CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

22 minutes ago • CVE-2026-2836 • 8.4

CVE-2026-2836: Host-Blind Cache Poisoning in Cloudflare Pingora

A high-severity cache poisoning vulnerability exists in Cloudflare Pingora versions prior to 0.8.0 due to an insecure default implementation of the cache key generation logic. The default `CacheKey` trait implementation constructed cache keys using only the URI path and query string, ignoring the `Host` header and URI scheme. This 'host-blind' behavior allows attackers targeting multi-tenant or shared proxy environments to poison the cache by associating malicious content with a path (e.g., `/lib.js`) that is subsequently served to legitimate users requesting the same path on a different domain.

Alon Barad
about 1 hour ago • CVE-2026-26196 • 6.9

CVE-2026-26196: Sensitive API Token Exposure via URL Query Parameters in Gogs

Gogs, a self-hosted Git service, contained a vulnerability in its API authentication mechanism prior to version 0.14.2. The application permitted the transmission of sensitive authentication tokens via URL query parameters (`token` and `access_token`). This architectural flaw resulted in the potential leakage of credentials to server access logs, proxy logs, browser history, and HTTP Referer headers, exposing users to account takeover risks.

Amit Schendel
about 2 hours ago • CVE-2026-26194 • 8.8

CVE-2026-26194: Command Option Injection in Gogs Release Deletion

A high-severity command option injection vulnerability exists in the Gogs self-hosted Git service prior to version 0.14.2. The flaw resides in the `DeleteReleaseOfRepoByID` function, where user-supplied Git tag names are passed directly to a system shell command without adequate sanitization or argument separation. This allows an attacker to inject arbitrary flags into the underlying `git` binary execution, potentially leading to Denial of Service (DoS) or unauthorized information disclosure.

Amit Schendel
about 2 hours ago • CVE-2026-25048 • 8.7

CVE-2026-25048: Stack Exhaustion Denial of Service in xgrammar EBNF Parser

xgrammar, a library used for structured generation in Large Language Model (LLM) pipelines, contains a critical denial of service vulnerability in its EBNF parser. The issue stems from uncontrolled recursion during the parsing of nested grammar structures. An attacker can supply a crafted grammar string with excessive nesting (e.g., thousands of parentheses), causing the recursive descent parser to consume all available stack memory. This results in a segmentation fault (SIGSEGV) that crashes the host process.

Alon Barad
about 3 hours ago • CVE-2026-27944 • 9.8

CVE-2026-27944: Unauthenticated Backup Download and Encryption Key Disclosure in Nginx UI

A critical authentication bypass and information disclosure vulnerability exists in Nginx UI versions prior to 2.3.3. The application exposes the `/api/backup` endpoint without requiring authentication, allowing unauthenticated remote attackers to trigger and download full system backups. Compounding this issue, the backup generation logic explicitly includes the AES-256 encryption key and initialization vector (IV) in the HTTP response headers, enabling immediate decryption of the downloaded archives. This flaw permits complete system compromise through the exfiltration of database credentials, SSL private keys, and application configuration files.

Alon Barad
about 11 hours ago • CVE-2026-20122 • 5.4

CVE-2026-20122: Arbitrary File Overwrite in Cisco Catalyst SD-WAN Manager API

A vulnerability in the API interface of Cisco Catalyst SD-WAN Manager (formerly vManage) allows an authenticated, remote attacker to overwrite arbitrary files on the underlying operating system. The flaw stems from improper input validation and insufficient privilege checks within specific API endpoints used for file ingestion. By exploiting this vulnerability, an attacker with read-only credentials can overwrite critical system files, potentially leading to privilege escalation to the 'vmanage' user context. This issue is actively being exploited in the wild, often chained with authentication bypass vulnerabilities.

Amit Schendel
about 14 hours ago • CVE-2026-20131 • 10.0

CVE-2026-20131: Unauthenticated RCE in Cisco Secure Firewall Management Center via Java Deserialization

A critical vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) software allows an unauthenticated, remote attacker to execute arbitrary code with root privileges. The flaw arises from the improper handling of Java serialized data, enabling attackers to supply malicious objects that the application deserializes without validation.

Alon Barad
about 14 hours ago • CVE-2026-20079 • 10.0

CVE-2026-20079: Authentication Bypass & RCE in Cisco Secure FMC

A critical authentication bypass vulnerability exists in the Cisco Secure Firewall Management Center (FMC) Software. Identified as CVE-2026-20079 with a maximum CVSS score of 10.0, this flaw allows an unauthenticated, remote attacker to bypass security controls and execute arbitrary commands with root privileges on the underlying operating system. The vulnerability stems from an improperly initialized system process created during the boot sequence.

Amit Schendel
about 14 hours ago • CVE-2025-15558 • 7.0

CVE-2025-15558: Local Privilege Escalation via Uncontrolled Search Path in Docker CLI for Windows

A critical Local Privilege Escalation (LPE) vulnerability affects Docker CLI for Windows, stemming from an insecure plugin search path in the `C:\ProgramData` directory. Due to permissive default Access Control Lists (ACLs) on Windows, low-privileged users can create subdirectories within `ProgramData`. The Docker CLI plugin manager inadvertently trusts this location, allowing attackers to plant malicious executables that are subsequently executed by privileged users during standard Docker operations.

Alon Barad
about 14 hours ago • GHSA-HHJV-JQ77-CMVX • High

GHSA-HHJV-JQ77-CMVX: Android Shell Blocklist Bypass in Zeptoclaw via Argument Permutation

The `zeptoclaw` Rust framework contains a security bypass vulnerability in its Android device shell interface (`device_shell`). The vulnerability allows attackers to execute dangerous commands, specifically recursive file deletions (`rm -rf`), by circumventing a naive blocklist implementation. The original security control relied on literal substring matching, which fails to account for argument permutations, alternative flag syntax, or binary aliasing (e.g., `busybox rm`). This flaw permits malicious agents or attackers with access to the framework's shell tool to perform destructive actions on connected Android devices.

Alon Barad
about 15 hours ago • CVE-2026-22719 • 8.1

CVE-2026-22719: Unauthenticated Command Injection in VMware Aria Operations

A high-severity command injection vulnerability exists in the support-assisted product migration interface of VMware Aria Operations (formerly vRealize Operations). The flaw allows unauthenticated remote attackers to execute arbitrary commands with administrative privileges, provided the target system is actively undergoing a support-assisted migration. This vulnerability has been identified in active exploitation campaigns and added to the CISA Known Exploited Vulnerabilities (KEV) catalog.

Alon Barad
about 15 hours ago • GHSA-5WP8-Q9MX-8JX8 • 9.8

GHSA-5WP8-Q9MX-8JX8: Critical Shell Security Bypass in Zeptoclaw AI Runtime

A critical vulnerability in the `zeptoclaw` AI agent runtime allows attackers to bypass shell security controls, including allowlists and blocklists, to execute arbitrary commands. The flaw stems from insufficient input validation in `src/security/shell.rs`, specifically regarding shell metacharacters, globbing patterns, and argument permutation. By manipulating command strings, an attacker can escape the intended sandbox and execute code on the host system, even when 'Strict' security modes are enabled.

Amit Schendel

Automated vulnerability intelligence. 981+ reports.