2026-04-21 20:17Z · CRIT

CVE-2026-40884 — Goshs Goshs: Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40884

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network attacker can connect to the SFTP service and access files without a password. This vulnerability is fixed in 2.0.0-beta.6. CVSSv3.1 9.8 (CRITICAL) · EPSS 17th percentile

CWE 306 · VND Goshs · VND Simplehttpserver · TYP Vulnerability
CVSS v3.1: 9.8 · Score: 99

2026-04-21 20:17Z · HIGH

CVE-2026-40883 — Goshs Goshs: From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40883

goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CSRF, Origin, or Referer validation for those routes. This vulnerability is fixed in 2.0.0-beta.6. CVSSv3.1 8.1 (HIGH) · EPSS 5th percentile

CWE 352 · VND Goshs · VND Simplehttpserver · TYP Vulnerability
CVSS v3.1: 8.1 · Score: 91

2026-04-21 20:17Z · HIGH

CVE-2026-40880 — Zfnd Zebra-consensus: Prior to zebrad version 4.3.1 and zebra-consensus version 5.0.2, a logic error in Zebra's

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40880

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and zebra-consensus version 5.0.2, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By carefully submitting a transaction that is valid for height H+1 but invalid for H+2 and then mining that transaction in a block at height H+2, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from t CVSSv3.1 8.1 (HIGH) · EPSS 13th percentile

CWE 1025 · VND Zfnd · VND Zebra · TYP Vulnerability
CVSS v3.1: 8.1 · Score: 91

2026-04-21 20:17Z · HIGH

CVE-2026-40876 — Goshs Goshs: goshs is a SimpleHTTPServer written in Go.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40876

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files. The SFTP subsystem routes requests through sftpserver/sftpserver.go into DefaultHandler.GetHandler() in sftpserver/handler.go, which forwards fil CVSSv3.1 8.8 (HIGH) · EPSS 13th percentile

CWE 22 · VND Goshs · VND Simplehttpserver · TYP Vulnerability
CVSS v3.1: 8.8 · Score: 94

2026-04-21 20:16Z · CRIT

CVE-2026-40372 — Microsoft Asp.net_core: Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40372

Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network. CVSSv3.1 9.1 (CRITICAL) · EPSS 8th percentile

CWE 347 · VND Microsoft · TYP Vulnerability
CVSS v3.1: 9.1 · Score: 96

2026-04-21 19:16Z · HIGH

CVE-2026-40868 — Kyverno Kyverno: Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ...

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40868

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy does not explicitly set an Authorization header. Because context.apiCall.service.url is policy-controlled, this can send the kyverno serviceaccount token to an attacker-controlled endpoint (confused deputy). Namespaced policies are bloc CVSSv3.1 8.1 (HIGH) · EPSS 9th percentile

CWE 922 · VND Kyverno · TYP Vulnerability
CVSS v3.1: 8.1 · Score: 91

2026-04-21 19:16Z · HIGH

CVE-2026-40614 — Pjsip Pjsip: In 2.16 and earlier, there is a buffer overflow when decoding Opus audio frames

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40614

PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is a buffer overflow when decoding Opus audio frames due to insufficient buffer size validation in the Opus codec decode path. The FEC decode buffers (dec_frame[].buf) were allocated based on a PCM-derived formula: (sample_rate/1000) * 60 * channel_cnt * 2. At 8 kHz mono this yields only 960 bytes, but codec_parse() can output encoded frames up to MAX_ENCODED_PACKET_SIZE CVSSv3.1 8.8 (HIGH)

CWE 122 · VND Pjsip · TYP Vulnerability
CVSS v3.1: 8.8 · Score: 94

2026-04-21 18:16Z · HIGH

CVE-2026-40611 — Encrypt: Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40611

Let's Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego process. This vulnerability is fixed in 4.34.0. CVSSv3.1 8.8 (HIGH)

CWE 22 · VND Encrypt · TYP Vulnerability
CVSS v3.1: 8.8 · Score: 94

2026-04-21 17:16Z · CRIT

CVE-2026-5652 — Craftycontrol Crafty_controller: An insecure direct object reference vulnerability in the Users API component of Crafty Controller

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5652

An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation. CVSSv3.1 9.0 (CRITICAL) · EPSS 21st percentile

CWE 639 · VND Craftycontrol · TYP Vulnerability
CVSS v3.1: 9.0 · Score: 95

2026-04-21 17:16Z · HIGH

CVE-2026-40583 — Ultradag Ultradag: In version 0.1, a non-council attacker can submit a signed SmartOp::Vote transaction that passes

