Cybersecurity & EU Regulation

News & Security

Updates from ENISA, NVD and the main European cybersecurity sources. Everything a Technical Lead needs to know.

Vulnerability: High
CVE-2026-2842

CVE ID: CVE-2026-2842 | Published: June 18, 2026, 6:55 p.m.
Description: None
Severity: 0.0 | NA

CVEfeed CVE, 18 Jun 2026
Vulnerability: High
CVE-2026-48716 - nanobot: Path traversal via unsanitized WhatsApp document fileName enables arbitrary file write

CVE ID: CVE-2026-48716 | Published: June 18, 2026, 6:46 p.m.
Description: nanobot is a personal AI assistant. In versions 0.1.5.post3 and prior, the WhatsApp bridge in bridge/src/whatsapp.ts constructs a filesystem path using the fileName field from an incoming WhatsApp document message without sanitization. The WhatsApp bridge downloads media attachments and writes them to disk using a filename derived from the sender's message via documentMessage.fileName, which is concatenated with a prefix, and its raw value is passed directly to path.join(mediaDir, outFilename). Node.js path.join resolves .. components, allowing an attacker to escape the intended media/ directory by sending a document with a crafted fileName such as ../../../.ssh/authorized_keys. Because the attacker also controls the file content (the downloaded buffer), this is a write-anywhere primitive: both path and content are attacker-controlled. A fix for this issue is planned for version 0.1.5.post4.
Severity: 0.0 | NA

CVEfeed CVE, 18 Jun 2026
Vulnerability: High
CVE-2026-47846 - Bitnami Cassandra Default Superuser Vulnerability

CVE ID: CVE-2026-47846 | Published: June 18, 2026, 6:39 p.m.
Description: Bitnami Cassandra container images are affected by a retained default superuser vulnerability. When a custom administrator account is configured via the CASSANDRA_USER environment variable, the container initialization script creates the new superuser account but fails to drop the built-in cassandra account in certain scenarios. This leaves the default cassandra:cassandra superuser active as an unintended access path.
Affected versions (container image): 4.0.x prior to 4.0.20-photon-5-r7; 4.1.x prior to 4.1.11-photon-5-r7; 5.0.x prior to 5.0.8-photon-5-r4 / 5.0.8-debian-12-r3.
Severity: 9.8 | CRITICAL

CVEfeed CVE, 18 Jun 2026
Vulnerability: High
CVE-2026-47847 - Bitnami MariaDB Galera: Hardcoded Credentials

CVE ID: CVE-2026-47847 | Published: June 18, 2026, 6:37 p.m.
Description: Bitnami MariaDB Galera container images and Helm chart are affected by a hardcoded default credential vulnerability in the Galera replication health-check user. The MARIADB_REPLICATION_USER and MARIADB_REPLICATION_PASSWORD environment variables defaulted to monitor and monitor respectively. This user is granted REPLICATION CLIENT privileges from any host ('%'). The Bitnami Helm chart for MariaDB Galera did not expose parameters to configure this user's credentials, resulting in all chart deployments using this publicly known credential by default.
Affected versions (container image): 10.6.x prior to 10.6.27-photon-5-r0; 10.11.x prior to 10.11.17-photon-5-r1; 11.4.x prior to 11.4.12-photon-5-r0; 11.8.x prior to 11.8.7-photon-5-r1; 12.3.x prior to 12.3.2-photon-5-r0 / 12.3.2-debian-12-r0. Helm chart: prior to 18.3.0.
Severity: 5.3 | MEDIUM

CVEfeed CVE, 18 Jun 2026
Vulnerability: High
CVE-2026-12390 - Access of resource using incompatible type ('type confusion') in AzeoTech DAQFactory

CVE ID: CVE-2026-12390 | Published: June 18, 2026, 6:30 p.m.
Description: In AzeoTech DAQFactory versions 21.1 and prior, a type confusion vulnerability can be exploited by an attacker using specially crafted .ctl files, which can result in code execution.
Severity: 8.4 | HIGH

