News & Security
Updates from ENISA, NVD and the main European cybersecurity sources. Everything a Technical Lead needs to know.
12762 results
CVE ID: CVE-2026-28261 | Published: April 8, 2026, 1:16 p.m. | Description: Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale, versions prior to 4.1.0.3 and version 4.2.0.0, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to secret exposure. The attacker may be able to use the exposed secret to access the vulnerable system with privileges of the compromised account. | Severity: 7.8 | HIGH
CVE ID: CVE-2026-24511 | Published: April 8, 2026, 1:16 p.m. | Description: Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.1.6 and versions 9.11.0.0 through 9.13.0.0, contains a generation of error message containing sensitive information vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to information disclosure. | Severity: 4.4 | MEDIUM
CVE ID: CVE-2025-14815 | Published: April 8, 2026, 2:16 p.m. | Description: Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric AnalytiX versions 10.97.3 and prior, Mitsubishi Electric GENESIS versions 11.02 and prior, Mitsubishi Electric MC Works64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions AnalytiX versions 10.97.3 and prior, and Mitsubishi Electric Iconics Digital Solutions GENESIS versions 11.02 and prior allows a local attacker to disclose the SQL Server credentials stored in plaintext within the local SQLite file by exploiting this vulnerability, when the local caching feature using SQLite is enabled and SQL authentication is used for the SQL Server authentication. As a result, the unauthorized attacker could access the SQL Server and disclose, tamper with, or destroy data on the server, potentially causing a denial-of-service (DoS) condition on the system. | Severity: 9.3 | CRITICAL
CVE-2026-34208 (CVSS 10): Critical Sandbox Escape Uncovered in SandboxJS. In the world of secure software development, sandboxing is the ultimate safety net—a controlled environment designed to run untrusted code without letting it touch the “real” system. However, a critic ... Published Date: Apr 08, 2026. Vulnerabilities mentioned in this article: CVE-2026-5747, CVE-2026-22679, CVE-2026-34197, CVE-2026-34208, CVE-2026-35616, CVE-2026-5281, CVE-2026-3502, CVE-2026-26954, CVE-2026-23830
CVE ID: CVE-2026-31411 | Published: April 8, 2026, 2:16 p.m. | Description: In the Linux kernel, the following vulnerability has been resolved: net: atm: fix crash due to unvalidated vcc pointer in sigd_send(). Reproducer available at [1]. The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged:

    int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);
    ioctl(fd, ATMSIGD_CTRL);                      // become ATM signaling daemon
    struct msghdr msg = { .msg_iov = &iov, ... };
    *(unsigned long *)(buf + 4) = 0xdeadbeef;     // fake vcc pointer
    sendmsg(fd, &msg, 0);                         // kernel dereferences 0xdeadbeef

In normal operation, the kernel sends the vcc pointer to the signaling daemon via sigd_enq() when processing operations like connect(), bind(), or listen(). The daemon is expected to return the same pointer when responding. However, a malicious daemon can send arbitrary pointer values. Fix this by introducing find_get_vcc() which validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs), and acquires a reference via sock_hold() if found. Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime. Therefore using sock_hold/sock_put is sufficient to keep the vcc alive while it is being used. Note that there may be a race with sigd_close() which could mark the vcc with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns. However, sock_hold() guarantees the memory remains valid, so this race only affects the logical state, not memory safety. [1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3 | Severity: 0.0 | NA
CVE ID: CVE-2026-35023 | Published: April 8, 2026, 2:16 p.m. | Description: Wimi Teamwork On-Premises versions prior to 8.2.0 contain an insecure direct object reference vulnerability in the preview.php endpoint where the item_id parameter lacks proper authorization checks. Attackers can enumerate sequential item_id values to access and retrieve image previews from other users' private or group conversations, resulting in unauthorized disclosure of sensitive information. | Severity: 5.3 | MEDIUM
The WCAPF – WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the 'post-author' parameter in all versions up to, and including, 4.2.3 due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to already existing queries that can be used to extract sensitive information from the database.
The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the create_crop function in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability was partially patched in version 1.2.5.
Apache ActiveMQ Patches RCE and Path Traversal Flaws. Apache ActiveMQ, the widely used open-source message broker, has released critical security updates to address two vulnerabilities that could allow attackers to execute arbitrary code or access restri ... Published Date: Apr 08, 2026. Vulnerabilities mentioned in this article: CVE-2026-22679, CVE-2026-34197, CVE-2026-33227, CVE-2026-35616, CVE-2026-5281, CVE-2026-3502, CVE-2026-22739, CVE-2026-27728, CVE-2025-54539, CVE-2025-27533
Critical Zero-Day: Unauthenticated RCE Exploited in Weaver E-cology 10.0. A critical security vulnerability, tracked as CVE-2026-22679, has been identified in Weaver (Fanwei) E-cology 10.0, one of the most widely used enterprise collaborative office platforms. With a CVSS s ... Published Date: Apr 08, 2026. Vulnerabilities mentioned in this article: CVE-2026-22679, CVE-2021-4473, CVE-2026-34197, CVE-2026-35616, CVE-2026-5281, CVE-2026-3502, CVE-2026-20127, CVE-2026-21962, CVE-2025-55182, CVE-2025-59689, CVE-2025-7775, CVE-2025-6554, CVE-2025-31103, CVE-2025-0108
CVE ID: CVE-2026-5208 | Published: April 8, 2026, 12:16 p.m. | Description: Command injection in alerts in CoolerControl/coolercontrold | Severity: 8.2 | HIGH
CVE ID: CVE-2026-28264 | Published: April 8, 2026, 12:16 p.m. | Description: Dell PowerProtect Agent Service, version(s) prior to 20.1, contain(s) an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to information exposure. | Severity: 3.3 | LOW