.1)

    Critical Lumiverse <0.9.7 flaw lets malicious extensions execute arbitrary code via package.json lifecycle scripts run by the Spindle build pipeline.

  • SecurityMay 27, 2026

    CVE-2026-44451: Lumiverse AI Chat TSX Sandbox Escape (CVSS 9.3)

    Critical sandbox escape in Lumiverse <0.9.7 lets attackers bypass JS global shadowing via crafted TSX component overrides, enabling code execution.

  • SecurityMay 27, 2026

    CVE-2026-48027: Nx Console Embedded Malicious Code — CISA KEV

    CISA adds CVE-2026-48027 to KEV after a malicious Nx Console VS Code extension was found harvesting credentials from disk and memory via obfuscation.

  • NewsMay 26, 2026

    Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across

    Microsoft has released updates fixing CVE-2026-45659, a CVSS 8.8 remote code execution vulnerability in SharePoint Server that requires no specialized.

  • SecurityMay 26, 2026

    CVE-2018-25362: Twitter-Clone SQL Injection via follow.php

    Twitter-Clone 1 contains a high-severity SQL injection vulnerability in follow.php that allows attackers to extract sensitive database information through.

  • SecurityMay 26, 2026

    CVE-2026-9525: SQL Injection in itsourcecode Electronic

    A remotely exploitable SQL injection vulnerability in the admin panel of itsourcecode Electronic Judging System 1.0 allows attackers to manipulate database.

  • NewsMay 23, 2026

    Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV

    CISA has added CVE-2026-9082, a SQL injection vulnerability in Drupal Core, to its Known Exploited Vulnerabilities catalog following confirmed in-the-wild...

  • NewsMay 23, 2026

    Drupal: Critical SQL Injection Flaw Now Targeted in Attacks

    Drupal is warning that hackers are actively attempting to exploit a 'highly critical' SQL injection vulnerability, CVE-2026-9082, announced earlier this...

  • NewsMay 23, 2026

    LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run

    A maximum-severity vulnerability in the LiteSpeed User-End cPanel Plugin, tracked as CVE-2026-48172 with a CVSS score of 10.0, is under active...

  • SecurityMay 22, 2026

    CVE-2025-34291: Langflow Origin Validation Error

    CISA adds CVE-2025-34291 to the Known Exploited Vulnerabilities catalog — an overly permissive CORS configuration combined with a SameSite=None refresh...

  • NewsMay 21, 2026

    Drupal Patches Highly Critical Vulnerability Exposing

    Drupal has released an urgent security update for CVE-2026-9082, a highly critical flaw that can be exploited without authentication to achieve...

  • NewsMay 21, 2026

    Microsoft Warns of New Defender Zero-Days Exploited in Attacks

    Microsoft has issued emergency patches for two Windows Defender vulnerabilities that were actively exploited as zero-days before fixes were available....

  • NewsMay 18, 2026

    Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL

    A coordinated wave of critical security patches landed this week from Ivanti, Fortinet, SAP, VMware, and n8n. Topping the list is CVE-2026-8043 in Ivanti...

  • NewsMay 18, 2026

    Microsoft Exchange Zero-Day Under Attack, No Patch Available

    A zero-day XSS vulnerability in Microsoft Exchange Server (CVE-2026-42897) is being actively exploited in the wild, allowing attackers to compromise...

  • NewsMay 17, 2026

    Cisco Catalyst SD-WAN Controller Auth Bypass Actively

    Cisco has patched a maximum-severity authentication bypass flaw in its Catalyst SD-WAN Controller that has already been exploited in limited attacks....

  • NewsMay 17, 2026

    NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker

    A heap buffer overflow in NGINX's rewrite module is under active exploitation, days after disclosure. The CVSS 9.2 flaw impacts both NGINX Plus and Open...

  • SecurityMay 17, 2026

    CVE-2026-8719: WordPress AI Engine Plugin Privilege

    A missing WordPress capability check in the AI Engine plugin's MCP OAuth bearer-token path allows any authenticated user to escalate privileges to...

  • NewsMay 16, 2026

    Cisco Patches Another SD-WAN Zero-Day, the Sixth Exploited

    Cisco has patched CVE-2026-20182, a zero-day in Catalyst SD-WAN Manager that has been actively exploited in targeted attacks by sophisticated threat actor...

  • NewsMay 16, 2026

    Microsoft Rejects Critical Azure Vulnerability Report, No

    A security researcher claims Microsoft silently patched an Azure Backup for AKS vulnerability after rejecting his disclosure report — issuing no CVE and...

  • NewsMay 16, 2026

    Microsoft Warns of Exchange Server Zero-Day Exploited in the Wild

    Microsoft has shared mitigations for CVE-2026-42897 until a permanent patch can be released for affected Exchange Server versions actively being targeted...

  • SecurityMay 16, 2026

    CVE-2020-37228: iDS6 DSSPro Digital Signage CAPTCHA

    A critical CVSS 9.8 vulnerability in iDS6 DSSPro Digital Signage System 6.2 allows attackers to retrieve valid CAPTCHA codes from the login endpoint and...

