2026-04-03 20:16Z · CRIT

CVE-2026-28798 — Zimaspace Zimaos: This results in unauthenticated access to internal-only endpoints and sensitive local services when the

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-28798

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface can be abused (via an externally reachable domain using a Cloudflare Tunnel) to make requests to internal localhost services. This results in unauthenticated access to internal-only endpoints and sensitive local services when the product is reachable from the Internet through a Cloudflare Tunn

CWE-918 · Vendor: Zimaspace, Zimaos · Type: Vulnerability
CVSS v3.1: 9.0 (CRITICAL) · Score: 95
2026-04-03 20:16Z · HIGH

CVE-2026-25726 — Cloudreve Cloudreve: This allows them to forge valid JSON Web Tokens (JWTs) for any user, including

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-25726

Cloudreve is a self-hosted file management and sharing system. Prior to version 4.13.0, the application uses the weak pseudo-random number generator math/rand seeded with time.Now().UnixNano() to generate critical security secrets, including the secret_key, and hash_id_salt. These secrets are generated upon first startup and persisted in the database. An attacker can exploit this by obtaining the administrator's account creation time (via public API endpoints) to narrow the s

CWE-338 · Vendor: Cloudreve · Type: Vulnerability
CVSS v3.1: 8.1 (HIGH) · Score: 91
2026-04-03 19:06Z · HIGH

Metasploit Wrap-Up 03/04/2026

Source: Rapid7 Research · rapid7.com · CVE-2026-28289, CVE-2025-50286

Metasploit Framework 6.4.125 adds five new modules including unauthenticated RCE exploits for FreeScout and Grav CMS, a generic HTTP command execution module, Windows persistence via registry abuse, and HTTP/HTTPS payload adapters for x86/x64. The release also includes eight enhancements, six bug fixes, and expanded documentation across multiple scanner and auxiliary modules.

Surface: Application, Web · ATT&CK tactics: TA0004, TA0002, TA0003 · Vendor: Rapid7, Metasploit · Type: Tool
Score: 72
2026-04-03 18:16Z · CRIT

CVE-2026-32186 — Microsoft Bing: Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to elevate privileges

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32186

Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to elevate privileges over a network.

CWE-918 · Vendor: Microsoft · Type: Vulnerability
CVSS v3.1: 10.0 (CRITICAL) · Score: 100
2026-04-03 18:16Z · CRIT

CVE-2026-0545 — FastAPI: This can lead to unauthenticated remote code execution if allowed jobs perform privileged actions

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-0545

In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and any job function is allowlisted, any network client can submit, read, search, and cancel jobs without credentials, bypassing basic-auth entirely. This can lead to unauthentica

CWE-306 · Vendor: Fastapi · Type: Vulnerability
CVSS v3.1: 9.1 (CRITICAL) · Score: 96
2026-04-03 17:16Z · CRIT

CVE-2026-28373 — Stackfield: The Stackfield Desktop App before 1.10.2 for macOS and Windows contains a path traversal

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-28373

The Stackfield Desktop App before 1.10.2 for macOS and Windows contains a path traversal vulnerability in certain decryption functionality when processing the filePath property. A malicious export can write arbitrary content to any path on the victim's filesystem.

CWE-22 · Vendor: Stackfield · Type: Vulnerability
CVSS v3.1: 9.6 (CRITICAL) · Score: 98
2026-04-03 16:16Z · HIGH

CVE-2026-35218 — Budibase Budibase: Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35218

Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, view, or query whose name contains an HTML payload (e.g. <img src=x onerror=alert(document.domain)>). When any Builder-role user in the same workspace opens the Command Palette (Ctrl

CWE-79 · Vendor: Budibase · Type: Vulnerability
CVSS v3.1: 8.7 (HIGH) · Score: 94
2026-04-03 16:16Z · CRIT

CVE-2026-35216 — Budibase Budibase: Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35216

Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. This issue has been patched in version 3.33.4.

