2026-04-09
2026-04-09 21:16Z
CRIT

CVE-2026-5977 — Executing a manipulation of the argument wifiOff can lead to OS command injection.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5977

A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. This impacts the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument wifiOff can lead to OS command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. CVSSv3.1 9.8 (CRITICAL)

CWE-77 · CWE-78 · Type: Vulnerability
9.8
CVSS v3.1
99
Edit Score
2026-04-09
2026-04-09 21:16Z
HIGH

CVE-2026-40093 — Nimiq Nimiq_proof-of-stake: nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40093

nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In 1.3.0 and earlier, block timestamp validation enforces that timestamp >= parent.timestamp for non-skip blocks and timestamp == parent.timestamp + MIN_PRODUCER_TIMEOUT for skip blocks, but there is no visible upper bound check against the wall clock. A malicious block-producing validator can set block timestamps arbitrarily far in the future. This directly affects reward calculations via Pol CVSSv3.1 8.1 (HIGH) · EPSS 20th percentile

CWE-1284 · Vendor: Nimiq · Type: Vulnerability
8.1
CVSS v3.1
91
Edit Score
2026-04-09
2026-04-09 21:16Z
HIGH

CVE-2023-54359 — WordPress: adivaha Travel Plugin 2.3 contains a time-based blind SQL injection vulnerability that allows

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2023-54359

WordPress adivaha Travel Plugin 2.3 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pid' GET parameter. Attackers can send requests to the /mobile-app/v3/ endpoint with crafted 'pid' values using XOR-based payloads to extract sensitive database information or cause denial of service. CVSSv3.1 8.2 (HIGH)

CWE-89 · Vendor: WordPress · Type: Vulnerability
8.2
CVSS v3.1
91
Edit Score
2026-04-09
2026-04-09 20:43Z
INFO

v9.0.0-rc4

BloodHound releases · github.com

BloodHound v9.0.0-rc4 release candidate published with minor bug fixes and dependency updates. Changes include UI navigation scrolling fixes, history table height adjustments, AzureHound version bump, Go 1.26.2 upgrade, and module updates.

Vendor: BloodHound, SpecterOps · Type: Tool
15
Edit Score
2026-04-09
2026-04-09 20:16Z
CRIT

CVE-2026-5976 — Performing a manipulation of the argument sambaEnabled results in OS command injection.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5976

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setStorageCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument sambaEnabled results in OS command injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. CVSSv3.1 9.8 (CRITICAL)

CWE-77 · CWE-78 · Type: Vulnerability
9.8
CVSS v3.1
99
Edit Score
2026-04-09
2026-04-09 20:16Z
CRIT

CVE-2026-5975 — Totolink: Such manipulation of the argument wanIdx leads to OS command injection.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5975

A vulnerability was identified in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setDmzCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument wanIdx leads to OS command injection. The attack may be performed from remote. The exploit is publicly available and might be used. CVSSv3.1 9.8 (CRITICAL)

CWE-77 · CWE-78 · Vendor: Totolink · Type: Vulnerability
9.8
CVSS v3.1
99
Edit Score
2026-04-09
2026-04-09 20:16Z
HIGH

CVE-2026-4436 — A low-privileged remote attacker can send Modbus packets to manipulate register values that are

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-4436

A low-privileged remote attacker can send Modbus packets to manipulate register values that are inputs to the odorant injection logic such that too much or too little odorant is injected into a gas line. CVSSv3.1 8.6 (HIGH)

CWE-306 · Type: Vulnerability
8.6
CVSS v3.1
93
Edit Score
2026-04-09
2026-04-09 20:16Z
CRIT

CVE-2026-40089 — Sonicverse: The Sonicverse Radio Audio Streaming Stack dashboard contains a Server-Side Request Forgery (SSRF) vulnerability

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40089

Sonicverse is a Self-hosted Docker Compose stack for live radio streaming. The Sonicverse Radio Audio Streaming Stack dashboard contains a Server-Side Request Forgery (SSRF) vulnerability in its API client (apps/dashboard/lib/api.ts). Installations created using the provided install.sh script (including the one‑liner bash <(curl -fsSL https://sonicverse.short.gy/install-audiostack)) are affected. In these deployments, the dashboard accepts user-controlled URLs and passes them CVSSv3.1 9.9 (CRITICAL)