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40583

UltraDAG is a minimal DAG-BFT blockchain in Rust. In version 0.1, a non-council attacker can submit a signed SmartOp::Vote transaction that passes signature, nonce, and balance prechecks, but fails authorization only after state mutation has already occurred. CVSSv3.1 8.2 (HIGH) · EPSS 12th percentile

CWE 460 · CWE 696 · VND Ultradag · TYP Vulnerability
CVSS v3.1: 8.2 · Score: 91

2026-04-21 17:16Z · CRIT

CVE-2026-38835 — Tenda W30e_firmware: W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-38835

Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. CVSSv3.1 9.8 (CRITICAL) · EPSS 38th percentile

CWE 77 · VND Tenda · TYP Vulnerability
CVSS v3.1: 9.8 · Score: 99

2026-04-21 17:05Z · LOW

v9.0.2

BloodHound releases · github.com · CVE-2026-33815 · CVE-2026-33816

BloodHound v9.0.2 released with routine maintenance updates including cipher additions, Azure post-processing fixes, and a pgx dependency upgrade to remediate two CVEs in the database driver. The release includes minor feature additions and build improvements.

SRF Application · VND Bloodhound · VND Specter Ops · TYP Tool · TYP Vulnerability
CVSS v3.1: 9.8 · Score: 35

2026-04-21 16:02Z · CRIT

The Vercel Breach Explains Why Identity Attack Path Management Can’t Wait

SpecterOps · specterops.io · in the wild

Vercel suffered a supply-chain breach when an employee connected the AI tool Context.ai to corporate Google Workspace via OAuth with overly broad permissions. Context.ai was subsequently compromised via an infostealer (Lumma Stealer) targeting a Context.ai employee, exposing OAuth tokens that granted attackers direct access to Vercel's identity infrastructure and internal systems. SpecterOps frames this as a structural identity attack path problem: the compromise of a non-human identity (NHI) with delegated trust relationships enabled lateral movement at machine speed, exposing the inadequacy of traditional IAM governance against AI-driven identity risks.

TAC TA0001 · SRF Identity · TAC TA0003 · SRF Cloud · TAC TA0008 · VND Google · VND Vercel · VND Context Ai
Score: 82

2026-04-21 15:41Z · HIGH

CVE-2026-3324 — Log360: ManageEngine Log360 builds 13000–13013 contain an authentication bypass vulnerability in exposed V1

Horizon3.ai · horizon3.ai · CVE-2026-3324

ManageEngine Log360 builds 13000–13013 contain an authentication bypass vulnerability in exposed V1 APIs that allows attackers to bypass authorization checks and gain unauthorized access to data and operations. The vendor patched the issue in build 13017 released March 10, 2026, with public disclosure on April 17, 2026.

SRF Application · TAC TA0001 · SRF Web · VND Log360 · VND Manageengine · TYP Vulnerability · TYP Advisory · STG Initial Access
Score: 68

2026-04-21 15:16Z · HIGH

CVE-2026-31019 — Dolibarr Dolibarr_erp/crm: An authenticated user with permission to edit PHP content can bypass this filtering, resulting

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-31019

In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code execution with the ability to execute arbitrary operating system commands on the server. CVSSv3.1 8.8 (HIGH)

CWE 78 · VND Dolibarr · TYP Vulnerability
CVSS v3.1: 8.8 · Score: 94

2026-04-21 15:16Z · HIGH

CVE-2026-31018 — Dolibarr Dolibarr_erp/crm: In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-31018

In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation. CVSSv3.1 8.8 (HIGH)

CWE 94 · CWE 284 · VND Dolibarr · TYP Vulnerability
CVSS v3.1: 8.8 · Score: 94

2026-04-21 14:38Z · CRIT

Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained

Rapid7 Research · rapid7.com · in the wild

Rapid7 analyzed two Kyber ransomware variants—one targeting VMware ESXi and one targeting Windows—recovered from a March 2026 incident. The ESXi variant uses ChaCha8 encryption despite claiming post-quantum Kyber1024, while the Windows variant correctly implements AES-256-CTR with Kyber1024 key wrapping. Both variants share campaign infrastructure and employ sophisticated anti-recovery techniques including VM termination, shadow copy deletion, and management interface defacement.

