Overview
- musl-libc
- musl
10 Apr 2026
Published
10 Apr 2026
Updated
CVSS v3.1
HIGH (8.1)
EPSS
Pending
KEV
Description
An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based memory corruption can occur during qsort of very large arrays, due to incorrectly implemented double-word primitives. The number of elements must exceed about seven million, i.e., the 32nd Leonardo number on 32-bit platforms (or the 64th Leonardo number on 64-bit platforms, which is not practical).
Statistics
- 1 Post
- 43 Interactions
Last activity: 3 hours ago
Overview
- Meta
- react-server-dom-turbopack
08 Apr 2026
Published
08 Apr 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.32%
KEV
Description
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.
Statistics
- 4 Posts
- 2 Interactions
Last activity: Last hour
Bluesky
React Server ComponentでDoSの脆弱性 "Summary of CVE-2026-23869 - Vercel" https://vercel.com/changelog/summary-of-cve-2026-23869
React Server Components(RSC)のDoS脆弱性の修正としてNext.js 15.5.15/16.2.3とReact 19.2.5がリリースされている。
App RouterのServer Functionエンドポイントに対して、細工されたHTTPリクエストを送ることで過剰なCPU消費を引き起こせる脆弱性。
Next… "" https://vercel.com/changelog/summary-of-cve-2026-23869
Overview
- marimo-team
- marimo
09 Apr 2026
Published
09 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
2.70%
KEV
Description
marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification. This vulnerability is fixed in 0.23.0.
Statistics
- 3 Posts
- 1 Interaction
Last activity: 5 hours ago
Fediverse
A critical remote code execution (RCE) vulnerability in the Marimo notebook, CVE-2026-39987, was exploited by a threat actor just nine hours after its public disclosure. The unauthenticated flaw allows arbitrary system command execution, and the attacker successfully used it to steal credentials and exfiltrate files.
https://www.securityweek.com/critical-marimo-flaw-exploited-hours-after-public-disclosure/
Bluesky
A critical unauthenticated RCE in Marimo (CVE-2026-39987) was exploited just 9 hours after public disclosure via the terminal WebSocket endpoint, allowing shell access and data exfiltration. Upgrade to 0.23.0+. #MarimoExploit #RCEvulnerability
Overview
- Apache Software Foundation
- Apache ActiveMQ Broker
- org.apache.activemq:activemq-broker
07 Apr 2026
Published
08 Apr 2026
Updated
CVSS
Pending
EPSS
5.60%
KEV
Description
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ.
Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including
BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).
An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext.
Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().
This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3.
Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue
Statistics
- 2 Posts
Last activity: 6 hours ago
Fediverse
A 13-year-old ActiveMQ RCE bug (CVE-2026-34197) was discovered and weaponized in minutes by researchers using AI, specifically Claude, highlighting the potential of AI in exploit-building. The vulnerability, which allowed arbitrary system command execution through the Jolokia API, has been fixed in newer versions of ActiveMQ Classic.
https://www.csoonline.com/article/4157146/claude-uncovers-a-13%e2%80%91year%e2%80%91old-activemq-rce-bug-within-minutes.html
Overview
Description
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
Statistics
- 1 Post
- 4 Interactions
Last activity: 10 hours ago
Fediverse
Critical Fortinet FortiClient EMS Zero-Day CVE-2026-35616 Actively Exploited — Patch Now
#CyberSecurity
https://securebulletin.com/critical-fortinet-forticlient-ems-zero-day-cve-2026-35616-actively-exploited-patch-now/
Overview
Description
Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.
Statistics
- 2 Posts
- 1 Interaction
Last activity: 11 hours ago
Bluesky
Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access https://thehackernews.com/2026/04/docker-cve-2026-34040-lets-attackers.html
Overview
- SaturdayDrive
- Ninja Forms - File Uploads
07 Apr 2026
Published
08 Apr 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
0.07%
KEV
Description
The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability was partially patched in version 3.3.25 and fully patched in version 3.3.27.
Statistics
- 2 Posts
- 1 Interaction
Last activity: 3 hours ago
Fediverse
Explotación activa de CVE-2026-0740 en Ninja Forms File Uploads pone en riesgo miles de #WordPress
Overview
Description
OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.
Statistics
- 1 Post
- 2 Interactions
Last activity: 21 hours ago
Fediverse
Who still remembers the #Debian RNG patch disaster??
https://nvd.nist.gov/vuln/detail/cve-2008-0166
I just realized this will very soon be 18 (eighteen) years ago! 😲 Feeling old yet?
Overview
- Totolink
- A7100RU
10 Apr 2026
Published
10 Apr 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
0.89%
KEV
Description
A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setVpnAccountCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument User results in os command injection. The attack may be launched remotely. The exploit is now public and may be used.
Statistics
- 1 Post
Last activity: 11 hours ago
Fediverse
⚠️ CVE-2026-6029 (CRITICAL, CVSS 9.3): Totolink A7100RU firmware 7.4cu.2313_b20191024 is vulnerable to unauthenticated OS command injection via setVpnAccountCfg. No patch yet — restrict access and monitor for updates. https://radar.offseq.com/threat/cve-2026-6029-os-command-injection-in-totolink-a71-25809d7e #OffSeq #CVE20266029 #Infosec
Overview
- Ubuntu
- openssh
- openssh
12 Mar 2026
Published
18 Mar 2026
Updated
CVSS v4.0
LOW (2.7)
EPSS
0.03%
KEV
Description
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.
Statistics
- 1 Post
Last activity: 7 hours ago
Fediverse
OpenSSH 10.3 には
CVE-2026-3497
https://nvd.nist.gov/vuln/detail/CVE-2026-3497
の修正が含まれる(つまり 11.0_RC4 追加アイテム)ということなのだろうか