  • SecurityMay 16, 2026

    CVE-2020-37239: libbabl 0.1.62 Broken Double-Free Detection

    A critical CVSS 9.8 memory safety flaw in libbabl 0.1.62 allows attackers to call babl_free() twice on the same pointer without triggering the library's...

  • SecurityMay 16, 2026

    CVE-2026-41258: OpenMRS Velocity Template Injection Enables

    A critical unsandboxed Apache Velocity template injection vulnerability in OpenMRS Core allows authenticated attackers to execute arbitrary code on the...

  • SecurityMay 16, 2026

    CVE-2026-45402: Open WebUI File ID Authorization Bypass

    A high-severity authorization bypass in Open WebUI prior to 0.9.5 allows authenticated users to attach arbitrary files to resources they do not own via...

  • SecurityMay 15, 2026

    CVE-2026-42457: vCluster Platform Stored XSS via templateRef Name Field

    A stored cross-site scripting vulnerability in vCluster Platform allows attackers to inject and execute arbitrary JavaScript via the name field of a...

  • NewsMay 14, 2026

    18-Year-Old NGINX Rewrite Module Flaw Enables

    Researchers have disclosed multiple critical vulnerabilities in NGINX Plus and NGINX Open Source, including a heap buffer overflow in...

  • SecurityMay 14, 2026

    CVE-2026-40621: ELECOM Wireless LAN Access Point

    Critical authentication bypass vulnerability in ELECOM wireless LAN access point devices allows unauthenticated attackers to access protected URLs and...

  • NewsMay 13, 2026

    Microsoft May 2026 Patch Tuesday Fixes 120 Flaws, No

    Microsoft's May 2026 Patch Tuesday delivers security updates for 120 vulnerabilities across Windows, Edge, Office, Azure, and more — with no zero-days...

  • NewsMay 13, 2026

    Microsoft Patches 138 Vulnerabilities Including DNS and Netlogon RCE Flaws

    Microsoft's May 2026 Patch Tuesday addresses 138 security vulnerabilities across its product portfolio, including 30 rated Critical — with notable DNS...

  • SecurityMay 13, 2026

    CVE-2026-8053: MongoDB Time-Series Out-of-Bounds Write

    An authenticated user with database write privileges can trigger an out-of-bounds memory write in the mongod process via a flaw in MongoDB Server's...

  • SecurityMay 12, 2026

    CVE-2026-28872: Apple iOS & iPadOS Remote Denial-of-Service

    A CVSS 7.5 denial-of-service vulnerability in Apple iOS and iPadOS allows a remote attacker to exhaust device resources and crash the operating system...

  • NewsMay 10, 2026

    Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS

    The Apache Software Foundation has released urgent security updates for the Apache HTTP Server addressing a severe vulnerability in the HTTP/2 protocol...

  • NewsMay 10, 2026

    Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation

    Ivanti has disclosed a high-severity improper input validation vulnerability in Endpoint Manager Mobile (EPMM) that is being actively exploited in the...

  • NewsMay 10, 2026

    Ollama Out-of-Bounds Read Flaw Allows Remote Process Memory

    Researchers have disclosed a critical out-of-bounds read vulnerability in Ollama that enables remote unauthenticated attackers to leak the entire process...

  • NewsMay 10, 2026

    PAN-OS RCE Exploit Under Active Use Enabling Root Access

    Palo Alto Networks has disclosed that CVE-2026-0300, a critical CVSS 9.3 buffer overflow in the PAN-OS User-ID Authentication service, is being actively...

  • SecurityMay 9, 2026

    CVE-2026-37431: Beauty Parlour Management System SQL

    A critical unauthenticated SQL injection vulnerability in Beauty Parlour Management System v1.1 allows attackers to dump the entire backend database via a...

  • SecurityMay 9, 2026

    CVE-2026-41583: ZEBRA Zcash Node Consensus Rule Bypass

    A missing sighash validation in ZEBRA, the Rust-based Zcash node, allowed invalid V5 transactions to pass consensus checks — patched in zebrad 4.3.1 and...

  • SecurityMay 9, 2026

    CVE-2026-41588: RELATE Courseware Timing Attack in Authentication (CVSS 9.0)

    A timing attack vulnerability in RELATE's check_sign_in_key() function could allow attackers to infer valid sign-in keys through response time differences...

  • SecurityMay 9, 2026

    CVE-2026-42193: Plunk Email Platform SNS Webhook Forgery

    A critical unauthenticated vulnerability in Plunk, the open-source AWS SES email platform, allows attackers to forge Amazon SNS webhook payloads without...

  • SecurityMay 9, 2026

    CVE-2026-42296: Argo Workflows templateReferencing Strict

    A high-severity security bypass in Argo Workflows (CVSS 8.1) allows users with Workflow creation permissions to escape templateReferencing: Strict mode,...

  • SecurityMay 8, 2026

    CVE-2026-33109: Azure Managed Instance for Apache Cassandra

    A critical improper access control flaw in Azure Managed Instance for Apache Cassandra allows an authorized network attacker to execute arbitrary code,...