CVEfeed CVE, 18 Jun 2026
Vulnerability: High
CVE-2026-47833 - BPM: Container-to-Host Privilege Escalation via Symlink Following

CVE ID: CVE-2026-47833 | Published: June 18, 2026, 6:30 p.m.
Description: setupBpmLogs follows a symlink when opening and chowning bpm.log, giving container-to-host privilege escalation via /etc/shadow. A compromised process inside a bpm container can cause root to chown an arbitrary host file to vcap and append bpm JSON log lines to it. The chown alone lets the attacker take ownership of /etc/shadow and read every password hash on the host via the read-only /etc bind mount. This is a container-to-host confidentiality break affecting every bpm-managed job.
Affected versions: bpm-release, all versions prior to v1.4.30.
Severity: 6.9 | MEDIUM

CVEfeed CVE, 18 Jun 2026
Vulnerability: Critical
CVE-2026-54390 (CVSS 9.8)

JTL Shop versions 5.2.0 through 5.7.1 contain a server-side template injection vulnerability that allows unauthenticated attackers to inject malicious template syntax due to unsanitized user-supplied input passed to the Smarty template engine. Attackers can exploit this flaw to read sensitive server-side values such as database credentials and encryption keys, and on versions 5.4.0 through 5.7.1, leverage registered Smarty modifiers including unserialize and file_get_contents to write a webshell to the web root and execute arbitrary commands as the web server user.

NVD (NIST), 18 Jun 2026
Vulnerability: High
CVE-2026-48937 - Node.js HTTP/2 Denial of Service

CVE ID: CVE-2026-48937 | Published: June 18, 2026, 6:01 p.m.
Description: A flaw in the Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affects two supported release lines: Node.js 22 and Node.js 24.
Severity: 5.3 | MEDIUM

CVEfeed CVE, 18 Jun 2026
Vulnerability: High
CVE-2026-55392 - NILFS utilities - Undefined Behavior and Out-of-Memory via Unvalidated s_log_block_size

CVE ID: CVE-2026-55392 | Published: June 18, 2026, 6 p.m.
Description: In NILFS utilities through 2.3.0 (fixed in commit 26efb5d), the nilfs_sb_is_valid() function fails to validate the s_log_block_size field in the NILFS2 superblock before bit-shift operations. Attackers supplying crafted NILFS2 images trigger undefined behavior through oversized shifts or out-of-memory conditions, crashing tools such as nilfs-tune and dumpseg.
Severity: 6.7 | MEDIUM

CVEfeed CVE, 18 Jun 2026
Vulnerability: High
CVE-2026-9692 - Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely

CVE ID: CVE-2026-9692 | Published: June 18, 2026, 5:53 p.m.
Description: Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy sources that are unsuitable for security purposes.
Severity: 0.0 | NA

CVEfeed CVE, 18 Jun 2026
Vulnerability: High
CVE-2026-54390 - JTL Shop < 5.7.2 Server-Side Template Injection via Smarty Renderer

CVE ID: CVE-2026-54390 | Published: June 18, 2026, 5:33 p.m.
Description: JTL Shop versions 5.2.0 through 5.7.1 contain a server-side template injection vulnerability that allows unauthenticated attackers to inject malicious template syntax due to unsanitized user-supplied input passed to the Smarty template engine. Attackers can exploit this flaw to read sensitive server-side values such as database credentials and encryption keys, and on versions 5.4.0 through 5.7.1, leverage registered Smarty modifiers including unserialize and file_get_contents to write a webshell to the web root and execute arbitrary commands as the web server user.
Severity: 9.8 | CRITICAL

CVEfeed CVE, 18 Jun 2026
News
F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution

Ravie Lakshmanan, Jun 18, 2026 | Vulnerability / Cloud Security
F5 has released security updates to address two critical security flaws in NGINX Open Source that could be exploited to achieve code execut ...
Published Date: Jun 18, 2026
Vulnerabilities mentioned in this article: CVE-2026-42055, CVE-2026-42530, CVE-2026-11645, CVE-2026-42945

CVEfeed Newsroom, 18 Jun 2026