SRF Os · TAC TA0005 · TAC TA0002 · SRF Network Appliance · TAC TA0040 · VND Microsoft · VND Vmware · TYP Research
Score: 82

2026-04-21 13:16Z · HIGH

CVE-2026-6750 — Mozilla Firefox: Privilege escalation in the Graphics: WebRender component.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6750

Privilege escalation in the Graphics: WebRender component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. CVSSv3.1 8.8 (HIGH)

CWE 269 · VND Mozilla · TYP Vulnerability
CVSS v3.1: 8.8 · Score: 94

2026-04-21 13:16Z · CRIT

CVE-2026-6748 — Mozilla Firefox: Uninitialized memory in the Audio/Video: Web Codecs component.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6748

Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. CVSSv3.1 9.8 (CRITICAL)

CWE 457 · CWE 824 · VND Mozilla · VND Uninitialized · TYP Vulnerability
CVSS v3.1: 9.8 · Score: 99

2026-04-21 11:16Z · HIGH

CVE-2026-41038 — Qntmnet Qn-i-470_firmware: An attacker on the same network could exploit this vulnerability by performing password guessing

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-41038

This vulnerability exists in Quantum Networks routers due to a lack of enforcement of strong password policies in the web-based management interface. An attacker on the same network could exploit this vulnerability by performing password guessing or brute-force attacks against user accounts, leading to unauthorized access to the targeted device. CVSSv3.1 8.8 (HIGH) · EPSS 7th percentile

CWE 521 · VND Qntmnet · VND Quantum · TYP Vulnerability
CVSS v3.1: 8.8 · Score: 94

2026-04-21 10:16Z · HIGH

CVE-2026-41037 — Qntmnet Qn-i-470_firmware: An attacker on the same network could exploit this vulnerability by performing brute force

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-41037

This vulnerability exists in Quantum Networks routers due to missing rate limiting and CAPTCHA protection for failed login attempts in the web-based management interface. An attacker on the same network could exploit this vulnerability by performing brute-force attacks against administrative credentials, leading to unauthorized access with root privileges on the targeted device. CVSSv3.1 8.8 (HIGH) · EPSS 7th percentile

CWE 307 · VND Qntmnet · VND Quantum · TYP Vulnerability
CVSS v3.1: 8.8 · Score: 94

2026-04-21 10:16Z · HIGH

CVE-2026-41036 — Qntmnet Qn-i-470_firmware: Successful exploitation of this vulnerability could allow the attacker to perform remote code execution

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-41036

This vulnerability exists in Quantum Networks routers due to inadequate sanitization of user-supplied input in the management CLI interface. An authenticated remote attacker could exploit this vulnerability by injecting arbitrary OS commands on the targeted device. Successful exploitation could allow the attacker to achieve remote code execution with root privileges on the targeted device. CVSSv3.1 8.8 (HIGH) · EPSS 64th percentile

CWE 78 · VND Qntmnet · VND Quantum · TYP Vulnerability
CVSS v3.1: 8.8 · Score: 94

2026-04-21 07:58Z · INFO

shannon — Shannon Lite is an autonomous, white-box AI pentester for web applications and APIs. It analyzes your source code, ident

GitHub · LPE exploits · github.com · GITHUB POC

Shannon Lite is an open-source autonomous AI pentester for web applications and APIs that performs white-box security testing by analyzing source code and executing real exploits. The tool identifies attack vectors across injection, XSS, SSRF, and authentication bypass categories, generating proof-of-concept exploits for confirmed vulnerabilities. Shannon Pro, the commercial variant, adds agentic SAST, SCA, secrets scanning, and business logic testing with static-dynamic correlation.

SRF Application · SRF Web · TAC TA0042 · TAC TA0043 · TYP Tool · STG Discovery · STG Execution · STG Initial Access
Score: 72

2026-04-21 04:16Z · CRIT

CVE-2026-5965 — NewSoftOA: developed by NewSoft has an OS Command Injection vulnerability, allowing unauthenticated local attackers

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5965

NewSoftOA, developed by NewSoft, has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server. CVSSv3.1 9.8 (CRITICAL) · EPSS 92nd percentile

CWE 78 · VND Newsoftoa · TYP Vulnerability
CVSS v3.1: 9.8 · Score: 100

2026-04-21 03:16Z · HIGH

CVE-2026-40497 — Freescout Freescout: CSP allows `style-src * 'self' 'unsafe-inline'`, so injected inline styles execute freely.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40497

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's `Helper::stripDangerousTags()` removes `<script>`, `<form>`, `<iframe>`, `<object>` but does NOT strip `<style>` tags. The mailbox signature field is saved via POST /mailbox/settings/{id} and later rendered unescaped via `{!! $conversation->getSignatureProcessed([], true) !!}` in conversation views. CSP allows `style-src * 'self' 'unsafe-inline'`, so injected inline styles exec CVSSv3.1 8.1 (HIGH)

CWE 79 · VND Freescout · TYP Vulnerability
CVSS v3.1: 8.1 · Score: 91