  • SecurityMay 8, 2026

    CVE-2026-41500: electerm macOS Command Injection via Install Script

    A critical command injection vulnerability in the electerm terminal client allows remote attackers to achieve unauthenticated code execution on macOS...

  • SecurityMay 8, 2026

    CVE-2026-41501: electerm Linux Command Injection via Install Script

    A critical command injection flaw in electerm's Linux installer allows remote attackers to execute arbitrary shell commands by injecting into unsanitized...

  • SecurityMay 8, 2026

    CVE-2026-42208: LiteLLM AI Gateway Pre-Auth SQL Injection

    A critical SQL injection vulnerability in LiteLLM's proxy server allows unauthenticated attackers to manipulate database queries during API key...

  • NewsMay 3, 2026

    CISA Adds Actively Exploited Linux Root Access Bug

    The U.S. Cybersecurity and Infrastructure Security Agency has added CVE-2026-31431, a Linux kernel privilege escalation flaw enabling root access, to its...

  • SecurityMay 3, 2026

    CVE-2026-5324: WordPress Brizy Page Builder Unauthenticated

    The Brizy Page Builder plugin for WordPress contains a critical unauthenticated Stored Cross-Site Scripting flaw in versions up to 2.8.11, enabling...

  • NewsMay 2, 2026

    Critical cPanel Flaw Mass-Exploited in 'Sorry' Ransomware

    A newly disclosed critical vulnerability in cPanel and WHM tracked as CVE-2026-41940 is being mass-exploited by ransomware actors to breach web hosting...

  • SecurityMay 2, 2026

    CVE-2026-42779: Critical Apache MINA Deserialization Class

    An incomplete fix for CVE-2026-41635 leaves Apache MINA 2.1.x and 2.2.x branches exposed to a critical deserialization bypass via...

  • NewsApr 30, 2026

    Critical cPanel and WHM Bug Exploited as Zero-Day, PoC Now

    The critical CVE-2026-41940 authentication bypass vulnerability in cPanel, WHM, and WP Squared is being actively exploited in the wild and has been...

  • NewsApr 29, 2026

    CISA Adds Actively Exploited ConnectWise and Windows Flaws

    CISA has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog — CVE-2024-1708 affecting ConnectWise ScreenConnect...

  • NewsApr 29, 2026

    GitHub Fixes RCE Flaw That Gave Access to Millions of Private Repos

    GitHub has patched CVE-2026-3854, a critical remote code execution vulnerability exploitable via a single HTTP request that could have granted attackers...

  • SecurityApr 29, 2026

    CVE-2026-35155: Dell iDRAC10 Race Condition Enables

    Dell iDRAC10 versions 1.20.70.50 and 1.30.05.10 contain a race condition vulnerability allowing authenticated low-privileged attackers to gain elevated...

  • NewsApr 28, 2026

    Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE

    Cybersecurity researchers have disclosed CVE-2026-25874, a critical unauthenticated remote code execution vulnerability (CVSS 9.3) in Hugging Face's...

  • NewsApr 28, 2026

    Hackers Are Exploiting a Critical LiteLLM Pre-Auth SQLi Flaw

    Threat actors are actively exploiting CVE-2026-42208, a critical pre-authentication SQL injection vulnerability in the LiteLLM open-source LLM gateway,...

  • NewsApr 27, 2026

    Firefox Vulnerability Allows Tor User Fingerprinting Across

    A high-severity Firefox vulnerability (CVE-2026-6770) exploits the internal ordering of IndexedDB database names to generate a stable 44-bit fingerprint...

  • SecurityApr 27, 2026

    CVE-2026-6785: Memory Safety Bugs in Firefox and Thunderbird Enable Arbitrary Code Execution

    A CVSS 8.1 high-severity collection of memory safety bugs affects Firefox 149, Firefox ESR 140.9, Firefox ESR 115.34, Thunderbird 149, and Thunderbird ESR...

  • SecurityApr 27, 2026

    CVE-2026-7037: Unauthenticated OS Command Injection in Totolink A8000RU

    A critical CVSS 9.8 OS command injection vulnerability in the Totolink A8000RU router allows unauthenticated remote attackers to execute arbitrary...

  • SecurityApr 25, 2026

    CVE-2025-29635: D-Link DIR-823X Command Injection

    A command injection flaw in end-of-life D-Link DIR-823X routers allows authenticated remote attackers to execute arbitrary OS commands. CISA has added...

  • SecurityApr 25, 2026

    CVE-2026-21515: Azure IoT Central Elevation of Privilege

    A critical CVSS 9.9 elevation of privilege vulnerability in Azure IoT Central allows an authenticated attacker to escalate privileges over a network by...

  • SecurityApr 24, 2026

    CVE-2026-39440: FunnelFormsPro WordPress Plugin Remote Code

    A critical code injection vulnerability in the FunnelFormsPro WordPress plugin through version 3.8.1 allows remote code inclusion, enabling attackers to...

  • SecurityApr 24, 2026

    CVE-2026-6885: Borg SPM 2007 Arbitrary File Upload Enables

    A critical arbitrary file upload vulnerability in the end-of-life Borg SPM 2007 application allows unauthenticated attackers to upload web shell backdoors...

