2026-04-03 14:16Z · HIGH

CVE-2026-25773 — Mattermost Focalboard: This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-25773

** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitized when the category reorder API processes the stored value. This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data inc CVSSv3.1 8.1 (HIGH) · EPSS 1st percentile

CWE 89 · VND Mattermost · VND Unsupported · TYP Vulnerability
CVSS v3.1 8.1 · Score 91
2026-04-03 14:16Z · HIGH

CVE-2026-23425 — Linux Linux_kernel: This results in the hypervisor seeing the flag as set while the ID registers

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-23425

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix ID register initialization for non-protected pKVM guests In protected mode, the hypervisor maintains a separate instance of the `kvm` structure for each VM. For non-protected VMs, this structure is initialized from the host's `kvm` state. Currently, `pkvm_init_features_from_host()` copies the `KVM_ARCH_FLAG_ID_REGS_INITIALIZED` flag from the host without the underlying `id_regs` data being CVSSv3.1 8.8 (HIGH) · EPSS 2nd percentile

TYP Vulnerability
CVSS v3.1 8.8 · Score 94
2026-04-03 13:46Z · HIGH

You Don’t Have a Security Problem, You Have a Visibility Problem

Rapid7 Research · rapid7.com

Rapid7 research argues that most breaches stem from visibility gaps rather than advanced exploits—specifically the inability to map assets, identities, and attack paths holistically. The article uses a medical technology breach case study where exposed assets, credential reuse, and over-permissioned access chained together into a lateral movement path that remained invisible until critical systems were compromised. The core thesis is that attackers exploit the connections between common weaknesses, not individual vulnerabilities, and that a visibility-first approach focusing on asset discovery, identity exposure, and attack path simulation is more effective than traditional vulnerability management.

SRF Network · TAC TA0007 · SRF Identity · SRF Cloud · TAC TA0008 · TYP Research · TYP Threat Intel · STG Discovery
Score 62
2026-04-03 11:00Z · HIGH

Simplifying MBA obfuscation with CoBRA

Trail of Bits · blog.trailofbits.com

Trail of Bits released CoBRA, an open-source tool that simplifies Mixed Boolean-Arithmetic (MBA) obfuscation expressions with 99.86% success rate across 73,000+ real-world samples. CoBRA operates as a CLI tool, C++ library, and LLVM pass plugin, addressing a gap where existing simplifiers (SiMBA, GAMBA) handle only partial expression classes.

SRF Application · TYP Research · TYP Tool · STG Discovery · STG Defense Evasion · TEC T1027 · TEC T1027.002
Score 82
2026-04-03 08:16Z · HIGH

CVE-2026-4350 — Perfmatters: The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-4350

The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 2.5.9.1. This is due to the `PMCS::action_handler()` method processing the `$_GET['delete']` parameter without any sanitization, authorization check, or nonce verification. The unsanitized filename is concatenated with the storage directory path and passed to `unlink()`. This makes it possible for authenticated attackers, with Subscriber-level CVSSv3.1 8.1 (HIGH) · EPSS 14th percentile

CWE 22 · VND Perfmatters · TYP Vulnerability
CVSS v3.1 8.1 · Score 91
2026-04-03 05:16Z · HIGH

CVE-2026-5463 — Danmcinerney Pymetasploit3: Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5463

Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions. CVSSv3.1 8.6 (HIGH) · EPSS 83rd percentile

CWE 77 · VND Command · VND Danmcinerney · TYP Vulnerability
CVSS v3.1 8.6 · Score 94
2026-04-03 00:16Z · CRIT

CVE-2026-33107 — Microsoft Azure_databricks: Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33107

Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a network. CVSSv3.1 10.0 (CRITICAL)

CWE 918 · VND Microsoft · TYP Vulnerability
CVSS v3.1 10.0 · Score 100
2026-04-03 00:16Z · CRIT

CVE-2026-33105 — Microsoft Azure_kubernetes_service: Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33105

Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network. CVSSv3.1 10.0 (CRITICAL)

CWE 285 · CWE 863 · VND Microsoft · TYP Vulnerability
CVSS v3.1 10.0 · Score 100
2026-04-03 00:16Z · CRIT

CVE-2026-32213 — Microsoft Azure_ai_foundry: Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32213

Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network. CVSSv3.1 10.0 (CRITICAL)

CWE 285 · CWE 863 · VND Microsoft · VND Azure · TYP Vulnerability
CVSS v3.1 10.0 · Score 100
2026-04-03 00:16Z · CRIT