CWE-918 · Vendor: Sonicverse · Type: Vulnerability
9.9
CVSS v3.1
100
Edit Score
2026-04-09
2026-04-09 20:16Z
CRIT

CVE-2026-40088 — PraisonAI: Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40088

PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metacharacters. This vulnerability is fixed in 4.5.121. CVSSv3.1 9.6 (CRITICAL)

CWE-78 · Vendor: PraisonAI · Type: Vulnerability
9.6
CVSS v3.1
98
Edit Score
2026-04-09
2026-04-09 20:16Z
CRIT

CVE-2026-29145 — Apache Tomcat: CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-29145

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2 CVSSv3.1 9.1 (CRITICAL)

CWE-287 · Vendor: Apache, Client Cert · Type: Vulnerability
9.1
CVSS v3.1
96
Edit Score
2026-04-09
2026-04-09 20:16Z
CRIT

CVE-2025-13926 — An attacker could use data obtained by sniffing the network traffic to forge packets

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-13926

An attacker could use data obtained by sniffing the network traffic to forge packets in order to make arbitrary requests to Contemporary Controls BASC 20T. CVSSv3.1 9.8 (CRITICAL)

CWE-807 · Type: Vulnerability
9.8
CVSS v3.1
99
Edit Score
2026-04-09
2026-04-09 19:16Z
CRIT

CVE-2026-39912 — V2Board: 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39912

V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin priv CVSSv3.1 9.1 (CRITICAL)

CWE-201 · Vendor: V2Board · Type: Vulnerability
9.1
CVSS v3.1
96
Edit Score
2026-04-09
2026-04-09 19:16Z
CRIT

CVE-2026-31170 — ToToLink: An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-31170

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi. CVSSv3.1 9.8 (CRITICAL)

CWE-77 · Vendor: Totolink · Type: Vulnerability
9.8
CVSS v3.1
99
Edit Score
2026-04-09
2026-04-09 19:00Z
HIGH

Inside Cirro: Attack Paths, Cloud Graphs, and Extensible Schemas

Bishop Fox Labs · bishopfox.com

Bishop Fox released Cirro, an open-source cloud attack path analysis tool for Azure that models relationships between identities, RBAC, resources, and data-plane artifacts (secrets, certificates) to expose privilege escalation and lateral movement chains. The tool uses a templated YAML schema engine with Tera templating to scale across Azure resource types without hardcoding, and includes CirroDash for graph visualization and cirro-azcli-ext for passive API response capture.

Tactic: TA0007 · SRF: Identity, Cloud · Vendor: Microsoft, Azure · Type: Research, Tool · STG: Discovery
78
Edit Score
2026-04-09
2026-04-09 18:17Z
HIGH

CVE-2026-5329 — Rapid7: Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability in the

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5329

Rapid7 Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker to write to arbitrary internal server queues via a crafted monitoring message with a malicious queue name. The server handler that receives client monitoring messages does not sufficiently validate the queue name supplied by the client, allowing a rogu CVSSv3.1 8.5 (HIGH)

CWE-20 · Vendor: Rapid7 · Type: Vulnerability
8.5
CVSS v3.1
93
Edit Score
2026-04-09
2026-04-09 18:17Z
HIGH

CVE-2026-40070 — Sgbett Bsv-wallet: BSV Ruby SDK is the Ruby SDK for the BSV blockchain.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40070

BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies all certificate fields (including signature:) and the record is written to storage verbatim. In acquisition_protocol: 'issuance', the client POSTs to a certifier URL and writes whatev CVSSv3.1 8.1 (HIGH) · EPSS 1st percentile

CWE-347 · Vendor: BSV, Sgbett · Type: Vulnerability
8.1
CVSS v3.1
91
Edit Score
2026-04-09
2026-04-09 18:17Z
CRIT

CVE-2026-39987 — Coreweave Marimo: Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39987

marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connectio CVSSv3.1 9.8 (CRITICAL)

CWE-306 · Vendor: CoreWeave · Type: Vulnerability
9.8
CVSS v3.1
99
Edit Score
2026-04-09
2026-04-09 18:17Z
HIGH