  • SecurityApr 24, 2026

    CVE-2026-6886: Borg SPM 2007 Authentication Bypass Allows

    A critical authentication bypass vulnerability in the end-of-life Borg SPM 2007 application permits unauthenticated remote attackers to log into the...

  • SecurityApr 24, 2026

    CVE-2026-6887: Borg SPM 2007 SQL Injection Exposes Full

    A critical SQL injection vulnerability in the end-of-life Borg SPM 2007 application allows unauthenticated remote attackers to inject arbitrary SQL...

  • SecurityApr 23, 2026

    CVE-2026-33656: EspoCRM Formula Engine Attachment sourceId

    A critical improper access control vulnerability in EspoCRM's built-in formula scripting engine allows authenticated administrators to overwrite the...

  • SecurityApr 23, 2026

    CVE-2026-39987: Marimo Pre-Auth Remote Code Execution

    A critical pre-authorization remote code execution vulnerability in Marimo, the open-source reactive Python notebook, allows unauthenticated attackers to...

  • SecurityApr 23, 2026

    CVE-2026-41167: Jellystat Authenticated SQL Injection in Multiple API Endpoints (CVSS 9.1)

    A critical SQL injection vulnerability in Jellystat, the open-source statistics app for Jellyfin, allows authenticated users to execute arbitrary SQL...

  • SecurityApr 23, 2026

    CVE-2026-4119: WordPress Create DB Tables Plugin

    A critical CVSS 9.1 authorization bypass in the WordPress Create DB Tables plugin (all versions up to 1.2.1) allows unauthenticated users to create or...

  • NewsApr 22, 2026

    New Mirai Campaign Exploits RCE Flaw in End-of-Life D-Link

    A new Mirai-based malware campaign is actively exploiting CVE-2025-29635, a high-severity command-injection vulnerability in end-of-life D-Link DIR-823X...

  • SecurityApr 22, 2026

    CVE-2026-21997: Oracle Life Sciences Empirica Signal

    A high-severity vulnerability in Oracle Life Sciences Empirica Signal versions 9.2.1-9.2.3 allows a low-privileged attacker with network access via HTTP...

  • SecurityApr 22, 2026

    CVE-2026-22753: Spring Security Filter Chain Bypass via PathPattern Matcher

    A high-severity flaw in Spring Security allows security filter chains to silently fail to match requests when PathPatternRequestMatcher.Builder is used to...

  • NewsApr 21, 2026

    Surge in Bomgar RMM Exploitation Demonstrates Supply Chain

    A critical RCE flaw in BeyondTrust Bomgar remote monitoring and management software is being actively exploited to spread ransomware and compromise...

  • SecurityApr 21, 2026

    CVE-2025-2749: Kentico Xperience Path Traversal

    Kentico Xperience contains a path traversal vulnerability allowing an authenticated user's Staging Sync Server to upload arbitrary data to relative path...

  • SecurityApr 21, 2026

    CVE-2026-24467: OpenAEV Password Reset Account Takeover

    OpenAEV's password reset implementation contains multiple chained weaknesses enabling reliable account takeover in versions 1.0.0 through 2.0.12 of the...

  • SecurityApr 21, 2026

    CVE-2026-29646: OpenXiangShan NEMU RISC-V Hypervisor

    A critical privilege escalation flaw in OpenXiangShan NEMU's RISC-V hypervisor extension allows a VS-mode guest write to the supervisor interrupt-enable...

  • SecurityApr 21, 2026

    CVE-2026-32604: Spinnaker Clouddriver Remote Code Execution

    A critical unauthenticated RCE vulnerability in Spinnaker's clouddriver service allows attackers to execute arbitrary commands on clouddriver pods,...

  • SecurityApr 21, 2026

    CVE-2026-32613: Spinnaker Echo Spring Expression Language

    A critical code injection flaw in Spinnaker's Echo service allows unrestricted Spring Expression Language (SPeL) execution via artifact processing,...

  • SecurityApr 21, 2026

    CVE-2026-39918: Vvveb CMS Unauthenticated PHP Code

    Vvveb CMS versions prior to 1.0.8.1 allow unauthenticated attackers to inject arbitrary PHP code through the installation endpoint's unsanitized subdir...

  • NewsApr 20, 2026

    SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious

    A critical CVSS 9.8 command injection vulnerability in the SGLang AI inference framework allows attackers to achieve remote code execution by supplying a...

  • NewsApr 19, 2026

    Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables

    A critical authentication bypass vulnerability in nginx-ui, a popular open-source web-based Nginx management interface, is being actively exploited to...

  • NewsApr 19, 2026

    NIST to Stop Rating Non-Priority Flaws Due to Volume

    The National Institute of Standards and Technology will stop assigning CVSS severity scores to lower-priority vulnerabilities in the NVD as CVE submission...

  • NewsApr 18, 2026

    In Other News: Satellite Cybersecurity Act, $90K Chrome

    This week's cybersecurity roundup covers the proposed Satellite Cybersecurity Act, a $90,000 Chrome heap overflow bug, a 16-year-old hacker arrest,...

