24h | 7d | 30d

CVE-2026-41579

Overview

  • Pending
Pending
Published
Pending
Updated
CVSS
Pending
EPSS
0.01%
KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
Last activity: 20 hours ago

Fediverse

Profile picture fallback
Can Artuc @canartuc

runc, the low-level OCI runtime under Docker and Kubernetes, shipped 1.4.3 and 1.3.6 plus the 1.5.0-rc.3 candidate on June 13. All carry a low-severity fix for CVE-2026-41579, where a container image with a /dev symlink could get limited write access to the host filesystem. The releases also reuse a single tmpfs instance when masking directories, cutting superblock overhead for Kubernetes nodes. How do you prioritize a low-severity flaw in something this foundational?
#containers #Kubernetes

  • 0
  • 0
  • 0
  • 20h ago

CVE-2026-49111

Overview

  • ThemeGrill
  • Masteriyo - LMS
  • learning-management-system
15 Jun 2026
Published
15 Jun 2026
Updated
CVSS v3.1
HIGH (8.8)
EPSS
Pending
KEV

Description

Incorrect Privilege Assignment vulnerability in ThemeGrill Masteriyo - LMS allows Privilege Escalation. This issue affects Masteriyo - LMS: from n/a through 2.2.0.

Statistics

  • 1 Post
Last activity: 3 hours ago

Fediverse

Profile picture fallback
Hugo | DevOps | Cybersecurity @hugovalters

CVE-2026-49111 - Privilege Escalation in Themegrill Masteriyo LMS. CVSS 8.8. Unpatched in versions through 2.2.0. Update immediately. #CVE #WordPress #infosec

valtersit.com/cve/CVE-2026-491

  • 0
  • 0
  • 0
  • 3h ago

CVE-2026-42897

Overview

  • Microsoft
  • Microsoft Exchange Server 2016 Cumulative Update 23
14 May 2026
Published
09 Jun 2026
Updated
CVSS v3.1
HIGH (8.1)
EPSS
2.51%
KEV

Description

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

Statistics

  • 1 Post
Last activity: 1 hour ago

Bluesky

Profile picture fallback
Redmond @redmondit.bsky.social
Microsoft has released its June 2026 Exchange Server security updates, including fixes for CVE-2026-42897 and other vulnerabilities affecting supported on-premises deployments. See what Exchange administrators need to know: https://ow.ly/EOxl50ZbMqp #Microsoft #ExchangeServer #Cybersecurity
  • 0
  • 0
  • 0
  • 1h ago

CVE-2026-5482

Overview

  • Tecrail
  • Responsive FileManager
15 Jun 2026
Published
15 Jun 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
Pending
KEV

Description

Responsive FileManager's allows an unauthenticated attacker to upload files of any type and extension without restriction using dialog.php endpoint, leading to Remote Code Execution.  This project is unmaintained at the time of CVE assignment. The vulnerability was found in the latest release 9.14.0

Statistics

  • 1 Post
Last activity: 7 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

🚨 CVE-2026-5482 (CRITICAL): Tecrail Responsive FileManager ≤9.14.0 lets unauth'd attackers upload dangerous files via dialog.php, leading to RCE. Project is unmaintained — no patch. Restrict access & monitor now. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 7h ago

CVE-2026-9595

Overview

  • webpack-dev-server
  • webpack-dev-server
15 Jun 2026
Published
15 Jun 2026
Updated
CVSS v3.1
MEDIUM (5.3)
EPSS
Pending
KEV

Description

Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket). Patches: Fixed in webpack-dev-server@5.2.5. Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.

Statistics

  • 2 Posts
Last activity: 5 hours ago

Fediverse

Profile picture fallback
Ulises Gascon @ulisesgascon

🚨 Medium-severity security fix in webpack-dev-server@5.2.5 just released!

Patches CVE-2026-9595. webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies.

github.com/webpack/webpack-dev

  • 0
  • 0
  • 1
  • 5h ago

CVE-2025-8088

Overview

  • win.rar GmbH
  • WinRAR
08 Aug 2025
Published
26 Feb 2026
Updated
CVSS v4.0
HIGH (8.4)
EPSS
81.35%
KEV

Description

A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.

