
Overview

  • Oracle Corporation
  • Oracle Identity Manager

20 Mar 2026
Published
20 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.02%

KEV

Description

Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: REST WebServices) and Oracle Web Services Manager product of Oracle Fusion Middleware (component: Web Services Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager. Note: Oracle Web Services Manager is installed with an Oracle Fusion Middleware Infrastructure. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Statistics

  • 9 Posts
  • 11 Interactions

Last activity: Last hour

Fediverse


Geopolitical tensions remain high as the Iran conflict disrupts the Strait of Hormuz, impacting oil prices and global tech supply chains due to halted helium output from Qatar (Mar 20-21, 2026). In technology, Google introduced a mandatory 24-hour wait for Android sideloading from unverified developers (Mar 20, 2026), while Nvidia showcased new AI chips at GTC 2026 (Mar 20, 2026). Cybersecurity saw Oracle patch a critical RCE vulnerability (CVE-2026-21992) (Mar 21, 2026), and Iranian-linked hackers targeted medical tech firm Stryker, wiping devices (Mar 20, 2026). A Trivy supply chain attack also deployed 'CanisterWorm' across npm packages (Mar 20, 2026).

#Cybersecurity #Geopolitics #TechNews

  • 0
  • 1
  • 0
  • 2h ago

CVE-2026-21992: Oracle closes RCE hole in Fusion Middleware outside the regular patch cycle

The vulnerability classified as CVE-2026-21992 allows attackers to execute arbitrary code on affected systems without credentials, provided those systems are reachable over the network.

all-about-security.de/cve-2026

#oracle #cve #RCE #fusionMiddleware

  • 0
  • 0
  • 0
  • 9h ago

Bluesky

Oracle has released an out-of-band security update to fix a critical unauthenticated remote code execution vulnerability in Identity Manager and Web Services Manager tracked as CVE-2026-21992.
  • 4
  • 5
  • 0
  • 23h ago
Oracle released an emergency patch for CVE-2026-21992, a critical unauthenticated RCE in Identity Manager and Web Services Manager with a 9.8 CVSS score, exploitable remotely over HTTP. #OracleFix #RCEVulnerability #USA
  • 0
  • 0
  • 0
  • 20h ago
Oracle Security Alert Advisory - CVE-2026-21992
  • 0
  • 0
  • 1
  • 14h ago
CVE-2026-21992: Oracle closes RCE hole in Fusion Middleware outside the regular patch cycle - The vulnerability classified as CVE-2026-21992 allows attackers to execute arbitrary code on affected systems without credentials www.all-about-security.de/cve-2026-219... #oracle
  • 0
  • 0
  • 0
  • 9h ago
Oracle patches critical CVE-2026-21992 in Identity Manager and Web Services Manager allowing unauthenticated remote code execution via HTTP. CVSS score 9.8 highlights severity. #OraclePatch #RemoteCodeExec #USA
  • 0
  • 0
  • 0
  • 3h ago

Overview

  • langflow-ai
  • langflow

20 Mar 2026
Published
21 Mar 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.44%

KEV

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

Statistics

  • 5 Posts
  • 4 Interactions

Last activity: 2 hours ago

Bluesky

Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure #cybersecurity #hacking #news #infosec #security #technology #privacy thehackernews.com/20...
  • 0
  • 1
  • 0
  • 2h ago
A critical Langflow flaw (CVE-2026-33017) allows unauthenticated RCE via exec() on public endpoints. Exploits appeared within 20 hours of disclosure, affecting versions up to 1.8.1. Fixed in 1.9.0 dev release. #LangflowBug #RemoteExec #TechAlert
  • 0
  • 0
  • 0
  • 18h ago
CVE-2026-33017: How attackers compromised Langflow AI pipelines in 20 hours #patchmanagement
  • 0
  • 0
  • 0
  • 5h ago

Overview

  • snapd

17 Mar 2026
Published
18 Mar 2026
Updated

CVSS v3.1
HIGH (7.8)
EPSS
0.00%

KEV

Description

Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.

Statistics

  • 4 Posts
  • 4 Interactions

Last activity: 12 hours ago

Fediverse

Apparently snapd allows privilege escalation.
There are probably a lot of Ubuntu users, so everyone go update.
https://ubuntu.com/security/CVE-2026-3888
  • 1
  • 0
  • 0
  • 14h ago

CVE-2026-3888 in Ubuntu: escalation to root exploiting snap-confine and systemd-tmpfiles cleanup

blog.elhacker.net/2026/03/cve-

  • 0
  • 3
  • 1
  • 14h ago

Bluesky

https://www.itmedia.co.jp/enterprise/articles/2603/20/news019.html A serious privilege escalation vulnerability (CVE-2026-3888) has been confirmed in Ubuntu desktop environments. A regular user can obtain root privileges from a local environment, with broad impact on confidentiality and more. The developer has already provided a fixed version, and a prompt update of the snapd package is recommended.
  • 0
  • 0
  • 0
  • 12h ago

Overview

  • Cisco
  • Cisco Secure Firewall Management Center (FMC)

04 Mar 2026
Published
20 Mar 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
0.88%

Description

A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root. Note: If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced.