  • SecurityApr 18, 2026

    CVE-2026-37749: SQL Injection Auth Bypass in CodeAstro

    A critical SQL injection vulnerability in CodeAstro Simple Attendance Management System v1.0 allows unauthenticated remote attackers to bypass login...

  • SecurityApr 18, 2026

    CVE-2026-40492: SAIL XWD Codec Heap Buffer Overflow (CVSS

    A critical heap buffer overflow in the SAIL image library's XWD codec arises from a mismatch between pixel depth and bits-per-pixel, enabling arbitrary...

  • SecurityApr 18, 2026

    CVE-2026-40493: SAIL PSD Codec Buffer Overflow via channels

    A critical out-of-bounds write in SAIL's PSD codec occurs when the pixel buffer is allocated using a raw header formula that doesn't account for actual...

  • SecurityApr 18, 2026

    CVE-2026-40494: SAIL TGA Codec RLE Decoder Asymmetric

    A critical heap write-past-end vulnerability in SAIL's TGA codec RLE decoder stems from an asymmetric bounds check that correctly validates run-packets...

  • SecurityApr 18, 2026

    CVE-2026-6284: PLC Brute Force Password Bypass (CVSS 9.1)

    A critical vulnerability in a programmable logic controller allows unauthenticated network attackers to brute force weak passwords and gain full...

  • SecurityApr 18, 2026

    CVE-2026-6518: WordPress CMP Plugin Arbitrary File Upload

    The CMP Coming Soon & Maintenance Plugin for WordPress contains a critical arbitrary file upload flaw that allows subscriber-level authenticated users to...

  • SecurityApr 17, 2026

    CVE-2026-40322: SiYuan XSS via Mermaid innerHTML Injection

    SiYuan knowledge management versions 3.6.3 and below render Mermaid diagrams with loose security, allowing attacker-controlled javascript: URLs to execute...

  • SecurityApr 12, 2026

    CVE-2026-6112: Totolink A7100RU OS Command Injection via setRadvdCfg

    A critical OS command injection vulnerability (CVSS 9.8) in Totolink A7100RU firmware allows unauthenticated remote attackers to execute arbitrary...

  • SecurityApr 12, 2026

    CVE-2026-6113: Totolink A7100RU OS Command Injection via setTtyServiceCfg

    A critical OS command injection flaw (CVSS 9.8) in Totolink A7100RU enables remote unauthenticated attackers to execute arbitrary commands by manipulating...

  • SecurityApr 12, 2026

    CVE-2026-6114: Totolink A7100RU OS Command Injection via setNetworkCfg

    CVE-2026-6114 is a critical OS command injection vulnerability (CVSS 9.8) in the Totolink A7100RU router's setNetworkCfg function, exploitable remotely...

  • SecurityApr 12, 2026

    CVE-2026-6115: Totolink A7100RU OS Command Injection via setAppCfg

    CVE-2026-6115 describes a critical OS command injection vulnerability (CVSS 9.8) in the Totolink A7100RU router, exploitable remotely and without...

  • SecurityApr 10, 2026

    CVE-2025-57735: Apache Airflow JWT Token Not Invalidated on Logout

    A critical CVSS 9.1 vulnerability in Apache Airflow fails to invalidate JWT tokens upon user logout, allowing intercepted tokens to be reused for...

  • SecurityApr 10, 2026

    CVE-2026-34177: Canonical LXD Incomplete VM Restriction

    A critical CVSS 9.1 flaw in Canonical LXD versions 4.12 through 6.7 omits raw.apparmor and raw.qemu.conf from the VM low-level option denylist, allowing...

  • SecurityApr 10, 2026

    CVE-2026-34178: Canonical LXD Backup Import Path

    A critical CVSS 9.1 vulnerability in Canonical LXD before 6.8 allows authenticated attackers to bypass project restrictions during backup import. The...

  • SecurityApr 10, 2026

    CVE-2026-34578: OPNsense LDAP Injection Enables Auth Bypass

    A high-severity LDAP injection vulnerability in OPNsense's authentication connector allows unauthenticated attackers to bypass login controls by injecting...

  • SecurityApr 10, 2026

    CVE-2026-5977: TOTOLINK A7100RU Critical OS Command

    A critical OS command injection vulnerability (CVSS 9.8) in TOTOLINK A7100RU routers allows unauthenticated remote attackers to execute arbitrary system...

  • SecurityApr 10, 2026

    CVE-2026-5978: TOTOLINK A7100RU Critical OS Command

    A second critical OS command injection vulnerability (CVSS 9.8) in TOTOLINK A7100RU routers allows unauthenticated remote attackers to execute arbitrary...

  • SecurityApr 9, 2026

    CVE-2026-4498: Kibana Fleet Plugin Privilege Escalation

    A high-severity privilege escalation flaw in Kibana's Fleet plugin debug route handlers allows authenticated users with limited Fleet sub-feature...

