News & Sicurezza

CVE ID :CVE-2025-43219 Published : April 2, 2026, 7:20 p.m. | 34 minutes ago Description :The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.6. Processing a maliciously crafted image may corrupt process memory. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2025-43210 Published : April 2, 2026, 7:20 p.m. | 34 minutes ago Description :An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9, macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2025-43202 Published : April 2, 2026, 7:20 p.m. | 34 minutes ago Description :This issue was addressed with improved memory handling. This issue is fixed in iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6. Processing a file may lead to memory corruption. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-34848 Published : April 2, 2026, 8:16 p.m. | 5 hours, 38 minutes ago Description :hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability in the team member overflow tooltip via display name. This issue has been patched in version 2026.3.0. Severity: 5.4 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

HiSecOS web server contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to the administrator role by sending specially crafted packets to the web server. Attackers can exploit this flaw to gain full administrative access to the affected device.

A vulnerability was determined in projectworlds Car Rental Project 1.0. The affected element is an unknown function of the file /login.php of the component Parameter Handler. This manipulation of the argument uname causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

CVE ID :CVE-2026-34577 Published : April 2, 2026, 5:24 p.m. | 30 minutes ago Description :Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by appending .mp4 as a query parameter value or URL fragment. The endpoint requires no authentication and has no SSRF protections, allowing an unauthenticated attacker to read responses from internal services, cloud metadata endpoints, and other network-internal resources. This issue has been patched in version 2.21.3. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-34576 Published : April 2, 2026, 5:23 p.m. | 31 minutes ago Description :Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get() with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.) which is trivially bypassed by appending an image extension to any URL path. An authenticated API user can fetch internal network resources, cloud instance metadata, and other internal services, with the response data uploaded to storage and returned to the attacker. This issue has been patched in version 2.21.3. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-34124 Published : April 2, 2026, 5:20 p.m. | 34 minutes ago Description :A denial-of-service vulnerability was identified in TP-Link Tapo C520WS v2.6 within the HTTP request path parsing logic. The implementation enforces length restrictions on the raw request path but does not account for path expansion performed during normalization. An attacker on the adjacent network may send a crafted HTTP request to cause buffer overflow and memory corruption, leading to system interruption or device reboot. Severity: 7.1 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-34122 Published : April 2, 2026, 5:20 p.m. | 34 minutes ago Description :A stack-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 within a configuration handling component due to insufficient input validation. An attacker can exploit this vulnerability by supplying an excessively long value for a vulnerable configuration parameter, resulting in a stack overflow. Successful exploitation results in Denial-of-Service (DoS) condition, leading to a service crash or device reboot, impacting availability. Severity: 7.1 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-34121 Published : April 2, 2026, 5:20 p.m. | 34 minutes ago Description :An authentication bypass vulnerability within the HTTP handling of the DS configuration service in TP-Link Tapo C520WS v2.6 was identified, due to inconsistent parsing and authorization logic in JSON requests during authentication check. An unauthenticated attacker can append an authentication-exempt action to a request containing privileged DS do actions, bypassing authorization checks. Successful exploitation allows unauthenticated execution of restricted configuration actions, which may result in unauthorized modification of device state. Severity: 8.7 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-34120 Published : April 2, 2026, 5:19 p.m. | 34 minutes ago Description :A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 within the asynchronous parsing of local video stream content due to insufficient alignment and validation of buffer boundaries when processing streaming inputs.An attacker on the same network segment could trigger heap memory corruption conditions by sending crafted payloads that cause write operations beyond allocated buffer boundaries. Successful exploitation causes a Denial-of-Service (DoS) condition, causing the device’s process to crash or become unresponsive. Severity: 7.1 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...