Statistics

  • 1 Post
Last activity: 10 hours ago

Bluesky

Profile picture fallback
Undercode Testing @undercode.bsky.social
Hackers Weaponize WinRAR & NTFS Alternate Data Streams: The Silent Malware Extraction Attack + Video Introduction: A path traversal vulnerability in WinRAR, tracked as CVE-2025-8088 (CVSS 8.4/8.8), continues to be actively exploited by Russia-aligned threat groups nearly a year after a patch was…
  • 0
  • 0
  • 0
  • 10h ago

CVE-2026-44168

Overview

  • MariaDB
  • server
12 Jun 2026
Published
12 Jun 2026
Updated
CVSS v3.1
HIGH (8.0)
EPSS
0.58%
KEV

Description

MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, during the SST the donor node is interpolating parameters that the joiner sent into the command line. Not all parameters were properly validated which could allow a malicious joiner to execute arbitrary shell commands on the donor side via the mariabackup SST method. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.

Statistics

  • 1 Post
Last activity: 18 hours ago

Fediverse

Profile picture fallback
Hugo | DevOps | Cybersecurity @hugovalters

CVE-2026-44168 - Command Injection in MariaDB. CVSS 8. Unvalidated SST parameters allow joiner to execute commands on donor. Patch available in latest versions. Update immediately. #CVE #MariaDB #infosec

valtersit.com/cve/CVE-2026-441

  • 0
  • 0
  • 0
  • 18h ago

CVE-2026-50623

Overview

  • Apache Software Foundation
  • Apache CXF
  • org.apache.cxf:cxf-rt-rs-security-oauth2
12 Jun 2026
Published
13 Jun 2026
Updated
CVSS
Pending
EPSS
0.52%
KEV

Description

An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker. However note that this is a safeguard only in the case that someone forgot to enable authentication on the service. Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fixes this issue.

Statistics

  • 1 Post
Last activity: 8 hours ago

Fediverse

Profile picture fallback
Can Artuc @canartuc

Apache CXF, the widely used Java services framework, has a batch of 2026 security advisories on its project page, with more than a dozen CVEs concentrated in OAuth2 and JAX-WS handling. The headline is CVE-2026-50623, an authentication bypass in the OAuth2 TokenIntrospectionService, alongside JNDI injection, XXE, and response-splitting fixes. Anyone exposing CXF endpoints should review the list and upgrade. How do you track CVEs in dependencies you did not pick directly?
#security #Java

  • 0
  • 0
  • 0
  • 8h ago

CVE-2026-5079

Overview

  • multer
  • multer
15 Jun 2026
Published
15 Jun 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
Pending
KEV

Description

Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this. Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease) and configure the new limits.fieldNestingDepth option to the minimum depth their application requires. Workarounds: Set limits.fields to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact.

Statistics

  • 2 Posts
Last activity: 6 hours ago

Fediverse

Profile picture fallback
Ulises Gascon @ulisesgascon

🚨 High-severity security fix in multer@2.2.0 and multer@3.0.0-alpha.2 just released!

Patches CVE-2026-5079. multer vulnerable to Denial of Service via deeply nested field names.

github.com/expressjs/multer/se

  • 0
  • 0
  • 1
  • 6h ago

CVE-2026-52704

Overview

  • Edgar Rojas
  • WooCommerce PDF Invoice Builder
  • woo-pdf-invoice-builder
15 Jun 2026
Published
15 Jun 2026
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
Pending
KEV

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion. This issue affects WooCommerce PDF Invoice Builder: from n/a through 2.0.8.

Statistics

  • 1 Post
Last activity: 5 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

🚨 CRITICAL: CVE-2026-52704 in WooCommerce PDF Invoice Builder ≤2.0.8 enables remote code execution via code injection (CWE-94). No patch yet — disable/remove plugin to prevent full system compromise. More info: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 5h ago
Showing 31 to 40 of 52 CVEs