News & Security
Updates from ENISA, NVD and the main European cybersecurity sources. Everything a Technical Lead needs to know.
8382 results
CVE ID: CVE-2026-33206 | Published: March 27, 2026, 3:16 p.m. | Severity: 8.2 | HIGH
Description: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a path traversal vulnerability exists in calibre's handling of images in Markdown and other similar text-based files, allowing an attacker to include arbitrary files from the file system in the converted book. Additionally, missing authentication and server-side request forgery in the background-image endpoint of the e-book reader web view allow those files to be exfiltrated without further interaction. Version 9.6.0 contains a fix.
CVE ID: CVE-2026-33284 | Published: March 27, 2026, 3:16 p.m. | Severity: 1.2 | LOW
Description: GlobaLeaks is free and open-source whistleblowing software. Prior to version 5.0.89, the /api/support endpoint of GlobaLeaks performs minimal validation on user-submitted support requests. As a result, arbitrary URLs can be included in support emails sent to administrators. Version 5.0.89 patches the issue.
CVE ID: CVE-2026-33433 | Published: March 27, 2026, 3:16 p.m. | Severity: 5.1 | MEDIUM
Description: Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when `headerField` is configured with a non-canonical HTTP header name (e.g., `x-auth-user` instead of `X-Auth-User`), an authenticated attacker can inject their own canonical version of that header to impersonate any identity to the backend. The backend receives two header entries; the attacker-injected canonical one is read first, overriding Traefik's non-canonical write. Versions 2.11.42, 3.6.11, and 3.7.0-ea.3 patch the issue.
Critical 9.4 CVSS RCE Flaws in n8n Turn Workflows into Backdoors
Security researchers have disclosed two critical vulnerabilities in n8n, the popular fair-code workflow automation platform used by technical teams to bridge the gap between low-code speed and full-co ...
Published: Mar 27, 2026
Vulnerabilities mentioned in this article: CVE-2026-33660, CVE-2026-2417, CVE-2026-3584, CVE-2025-29969
Critical 9.8 CVSS Flaw in Pharos Mosaic Controllers Grants Root Access to Unauthenticated Attackers
A security advisory has been issued by CISA regarding a critical vulnerability discovered in Pharos Controls' Mosaic Show Controller firmware. The flaw, which carries a severity CVSS score of 9.8, cou ...
Published: Mar 27, 2026
Vulnerabilities mentioned in this article: CVE-2026-2417, CVE-2026-3584, CVE-2026-0866, CVE-2026-2256, CVE-2026-27699, CVE-2025-62878, CVE-2025-30411, CVE-2026-1358, CVE-2025-26385, CVE-2026-1453, CVE-2026-23830, CVE-2025-14988, CVE-2026-0994, CVE-2026-0695, CVE-2025-61937, CVE-2025-37186, CVE-2025-52691, CVE-2025-37164, CVE-2025-59396, CVE-2025-58428, CVE-2025-58384, CVE-2025-29969, CVE-2025-1316, CVE-2021-26829, CVE-1999-0073
CVE ID: CVE-2026-4340 | Published: March 27, 2026, 1:16 p.m. | Severity: 0.0 | NA
Description: Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.
CVE ID: CVE-2026-4982 | Published: March 27, 2026, 1:16 p.m. | Severity: 7.3 | HIGH
Description: A user with the "update world" permission in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server, due to a bug in the reporting feature. Exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages.
CVE ID: CVE-2026-4622 | Published: March 27, 2026, 12:16 p.m. | Severity: 7.1 | HIGH
Description: OS Command Injection vulnerability in NEC Platforms, Ltd. Aterm Series allows an attacker to execute arbitrary OS commands via the network.
CVE ID: CVE-2026-25100 | Published: March 27, 2026, 12:16 p.m. | Severity: 4.8 | MEDIUM
Description: Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its image upload functionality. An authenticated attacker with content upload privileges (such as Author, Editor, or Administrator) can upload an SVG file containing a malicious payload, which is executed when a victim visits the URL of the uploaded resource. The uploaded resource itself is accessible without authentication. The vendor was notified early about this vulnerability but stopped responding in the middle of coordination. All versions up to 3.18.2 are considered vulnerable; future versions might also be vulnerable.
CVE ID: CVE-2026-25101 | Published: March 27, 2026, 12:16 p.m. | Severity: 4.8 | MEDIUM
Description: Bludit allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behavior enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in version 3.17.2.
CVE ID: CVE-2026-4620 | Published: March 27, 2026, 12:16 p.m. | Severity: 7.1 | HIGH
Description: OS Command Injection vulnerability in NEC Platforms, Ltd. Aterm Series allows an attacker to execute arbitrary OS commands via the network.
CVE ID: CVE-2026-4619 | Published: March 27, 2026, 12:16 p.m. | Severity: 6.0 | MEDIUM
Description: Path Traversal vulnerability in NEC Platforms, Ltd. Aterm Series allows an attacker to overwrite any file via the network.
Page 26 of 699