SOC Cyber Wall v13 — Veille CVE

[P0] CVE-2026-3055 — Citrix NetScaler Out-of-Bounds Read Vulnerability [KEV | RANSOMWARE:Conti | ITW]

Sun, 29 Mar 2026 22:00:00 +0000

CVSS=9.8 EPSS=0.443 Score=222.0 | Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread

[P0] CVE-2021-22054 — Omnissa Workspace ONE Server-Side Request Forgery [KEV | RANSOMWARE:Conti | ITW]

Sun, 08 Mar 2026 23:00:00 +0000

CVSS=0.0 EPSS=0.938 Score=217.6 | Omnissa Workspace ONE Server-Side Request Forgery

[P0] CVE-2025-32432 — Craft CMS Code Injection Vulnerability [KEV | RANSOMWARE:Conti | ITW]

Thu, 19 Mar 2026 23:00:00 +0000

CVSS=0.0 EPSS=0.877 Score=210.2 | Craft CMS Code Injection Vulnerability

[P0] CVE-2025-68613 — n8n Improper Control of Dynamically-Managed Code Resources Vulnerability [KEV | RANSOMWARE:Conti | ITW]

Tue, 10 Mar 2026 23:00:00 +0000

CVSS=0.0 EPSS=0.792 Score=200.0 | n8n Improper Control of Dynamically-Managed Code Resources Vulnerability

[P0] CVE-2026-1603 — Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability [KEV | RANSOMWARE:Conti | ITW]

Sun, 08 Mar 2026 23:00:00 +0000

CVSS=0.0 EPSS=0.654 Score=183.5 | Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability

[P0] CVE-2026-33634 — Aquasecurity Trivy Embedded Malicious Code Vulnerability [KEV | RANSOMWARE:Conti | ITW]

Wed, 25 Mar 2026 23:00:00 +0000

CVSS=8.8 EPSS=0.212 Score=183.2 | Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with maliciou

[P0] CVE-2026-33017 — Langflow Code Injection Vulnerability [KEV | RANSOMWARE:Conti | ITW]

Tue, 24 Mar 2026 23:00:00 +0000

CVSS=9.8 EPSS=0.057 Score=175.6 | Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker

[P0] CVE-2025-54068 — Laravel Livewire Code Injection Vulnerability [KEV | RANSOMWARE:Conti | ITW]

Thu, 19 Mar 2026 23:00:00 +0000

CVSS=0.0 EPSS=0.583 Score=175.0 | Laravel Livewire Code Injection Vulnerability

[P0] CVE-2026-20131 — Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deseri [KEV | RANSOMWARE:Conti | ITW]

Wed, 18 Mar 2026 23:00:00 +0000

CVSS=10.0 EPSS=0.006 Score=170.7 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. This vulnerability is due to insecure deserialization of a user-suppli

[P0] CVE-2026-5281 — Google Dawn Use-After-Free Vulnerability [KEV | RANSOMWARE:Conti | ITW]

Tue, 31 Mar 2026 22:00:00 +0000

CVSS=8.8 EPSS=0.030 Score=166.4 | Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

[P0] CVE-2026-3910 — Google Chromium V8 Improper Restriction of Operations Within the Bounds of a Memory Buffer Vulnerability [KEV | RANSOMWARE:Conti | ITW]

Thu, 12 Mar 2026 23:00:00 +0000

CVSS=8.8 EPSS=0.008 Score=163.7 | Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

[P0] CVE-2026-3909 — Google Skia Out-of-Bounds Write Vulnerability [KEV | RANSOMWARE:Conti | ITW]

Thu, 12 Mar 2026 23:00:00 +0000

CVSS=8.8 EPSS=0.003 Score=163.1 | Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

[P0] CVE-2025-53521 — F5 BIG-IP Stack-Based Buffer Overflow Vulnerability [KEV | RANSOMWARE:Conti | ITW]

Thu, 26 Mar 2026 23:00:00 +0000

CVSS=0.0 EPSS=0.414 Score=154.7 | F5 BIG-IP Stack-Based Buffer Overflow Vulnerability

[P0] CVE-2026-3502 — TrueConf Client Download of Code Without Integrity Check Vulnerability [KEV | RANSOMWARE:Conti | ITW]

Wed, 01 Apr 2026 22:00:00 +0000

CVSS=7.8 EPSS=0.012 Score=153.3 | TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code executio

[P0] CVE-2025-26399 — SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability [KEV | RANSOMWARE:Conti | ITW]

Sun, 08 Mar 2026 23:00:00 +0000

CVSS=0.0 EPSS=0.282 Score=138.9 | SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability

[P0] CVE-2025-47813 — Wing FTP Server Information Disclosure Vulnerability [KEV | RANSOMWARE:Conti | ITW]

Sun, 15 Mar 2026 23:00:00 +0000

CVSS=0.0 EPSS=0.204 Score=129.5 | Wing FTP Server Information Disclosure Vulnerability

[P0] CVE-2025-66376 — Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability [KEV | RANSOMWARE:Conti | ITW]

Tue, 17 Mar 2026 23:00:00 +0000

CVSS=0.0 EPSS=0.100 Score=117.0 | Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability

[P0] CVE-2026-35044 — BentoML: SSTI via Unsandboxed Jinja2 in Dockerfile Generation [RANSOMWARE:Hive | ITW]

Fri, 03 Apr 2026 23:14:18 +0000

CVSS=8.8 EPSS=0.000 Score=112.8 | ## Summary The Dockerfile generation function `generate_containerfile()` in `src/bentoml/_internal/container/generate.py` uses an unsandboxed `jinja2.Environment` with the `jinja2.ext.do` extension to render user-provided `dockerfile_template` files. When a victim imports a malicious bento archive

[P0] CVE-2026-20963 — Microsoft SharePoint Deserialization of Untrusted Data Vulnerability [KEV | RANSOMWARE:Conti | ITW]

Tue, 17 Mar 2026 23:00:00 +0000

CVSS=0.0 EPSS=0.060 Score=112.2 | Microsoft SharePoint Deserialization of Untrusted Data Vulnerability

[P0] CVE-2025-43510 — Apple Multiple Products Improper Locking Vulnerability [KEV | RANSOMWARE:Conti | ITW]

Thu, 19 Mar 2026 23:00:00 +0000

CVSS=0.0 EPSS=0.005 Score=105.6 | Apple Multiple Products Improper Locking Vulnerability

[P0] CVE-2025-43520 — Apple Multiple Products Classic Buffer Overflow Vulnerability [KEV | RANSOMWARE:Conti | ITW]

Thu, 19 Mar 2026 23:00:00 +0000

CVSS=0.0 EPSS=0.004 Score=105.5 | Apple Multiple Products Classic Buffer Overflow Vulnerability

[P0] CVE-2025-31277 — Apple Multiple Products Buffer Overflow Vulnerability [KEV | RANSOMWARE:Conti | ITW]

Thu, 19 Mar 2026 23:00:00 +0000

CVSS=0.0 EPSS=0.002 Score=105.2 | Apple Multiple Products Buffer Overflow Vulnerability

[P0] CVE-2026-35405 — libp2p-rendezvous: Unlimited namespace registrations per peer enables OOM DoS on rendezvous servers [RANSOMWARE:Conti | ITW]

Sat, 04 Apr 2026 06:33:46 +0000

CVSS=7.5 EPSS=0.000 Score=105.0 | ### Summary The`libp2p-rendezvous` server has no limit on how many namespaces a single peer can register. A malicious peer can repeatedly register unique namespaces in a loop, and the server accepts the requests, allocating memory for each registration without pushback. If an attacker continues sub

[P2] CVE-2026-5323 — a11y-mcp: Server-Side Request Forgery (SSRF) vulnerability in A11yServer function [RANSOMWARE:Conti | ITW]

Sat, 04 Apr 2026 05:35:53 +0000

CVSS=5.3 EPSS=0.000 Score=96.8 | A vulnerability was found in priyankark a11y-mcp up to 1.0.5. This vulnerability affects the function A11yServer of the file src/index.js. The manipulation results in server-side request forgery. The attack must be initiated from a local position. The exploit has been made public and could be used.

[P2] CVE-2026-4325 — Keycloak: Replay of action tokens via improper handling of single-use entries [RANSOMWARE:Play | ITW]

Sat, 04 Apr 2026 05:58:45 +0000

CVSS=5.3 EPSS=0.000 Score=91.8 | A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This coul

[P2] CVE-2026-35181 — AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php [RANSOMWARE:Play | ITW]

Fri, 03 Apr 2026 23:43:24 +0000

CVSS=4.3 EPSS=0.000 Score=90.8 | **Severity:** Medium **CWE:** CWE-352 (Cross-Site Request Forgery) ## Summary The player skin configuration endpoint at `admin/playerUpdate.json.php` does not validate CSRF tokens. The `plugins` table is explicitly excluded from the ORM's domain-based security check via `ignoreTableSecurityCheck()

[P2] CVE-2026-35471 — goshs: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

Fri, 03 Apr 2026 21:58:48 +0000

CVSS=9.8 EPSS=0.000 Score=63.8 | ### Summary * `deleteFile()` missing return after path traversal check | `httpserver/handler.go:645-671` The finding affects the default configuration, no flags or authentication required. ### Details **File:** `httpserver/handler.go:645-671` **Trigger:** `GET /?delete` (handler.go:157-160

