
61286 matches found

Circl
added 2026/04/07 8:00 p.m. | 4 views

CVE-2026-27787

creationtimestamp | type | source
---|---|---
2026-04-07 20:00:00+00:00 | seen | https://jvn.jp/en/jp/JVN33581068/
2026-04-08 07:51:25+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mixspefv4u2i...

CVSS 5.4 | AI score 6.2 | EPSS 0.00155
Exploits 0 | References 2
Circl
added 2026/04/07 7:35 p.m. | 3 views

CVE-2026-39342

creationtimestamp | type | source
---|---|---
2026-04-07 19:35:49+00:00 | seen | Telegram/KxTaYuDzH0Z1i49WRh0FHus2MwhOECzgEb0vJJCyVaWiEf0
2026-04-07 20:21:29+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3miwm5mzrwf2n...

CVSS 9.4 | AI score 5 | EPSS 0.00309
Exploits 1 | References 1
Circl
added 2026/04/07 7:35 p.m. | 6 views

CVE-2026-39337

creationtimestamp | type | source
---|---|---
2026-04-07 19:35:33+00:00 | seen | Telegram/MwNatB1kDaoxbSrZihFWwC12FE1HreAtxbr2hmQcZTjcFY
2026-04-07 19:48:17+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3miwkcbdjif2g
2026-04-08 00:41:21+00:00 | seen | ...

CVSS 10 | AI score 4.9 | EPSS 0.00715
Exploits 0 | References 7
Circl
added 2026/04/07 7:35 p.m. | 2 views

CVE-2026-39331

creationtimestamp | type | source
---|---|---
2026-04-07 19:35:33+00:00 | seen | Telegram/MwNatB1kDaoxbSrZihFWwC12FE1HreAtxbr2hmQcZTjcFY
2026-04-08 08:14:55+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mixtzdzngk2w
2026-04-11 02:37:07+00:00 | seen | ...

CVSS 8.1 | AI score 4.8 | EPSS 0.00214
Exploits 0 | References 2
Circl
added 2026/04/07 7:35 p.m. | 3 views

CVE-2026-39318

creationtimestamp | type | source
---|---|---
2026-04-07 19:35:16+00:00 | seen | Telegram/yEepCm2Odjvpf0uI90hS1hr8dhkmidpoORZ8hNAmW5Xwfo
2026-04-07 20:16:21+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3miwluho6g425
2026-04-08 10:39:40+00:00 | seen | ...

CVSS 8.8 | AI score 5 | EPSS 0.0034
Exploits 1 | References 2
Circl
added 2026/04/07 7:35 p.m. | 2 views

CVE-2026-39323

creationtimestamp | type | source
---|---|---
2026-04-07 19:35:16+00:00 | seen | Telegram/yEepCm2Odjvpf0uI90hS1hr8dhkmidpoORZ8hNAmW5Xwfo
2026-04-07 19:44:56+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3miwk4carkf2q
2026-04-08 09:07:35+00:00 | seen | ...

AI score 5 | EPSS 0.0003
Exploits 0 | References 2
Circl
added 2026/04/07 7:35 p.m. | 2 views

CVE-2026-35575

creationtimestamp | type | source
---|---|---
2026-04-07 19:35:02+00:00 | published-proof-of-concept | Telegram/b7kqkVlyupyGML8IRNuJF5vW46V1gBKnrWAnE54KrYglqM
2026-04-08 10:00:20+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mixzvu7pk22m
2026-04-10 00:07:08+00:00 | seen | ...

CVSS 8 | AI score 4.8 | EPSS 0.00243
Exploits 0 | References 2
Circl
added 2026/04/07 7:33 p.m. | 1 view

CVE-2026-5734

creationtimestamp | type | source
---|---|---
2026-04-07 19:33:24+00:00 | seen | Telegram/UR5TCX5vufcj9skQtsOGmPNpHO32u3eWlC-vhPXaaDs7Lc
2026-04-08 12:10:17+00:00 | seen | https://bsky.app/profile/o2cloud.bsky.social/post/3miyb6aeqsg2z
2026-04-09 00:01:20+00:00 | seen | ...

CVSS 9.8 | AI score 4.7 | EPSS 0.00316
Exploits 0 | References 5
Circl
added 2026/04/07 7:26 p.m. | 2 views

CVE-2026-39319

creationtimestamp | type | source
---|---|---
2026-04-07 19:26:34+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3miwj3helvu2i
2026-04-07 19:35:16+00:00 | seen | Telegram/yEepCm2Odjvpf0uI90hS1hr8dhkmidpoORZ8hNAmW5Xwfo
2026-04-08 10:39:48+00:00 | seen | ...

