2026-03-18 10:02Z · CRIT

The Most Organized Threat Actors Use Your ITSM (BMC FootPrints Pre-Auth Remote Code Execution Chains)

watchTowr Labs disclosed a pre-authenticated RCE chain against BMC FootPrints ITSM affecting versions 20.20.02 through 20.24.01.001. The chain links four vulnerabilities: an authentication bypass via SEC_TOKEN generation in the password-reset endpoint (CVE-2025-71257), two blind SSRFs (CVE-2025-71258, CVE-2025-71259), and Java deserialization leading to RCE via the AspNetConfig servlet (CVE-2025-71260). BMC released hotfixes in September 2025 after a lengthy disclosure process; the CVEs were assigned in March 2026.

Tags: Application, Web · ATT&CK: TA0001 Initial Access, TA0002 Execution, TA0003 Persistence · Vendor: BMC · Type: Research, Write-up · Score: 88
2026-03-18 04:17Z · CRIT

CVE-2026-31938 — jsPDF (Parall): HTML injection via the `options` argument of `output()` before 4.2.1

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-31938

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of the `output` function allows attackers to inject arbitrary HTML (such as scripts) into the browser context in which the created PDF is opened. The vulnerability can be exploited in the following scenario: the attacker provides values for the output options, for example via a web interface. These values are then passed unsanitized (automatically or semi-automatically) […] CVSSv3.1 9.6 (CRITICAL)

CWE-79 · Vendor: Parall · Type: Vulnerability · Score: 98
2026-03-18 04:17Z · HIGH

CVE-2026-31898 — jsPDF (Parall): PDF object injection (e.g. JavaScript actions) via `createAnnotation` arguments before 4.2.1

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-31898

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with. Affected method and parameter: `createAnnotation`, `color`. The vulnerability has […] CVSSv3.1 8.1 (HIGH)

CWE-94, CWE-116 · Vendor: Parall · Type: Vulnerability · Score: 91
2026-03-18 02:16Z · HIGH

CVE-2026-2603 — Keycloak: IdP-initiated SAML broker login accepted even when the SAML Identity Provider is disabled

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-2603

A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication. In practice, disabling a brokered IdP is not an effective kill switch on affected versions: any party that can still obtain a valid SAML response from that IdP can complete the login. CVSSv3.1 8.1 (HIGH)

CWE-306 · Vendor: Keycloak · Type: Vulnerability · Score: 91
2026-03-18 02:16Z · HIGH

CVE-2026-28500 — ONNX (Linux Foundation) up to and including 1.20.1: onnx.hub.load() trust check bypass, silent=True suppresses all warnings and prompts

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-28500

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability trans […] CVSSv3.1 8.6 (HIGH)

CWE-345, CWE-829, CWE-693, CWE-494 · Vendor: Linux Foundation · Type: Vulnerability · Score: 93
2026-03-18 00:16Z · CRIT

CVE-2026-27459 — pyOpenSSL from 22.0.0 before 26.0.0: buffer overflow when a `set_cookie_generate_callback` callback returns a cookie longer than 256 bytes

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-27459

pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user-provided callback registered with `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL-provided buffer. Starting in version 26.0.0, cookie values that are too long are rejected. Only applications that register their own cookie-generation callback (DTLS servers using this API) are exposed, and only if that callback can return an oversized cookie. CVSSv3.1 9.8 (CRITICAL)

CWE-120 · Vendor: pyOpenSSL · Type: Vulnerability · Score: 99
2026-03-18 00:00Z · HIGH

From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA

Trend Micro Research · trendmicro.com

Trend Micro documents a SharePoint data exfiltration incident built on three chained misconfigurations rather than on any exploit: exposed Spring Boot Actuator endpoints that leaked service-account usernames and configuration metadata, plaintext Azure AD application secrets stored in a spreadsheet, and the OAuth2 Resource Owner Password Credentials (ROPC) grant left enabled, which bypassed MFA. The attacker authenticated with the stolen credentials via ROPC, obtained a valid access token, and exfiltrated SharePoint data without deploying malware.

Tags: Application, Identity, Cloud · ATT&CK: TA0001 Initial Access, TA0006 Credential Access, TA0007 Discovery · Vendor: Microsoft, Spring · Score: 76
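Added example (my own code, not from the Trend Micro write-up): detection logic over constructed data for the two observable stages of this chain. The sign-in records are shaped like Microsoft Graph signIn objects, where `authenticationProtocol` is `"ropc"` for password-grant sign-ins; the access-log lines are combined-log-format lines I made up for a Spring Boot service. The endpoint list, addresses, user names and application names are assumptions.

```python
import re

# Constructed sign-in records shaped like Microsoft Graph signIn objects (field names as documented
# for that resource; every value is made up). authenticationProtocol == "ropc" marks the password grant.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "svc-sp-sync@example.com", "appDisplayName": "Reporting App",
     "ipAddress": "203.0.113.7", "authenticationProtocol": "ropc",
     "conditionalAccessStatus": "notApplied", "resourceDisplayName": "Office 365 SharePoint Online",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 SharePoint Online",
     "ipAddress": "198.51.100.4", "authenticationProtocol": "oAuth2",
     "conditionalAccessStatus": "success", "resourceDisplayName": "Office 365 SharePoint Online",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-sp-sync@example.com", "appDisplayName": "Reporting App",
     "ipAddress": "203.0.113.7", "authenticationProtocol": "ropc",
     "conditionalAccessStatus": "notApplied", "resourceDisplayName": "Office 365 SharePoint Online",
     "status": {"errorCode": 50126}},
]

# Constructed combined-log-format lines from a Spring Boot service behind a reverse proxy.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2026:09:14:02 +0000] "GET /actuator HTTP/1.1" 200 1422 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2026:09:14:05 +0000] "GET /actuator/env HTTP/1.1" 200 98231 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2026:09:14:09 +0000] "GET /actuator/configprops HTTP/1.1" 200 40110 "-" "curl/8.5.0"
198.51.100.4 - - [10/Mar/2026:09:20:11 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.29"
203.0.113.7 - - [10/Mar/2026:09:21:40 +0000] "GET /actuator/heapdump HTTP/1.1" 404 0 "-" "curl/8.5.0"
"""

# Actuator endpoints that disclose configuration, credentials or process memory. 'health' and 'info'
# are deliberately absent: they are the only ones that belong on a network-reachable path.
SENSITIVE_ACTUATORS = {"env", "configprops", "heapdump", "beans", "mappings", "threaddump",
                       "loggers", "httptrace", "httpexchanges", "sessions"}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def find_actuator_disclosures(log_text):
    """Return (ip, endpoint) for every successful request to a sensitive Actuator endpoint.
    A 200 on /actuator/env from an unexpected source means property values and service names are out."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if not path.startswith("/actuator/"):
            continue
        endpoint = path[len("/actuator/"):].split("/", 1)[0]
        if endpoint in SENSITIVE_ACTUATORS and m.group("status") == "200":
            hits.append((m.group("ip"), endpoint))
    return hits


def find_ropc_signins(events, successful_only=True):
    """Return (upn, ip, app, resource) for sign-ins that used the ROPC grant. ROPC has no way to
    satisfy an MFA prompt, so a successful ROPC sign-in proves MFA was not enforced for that path."""
    hits = []
    for e in events:
        if e.get("authenticationProtocol") != "ropc":
            continue
        if successful_only and e.get("status", {}).get("errorCode", 0) != 0:
            continue
        hits.append((e["userPrincipalName"], e["ipAddress"], e["appDisplayName"], e["resourceDisplayName"]))
    return hits


def correlate(events, log_text):
    """Source addresses that both read Actuator configuration and signed in with ROPC."""
    actuator_ips = {ip for ip, _ in find_actuator_disclosures(log_text)}
    return sorted({ip for _, ip, _, _ in find_ropc_signins(events) if ip in actuator_ips})


if __name__ == "__main__":
    print(find_actuator_disclosures(SAMPLE_ACCESS_LOG))  # [('203.0.113.7', 'env'), ('203.0.113.7', 'configprops')]
    print(correlate(SAMPLE_SIGNINS, SAMPLE_ACCESS_LOG))   # ['203.0.113.7']
```

On the prevention side, an MFA requirement in Conditional Access for the resource makes ROPC sign-ins fail outright, and `management.endpoints.web.exposure.include=health` keeps `env` and `configprops` off the network path entirely.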
2026-03-17 22:16Z · HIGH

CVE-2026-32841 — Edimax GS-5008PL firmware 1.00.54 and prior: authentication bypass via a global authentication flag

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32841

Edimax GS-5008PL firmware versions 1.00.54 and prior contain an authentication bypass that lets unauthenticated attackers reach the management interface. Login state is tracked in a single global flag rather than per session, so once any user has authenticated, any other client can perform administrative actions without credentials, including password changes, firmware uploads, and configuration modifications. CVSSv3.1 8.1 (HIGH) · EPSS 19th percentile

CWE-1108 · Vendor: Edimax · Type: Vulnerability · Score: 91
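Added example (my own model, not Edimax firmware code): the bug class named by the CWE tag, a process-wide "authenticated" flag, next to a session-bound design that checks a per-client token instead. The server classes, paths and addresses are constructed; `demo()` plays the scenario from the advisory, an admin logging in and a second client with no credentials calling a protected handler.

```python
import hmac
import secrets
import time

PROTECTED = {"/change_password", "/upload_firmware", "/save_config"}


class GlobalFlagMgmtServer:
    """Models the flawed design: one process-wide 'logged in' flag shared by every client.
    There is no session identity, so the flag cannot tell the admin from anyone else."""

    def __init__(self, admin_password):
        self._admin_password = admin_password
        self.authenticated = False  # global state

    def login(self, client_ip, password):
        if hmac.compare_digest(password.encode(), self._admin_password.encode()):
            self.authenticated = True
        return self.authenticated

    def request(self, client_ip, path, cookie=None):
        # Every client, from every address, is admin for as long as the flag stays set.
        if path in PROTECTED and not self.authenticated:
            return 401
        return 200


class SessionMgmtServer:
    """Hardened form: login yields a random per-session token that is bound to the client address
    and expires; protected handlers check that token and nothing else."""

    TTL_SECONDS = 600

    def __init__(self, admin_password, now=time.monotonic):
        self._admin_password = admin_password
        self._sessions = {}  # token -> (client_ip, expires_at)
        self._now = now

    def login(self, client_ip, password):
        if not hmac.compare_digest(password.encode(), self._admin_password.encode()):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (client_ip, self._now() + self.TTL_SECONDS)
        return token

    def logout(self, token):
        self._sessions.pop(token, None)

    def _session_valid(self, client_ip, token):
        entry = self._sessions.get(token) if token else None
        if entry is None:
            return False
        bound_ip, expires_at = entry
        if self._now() > expires_at:
            del self._sessions[token]
            return False
        return bound_ip == client_ip  # a token copied to another address is useless

    def request(self, client_ip, path, cookie=None):
        if path in PROTECTED and not self._session_valid(client_ip, cookie):
            return 401
        return 200


def demo():
    """Admin logs in from 192.0.2.10; an attacker at 203.0.113.7 with no credentials then calls
    /change_password. Returns (flawed server: attacker, hardened: attacker without cookie,
    hardened: attacker with a copied cookie, hardened: the real admin)."""
    vuln = GlobalFlagMgmtServer("correct-horse")
    vuln.login("192.0.2.10", "correct-horse")
    vuln_attacker = vuln.request("203.0.113.7", "/change_password")

    hard = SessionMgmtServer("correct-horse")
    admin_token = hard.login("192.0.2.10", "correct-horse")
    hard_no_cookie = hard.request("203.0.113.7", "/change_password")
    hard_copied_cookie = hard.request("203.0.113.7", "/change_password", cookie=admin_token)
    hard_admin = hard.request("192.0.2.10", "/change_password", cookie=admin_token)
    return vuln_attacker, hard_no_cookie, hard_copied_cookie, hard_admin


if __name__ == "__main__":
    print(demo())  # (200, 401, 401, 200)
```

Binding the session to the client address is reasonable on a switch management port that is never behind a proxy; behind one, bind to a per-session secret only and rely on the expiry and explicit logout instead.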
2026-03-17 20:16Z · HIGH

CVE-2026-30707 — SpeedExam Online Examination System (SaaS): broken access control in the ReviewAnswerDetails ASP.NET PageMethod exposes the full answer key

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-30707

An issue was discovered in SpeedExam Online Examination System (SaaS) after v.FEV2026. It allows broken access control via the ReviewAnswerDetails ASP.NET PageMethod: authenticated attackers can bypass client-side restrictions and invoke the method directly to retrieve the full answer key. The provider states that this issue is "Fixed in [02/2026] backend service update." CVSSv3.1 8.1 (HIGH) · EPSS 11th percentile

CWE-284 · Vendor: SpeedExam · Type: Vulnerability · Score: 91
2026-03-17 18:16Z · CRIT

CVE-2026-32298 — Angeet ES3 KVM firmware: authenticated OS command injection via unsanitized variables parsed by `cfg.lua`

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32298

The Angeet ES3 KVM does not properly sanitize user-supplied variables parsed by the `cfg.lua` script, allowing an authenticated attacker to execute OS-level commands. CVSSv3.1 9.1 (CRITICAL) · EPSS 18th percentile

CWE-78 · Vendor: Angeet · Type: Vulnerability · Score: 96
2026-03-17 16:16Z · HIGH

CVE-2026-4148 — MongoDB: use-after-free in sharded clusters triggered by a crafted $lookup or $graphLookup aggregation pipeline (authenticated, read role)

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-4148

A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline. CVSSv3.1 8.8 (HIGH)

CWE-416 · Vendor: MongoDB · Type: Vulnerability · Score: 94
2026-03-17 09:16Z · HIGH

CVE-2026-4208 — mfa_mail extension (mrsilaz): MFA bypass with an empty code because the generated code is not reset after successful authentication

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-4208

The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass on future login attempts by providing an empty string as the MFA code to the extension's MFA provider. CVSSv3.1 8.8 (HIGH) · EPSS 20th percentile

CWE-639 · Vendor: mrsilaz · Type: Vulnerability · Score: 94
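Added example (my own model, not the extension's code): how a code that is blanked rather than discarded turns an empty submission into a valid second factor, beside a provider whose challenge state is either pending or gone. The advisory does not say exactly how the empty string reaches the comparison; the assumption modelled here is that the attacker's second login posts the code form without requesting a fresh code. Class names, the TTL and the attempt limit are constructed.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


def _new_code():
    return f"{secrets.randbelow(10**6):06d}"


class MfaMailProviderVulnerable:
    """Models the described flaw. The stored code is blanked to '' after a successful check instead
    of the challenge being discarded, so the provider still holds a comparable value next time."""

    def __init__(self):
        self.code = None  # no challenge issued yet

    def send_code(self):
        self.code = _new_code()
        return self.code  # would be e-mailed to the user; returned here so the demo can use it

    def verify(self, submitted):
        if self.code is None:
            return False
        if submitted == self.code:
            self.code = ""  # the "reset": an empty string that a later '' will match
            return True
        return False


class MfaMailProviderHardened:
    """Challenge state is either pending or absent. Success, expiry and the attempt limit all
    discard it, so there is never a stale value to compare against, and '' can never match."""

    def __init__(self, now=time.monotonic):
        self._challenge = None  # [code, issued_at, attempts] while pending
        self._now = now

    def send_code(self):
        code = _new_code()
        self._challenge = [code, self._now(), 0]
        return code

    def verify(self, submitted):
        challenge = self._challenge
        if challenge is None or not submitted:
            return False
        code, issued_at, attempts = challenge
        if self._now() - issued_at > CODE_TTL_SECONDS or attempts >= MAX_ATTEMPTS:
            self._challenge = None  # expired or brute-forced: a fresh code is required
            return False
        challenge[2] += 1
        ok = hmac.compare_digest(submitted.encode(), code.encode())
        if ok:
            self._challenge = None  # single use: consumed, not blanked
        return ok


def replay_with_empty_code(provider):
    """First login with the real code, then a second login that submits '' without requesting a
    new code. Returns both outcomes."""
    code = provider.send_code()
    first = provider.verify(code)
    second = provider.verify("")
    return first, second


if __name__ == "__main__":
    print(replay_with_empty_code(MfaMailProviderVulnerable()))  # (True, True)
    print(replay_with_empty_code(MfaMailProviderHardened()))    # (True, False)
```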
2026-03-17 09:16Z · HIGH

CVE-2026-1323 — mailqueue TYPO3 extension (cps-it): insecure deserialization of transport failure metadata

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-1323

The extension fails to properly define the allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute code via untrusted serialized data (PHP object injection). Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath']. CVSSv3.1 8.8 (HIGH) · EPSS 6th percentile

CWE-502 · Vendor: cps-it · Type: Vulnerability · Score: 94
2026-03-17 08:15Z · CRIT

CVE-2026-4312 — DragonSoft GCB/FCB Government Financial Cybersecurity Configuration Audit software: missing authentication lets unauthenticated remote attackers create an administrative account

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-4312

GCB/FCB Audit Software developed by DragonSoft has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly call certain APIs to create a new administrative account. CVSSv3.1 9.8 (CRITICAL) · EPSS 46th percentile

CWE-306 · Vendor: DragonSoft · Type: Vulnerability · Score: 99
2026-03-17 04:16Z · HIGH

CVE-2026-0708 — libucl (vstakhov): crafted UCL input with an embedded NUL byte in a key crashes `ucl_object_emit` (DoS)

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-0708

A flaw was found in libucl. A remote attacker could exploit this by providing specially crafted Universal Configuration Language (UCL) input that contains a key with an embedded null byte. This can cause a segmentation fault (SIGSEGV) in the `ucl_object_emit` function when the parsed object is emitted, leading to a denial of service (DoS) for the affected system. CVSSv3.1 8.3 (HIGH) · EPSS 24th percentile

CWE-125 · Vendor: vstakhov · Type: Vulnerability · Score: 92
2026-03-16 23:16Z · CRIT

CVE-2026-4177 — YAML::Syck for Perl through 1.36 (maintainer toddr): heap buffer overflow in the YAML emitter and several further memory-safety bugs

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-4177

YAML::Syck versions through 1.36 for Perl have several potential security vulnerabilities, including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming ancho […] CVSSv3.1 9.1 (CRITICAL)

CWE-120, CWE-122 · Vendor: toddr · Type: Vulnerability · Score: 96
2026-03-16 21:16Z · CRIT

CVE-2025-69902 — kubectl-mcp-server v1.2.0: command injection via shell metacharacters in the minimal_wrapper.py component

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-69902

A command injection vulnerability in the minimal_wrapper.py component of kubectl-mcp-server v1.2.0 allows attackers to execute arbitrary commands by injecting shell metacharacters. Since the component is exposed through MCP tool calls, the untrusted input can originate from model-driven requests rather than from a direct user. CVSSv3.1 9.8 (CRITICAL) · EPSS 58th percentile

CWE-94 · Type: Vulnerability · Score: 99
2026-03-16 21:16Z · HIGH

CVE-2025-50881 — Use It Flow administration website before 10.0.0: RCE via `eval()` of the `action` parameter in `flow/admin/moniteur.php`

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-50881

The `flow/admin/moniteur.php` script in the Use It Flow administration website before 10.0.0 is vulnerable to remote code execution. When handling GET requests, the script takes user-supplied input from the `action` URL parameter, performs insufficient validation, and incorporates this input into a string that is subsequently executed by `eval()`. Although a `method_exists()` check is performed, it only validates the part of the user input *before* the first parenthe […] CVSSv3.1 8.8 (HIGH) · EPSS 49th percentile

CWE-94 · Type: Vulnerability · Score: 94
2026-03-16 19:16Z · CRIT

CVE-2025-69809 — Bareiron (p2r3) commit 8e4d40: write-what-where via a crafted packet enables unauthenticated code execution

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-69809

A write-what-where condition in p2r3 Bareiron commit 8e4d40 allows unauthenticated attackers to write arbitrary values to memory, enabling arbitrary code execution via a crafted packet. CVSSv3.1 9.8 (CRITICAL) · EPSS 21st percentile

CWE-123 · Vendor: p2r3 · Type: Vulnerability · Score: 99
2026-03-16 19:16Z · CRIT

CVE-2025-69808 — Bareiron (p2r3) commit 8e4d40: out-of-bounds memory access via a crafted packet leaks sensitive information and causes DoS (unauthenticated)

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-69808

An out-of-bounds memory access (OOB) in p2r3 Bareiron commit 8e4d40 allows unauthenticated attackers to access sensitive information and cause a denial of service (DoS) by supplying a crafted packet. CVSSv3.1 9.1 (CRITICAL) · EPSS 26th percentile

CWE-125 · Vendor: p2r3 · Type: Vulnerability · Score: 96
2026-03-16 18:16Z · CRIT

CVE-2026-27962 — Authlib before 1.6.9: JWK header injection in JWS verification lets an unauthenticated attacker forge tokens when `key=None`

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-27962

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in Authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT `jwk` header field. An attacker can sign a token with their ow […] Only code that invokes JWS deserialization without supplying a key is exposed; the remedy is to upgrade to 1.6.9 or later and to always pass the verifier's own key or key set. CVSSv3.1 9.1 (CRITICAL)

CWE-347 · Vendor: Authlib · Type: Vulnerability · Score: 96
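Added example (my own code, not Authlib's and not from the advisory): a standard-library model of the flaw. To stay dependency-free it uses HS256 with an "oct" JWK carried in the header; whichever key types Authlib's JWS layer accepted from the `jwk` header, the logic error is the same, a verifier that takes its key from the token it is verifying. `verify_vulnerable` reproduces that behaviour; `verify_hardened` resolves keys only from a server-side set by `kid` and refuses tokens carrying `jwk`, `jku`, `x5u` or `x5c`. Key values and key names are constructed.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj):
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def _mac(signing_input, key):
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def sign_hs256(claims, key, extra_header=None):
    """Compact JWS with HS256. 'extra_header' is how the attacker smuggles a 'jwk' header in."""
    header = {"alg": "HS256", "typ": "JWT"}
    header.update(extra_header or {})
    signing_input = _b64url(_json_bytes(header)) + "." + _b64url(_json_bytes(claims))
    return signing_input + "." + _b64url(_mac(signing_input, key))


def verify_vulnerable(token, key=None):
    """Models the flawed path: with key=None the key is read from the token's own 'jwk' header.
    The HMAC check itself is correct; the trust decision is what is broken, because the party
    that signed the token also chose the key it is checked against."""
    h, c, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if key is None:
        jwk = header.get("jwk") or {}
        if jwk.get("kty") != "oct":
            raise ValueError("no usable key")
        key = _b64url_decode(jwk["k"])  # attacker-controlled key material
    if not hmac.compare_digest(_mac(h + "." + c, key), _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(c))


def verify_hardened(token, trusted_keys):
    """Keys come only from the verifier's own key set, selected by 'kid'. Headers that would let
    the token name its own key ('jwk', 'jku', 'x5u', 'x5c') are rejected, and 'alg' is pinned."""
    h, c, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if any(name in header for name in ("jwk", "jku", "x5u", "x5c")):
        raise ValueError("embedded key material is not accepted")
    key = trusted_keys.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    if not hmac.compare_digest(_mac(h + "." + c, key), _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(c))


# Constructed key material for the example.
SERVER_KEYS = {"srv-2026-03": b"server-secret-key-kept-server-side-0001"}
ATTACKER_KEY = b"any-value-the-attacker-picks"


def forge_token(claims):
    """What the attacker sends: signed with ATTACKER_KEY, and carrying that same key as an 'oct' JWK."""
    return sign_hs256(claims, ATTACKER_KEY, {"jwk": {"kty": "oct", "k": _b64url(ATTACKER_KEY)}})


def is_rejected(verifier, *args):
    try:
        verifier(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    forged = forge_token({"sub": "admin", "role": "superuser"})
    print(verify_vulnerable(forged))                          # accepted: {'role': 'superuser', 'sub': 'admin'}
    print(is_rejected(verify_hardened, forged, SERVER_KEYS))  # True
```

The same pattern applies to `jku` and `x5u` (URLs the token asks the verifier to fetch keys from) and to `x5c`: none of them may influence key selection unless the verifier independently pins the allowed sources.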
2026-03-16 18:07Z · HIGH

Cage2Host — Offensive container-escape toolkit for red teams (Docker socket abuse, privileged containers, host filesystem breakout)

GitHub · container escape · github.com · GitHub PoC

Cage2Host is a modular offensive container-escape toolkit designed for red teams, automating exploitation of Docker socket abuse, privileged containers, and host filesystem breakout vectors. The framework provides dual-mode execution (utility-based payload orchestration and direct module invocation), an extensible plugin architecture, and operational features including base64 command transport, multi-stage pipelines, and automated cleanup.

Tags: Cloud · ATT&CK: TA0004 Privilege Escalation, TA0005 Defense Evasion, TA0008 Lateral Movement, TA0009 Collection, TA0011 Command and Control · Type: Tool, Exploit · Score: 78
2026-03-16 16:16Z · CRIT

CVE-2025-62319 — HCLTech Unica: boolean-based blind SQL injection in backend configuration queries

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-62319

HCL Unica is affected by boolean-based blind SQL injection. The application responds differently depending on whether an injected Boolean condition evaluates to true or false, rather than returning errors or data directly, which lets an attacker inject arbitrary SQL into backend configuration queries executed within the application and infer results one condition at a time. CVSSv3.1 9.8 (CRITICAL) · EPSS 15th percentile

CWE-89 · Vendor: HCLTech · Type: Vulnerability · Score: 99
2026-03-16 15:25Z · INFO

AzureHound v2.11.0-rc1

AzureHound releases · github.com

AzureHound v2.11.0-rc1 was released with minor maintenance updates including CLA workflow fixes, Windows resource generation tooling, and internal refactoring. No security fixes or feature additions of note in this pre-release candidate.

Tags: Identity, Cloud · Vendor: SpecterOps, Microsoft Azure · Type: Tool · Score: 25
2026-03-16 14:19Z · CRIT

CVE-2026-4181 — D-Link DIR-816 1.10CNB05: stack-based buffer overflow in /goform/form2RepeaterStep2.cgi via key1/key2/key3/key4/pskValue (public exploit, end-of-life device)

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-4181

A security flaw has been discovered in D-Link DIR-816 1.10CNB05. It affects an unknown function of the file /goform/form2RepeaterStep2.cgi in the GoAhead web server component. Manipulation of the argument key1/key2/key3/key4/pskValue results in a stack-based buffer overflow. The attack may be launched remotely. An exploit has been released to the public and may be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer, so no vendor fix should be expected. CVSSv3.1 9.8 (CRITICAL)

CWE-787, CWE-121, CWE-119 · Vendor: D-Link · Type: Vulnerability · Score: 99