CISO Brief

All news with #vulnerability disclosure tag

401 articles · page 4 of 21

Lantronix EDS3000PS and EDS5000 Critical Vulnerabilities

⚠️ Lantronix EDS3000PS and EDS5000 devices contain multiple critical vulnerabilities, including OS command injection and authentication bypass, some exploitable without authentication, that can result in root-level code execution. Affected firmware versions include EDS3000PS 3.1.0.0R2 and EDS5000 2.1.0.0R3, with several CVEs rated CVSS 9.8. Lantronix has published firmware updates to 3.2.0.0R2 and 2.2.0.0R1. Operators should apply updates, restrict network exposure, and follow CISA mitigation guidance.

Pingora HTTP/1.x Request Smuggling Fixes - 0.8.0 Patch

🔒 Cloudflare disclosed multiple HTTP/1.x request smuggling vulnerabilities in the open-source Pingora framework (CVE-2026-2833, CVE-2026-2835, CVE-2026-2836) that can desynchronize proxy and backend request framing when Pingora is used as an ingress proxy. The issues — reported by Rajat Raghav via Cloudflare’s bug bounty — allow bypass of proxy-layer checks, cross-user hijacking, or cache poisoning in exposed standalone deployments. Cloudflare confirmed its CDN and customer traffic were not affected and released fixes and hardening in Pingora 0.8.0. If you run Pingora as a proxy, upgrade to 0.8.0 as soon as possible.

CISA Adds Three Vulnerabilities to KEV Catalog, March 2026

⚠️ CISA has added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2021-22054 (Omnissa Workspace ONE SSRF), CVE-2025-26399 (SolarWinds Web Help Desk insecure deserialization), and CVE-2026-1603 (Ivanti Endpoint Manager authentication bypass). BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate listed KEV entries by the specified deadlines. CISA strongly urges all organizations to prioritize timely patching and mitigation to reduce exposure to active exploitation.

Anthropic Uses Claude Opus 4.6 to Find 22 Firefox Flaws

🔍 Anthropic reported discovering 22 new vulnerabilities in the Firefox browser using Claude Opus 4.6 during a two-week assessment in January 2026. Fourteen issues were rated high, seven moderate and one low, and most were patched in Firefox 148. The model detected a JavaScript use-after-free bug in about 20 minutes, which researchers validated in a virtualized environment. When tasked to produce exploits the model succeeded only twice after many attempts and roughly $4,000 in API spend, underscoring that discovery is cheaper than reliable exploitation.

n8n OAuth misconfig allows stored XSS, credential risk

⚠️ Researchers at Imperva disclosed a configuration weakness in the OAuth credential handling of n8n that fails to sanitize the authorization URL, enabling a stored XSS payload to be saved in the application database. An attacker with access to a victim's n8n instance can replace a legitimate URL with malicious JavaScript that executes when other users interact with the same credential. Because the payload is persistent, it can expose multiple OAuth credentials and enable broader system compromise. The flaw was fixed in n8n v2.6.4 on February 6.

CISA Adds Hikvision and Rockwell Flaws to KEV Catalog

🔒 CISA added two critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog affecting Hikvision and Rockwell Automation. CVE-2017-7921 (CVSS 9.8) is an improper authentication flaw that can enable privilege escalation and exposure of sensitive information in multiple Hikvision products. CVE-2021-22681 (CVSS 9.8) involves insufficiently protected credentials in Studio 5000 Logix Designer, RSLogix 5000 and Logix Controllers, which can allow an unauthorized network user to bypass verification and modify controller configuration or application code. SANS has detected exploit attempts targeting vulnerable Hikvision cameras; there are no public reports of active attacks exploiting the Rockwell issue. Federal civilian agencies are required to update to supported software by March 26, 2026 under BOD 22-01, and CISA urges all organizations to prioritize remediation of KEV-listed vulnerabilities.

Critical WordPress plugin bug lets attackers create admins

⚠️ A critical vulnerability in the User Registration & Membership WordPress plugin (CVE-2026-1492, CVSS 9.8) is being actively exploited to create unauthenticated administrator accounts. The flaw allows attackers to supply a role during membership registration and obtain full admin privileges. Defiant's Wordfence blocked over 200 exploit attempts in the past 24 hours, indicating live attacks. WPEverest released a fix in 5.1.3 (the article notes 5.1.4 was released last week); update immediately or disable the plugin until you can patch.

Cisco issues emergency patches for critical firewall flaws

🚨 Cisco released its March 4 semiannual firewall update addressing 25 security advisories and 48 CVEs, led by two “perfect 10” flaws in Secure Firewall Management Center (FMC). CVE-2026-20079 (authentication bypass) and CVE-2026-20131 (insecure deserialization) both carry CVSS scores of 10 and can yield unauthenticated root access via the web management interface. Cisco reports no known exploitation yet and offers no workarounds; administrators should remove public FMC exposure until patches can be applied.

CISA Adds Five Vulnerabilities to KEV Catalog, March 2026

🔔 CISA has added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The new entries affect Hikvision, Rockwell, and multiple Apple products and include CVE-2017-7921, CVE-2021-22681, CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000. Under BOD 22-01 Federal Civilian Executive Branch agencies must remediate listed CVEs by the required due dates; CISA strongly urges all organizations to prioritize timely remediation to reduce exposure to common attack vectors.