  • SecurityApr 7, 2026

    CVE-2026-35392: Critical Path Traversal in goshs Go HTTP

    A critical CVSS 9.8 path traversal vulnerability in goshs, a SimpleHTTPServer written in Go, allows unauthenticated attackers to write arbitrary files via...

  • SecurityApr 7, 2026

    CVE-2026-5637: SQL Injection in projectworlds Car Rental

    A remotely exploitable SQL injection vulnerability (CVE-2026-5637) has been disclosed in projectworlds Car Rental System 1.0. The flaw exists in...

  • NewsApr 6, 2026

    Fortinet FortiClient EMS Zero-Day CVE-2026-35616 Actively

    A critical zero-day in FortiClient EMS with a CVSS score of 9.8 is being actively exploited in the wild while Fortinet has released only an emergency...

  • SecurityApr 4, 2026

    CVE-2026-26477: DokuWiki media_upload_xhr() Denial of Service

    A high-severity denial-of-service vulnerability in DokuWiki v.2025-05-14b 'Librarian' allows remote attackers to crash the application by exploiting the...

  • SecurityApr 4, 2026

    CVE-2026-3445: ProfilePress WordPress Plugin Allows

    A high-severity authorization flaw in the ProfilePress WordPress plugin (up to v4.16.11) lets unauthenticated or low-privilege users bypass membership...

  • SecurityApr 4, 2026

    CVE-2026-4896: WCFM WooCommerce Plugin IDOR Allows

    A high-severity Insecure Direct Object Reference vulnerability in the WCFM Frontend Manager for WooCommerce plugin (up to v6.7.25) lets authenticated...

  • SecurityApr 3, 2026

    CVE-2026-28815: swift-crypto X-Wing HPKE Out-of-Bounds Read

    A crafted short X-Wing HPKE encapsulated key can trigger an out-of-bounds read in the C decapsulation path of Apple's swift-crypto library, potentially...

  • NewsApr 2, 2026

    Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts

    A large-scale credential harvesting campaign has been observed exploiting the React2Shell vulnerability (CVE-2025-55182) as an initial infection vector,...

  • NewsApr 1, 2026

    New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation

    Google has released a Chrome security update patching 21 vulnerabilities including a high-severity use-after-free zero-day in the Dawn graphics engine...

  • SecurityApr 1, 2026

    CVE-2026-1579: MAVLink Protocol Unauthenticated Shell Access

    A critical CVSS 9.8 vulnerability in the MAVLink drone communication protocol allows unauthenticated attackers to send arbitrary SERIAL_CONTROL commands —...

  • SecurityApr 1, 2026

    CVE-2026-5272: Chrome GPU Heap Buffer Overflow Enables

    A high-severity heap buffer overflow in Chrome's GPU component allows remote attackers to execute arbitrary code via a crafted HTML page. Affects all...

  • NewsMar 30, 2026

    Hackers Now Exploit Critical F5 BIG-IP Flaw in Attacks

    F5 has reclassified a BIG-IP APM vulnerability from denial-of-service to critical remote code execution, warning that attackers are actively exploiting...

  • SecurityMar 30, 2026

    CVE-2026-32973: OpenClaw Exec Allowlist Bypass via Glob

    A critical CVSS 9.8 vulnerability in OpenClaw allows attackers to bypass the exec allowlist by exploiting improper glob pattern normalization where the ?...

  • SecurityMar 30, 2026

    CVE-2026-32975: OpenClaw Zalouser Weak Authorization via Mutable Group Display Names

    A critical CVSS 9.8 authorization bypass in OpenClaw's Zalouser allowlist mode matches mutable group display names instead of stable identifiers, letting...

  • SecurityMar 30, 2026

    CVE-2026-32987: OpenClaw Bootstrap Code Replay Enables

    A critical CVSS 9.8 vulnerability in OpenClaw allows attackers to replay a valid bootstrap setup code multiple times before approval, escalating device...

  • SecurityMar 30, 2026

    CVE-2026-4176: Perl Compress::Raw::Zlib Critical

    Perl versions 5.9.4 through 5.43.8 ship a vulnerable Compress::Raw::Zlib core module that inherits CVE-2026-3381 from a vendored zlib dependency. CVSS 9.8...

  • SecurityMar 30, 2026

    CVE-2026-5128: Steam Trader 2.1.1 Unauthenticated Sensitive

    A CVSS 10.0 critical vulnerability in steam-trader 2.1.1 exposes Steam account credentials, identity secrets, and shared secrets to unauthenticated remote...

  • SecurityMar 29, 2026

    CVE-2026-5016: elecV2P SSRF Vulnerability in URL Handler

    A server-side request forgery vulnerability in elecV2P up to version 3.8.3 allows remote attackers to manipulate the eAxios function via the /mock...

  • SecurityMar 28, 2026

    CVE-2026-33875: Gematik Authenticator Authentication Flow

    A critical vulnerability in Gematik Authenticator prior to version 4.16.0 allows attackers to hijack authentication sessions via malicious deep links,...

  • SecurityMar 27, 2026

    CVE-2025-53521: F5 BIG-IP APM Remote Code Execution — CISA

    A critical unauthenticated RCE vulnerability in F5 BIG-IP APM is being actively exploited in the wild. Malicious traffic targeting access policy virtual...