CVE-2026-32211 — Microsoft Azure_web_apps: Missing authentication for critical function in Azure MCP Server allows an unauthorized attacker to

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32211

Missing authentication for critical function in Azure MCP Server allows an unauthorized attacker to disclose information over a network. CVSSv3.1 9.1 (CRITICAL)

CWE 306 · VND Microsoft · TYP Vulnerability
CVSS v3.1 9.1 · Score 96
2026-04-03 00:16Z · HIGH

CVE-2026-32173 — Microsoft Azure_sre_agent: Improper authentication in Azure SRE Agent allows an unauthorized attacker to disclose information over

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32173

Improper authentication in Azure SRE Agent allows an unauthorized attacker to disclose information over a network. CVSSv3.1 8.6 (HIGH)

CWE 287 · CWE 863 · VND Microsoft · VND Azure · TYP Vulnerability
CVSS v3.1 8.6 · Score 93
2026-04-03 00:16Z · CRIT

CVE-2026-26135 — Microsoft Azure_custom_locations_resource_provider: Server-side request forgery (ssrf) in Azure Custom Locations Resource Provider (RP) allows an authorized

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-26135

Server-side request forgery (ssrf) in Azure Custom Locations Resource Provider (RP) allows an authorized attacker to elevate privileges over a network. CVSSv3.1 9.6 (CRITICAL)

CWE 918 · VND Microsoft · TYP Vulnerability
CVSS v3.1 9.6 · Score 98
2026-04-03 00:00Z · HIGH

Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads

Trend Micro Research · trendmicro.com · in the wild

Anthropic accidentally exposed ~512K lines of Claude Code TypeScript source via a misconfigured npm package on March 31, 2026. Within 24 hours, threat actors weaponized the incident by creating fake GitHub repositories distributing Vidar stealer and GhostSocks proxy malware under the guise of leaked Claude Code, pivoting an existing rotating-lure campaign active since February 2026 that has impersonated 25+ software brands.

SRF Application · TAC TA0005 · TAC TA0001 · TAC TA0002 · TAC TA0006 · TAC TA0007 · TAC TA0009 · SRF Supply Chain
Score 78
2026-04-02 21:16Z · HIGH

CVE-2025-15620 — HiOS: Switch Platform versions 09.1.00 prior to 09.4.05 and 10.3.01 contains a denial-of-service vulnerability

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-15620

HiOS Switch Platform versions 09.1.00 prior to 09.4.05 and 10.3.01 contain a denial-of-service vulnerability in the web interface that allows remote attackers to reboot the affected device by sending a malicious HTTP GET request to a specific endpoint. Attackers can trigger an uncontrolled reboot condition through crafted HTTP requests to cause service disruption and unavailability of the switch. CVSSv3.1 8.6 (HIGH) · EPSS 1st percentile

CWE 306 · VND Hios · TYP Vulnerability
CVSS v3.1 8.6 · Score 93
2026-04-02 20:16Z · CRIT

CVE-2026-35053 — Hackerbay Oneuptime: Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35053

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId) without any authentication middleware. An attacker who can obtain or guess a workflow ID can trigger arbitrary workflow execution with attacker-controlled input data, enabling JavaScript code execution, notification abuse, and data manipu CVSSv3.1 9.8 (CRITICAL)

CWE 306 · VND Hackerbay · VND Oneuptime · TYP Vulnerability
CVSS v3.1 9.8 · Score 99
2026-04-02 20:16Z · HIGH

CVE-2026-34840 — Hackerbay Oneuptime: An attacker can prepend an unsigned assertion containing an arbitrary identity before a legitimately

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34840

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, OneUptime's SAML SSO implementation (App/FeatureSet/Identity/Utils/SSO.ts) has decoupled signature verification and identity extraction. isSignatureValid() verifies the first <Signature> element in the XML DOM using xml-crypto, while getEmail() always reads from assertion[0] via xml2js. An attacker can prepend an unsigned assertion containing an arbitrary identity before a legitimatel CVSSv3.1 8.1 (HIGH)

CWE 347 · VND Hackerbay · VND Oneuptime · TYP Vulnerability
CVSS v3.1 8.1 · Score 91
2026-04-02 19:21Z · HIGH

CVE-2026-34759 — Hackerbay Oneuptime: Combined with a projectId leak from the public Status Page API, an unauthenticated attacker

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34759

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These endpoints are externally reachable via the Nginx proxy at /notification/. Combined with a projectId leak from the public Status Page API, an unauthenticated attacker can purchase ph CVSSv3.1 8.1 (HIGH)