[P2] CVE-2026-35393 — goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload

Fri, 03 Apr 2026 04:08:21 +0000

CVSS=9.8 EPSS=0.000 Score=63.8 | ### Summary * POST multipart upload directory not sanitized | `httpserver/updown.go:71-174` This finding affect the default configuration, no flags or authentication required. ### Details **File:** `httpserver/updown.go:71-174` **Trigger:** `POST //upload` (server.go:49-51 checks `HasSuffix

[P2] CVE-2026-35392 — goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload

Fri, 03 Apr 2026 04:07:55 +0000

CVSS=9.8 EPSS=0.000 Score=63.8 | ### Summary * PUT upload has no path sanitization | `httpserver/updown.go:20-69` This finding affects the default configuration, no flags or authentication required. ### Details **File:** `httpserver/updown.go:20-69` **Trigger:** `PUT /` (server.go:57-59 routes directly to `put()`) The han

[P2] CVE-2026-0596 — Mflow: Command Injection when serving models with enable_mlserver=True

Sat, 04 Apr 2026 05:32:08 +0000

CVSS=9.6 EPSS=0.002 Score=62.9 | A command injection vulnerability exists in Mflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it allows fo

[P2] CVE-2026-31818 — Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist

Fri, 03 Apr 2026 21:34:49 +0000

CVSS=9.6 EPSS=0.000 Score=62.6 | ## 1. Summary | Field | Value | |-------|-------| | **Title** | SSRF via REST Connector with Empty Default Blacklist Leading to Full Internal Data Exfiltration | | **Product** | Budibase | | **Version** | 3.30.6 (latest stable as of 2026-02-25) | | **Component** | REST Datasource Integration + Back

[P2] CVE-2026-34208 — SandboxJS: Sandbox integrity escape

Fri, 03 Apr 2026 21:44:39 +0000

CVSS=10.0 EPSS=0.000 Score=60.0 | ### Summary SandboxJS blocks direct assignment to global objects (for example `Math.random = ...`), but this protection can be bypassed through an exposed callable constructor path: `this.constructor.call(target, attackerObject)`. Because `this.constructor` resolves to the internal `SandboxGlobal` f

[P3] CVE-2026-35216 — Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step

Sat, 04 Apr 2026 06:04:59 +0000

CVSS=9.1 EPSS=0.000 Score=59.6 | ### Summary An unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as `root` inside the container. ##

[P3] CVE-2026-35463 — pyLoad: Improper Neutralization of Special Elements used in an OS Command

Sat, 04 Apr 2026 06:42:02 +0000

CVSS=8.8 EPSS=0.000 Score=57.8 | ### Summary The `ADMIN_ONLY_OPTIONS` protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is **only applied to core config options**, not to plugin config options. The `AntiVirus` plugi

[P3] CVE-2026-35470 — OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals

Fri, 03 Apr 2026 21:57:08 +0000

CVSS=8.8 EPSS=0.000 Score=57.8 | ## Description Six `confronta_righe.php` files across different modules in OpenSTAManager <= 2.10.1 contain an SQL Injection vulnerability. The `righe` parameter received via `$_GET['righe']` is directly concatenated into an SQL query without any sanitization, parameterization or validation. An au

[P3] CVE-2026-33175 — Auth0OAuthenticator has an Authentication Bypass via Unverified Email Claims

Fri, 03 Apr 2026 21:35:39 +0000

CVSS=8.8 EPSS=0.000 Score=57.8 | ### Summary An authentication bypass vulnerability in `oauthenticator` allows an attacker with an unverified email address on an Auth0 tenant to login to JupyterHub. When `email` is used as the usrname_claim, this gives users control over their username and the possibility of account takeover. ###

[P3] CVE-2026-35214 — Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write

Sat, 04 Apr 2026 06:04:22 +0000

CVSS=8.7 EPSS=0.000 Score=57.2 | ## Summary The plugin file upload endpoint (`POST /api/plugin/upload`) passes the user-supplied filename directly to `createTempFolder()` without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing `../` to delete a

[P3] CVE-2026-33752 — curl_cffi: Redirect-based SSRF leads to internal network access in curl_cffi (with TLS impersonation bypass)

Fri, 03 Apr 2026 21:36:44 +0000

CVSS=8.6 EPSS=0.000 Score=56.6 | ### Summary curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi’s TLS impersonation