Zero-click RCE in FreeScout urges immediate patching

⚠️ Ox Security has disclosed a zero-click remote code execution (RCE) vulnerability affecting FreeScout, tracked as CVE-2026-28289 (Mail2Shell), which bypasses an earlier fix (CVE-2026-27636). By sending a single crafted email to any address configured in FreeScout, an attacker can execute code on the server without authentication and without any user interaction. Ox warned thousands of instances may be exposed and urged immediate upgrades to v1.8.207 or later. Administrators are also advised to disable the AllowOverride All directive in Apache on affected servers.

Fourteen Long-Lived Software Bugs That Took Decades

🛠 This article reviews fourteen long-dormant software vulnerabilities that persisted for ten to thirty years and were only recently discovered or fixed. It highlights flaws across foundational components — from libpng and Python modules to Windows internals, bootloaders, network daemons, and secrets vaults — illustrating how legacy design choices and sparse code review can leave pervasive risks. The piece summarizes impacts, discovery timelines, and the remediation actions taken by vendors and maintainers.

Hitachi Energy Relion REB500 Privilege Escalation Fix

⚠️ Hitachi Energy disclosed authentication-based directory access vulnerabilities in the Relion REB500 product (firmware versions ≤ 8.3.3.0), tracked as CVE-2026-2459 and CVE-2026-2460. Authenticated users with certain roles can access and modify directories beyond their authorization. The vendor advises updating to REB500 v8.3.3.1 and recommends disabling or tightly controlling the Installer role as an interim mitigation.

Hitachi Energy RTU500 Firmware Vulnerabilities Identified

🔒 Hitachi Energy disclosed multiple vulnerabilities in the RTU500 series CMU firmware that may reveal limited user-management data or cause device outages. The issues span improper permission handling, input validation gaps, uncontrolled recursion, and unbounded memory allocation, with CVSS scores up to 7.5. Vendor fixes are available — update to CMU Firmware 12.7.8, 13.7.8 (or later), or 13.8.2 as applicable — and apply recommended network mitigations until devices are patched.

Labkotec LID-3300IP Vulnerability Allows Auth Bypass

⚠️ The Labkotec LID-3300IP ice detector contains an unauthenticated remote-access vulnerability (CVE-2026-1775) that allows an attacker to modify device parameters and execute operational commands by sending specially crafted packets. CISA assigns a CVSS v3.1 base score of 9.4 (Critical). Labkotec recommends migrating to the LID-3300IP Type 2, installing firmware V2.40, and enabling HTTPS; until remediation, operators should remove Internet exposure, segment networks, enforce strong credentials, and monitor device activity.

Portwell Engineering Toolkits Vulnerability: CVE-2026-3437

⚠️ CISA warns of a high-severity driver vulnerability, CVE-2026-3437, in Portwell Engineering Toolkits v4.8.2 allowing a local authenticated user to read and write arbitrary memory. The flaw (CWE-119) can enable privilege escalation or denial-of-service, and carries a CVSS v3.1 base score of 8.8. Portwell has not responded to CISA coordination requests; users should minimize device exposure and contact Portwell support for guidance.

Chrome WebView Flaw Allowed Malicious Extension Abuse

🔒 Google patched a high-severity WebView policy enforcement bug, CVE-2026-0628 (CVSS 8.8), in early January 2026 that could let a malicious extension inject scripts or HTML into the browser's new Gemini side panel. Discovered by Palo Alto Networks Unit 42 researcher Gal Weizman, the flaw could have enabled privilege escalation to access local files, take screenshots, and turn on camera or microphone without consent. The fix shipped in Chrome 143.0.7499.192/.193 (Windows/Mac) and 143.0.7499.192 (Linux).

Critical macOS ExifTool Vulnerability CVE-2026-3102

⚠️ Kaspersky's GReAT discovered a critical flaw, CVE-2026-3102, in ExifTool that can execute embedded shell commands when processing crafted image metadata on macOS if ExifTool is invoked with the -n/--printConv flag. The issue affects ExifTool versions 13.49 and earlier and can be exploited in automated workflows or apps that bundle the library. Update to ExifTool 13.50 immediately, isolate processing of untrusted files, and verify third-party tools do not include older copies of the library.

Local OpenClaw Agents Vulnerable to WebSocket Abuse

🔒 Researchers at Oasis Security disclosed a chain of flaws that allowed malicious websites to connect to a locally running OpenClaw agent and seize control. The issue exploits browser behavior that permits WebSocket connections to localhost combined with the agent’s automatic device pairing, weak authentication and disabled rate limits. Tracked as CVE-2026-25253, the vulnerability enabled silent password brute-forcing and device registration. OpenClaw issued a prompt fix (v2026.2.25+) but experts warn architectural changes and stronger controls are needed.

Chargemap Charging Infrastructure Vulnerabilities Reported

🔒 CISA reports multiple vulnerabilities in Chargemap's public charging infrastructure that could allow attackers to impersonate charging stations, hijack sessions, and disrupt services. The most severe issue (CVE-2026-25851) involves unauthenticated OCPP WebSocket endpoints and carries a CVSS 3.1 base score of 9.4. Chargemap did not respond to coordination; users should contact vendor support and reduce network exposure until fixes are available.

Yokogawa CENTUM VP Vnet/IP Vulnerabilities and Patch

🔒 Yokogawa has issued patches for multiple Vnet/IP vulnerabilities affecting CENTUM VP R6 and R7 interface packages that could allow denial-of-service or, in one case, arbitrary code execution. Affected packages (VP6C3300 and VP7C3300) at or below R1.07.00 are vulnerable; the flaws are tracked as CVE-2025-1924 and CVE-2025-48019 through CVE-2025-48023. CISA reports CVSS scores up to 6.9 (MEDIUM) and recommends applying vendor patch R1.08.00 and following advisory YSAR-26-0002 for implementation guidance.