CWE-78 · Vendor: Budibase · Type: Vulnerability
CVSS v3.1: 9.0 (CRITICAL) · Score: 95
2026-04-03 16:16Z · HIGH

CVE-2026-35214 — Budibase Budibase: Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35214

Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can

CWE-22 · Vendor: Budibase · Type: Vulnerability
CVSS v3.1: 8.7 (HIGH) · Score: 94
2026-04-03 16:16Z · CRIT

CVE-2026-31818 — Budibase Budibase: Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-31818

Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requ

CWE-918, CWE-1188 · Vendor: Budibase · Type: Vulnerability
CVSS v3.1: 9.6 (CRITICAL) · Score: 98
2026-04-03 16:16Z · CRIT

CVE-2026-31402 — Linux: This results in a slab-out-of-bounds write of up to 944 bytes past the end

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-31402

In the Linux kernel, the following vulnerability has been resolved: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT). When a LOCK operation is

Type: Vulnerability
CVSS v3.1: 9.8 (CRITICAL) · EPSS 15th percentile · Score: 99
2026-04-03 16:16Z · HIGH

CVE-2026-31393 — Linux: A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an out-of-bounds read of adjacent skb

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-31393

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access l2cap_information_rsp() checks that cmd_len covers the fixed l2cap_info_rsp header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is present: - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads 4 bytes past the header (needs cmd_len >= 8). - L2CAP_IT_FIXED_CHAN reads rsp->dat

Type: Vulnerability
CVSS v3.1: 8.1 (HIGH) · EPSS 9th percentile · Score: 91
2026-04-03 16:16Z · HIGH

CVE-2026-31392 — Linux: In the Linux kernel, the following vulnerability has been resolved: smb: client: fix krb5

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-31392

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix krb5 mount with username option Customer reported that some of their krb5 mounts were failing against a single server as the client was trying to mount the shares with wrong credentials. It turned out the client was reusing SMB session from first mount to try mounting the other shares, even though a different username= option had been specified to the other mounts. By using username mount

Type: Vulnerability
CVSS v3.1: 8.1 (HIGH) · EPSS 9th percentile · Score: 91
2026-04-03 16:16Z · HIGH

CVE-2026-25044 — Budibase Budibase: User input is processed through processStringSync which allows template interpolation, potentially allowing arbitrary command

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-25044

Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing arbitrary command execution. This issue has been patched in version 3.33.4.

CWE-78 · Vendor: Budibase · Type: Vulnerability
CVSS v3.1: 8.8 (HIGH) · Score: 94
2026-04-03 16:16Z · HIGH

CVE-2026-23462 — Linux: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HIDP: Fix possible

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-23462

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HIDP: Fix possible UAF This fixes the following trace caused by not dropping l2cap_conn reference when user->remove callback is called: [ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00 [ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy) [ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17

Type: Vulnerability
CVSS v3.1: 8.8 (HIGH) · EPSS 9th percentile · Score: 94
2026-04-03 16:16Z · HIGH

CVE-2026-23461 — Linux: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-23461

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to conn->users. However, l2cap_register_user() and l2cap_unregister_user() don't use conn->lock, creating a race condition where these functions can access conn->users and conn->hchan concurrently with l2cap_conn_

Type: Vulnerability
CVSS v3.1: 8.8 (HIGH) · EPSS 7th percentile · Score: 94
2026-04-03 16:16Z · HIGH

CVE-2026-23459 — Linux: In the Linux kernel, the following vulnerability has been resolved: ip_tunnel: adapt iptunnel_xmit_stats() to

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-23459

In the Linux kernel, the following vulnerability has been resolved: ip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS Blamed commits forgot that vxlan/geneve use udp_tunnel[6]_xmit_skb() which call iptunnel_xmit_stats(). iptunnel_xmit_stats() was assuming tunnels were only using NETDEV_PCPU_STAT_TSTATS. @syncp offset in pcpu_sw_netstats and pcpu_dstats is different. 32bit kernels would either have corruptions or freezes if the syncp sequence was overwritt