  • SecurityMar 27, 2026

    CVE-2026-33669: SiYuan Unauthenticated Document Content

    A critical unauthenticated information disclosure vulnerability in SiYuan, the personal knowledge management system, allows remote attackers to retrieve...

  • SecurityMar 27, 2026

    CVE-2026-33670: SiYuan readDir Path Traversal Notebook

    A critical path traversal vulnerability in SiYuan's /api/file/readDir interface allows unauthenticated remote attackers to traverse notebook directories...

  • SecurityMar 24, 2026

    CVE-2026-33478: AVideo CloneSite Plugin Unauthenticated RCE

    A critical chain of vulnerabilities in WWBN AVideo's CloneSite plugin allows fully unauthenticated attackers to achieve remote code execution via key...

  • NewsMar 21, 2026

    Interlock Ransomware Exploited Cisco FMC Zero-Day for 36

    CVE-2026-20131, a maximum-severity CVSS 10.0 insecure deserialization flaw in Cisco Firepower Management Center, was exploited by Interlock ransomware as...

  • NewsMar 21, 2026

    Critical Langflow RCE Flaw Exploited Within 20 Hours of Disclosure

    CVE-2026-33017, a CVSS 9.3 unauthenticated remote code execution vulnerability in the Langflow AI platform, was weaponized by threat actors within 20...

  • SecurityMar 21, 2026

    CVE-2025-43510: Apple Multiple Products Improper Locking

    Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain an improper locking vulnerability allowing a malicious app to cause unexpected changes in...

  • SecurityMar 21, 2026

    CVE-2026-22172: OpenClaw Critical Authorization Bypass via WebSocket Scope Elevation

    A critical CVSS 9.9 authorization bypass in OpenClaw allows authenticated users to self-declare elevated scopes over WebSocket connections without...

  • NewsMar 20, 2026

    Oracle Pushes Emergency Fix for Critical Identity Manager

    Oracle has released an out-of-band security update to fix a critical unauthenticated remote code execution vulnerability in Oracle Identity Manager and...

  • NewsMar 18, 2026

    Critical Unpatched GNU Telnetd Flaw (CVE-2026-32746)

    Researchers have disclosed a critical unauthenticated remote code execution vulnerability in the GNU InetUtils telnet daemon (telnetd). CVE-2026-32746...

  • NewsMar 18, 2026

    Interlock Ransomware Has Been Exploiting Cisco FMC Zero-Day

    The Interlock ransomware gang has been actively exploiting a CVSS 10.0 insecure deserialization flaw in Cisco Secure Firewall Management Center since late...

  • SecurityMar 18, 2026

    CVE-2026-21994: Critical Unauthenticated RCE in Oracle Edge

    A critical unauthenticated remote code execution vulnerability (CVSS 9.8) in Oracle's Edge Cloud Infrastructure Designer and Visualisation Toolkit allows...

  • SecurityMar 18, 2026

    CVE-2026-30884: Critical Authorization Bypass in Moodle

    A critical (CVSS 9.6) authorization bypass vulnerability in the moodle-mod_customcert plugin allows any teacher with manage capability in a single course...

  • SecurityMar 18, 2026

    CVE-2026-32298: Angeet ES3 KVM OS Command Injection via cfg.lua Script

    A high-severity OS command injection vulnerability (CVSS 9.1) in the Angeet ES3 KVM switch allows authenticated attackers to execute arbitrary OS-level...

  • SecurityMar 17, 2026

    CVE-2025-69902: Critical Command Injection in kubectl-mcp-server

    A critical command injection vulnerability in kubectl-mcp-server allows unauthenticated attackers to execute arbitrary OS commands through unsanitized...

  • SecurityMar 17, 2026

    CVE-2026-4177: YAML::Syck Heap Buffer Overflow Enables

    A critical heap buffer overflow in YAML::Syck for Perl allows remote code execution through crafted YAML input that exceeds the 512-byte class name...

  • SecurityMar 17, 2026

    CVE-2026-4312: DrangSoft GCB/FCB Audit Software Missing

    A critical missing authentication flaw (CVSS 9.8) in DrangSoft's GCB/FCB Audit Software allows unauthenticated remote attackers to directly access...

  • SecurityMar 16, 2026

    CVE-2015-20115: RealtyScript 4.0.2 Stored XSS via File

    CVE-2015-20115 is a stored cross-site scripting vulnerability in RealtyScript 4.0.2 that allows authenticated attackers to upload malicious script files...

  • SecurityMar 16, 2026

    CVE-2025-47813: Wing FTP Server Path Disclosure Enables RCE

    CISA has added CVE-2025-47813, a medium-severity information disclosure flaw in Wing FTP Server, to its KEV catalog after confirming active exploitation...

  • NewsMar 13, 2026

    Veeam Patches Five Critical RCE Vulnerabilities Exposing

    Veeam Software has released a critical security update for Backup & Replication, patching five remote code execution vulnerabilities with CVSS scores...

