News & Sicurezza

CVE ID :CVE-2026-0049 Published : April 6, 2026, 7:16 p.m. | 39 minutes ago Description :In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Severity: 6.2 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2025-54324 Published : April 6, 2026, 7:16 p.m. | 39 minutes ago Description :An issue was discovered in NAS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Incorrect Handling of a DL NAS Transport packet leads to a Denial of Service. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2025-48651 Published : April 6, 2026, 7:16 p.m. | 39 minutes ago Description :N/A Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-5681 Published : April 6, 2026, 7:15 p.m. | 40 minutes ago Description :A flaw has been found in itsourcecode sanitize or validate this input 1.0. This impacts an unknown function of the file /borrowedequip.php of the component Parameter Handler. This manipulation of the argument emp_id causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-35183 Published : April 6, 2026, 7:11 p.m. | 44 minutes ago Description :Brave CMS is an open-source CMS. Prior to 2.0.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the article image deletion feature. It is located in app/Http/Controllers/Dashboard/ArticleController.php within the deleteImage method. The endpoint accepts a filename from the URL but does not verify ownership. This allows an authenticated user with edit permissions to delete images attached to articles owned by other users. This vulnerability is fixed in 2.0.6. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-35182 Published : April 6, 2026, 7:10 p.m. | 45 minutes ago Description :Brave CMS is an open-source CMS. Prior to 2.0.6, this vulnerability is a missing authorization check found in the update role endpoint at routes/web.php. The POST route for /rights/update-role/{id} lacks the checkUserPermissions:assign-user-roles middleware. This allows any authenticated user to change account roles and promote themselves to Super Admin. This vulnerability is fixed in 2.0.6. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-35181 Published : April 6, 2026, 7:09 p.m. | 45 minutes ago Description :WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck(), removing the only other layer of defense. Combined with SameSite=None cookies, a cross-origin POST can modify the video player appearance on the entire platform. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-35172 Published : April 6, 2026, 7:08 p.m. | 46 minutes ago Description :Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared digest descriptor but leaves stale repo-scoped membership behind, so a later Stat or Get from repo b repopulates the shared descriptor and makes the deleted blob readable from repo a again. This vulnerability is fixed in 3.1.0. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-35180 Published : April 6, 2026, 7:06 p.m. | 48 minutes ago Description :WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customize_settings_nativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with SameSite=None cookie policy, a cross-origin POST can overwrite the platform's logo with attacker-controlled content. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-35179 Published : April 6, 2026, 7:05 p.m. | 49 minutes ago Description :WWBN AVideo is an open source video platform. In versions 26.0 and prior, the SocialMediaPublisher plugin exposes a publishInstagram.json.php endpoint that acts as an unauthenticated proxy to the Facebook/Instagram Graph API. The endpoint accepts user-controlled parameters including an access token, container ID, and Instagram account ID, and passes them directly to the Graph API via InstagramUploader::publishMediaIfIsReady(). This allows any unauthenticated user to make arbitrary Graph API calls through the server, potentially using stolen tokens or abusing the platform's own credentials. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-35178 Published : April 6, 2026, 7:01 p.m. | 54 minutes ago Description :Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains remote code execution vulnerability in the timezone conversion flow, which processes attacker-controlled cookie values in an unsafe manner. This vulnerability is fixed in 65.0.0. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-5679 Published : April 6, 2026, 7 p.m. | 55 minutes ago Description :A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_B20221024. The impacted element is the function vsetTr069Cfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument stun_pass leads to os command injection. The exploit has been disclosed publicly and may be used. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...