Type: Vulnerability
CVSS v3.1: 8.2 (HIGH) · EPSS 7th percentile · Score: 91
2026-04-03 16:16Z · HIGH

CVE-2026-23457 — Linux: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix Content-Length

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-23457

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary. For example, Content-Length 4294967328 (2^32 + 32) is truncated to 3

Type: Vulnerability
CVSS v3.1: 8.6 (HIGH) · EPSS 9th percentile · Score: 93
2026-04-03 16:16Z · HIGH

CVE-2026-23456 — Linux: This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read.

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-23456

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byt

Type: Vulnerability
CVSS v3.1: 8.2 (HIGH) · EPSS 9th percentile · Score: 91
2026-04-03 16:16Z · CRIT

CVE-2026-23455 — Linux: If the encoded length is 0, the decrement wraps to -1, which is then

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-23455

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read. Ad

Type: Vulnerability
CVSS v3.1: 9.1 (CRITICAL) · EPSS 9th percentile · Score: 96
2026-04-03 16:16Z · CRIT

CVE-2026-23450 — Linux: This leads to two issues: 1) NULL pointer dereference: sk_user_data is NULL when accessed.

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-23450

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock() Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1]. smc_tcp_syn_recv_sock() is called in the TCP receive path (softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP listening socket). It reads sk_user_data to get the smc_sock pointer. However, when the SMC listen socket is being closed concurrently, smc_close_active() sets clcsoc

Type: Vulnerability
CVSS v3.1: 9.8 (CRITICAL) · EPSS 9th percentile · Score: 99
2026-04-03 16:16Z · CRIT

CVE-2026-23428 — Linux Linux_kernel: In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free of

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-23428

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free of share_conf in compound request smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state == TREE_CONNECTED on the initial lookup path, but the compound reuse path bypasses this check entirely. If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state to TREE_DISCONNECTED and frees share_co

CWE-416 · Type: Vulnerability
CVSS v3.1: 9.8 (CRITICAL) · EPSS 2nd percentile · Score: 99
2026-04-03 16:16Z · CRIT

CVE-2026-23427 — Linux Linux_kernel: In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-23427

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in durable v2 replay of active file handles parse_durable_handle_context() unconditionally assigns dh_info->fp->conn to the current connection when handling a DURABLE_REQ_V2 context with SMB2_FLAGS_REPLAY_OPERATION. ksmbd_lookup_fd_cguid() does not filter by fp->conn, so it returns file handles that are already actively connected. The unconditional overwrite replaces fp->conn, and

CWE-416 · Type: Vulnerability
CVSS v3.1: 9.8 (CRITICAL) · EPSS 2nd percentile · Score: 99
2026-04-03 15:16Z · HIGH

CVE-2025-59711 — Kovai Biztalk360: Because of mishandling of user-provided input in an upload mechanism, an authenticated attacker is

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-59711

An issue was discovered in Biztalk360 before 11.5. Because of mishandling of user-provided input in an upload mechanism, an authenticated attacker is able to write files outside of the destination directory and/or coerce an authentication from the service, aka Directory Traversal.

CWE-22 · Vendor: Kovai, Biztalk360 · Type: Vulnerability
CVSS v3.1: 8.3 (HIGH) · Score: 92
2026-04-03 15:16Z · HIGH

CVE-2025-59710 — Kovai Biztalk360: Because of incorrect access control, any user is able to request the loading a

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-59710

An issue was discovered in Biztalk360 before 11.5. Because of incorrect access control, any user is able to request the loading of a DLL file. During the loading, a method is called. An attacker can craft a malicious DLL, upload it to the server, and use it to achieve remote code execution on the server.

CWE-434 · Vendor: Kovai, Biztalk360 · Type: Vulnerability
CVSS v3.1: 8.8 (HIGH) · Score: 94