
Overview

  • RedisTimeSeries
  • RedisTimeSeries

05 May 2026
Published
06 May 2026
Updated

CVSS v4.0
HIGH (7.7)
EPSS
0.34%

KEV

Description

RedisTimeSeries is a time-series module for Redis. In all versions before 1.12.14 of RedisTimeSeries, the module does not properly validate serialized values processed through the Redis RESTORE command. An authenticated attacker with permission to execute RESTORE on a server with the RedisTimeSeries module loaded can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This has been patched in version 1.12.14.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 15 hours ago

Fediverse


CVE-2026-23479 was one of the high severity bugs we found when we won at Wiz's ZeroDay Cloud competition. Be on the lookout soon for the technical deep dive on ZDC blog - this was a really interesting bug because of its subtlety. The complex interaction between portions of code far apart from each other in the codebase likely wouldn't have been noticed by humans or traditional SAST tools but can now be found in hours through AI with the right scaffolding

Thank you to the teams at Redis and Google Wiz for the collaboration in securing critical open source projects

redis.io/blog/security-advisor


Overview

  • redis
  • redis

05 May 2026
Published
06 May 2026
Updated

CVSS v4.0
MEDIUM (6.1)
EPSS
0.07%

KEV

Description

Redis is an in-memory data structure store. In all versions of redis-server with Lua scripting, an authenticated attacker can exploit the master-replica synchronization mechanism to trigger a use-after-free on replicas where replica-read-only is disabled or can be disabled, which may lead to remote code execution. A workaround is to prevent users from executing Lua scripts or avoid using replicas where replica-read-only is disabled. This is patched in version 8.6.3.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 15 hours ago

Fediverse


CVE-2026-23479 was one of the high severity bugs we found when we won at Wiz's ZeroDay Cloud competition. Be on the lookout soon for the technical deep dive on ZDC blog - this was a really interesting bug because of its subtlety. The complex interaction between portions of code far apart from each other in the codebase likely wouldn't have been noticed by humans or traditional SAST tools but can now be found in hours through AI with the right scaffolding

Thank you to the teams at Redis and Google Wiz for the collaboration in securing critical open source projects

redis.io/blog/security-advisor


Overview

  • Apache Software Foundation
  • Apache CXF

08 Aug 2025
Published
26 Feb 2026
Updated

CVSS
Pending
EPSS
0.21%

KEV

Description

If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to reject those protocols, removing this possibility. Users are recommended to upgrade to versions 3.6.8, 4.0.9 or 4.1.3, which fix this issue.

Statistics

  • 2 Posts

Last activity: 16 hours ago

Bluesky

This addresses the following vulnerabilities: CVE-2026-34481 CVE-2026-34480 CVE-2026-34478 CVE-2026-21932 CVE-2025-48913 N/A Security fixes for apigee-udca

Overview

  • Go standard library
  • crypto/x509
  • crypto/x509

29 Oct 2025
Published
20 Nov 2025
Updated

CVSS
Pending
EPSS
0.02%

KEV

Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scales non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.

Statistics

  • 3 Posts

Last activity: 16 hours ago

Bluesky

This addresses the following vulnerabilities: CVE-2025-61729 CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2026-35469 CVE-2026-25679

Overview

  • moby
  • spdystream

16 Apr 2026
Published
17 Apr 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.02%

KEV

Description

spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in parseHeaderValueBlock, and individual header field sizes — all read as 32-bit integers and used directly as allocation sizes with no bounds checking. Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into large attacker-controlled values. A remote peer that can send SPDY frames to a service using spdystream can exhaust process memory and cause an out-of-memory crash with a single crafted control frame. This issue has been fixed in version 0.5.1.

Statistics

  • 3 Posts

Last activity: 16 hours ago

Bluesky

This addresses the following vulnerabilities: CVE-2025-61729 CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2026-35469 CVE-2026-25679

Overview

  • Go standard library
  • crypto/x509
  • crypto/x509

29 Oct 2025
Published
04 Nov 2025
Updated

CVSS
Pending
EPSS
0.01%

KEV

Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to an interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.

Statistics

  • 3 Posts

Last activity: 16 hours ago

Bluesky

This addresses the following vulnerabilities: CVE-2025-61729 CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2026-35469 CVE-2026-25679

Overview

  • Go standard library
  • crypto/x509
  • crypto/x509

02 Dec 2025
Published
03 Dec 2025
Updated

CVSS
Pending
EPSS
0.01%

KEV

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Statistics

  • 3 Posts

Last activity: 16 hours ago

Bluesky

This addresses the following vulnerabilities: CVE-2025-61729 CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2026-35469 CVE-2026-25679

Overview

  • Go standard library
  • encoding/pem
  • encoding/pem

29 Oct 2025
Published
04 Nov 2025
Updated

CVSS
Pending
EPSS
0.04%

KEV

Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.

Statistics

  • 3 Posts

Last activity: 16 hours ago

Bluesky

This addresses the following vulnerabilities: CVE-2025-61729 CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2026-35469 CVE-2026-25679

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post

Last activity: 5 hours ago

Bluesky

🛡️ Security updates: - php-8.1.34-2 (in the php:remi-8.1 module) - php80-php-8.1.34-2 (in the php81 Software Collection) With security fixes backported from 8.2.31 (CVE-2026-6735, CVE-2026-7259, CVE-2025-14179, CVE-2026-6722, CVE-2026-7261, CVE-2026-7262, CVE-2026-7568, CVE-2026-7258)

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post

Last activity: 5 hours ago

Bluesky

🛡️ Security updates: - php-8.1.34-2 (in the php:remi-8.1 module) - php80-php-8.1.34-2 (in the php81 Software Collection) With security fixes backported from 8.2.31 (CVE-2026-6735, CVE-2026-7259, CVE-2025-14179, CVE-2026-6722, CVE-2026-7261, CVE-2026-7262, CVE-2026-7568, CVE-2026-7258)