CVE-2026-39337
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-07 19:35:33+00:00 | seen | Telegram/MwNatB1kDaoxbSrZihFWwC12FE1HreAtxbr2hmQcZTjcFY |
| 2026-04-07 19:48:17+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3miwkcbdjif2g |
| 2026-04-08 00:41:21+00:00 | seen | ... |
CVE-2026-39318
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-07 19:35:16+00:00 | seen | Telegram/yEepCm2Odjvpf0uI90hS1hr8dhkmidpoORZ8hNAmW5Xwfo |
| 2026-04-07 20:16:21+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3miwluho6g425 |
| 2026-04-08 10:39:40+00:00 | seen | ... |
CVE-2026-39323
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-07 19:35:16+00:00 | seen | Telegram/yEepCm2Odjvpf0uI90hS1hr8dhkmidpoORZ8hNAmW5Xwfo |
| 2026-04-07 19:44:56+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3miwk4carkf2q |
| 2026-04-08 09:07:35+00:00 | seen | ... |
CVE-2026-35575
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-07 19:35:02+00:00 | published-proof-of-concept | Telegram/b7kqkVlyupyGML8IRNuJF5vW46V1gBKnrWAnE54KrYglqM |
| 2026-04-08 10:00:20+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mixzvu7pk22m |
| 2026-04-10 00:07:08+00:00 | seen | ... |
CVE-2026-5734
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-07 19:33:24+00:00 | seen | Telegram/UR5TCX5vufcj9skQtsOGmPNpHO32u3eWlC-vhPXaaDs7Lc |
| 2026-04-08 12:10:17+00:00 | seen | https://bsky.app/profile/o2cloud.bsky.social/post/3miyb6aeqsg2z |
| 2026-04-09 00:01:20+00:00 | seen | ... |
CVE-2026-39319
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-07 19:26:34+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3miwj3helvu2i |
| 2026-04-07 19:35:16+00:00 | seen | Telegram/yEepCm2Odjvpf0uI90hS1hr8dhkmidpoORZ8hNAmW5Xwfo |
| 2026-04-08 10:39:48+00:00 | seen | ... |
CVE-2026-39370 WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732)
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. The server then...
CVE-2026-39368
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allowed a low-privilege...
CVE-2026-29181
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-07 18:34:27+00:00 | published-proof-of-concept | https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475 |
| 2026-04-07 23:20:49+00:00 | published-proof-of-concept | ... |
GHSA-QMWH-9M9C-H36M Gotenberg has incomplete fix for ExifTool arbitrary file write: case-insensitive bypass and missing HardLink/SymLink tags
Summary: The fix for the ExifTool arbitrary file write (commit 043b158, released in v8.29.0) uses a case-sensitive blocklist to filter dangerous pseudo-tags. ExifTool processes tag names case-insensitively, so alternate casings bypass the filter. The blocklist also omits the HardLink and SymLink...
CVE-2026-35534
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-07 17:29:48+00:00 | seen | Telegram/t7opZ3s7Nl85xZs745vJOFh0FG2Whznv9BGbk6FzHivbIC0 |
| 2026-04-11 03:37:08+00:00 | seen | https://bsky.app/profile/cyberhub.blog/post/3mj6vvfabd62n... |
Russia Hacked Routers to Steal Microsoft Office Tokens
Hackers linked to Russia's military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today. The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens...
Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign
The Russia-linked threat actor known as APT28 aka Forest Blizzard has been linked to a new campaign that has compromised insecure MikroTik and TP-Link routers and modified their settings to turn them into malicious infrastructure under their control as part of a cyber espionage campaign since at...
CVE-2021-4473
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-07 15:58:08+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3miw5gorvxq22 |
| 2026-04-08 21:03:01+00:00 | seen | https://bsky.app/profile/beikokucyber.bsky.social/post/3miz6wtjcpe2p |
| 2026-04-26 22:07:07+00:00 | seen | ... |
EUVD-2026-19726
ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked the 'Cancel' button on the page. For...
CVE-2026-35571 Emissary has Stored XSS via Navigation Template Link Injection
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript:...
CVE-2026-35571
CVE-2026-35571 affects Emissary prior to 8.39.0. Mustache navigation templates interpolated config-controlled link values directly into href attributes without URL scheme validation, allowing an administrator with navItems access to inject javascript: URIs and trigger stored XSS against other aut...
CVE-2026-3466
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-07 15:21:30+00:00 | published-proof-of-concept | Telegram/OQovZCNyncHtmKsEQoVAn9WglYI3Qk-HPEu8DU-i8r2-BaQ |
| 2026-04-07 15:38:01+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3miw4crqhwx2n... |