CWE 862 · VND Hackerbay · VND Oneuptime · TYP Vulnerability
CVSS v3.1 8.1 · Score 91
2026-04-02 19:21Z · HIGH

CVE-2026-34742 — Lfprojects Mcp_go_sdk: Prior to version 1.4.0, the Model Context Protocol (MCP) Go SDK does not enable

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34742

The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.0, the Model Context Protocol (MCP) Go SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPHandler or SSEHandler, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tool CVSSv3.1 8.1 (HIGH)

CWE 1188 · VND Lfprojects · VND Mcp · TYP Vulnerability
CVSS v3.1 8.1 · Score 91
2026-04-02 18:16Z · HIGH

CVE-2026-34577 — Gitroom Postiz: The endpoint requires no authentication and has no SSRF protections, allowing an unauthenticated attacker

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34577

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by appending .mp4 as a query parameter value or URL fragment. The endpoint requires no authentication and has no SSRF protections, allowing an unauthenticated attacker to read response CVSSv3.1 8.6 (HIGH)

CWE 918 · VND Gitroom · VND Postiz · TYP Vulnerability
CVSS v3.1 8.6 · Score 93
2026-04-02 18:16Z · HIGH

CVE-2026-34524 — Sillytavern Sillytavern: Prior to version 1.17.0, a path traversal vulnerability in chat endpoints allows an authenticated

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34524

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in chat endpoints allows an authenticated attacker to read and delete arbitrary files under their user data root (for example secrets.json and settings.json) by supplying avatar_url="..". This issue has been patched in version 1.17.0. CVSSv3.1 8.3 (HIGH)

CWE 22 · VND Sillytavern · TYP Vulnerability
CVSS v3.1 8.3 · Score 92
2026-04-02 18:16Z · HIGH

CVE-2026-34522 — Sillytavern Sillytavern: Prior to version 1.17.0, a path traversal vulnerability in /api/chats/import allows an authenticated attacker

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34522

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in /api/chats/import allows an authenticated attacker to write attacker-controlled files outside the intended chats directory by injecting traversal sequences into character_name. This issue has been patched in version 1.17.0. CVSSv3.1 8.1 (HIGH)

CWE 22 · CWE 73 · VND Sillytavern · TYP Vulnerability
CVSS v3.1 8.1 · Score 91
2026-04-02 18:16Z · HIGH

CVE-2026-34121 — Tp-link Tapo_c520ws_firmware: An authentication bypass vulnerability within the HTTP handling of the DS configuration service in

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34121

An authentication bypass vulnerability within the HTTP handling of the DS configuration service in TP-Link Tapo C520WS v2.6 was identified, due to inconsistent parsing and authorization logic in JSON requests during authentication check. An unauthenticated attacker can append an authentication-exempt action to a request containing privileged DS do actions, bypassing authorization checks. Successful exploitation allows unauthenticated execution of restricted configuration ac CVSSv3.1 8.8 (HIGH)

CWE 287 · VND Tp Link · TYP Vulnerability
CVSS v3.1 8.8 · Score 94
2026-04-02 17:16Z · CRIT

CVE-2026-34877 — Arm Mbed_tls: Insufficient protection of serialized SSL context or session structures allows an attacker who can

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34877

An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to arbitrary code execution. This is caused by Incorrect Use of Privileged APIs. CVSSv3.1 9.8 (CRITICAL)

CWE 502 · CWE 250 · VND Arm · VND Mbed · TYP Vulnerability
CVSS v3.1 9.8 · Score 99
2026-04-02 17:16Z · CRIT

CVE-2026-33950 — Signalk Signal_k_server: Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33950

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4. CVSSv3.1 9.4 (CRITICAL)

CWE 862 · CWE 288 · CWE 285 · VND Signal · VND Signalk · TYP Vulnerability
CVSS v3.1 9.4 · Score 97
2026-04-02 16:16Z · HIGH

CVE-2026-5350 — Trendnet Tew-657brm_firmware: The manipulation of the argument mac_pc_dba results in stack-based buffer overflow.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5350

A security flaw has been discovered in Trendnet TEW-657BRM 1.00.1. The impacted element is the function update_pcdb of the file /setup.cgi. The manipulation of the argument mac_pc_dba results in stack-based buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor confirms, that "[t]he product in question (...) has been discontinued and end of life since June 23, 2011, that is more than 14 years a CVSSv3.1 8.8 (HIGH)

CWE 121 · CWE 119 · VND Trendnet · TYP Vulnerability
CVSS v3.1 8.8 · Score 94