News & Sicurezza

CVE ID :CVE-2026-43929 Published : May 12, 2026, 6:17 p.m. | 13 minutes ago Description :ssrfcheck is a library that checks if a string contains a potential SSRF attack. In 1.3.0 and earlier, ssrfcheck fails to block Server-Side Request Forgery attacks when the target private IP address is encoded as an IPv4-mapped IPv6 address (e.g. http://[::ffff:127.0.0.1]/). The WHATWG URL parser built into Node.js silently normalizes the IPv4 notation inside the brackets to compressed hex form ([::ffff:7f00:1]) before the library's private-IP regex ever runs. The regex was written to match dot-notation only and therefore never matches any real input — all seven IANA private IPv4 ranges, including the AWS/GCP/Azure metadata address 169.254.169.254, are bypassed. Any application using isSSRFSafeURL() to guard HTTP requests made with user-supplied URLs is fully exposed to SSRF. Severity: 8.2 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-43892 Published : May 12, 2026, 6:17 p.m. | 13 minutes ago Description :AntSword is a cross-platform website management toolkit. Prior to 2.1.16, incomplete noxss() sanitization leads to 1-click RCE via jquery.terminal format code injection. This vulnerability is fixed in 2.1.16. Severity: 8.8 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-43891 Published : May 12, 2026, 6:17 p.m. | 13 minutes ago Description :changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored, the application extracts the archive and copies each restored watch UUID directory directly into the live datastore using shutil.copytree(entry.path, dst_dir). This preserves attacker-controlled files inside the restored watch directory, including history.txt. After restore, the application parses history.txt in the watch history property and returns the contents of the targeted local file. This vulnerability is fixed in 0.55.1. Severity: 7.5 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.

CVE ID :CVE-2026-42899 Published : May 12, 2026, 6:17 p.m. | 13 minutes ago Description :Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service over a network. Severity: 7.5 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-42896 Published : May 12, 2026, 6:17 p.m. | 13 minutes ago Description :Integer overflow or wraparound in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. Severity: 7.8 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-42893 Published : May 12, 2026, 6:17 p.m. | 13 minutes ago Description :Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to perform tampering over a network. Severity: 7.4 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-42838 Published : May 12, 2026, 6:17 p.m. | 13 minutes ago Description :Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a network. Severity: 5.4 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-42891 Published : May 12, 2026, 6:17 p.m. | 13 minutes ago Description :User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. Severity: 6.5 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

Execution with unnecessary privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.

Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.

CVE ID :CVE-2026-42830 Published : May 12, 2026, 6:17 p.m. | 13 minutes ago Description :Untrusted search path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally. Severity: 6.5 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...