  • NewsMar 12, 2026

    CISA Flags Actively Exploited n8n RCE Bug as 24,700

    CISA added CVE-2025-68613 — a CVSS 9.9 remote code execution flaw in n8n's workflow expression evaluator — to its Known Exploited Vulnerabilities catalog...

  • NewsMar 12, 2026

    Researchers Disclose Critical n8n Flaws Enabling RCE and Credential Theft

    Security researchers have published details of two newly patched critical vulnerabilities in n8n — CVE-2026-27577 (CVSS 9.4), an expression sandbox escape...

  • SecurityMar 12, 2026

    CVE-2025-68613: n8n Remote Code Execution via Improper

    CISA adds CVE-2025-68613 to the Known Exploited Vulnerabilities catalog — a CVSS 9.9 flaw in n8n's workflow expression evaluation system that enables...

  • ChecklistMar 11, 2026

    Vulnerability Management Checklist

    Structured checklist for building and maintaining a vulnerability management program — scan cadence, patching SLAs, risk acceptance workflows, remediation...

  • SecurityMar 8, 2026

    CVE-2026-29067: ZITADEL Password Reset Poisoned by Host Header Injection

    A high-severity host header injection vulnerability in ZITADEL's login V2 password reset flow allows attackers to redirect reset links to...

  • SecurityMar 8, 2026

    ZITADEL Critical XSS in SAML Endpoint Enables 1-Click

    A critical cross-site scripting vulnerability in ZITADEL's login V2 /saml-post endpoint allows unauthenticated attackers to execute arbitrary JavaScript...

  • SecurityMar 8, 2026

    CVE-2026-29192: ZITADEL Stored XSS via Default Redirect URI

    A stored cross-site scripting vulnerability in ZITADEL's login V2 interface allows organization administrators to inject malicious JavaScript via a...

  • SecurityMar 4, 2026

    CVE-2026-28775: Unauthenticated Root RCE in IDC SFX

    A critical unauthenticated RCE vulnerability in International Datacasting Corporation's SFX Series satellite receivers allows attackers to execute...

  • SecurityFeb 23, 2026

    CISA Adds Two Actively Exploited Roundcube Webmail Flaws to KEV

    CISA has added two Roundcube Webmail vulnerabilities to the Known Exploited Vulnerabilities catalog — CVE-2025-49113 (CVSS 9.9, deserialization RCE) and...

  • SecurityFeb 20, 2026

    Microsoft February 2026 Patch Tuesday Fixes Six Actively

    Microsoft's February 2026 Patch Tuesday addresses roughly 60 vulnerabilities including six actively exploited zero-days across Windows, Office, and Azure...

  • NewsFeb 11, 2026

    2026 Vulnerability Forecast: Up to 117,000 CVEs Expected

    FIRST predicts a median of 59,427 new CVEs in 2026 with realistic scenarios reaching 70,000-100,000 vulnerabilities, as software complexity and...

  • SecurityFeb 11, 2026

    Microsoft Patch Tuesday February 2026: 6 Actively Exploited

    Microsoft's February 2026 Patch Tuesday addresses 60 vulnerabilities including 6 actively exploited zero-days and 3 publicly disclosed issues, with...

  • SecurityFeb 10, 2026

    WinRAR Path Traversal Flaw CVE-2025-8088 Actively Exploited

    Critical path traversal vulnerability in WinRAR enables ransomware and credential theft as Russian and Chinese threat actors weaponize phishing campaigns...

  • SecurityFeb 5, 2026

    NGINX TLS Vulnerability Enables Man-in-the-Middle Attacks

    CVE-2026-1642 affects NGINX OSS and Plus when proxying to upstream TLS servers, allowing attackers to inject plaintext data into responses.

  • SecurityFeb 2, 2026

    Critical Vulnerability Discovered in Popular Enterprise VPN

    Security researchers have identified a severe authentication bypass vulnerability affecting multiple enterprise VPN products. Immediate patching recommended.

  • SecurityJan 25, 2026

    WordPress Plugin Vulnerability (CVSS 10.0) Under Active

    Maximum severity flaw in Modular DS WordPress plugin allows unauthenticated privilege escalation. All versions through 2.5.1 affected with active...

  • NewsJan 24, 2026

    Google Patches Actively Exploited Chrome Zero-Day

    Google has released an emergency Chrome update to fix a zero-day vulnerability being actively exploited in targeted attacks against journalists and activists.

  • NewsJan 21, 2026

    Mass Exploitation of Fortinet FortiGate Devices Underway

    Security researchers warn of mass exploitation campaigns targeting Fortinet FortiGate firewalls. Over 50,000 devices believed to be compromised globally.

  • SecurityJan 18, 2026

    Critical D-Link Router RCE Under Active Exploitation - No

    CVE-2026-0625 allows unauthenticated remote code execution on legacy D-Link DSL routers. Devices are end-of-life with no patches forthcoming. Immediate...

  • SecurityJan 14, 2026

    Microsoft January 2026 Patch Tuesday: 114 Flaws Fixed, One

    Microsoft's first security update of 2026 addresses 114 vulnerabilities including three zero-days. One flaw is actively exploited in the wild with CISA...