CVSS 8.8 | AI score 4.9 | EPSS 0.00244
Exploits 0 | References 3
Vulnrichment
added 2026/04/07 7:26 p.m. | 1 view

CVE-2026-39370 WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732)

WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. The server then...

CVSS 7.1 | AI score 5.9 | EPSS 0.00206
Exploits 0 | References 1
ATTACKERKB
added 2026/04/07 7:23 p.m. | 1 view

CVE-2026-39368

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allowed a low-privilege...

CVSS 6.5 | AI score 6 | EPSS 0.0021
Exploits 0 | References 2 | Affected Software 1
Circl
added 2026/04/07 6:34 p.m. | 16 views

CVE-2026-29181

creationtimestamp | type | source
---|---|---
2026-04-07 18:34:27+00:00 | published-proof-of-concept | https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475
2026-04-07 23:20:49+00:00 | published-proof-of-concept | ...

CVSS 7.5 | AI score 5 | EPSS 0.00329
Exploits 1 | References 5
OSV
added 2026/04/07 6:16 p.m. | 1 view

GHSA-QMWH-9M9C-H36M Gotenberg has incomplete fix for ExifTool arbitrary file write: case-insensitive bypass and missing HardLink/SymLink tags

Summary: The fix for ExifTool arbitrary file write commit 043b158, released in v8.29.0, uses a case-sensitive blocklist to filter dangerous pseudo-tags. ExifTool processes tag names case-insensitively, so alternate casings bypass the filter. The blocklist also omits the HardLink and SymLink...

CVSS 8.8 | AI score 5.9
Exploits 0 | References 3
Github Security Blog
added 2026/04/07 6:16 p.m. | 7 views

Gotenberg has incomplete fix for ExifTool arbitrary file write: case-insensitive bypass and missing HardLink/SymLink tags

Summary: The fix for ExifTool arbitrary file write commit 043b158, released in v8.29.0, uses a case-sensitive blocklist to filter dangerous pseudo-tags. ExifTool processes tag names case-insensitively, so alternate casings bypass the filter. The blocklist also omits the HardLink and SymLink...

AI score 6.1
Exploits 0 | References 3 | Affected Software 1
Circl
added 2026/04/07 5:29 p.m. | 1 view

CVE-2026-35534

creationtimestamp | type | source
---|---|---
2026-04-07 17:29:48+00:00 | seen | Telegram/t7opZ3s7Nl85xZs745vJOFh0FG2Whznv9BGbk6FzHivbIC0
2026-04-11 03:37:08+00:00 | seen | https://bsky.app/profile/cyberhub.blog/post/3mj6vvfabd62n...

CVSS 7.6 | AI score 5.8 | EPSS 0.00168
Exploits 0 | References 1
Krebs on Security
added 2026/04/07 5:02 p.m. | 11 views

Russia Hacked Routers to Steal Microsoft Office Tokens

Hackers linked to Russia's military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today. The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens...

AI score 5.9
Exploits 0
The Hacker News
added 2026/04/07 4:48 p.m. | 9 views

Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign

The Russia-linked threat actor known as APT28 aka Forest Blizzard has been linked to a new campaign that has compromised insecure MikroTik and TP-Link routers and modified their settings to turn them into malicious infrastructure under their control as part of a cyber espionage campaign since at...

CVSS 6.5 | AI score 7 | EPSS 0.1745
Exploits 0
Circl
added 2026/04/07 3:58 p.m. | 1 view

CVE-2021-4473

creationtimestamp | type | source
---|---|---
2026-04-07 15:58:08+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3miw5gorvxq22
2026-04-08 21:03:01+00:00 | seen | https://bsky.app/profile/beikokucyber.bsky.social/post/3miz6wtjcpe2p
2026-04-26 22:07:07+00:00 | seen | ...

CVSS 9.8 | AI score 5.3 | EPSS 0.06165
Exploits 1 | References 4
EUVD
added 2026/04/07 3:53 p.m. | 2 views

EUVD-2026-19726

ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked the 'Cancel' button on the page. For...

CVSS 5.3 | AI score 5.9 | EPSS 0.00043
Exploits 0 | References 1
Cvelist
added 2026/04/07 3:26 p.m. | 17 views

CVE-2026-35571 Emissary has Stored XSS via Navigation Template Link Injection

Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript:...

CVSS 4.8 | EPSS 0.00176
Exploits 1 | References 2