[P3] CVE-2026-33950 — Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity

Fri, 03 Apr 2026 21:37:19 +0000

CVSS=9.4 EPSS=0.000 Score=56.5 | ## Summary According to SignalK's security documentation, when a server is first initialized without security enabled, the **/skServer/enableSecurity** endpoint is intentionally exposed to allow the owner to set up the initial admin account. This initial open access is by design. However, the crit

[P3] CVE-2026-35039 — fast-jwt: Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorizatio

Fri, 03 Apr 2026 04:07:10 +0000

CVSS=9.1 EPSS=0.000 Score=54.6 | ## Impact Setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification process leading to: - Valid tokens returning claims from different valid tokens -

[P3] CVE-2026-35408 — Directus: Missing Cross-Origin Opener Policy

Sat, 04 Apr 2026 06:06:02 +0000

CVSS=8.7 EPSS=0.000 Score=52.2 | ## Summary Directus's Single Sign-On (SSO) login pages lacked a `Cross-Origin-Opener-Policy` (COOP) HTTP response header. Without this header, a malicious cross-origin window that opens the Directus login page retains the ability to access and manipulate the `window` object of that page. An attacke

[P3] CVE-2026-35043 — BentoML: Command Injection in cloud deployment setup script

Fri, 03 Apr 2026 22:03:24 +0000

CVSS=7.8 EPSS=0.000 Score=51.8 | Commit ce53491 (March 24) fixed command injection via `system_packages` in Dockerfile templates and `images.py` by adding `shlex.quote`. However, the cloud deployment path in `src/bentoml/_internal/cloud/deployment.py` was not included in the fix. Line 1648 interpolates `system_packages` directly in

[P3] CVE-2026-35409 — Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import

Sat, 04 Apr 2026 06:10:54 +0000

CVSS=7.7 EPSS=0.000 Score=51.2 | ### Summary A Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. ### Details Directus implements an IP

[P3] CVE-2026-35187 — pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter

Sat, 04 Apr 2026 04:18:44 +0000

CVSS=7.7 EPSS=0.000 Score=51.2 | ## Vulnerability Details **CWE-918**: Server-Side Request Forgery (SSRF) The `parse_urls` API function in `src/pyload/core/api/__init__.py` (line 556) fetches arbitrary URLs server-side via `get_url(url)` (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenticated

[P3] GHSA-393c-p46r-7c95 — Directus: Path Traversal and Broken Access Control in File Management API

Sat, 04 Apr 2026 06:06:40 +0000

CVSS=8.5 EPSS=0.000 Score=51.0 | ## Summary Critical vulnerabilities were identified in the Directus file management API that allow unauthorized manipulation of file storage paths and metadata. These issues enable attackers to overwrite files belonging to other users, write files outside intended storage boundaries via path traver

[P3] CVE-2026-35464 — pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fi

Sat, 04 Apr 2026 06:43:37 +0000

CVSS=7.5 EPSS=0.000 Score=50.0 | ## Summary The fix for CVE-2026-33509 (GHSA-r7mc-x6x7-cqxx) added an `ADMIN_ONLY_OPTIONS` set to block non-admin users from modifying security-critical config options. The `storage_folder` option is not in this set and passes the existing path restriction because the Flask session directory is outs

[P3] CVE-2026-30762 — LightRAG: Hardcoded JWT Signing Secret Allows Authentication Bypass

Sat, 04 Apr 2026 06:14:44 +0000

CVSS=7.5 EPSS=0.000 Score=50.0 | Summary: The file lightrag/api/config.py (line 397) uses a default JWT secret "lightrag-jwt-default-secret" when the TOKEN_SECRET environment variable is not set. The AuthHandler in lightrag/api/auth.py (lines 24-25) uses this secret to sign and verify tokens. An unauthenticated attacker can forge v

[P3] CVE-2026-35394 — @mobilenext/mobile-mcp: Arbitrary Android Intent Execution via mobile_open_url

Sat, 04 Apr 2026 05:37:10 +0000

CVSS=8.3 EPSS=0.000 Score=49.8 | ### Summary The `mobile_open_url` tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. ### Details The vulnerab

[P3] CVE-2026-35457 — libp2p-rendezvous: Unbounded rendezvous DISCOVER cookies enable remote memory exhaustion

Sat, 04 Apr 2026 06:34:32 +0000

CVSS=8.2 EPSS=0.000 Score=49.2 | ### Summary The rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue `DISCOVER` requests and force unbounded memory growth. ### Details Pagination state is stored in: ```rs HashMap> ``` On `Message::Discover`: `

[P3] CVE-2026-4636 — Keycloak: UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants

Sat, 04 Apr 2026 06:00:16 +0000

CVSS=8.1 EPSS=0.000 Score=48.6 | A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resour