CVE-2026-39983 — Patrickjuchli Basic-ftp: Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39983

basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. Th CVSSv3.1 8.6 (HIGH)

CWE-93 · Vendor: Patrickjuchli, Ftp · Type: Vulnerability
8.6
CVSS v3.1
93
Edit Score
2026-04-09
2026-04-09 18:17Z
HIGH

CVE-2026-39981 — AGiXT: An authenticated attacker can use directory traversal sequences to read, write, or delete arbitrary

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39981

AGiXT is a dynamic AI Agent Automation Platform. Prior to 1.9.2, the safe_join() function in the essential_abilities extension fails to validate that resolved file paths remain within the designated agent workspace. An authenticated attacker can use directory traversal sequences to read, write, or delete arbitrary files on the server hosting the AGiXT instance. This vulnerability is fixed in 1.9.2. CVSSv3.1 8.8 (HIGH)

CWE-22 · Vendor: AGiXT · Type: Vulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-09
2026-04-09 18:17Z
CRIT

CVE-2026-39980 — OpenCTI: Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39980

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with the Manage customization capability can run arbitrary JavaScript in the context of the OpenCTI platform process during notifier template execution. This vulnerability is fixed in 6.9.5. CVSSv3.1 9.1 (CRITICAL)

CWE-1336 · Vendor: OpenCTI · Type: Vulnerability
9.1
CVSS v3.1
96
Edit Score
2026-04-09
2026-04-09 18:17Z
HIGH

CVE-2026-39911 — Hashgraph: Guardian through version 3.5.0 contains an unsandboxed JavaScript execution vulnerability in the Custom

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39911

Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sen CVSSv3.1 8.8 (HIGH)

CWE-668 · Vendor: Hashgraph · Type: Vulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-09
2026-04-09 18:16Z
HIGH

CVE-2026-30478 — Dynamic: A Dynamic-link Library Injection vulnerability in GatewayGeo MapServer for Windows version 5 allows attackers

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-30478

A Dynamic-link Library Injection vulnerability in GatewayGeo MapServer for Windows version 5 allows attackers to escalate privileges via a crafted executable. CVSSv3.1 8.8 (HIGH)

CWE-427 · Vendor: Dynamic · Type: Vulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-09
2026-04-09 17:51Z
HIGH

What Project Glasswing Means for Security Leaders

Rapid7 Research · rapid7.com

Anthropic's Project Glasswing, a restricted Claude Mythos Preview model, demonstrates AI-driven vulnerability discovery at scale, identifying thousands of high-severity flaws in major operating systems and browsers while autonomously developing exploits. Access is limited to 50+ trusted organizations including AWS, Apple, Microsoft, Google, and Cisco, with $100M in credits committed to open-source security work. The disclosure signals that vulnerability discovery bottlenecks are shifting downstream to prioritization, remediation, and validation workflows.

Tactic: TA0001 · SRF: AI · Vendor: Microsoft, Apple, Google, Anthropic, AWS, Broadcom
72
Edit Score
2026-04-09
2026-04-09 17:16Z
HIGH

CVE-2026-39974 — MCP: Prior to 2.47.4, an authenticated Server-Side Request Forgery in n8n-mcp allows a caller holding

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39974

n8n-MCP is a Model Context Protocol (MCP) server that provides AI assistants with comprehensive access to n8n node documentation, properties, and operations. Prior to 2.47.4, an authenticated Server-Side Request Forgery in n8n-mcp allows a caller holding a valid AUTH_TOKEN to cause the server to issue HTTP requests to arbitrary URLs supplied through multi-tenant HTTP headers. Response bodies are reflected back through JSON-RPC, so an attacker can read the contents of any URL CVSSv3.1 8.5 (HIGH)

CWE-918 · Vendor: MCP · Type: Vulnerability
8.5
CVSS v3.1
93
Edit Score
2026-04-09
2026-04-09 17:16Z
CRIT

CVE-2026-39962 — Misp Misp: Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39962

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authenti CVSSv3.1 9.6 (CRITICAL)

CWE-90 · Vendor: MISP · Type: Vulnerability
9.6
CVSS v3.1
98
Edit Score