Live intelligence feed
2692 collected events across every source — vulnerabilities, rulemaking and (soon) advisories, enforcement & news — newest first. This is the raw stream behind the compliance boards.
All sources
CISA KEV · 1644
NVD CVE · 603
News · 229
eCFR · 98
CISA advisory · 21
DoD CIO CMMC · 21
DC3 DCISE · 19
DOJ FCA · 16
Fed. Register · 11
DCSA · 10
Cyber AB docs · 10
NIST · 9
OIRA · 1
⊙ Subscribe (RSS)
this exact view — open in your feed reader
-
The previous default setting for Airflow's Experimental API was to allow all API requests without authentication.
-
In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request.
-
Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server.
-
Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server.
-
A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow.
-
The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side-channel attacks as a result of cache access patterns. NOTE: this issue exists because of an incomplete fix for CVE-2019-9495.
-
The implementations of SAE in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side channel attacks as a result of cache access patterns. NOTE: this issue exists because of an incomplete fix for CVE-2019-9494.
-
jpress v4.2.0 is vulnerable to command execution via io.jpress.web.admin._AddonController::doUploadAndInstall.
-
A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software allows a remote, unauthenticated attacker to upload a file to any location on the filesystem.
-
A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k EoP.
-
A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for PE files.
-
Google Chrome Media contains a use-after-free vulnerability that allows a remote attacker to execute code via a crafted HTML page.
-
Injection vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services).
-
Synacor Zimbra Collaboration Suite (ZCS) contains an improper restriction of XML external entity (XXE) vulnerability in the mailboxd component.
-
An Improper Authorization vulnerability in Fortinet FortiOS and FortiProxy under SSL VPN web portal allows an unauthenticated attacker to modify the password.
-
A heap buffer overflow in Fortinet FortiOS and FortiProxy may cause the SSL VPN web service termination for logged in users.
-
Remote Code Execution in PAN-OS with GlobalProtect Portal or GlobalProtect Gateway Interface enabled.
-
Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.
-
Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands
-
Kibana contain an arbitrary code execution flaw in the Timelion visualizer.
-
Primetek Primefaces is vulnerable to a weak encryption flaw resulting in remote code execution
-
A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation.
-
Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization.
-
Microsoft Windows AppX Installer contains a spoofing vulnerability which has a high impacts to confidentiality, integrity, and availability.
-
Google Chromium V8 Engine contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not...
-
A Broken or Risky Cryptographic Algorithm exists in AnonAddy 0.8.5 via VerificationController.php.
-
By now, Federal IT decision-makers are very familiar with machine learning (ML) and artificial intelligence (AI).
-
Zoho Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server.
-
Kernel/ptrace.c in Linux kernel mishandles contains an improper privilege management vulnerability that allows local users to obtain root access.
-
RealTek Jungle SDK contains multiple memory corruption vulnerabilities which can allow an attacker to perform remote code execution.
-
Sonatype Nexus Repository Manager before 3.15.0 has an incorrect access control vulnerability. Exploitation allows for remote code execution.
-
The optional Apache Solr module DataImportHandler contains a code injection vulnerability.
-
FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
-
Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
-
Fortinet FortiOS "execute restore src-vis" downloads code without integrity checking, allowing an attacker to arbitrarily download files.
-
Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
-
Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.
-
mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method.
-
The JBoss Application Server, shipped with Red Hat Enterprise Application Platform 5.2, allows an attacker to execute arbitrary code via crafted serialized data.
-
JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, allows attackers to perform remote code execution. This vulnerability can only be exploited when the Java Security Manager is not properly configured.