Statistics

  • 2 Posts
  • 3 Interactions

Last activity: 4 hours ago

Fediverse


Cisco zero-day exploited 36 days before the update

On 2026-03-04 Cisco published an update against the security vulnerability CVE-2026-20131. It received a rating of 10 out of 10: the worst of all conceivable vulnerabilities. If¹ the management interface of the Secure Firewall Management Center (FMC) Software and Security Cloud Control (SCC) Firewall Management Software is reachable from the internet, a remote attacker without authorization can execute arbitrary code with administrator privileges on the affected devices (RCE). Very fitting for devices that

pc-fluesterer.info/wordpress/2

#Allgemein #Empfehlung #Hintergrund #Warnung #0day #closedsource #cybercrime #erpresser #exploits #firewall #hersteller #hintertür #sicherheit #UnplugTrump #vorfälle

  • 1
  • 2
  • 0
  • 4h ago

Bluesky

Interlock group exploiting the CISCO FMC flaw CVE-2026-20131 36 days before disclosure
  • 0
  • 0
  • 0
  • 22h ago

Overview

  • anthropics
  • claude-code

20 Mar 2026
Published
20 Mar 2026
Updated

CVSS v4.0
HIGH (7.7)
EPSS
0.14%

KEV

Description

Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53.

Statistics

  • 2 Posts

Last activity: 15 hours ago

Bluesky

Anthropic's Claude Code CLI had a security vulnerability (CVE-2026-33068) due to a configuration loading order defect. The bug allowed repository settings to bypass workspace trust, enabling potential malicious activity. The issue is fixed in version 2.1.53.
  • 0
  • 0
  • 0
  • 15h ago

Overview

  • IGL-Technologies
  • eParking.fi

20 Mar 2026
Published
20 Mar 2026
Updated

CVSS v3.1
CRITICAL (9.4)
EPSS
0.10%

KEV

Description

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 16 hours ago

Fediverse


⚠️ CRITICAL: CVE-2026-29796 affects all IGL-Technologies eParking.fi versions. Missing WebSocket auth allows attackers to impersonate charging stations, disrupt operations, and corrupt data. Restrict access, monitor traffic, and secure now! radar.offseq.com/threat/cve-20

  • 1
  • 0
  • 0
  • 16h ago

Overview

  • Zimbra
  • Collaboration

05 Jan 2026
Published
19 Mar 2026
Updated

CVSS v3.1
HIGH (7.2)
EPSS
11.43%

Description

Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 9 hours ago

Bluesky

Iran-linked Handala returns with a new domain after U.S. seizures, tied to MOIS. Stryker wipes linked, APT28 exploits Zimbra CVE-2025-66376 on Ukrainian gov mail, Interlock ransomware abuses Cisco zero-day. #IranOps #Ukraine #CiscoExploit
  • 0
  • 1
  • 0
  • 9h ago

Overview

  • jetmonsters
  • JetFormBuilder — Dynamic Blocks Form Builder

21 Mar 2026
Published
21 Mar 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.10%

KEV

Description

The JetFormBuilder plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 3.5.6.2. This is due to the 'Uploaded_File::set_from_array' method accepting user-supplied file paths from the Media Field preset JSON payload without validating that the path belongs to the WordPress uploads directory. Combined with an insufficient same-file check in 'File_Tools::is_same_file' that only compares basenames, this makes it possible for unauthenticated attackers to exfiltrate arbitrary local files as email attachments by submitting a crafted form request when the form is configured with a Media Field and a Send Email action with file attachment.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 10 hours ago

Fediverse


🚨 JetFormBuilder for WordPress is HIGH risk (CVE-2026-4373): Absolute path traversal in all versions allows unauth attackers to exfiltrate files via crafted Media Field form. Review & secure deployments! radar.offseq.com/threat/cve-20

  • 0
  • 1
  • 0
  • 10h ago

Overview

  • husobj
  • Expire Users

21 Mar 2026
Published
21 Mar 2026
Updated

CVSS v3.1
HIGH (8.8)
EPSS
0.04%

KEV

Description

The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.2. This is due to the plugin allowing a user to update the 'on_expire_default_to_role' meta through the 'save_extra_user_profile_fields' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 12 hours ago

Fediverse


🔥 HIGH severity: CVE-2026-4261 in Expire Users (WordPress, all versions) lets Subscribers escalate to Admin via missing authorization in 'save_extra_user_profile_fields'. Patch urgently or mitigate! radar.offseq.com/threat/cve-20

  • 0
  • 1
  • 0
  • 12h ago

Overview

  • anomalyco
  • opencode

12 Jan 2026
Published
13 Jan 2026
Updated

CVSS v3.1
HIGH (8.8)
EPSS
3.55%

KEV

Description

OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216.

Statistics

  • 1 Post

Last activity: 1 hour ago

Bluesky

CVE-2026-22812: How I Got RCE on a 71k-Star AI Coding Tool With Zero Authentication https://medium.com/@dhxrxx/cve-2026-22812-how-i-got-rce-on-a-71k-star-ai-coding-tool-with-zero-authentication-7524fbc3317f?source=rss------bug_bounty-5
  • 0
  • 0
  • 0
  • 1h ago