News & Security
Updates from ENISA, NVD and the main European cybersecurity sources. Everything a Technical Manager needs to know.
12977 results
CVE ID: CVE-2026-39389 | Published: April 8, 2026, 3:16 p.m. (40 minutes ago) | Description: CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, This vulnerability is fixed in 0.31.4.0. | Severity: 6.7 | MEDIUM
CVE ID: CVE-2026-39390 | Published: April 8, 2026, 3:16 p.m. (40 minutes ago) | Description: CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting (cMap field) in compInfosPost() sanitizes input using strip_tags() with an allowlist and regex-based removal of on\w+ event handlers. However, the srcdoc attribute is not an event handler and passes all filters. An attacker with admin settings access can inject a payload with HTML-entity-encoded JavaScript that executes in the context of the parent page when rendered to unauthenticated frontend visitors. This vulnerability is fixed in 0.31.4.0. | Severity: 5.5 | MEDIUM
CVE ID: CVE-2026-33753 | Published: April 8, 2026, 4:16 p.m. (1 hour, 39 minutes ago) | Description: rfc3161-client is a Python library implementing the Time-Stamp Protocol (TSP) described in RFC 3161. Prior to 1.0.6, an Authorization Bypass vulnerability in rfc3161-client's signature verification allows any attacker to impersonate a trusted TimeStamping Authority (TSA). By exploiting a logic flaw in how the library extracts the leaf certificate from an unordered PKCS#7 bag of certificates, an attacker can append a spoofed certificate matching the target common_name and Extended Key Usage (EKU) requirements. This tricks the library into verifying these authorization rules against the forged certificate while validating the cryptographic signature against an actual trusted TSA (such as FreeTSA), thereby bypassing the intended TSA authorization pinning entirely. This vulnerability is fixed in 1.0.6. | Severity: 6.2 | MEDIUM
IBM Identity and Verify Access Vulnerabilities Allow Remote Attacker to Access Sensitive Data | A critical security bulletin highlights multiple vulnerabilities in Verify Identity Access and Security Verify Access products. If left unpatched, these widespread security flaws could allow malicious ... | Published Date: Apr 08, 2026 (1 day, 14 hours ago) | Vulnerabilities mentioned in this article: CVE-2026-1346, CVE-2026-1343, CVE-2026-1342, CVE-2026-4101, CVE-2026-2862, CVE-2026-1491, CVE-2026-1345, CVE-2026-1188, CVE-2025-12635, CVE-2023-46233
CVE ID: CVE-2026-33229 | Published: April 8, 2026, 4:16 p.m. (1 hour, 39 minutes ago) | Description: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1. | Severity: 8.6 | HIGH
High-Severity Patches: NVIDIA Secures DALI and Triton Inference Server | NVIDIA has released two significant security updates addressing high-severity vulnerabilities across its DALI and Triton Inference Server software. The patches fix critical flaws that could lead to ar ... | Published Date: Apr 08, 2026 (1 day, 12 hours ago) | Vulnerabilities mentioned in this article: CVE-2026-5747, CVE-2026-24174, CVE-2026-24173, CVE-2026-24156, CVE-2026-24147, CVE-2026-24146, CVE-2026-22679, CVE-2026-35616, CVE-2026-5281, CVE-2026-3502, CVE-2026-33017, CVE-2026-4342, CVE-2025-23316
CVE ID: CVE-2025-57854 | Published: April 8, 2026, 2:16 p.m. (1 hour, 39 minutes ago) | Description: A container privilege escalation flaw was found in certain OpenShift Update Service (OSUS) images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. | Severity: 6.4 | MEDIUM
CVE ID: CVE-2025-58713 | Published: April 8, 2026, 2:16 p.m. (1 hour, 39 minutes ago) | Description: A container privilege escalation flaw was found in certain Red Hat Process Automation Manager images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. | Severity: 6.4 | MEDIUM
CVE ID: CVE-2025-57853 | Published: April 8, 2026, 2:16 p.m. (1 hour, 39 minutes ago) | Description: A container privilege escalation flaw was found in certain Web Terminal images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. | Severity: 6.4 | MEDIUM
CVE ID: CVE-2025-57847 | Published: April 8, 2026, 2:16 p.m. (1 hour, 39 minutes ago) | Description: A container privilege escalation flaw was found in certain Ansible Automation Platform images. This issue arises from the /etc/passwd file being created with group-writable permissions during the build process. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This vulnerability allows an attacker to add a new user with any arbitrary UID, including UID 0, gaining full root privileges within the container. | Severity: 6.4 | MEDIUM
CVE ID: CVE-2025-57851 | Published: April 8, 2026, 2:16 p.m. (1 hour, 39 minutes ago) | Description: A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. | Severity: 6.4 | MEDIUM
APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies | The Russian threat actor known as APT28 (aka Forest Blizzard and Pawn Storm) has been linked to a fresh spear-phishing campaign targeting Ukraine and its allies to deploy a previously undocumented mal ... | Published Date: Apr 08, 2026 (1 day, 1 hour ago) | Vulnerabilities mentioned in this article: CVE-2026-35616, CVE-2026-5281, CVE-2026-34040, CVE-2026-21513, CVE-2026-21509, CVE-2025-55182
Page 231 of 1082