News & Sicurezza

CVE ID :CVE-2026-3945 Published : March 30, 2026, 8:16 a.m. | 5 hours, 37 minutes ago Description :An integer overflow vulnerability in the HTTP chunked transfer encoding parser in tinyproxy up to and including version 1.11.3 allows an unauthenticated remote attacker to cause a denial of service (DoS). The issue occurs because chunk size values are parsed using strtol() without properly validating overflow conditions (e.g., errno == ERANGE). A crafted chunk size such as 0x7fffffffffffffff (LONG_MAX) bypasses the existing validation check (chunklen Severity: 8.7 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-2328 Published : March 30, 2026, 8:16 a.m. | 5 hours, 37 minutes ago Description :An unauthenticated remote attacker can exploit insufficient input validation to access backend components beyond their intended scope via path traversal, resulting in exposure of sensitive information. Severity: 7.5 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

Hackers Circle Citrix NetScaler Flaw Within Hours of Disclosure A newly disclosed critical vulnerability, CVE-2026-3055, affecting Citrix NetScaler appliances is already drawing attention from threat actors, with evidence of active reconnaissance efforts emerging ... Read more Published Date: Mar 30, 2026 (1 day, 4 hours ago) Vulnerabilities has been mentioned in this article. CVE-2026-4368 CVE-2026-3055

CVE ID :CVE-2026-5106 Published : March 30, 2026, 5:15 a.m. | 4 hours, 38 minutes ago Description :A flaw has been found in code-projects Exam Form Submission 1.0. The impacted element is an unknown function of the file /admin/update_fst.php. Executing a manipulation of the argument sname can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used. Severity: 4.8 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-5107 Published : March 30, 2026, 6:16 a.m. | 5 hours, 37 minutes ago Description :A vulnerability has been found in FRRouting FRR up to 10.5.1. This affects the function process_type2_route of the file bgpd/bgp_evpn.c of the component EVPN Type-2 Route Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is reported as difficult. The identifier of the patch is 7676cad65114aa23adde583d91d9d29e2debd045. To fix this issue, it is recommended to deploy a patch. Severity: 4.2 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-5104 Published : March 30, 2026, 3:15 a.m. | 6 hours, 38 minutes ago Description :A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Impacted is the function setStaticRoute of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ip leads to command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. Severity: 6.5 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-5105 Published : March 30, 2026, 4:16 a.m. | 5 hours, 37 minutes ago Description :A vulnerability was detected in Totolink A3300R 17.0.0cu.557_b20221024. The affected element is the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. Performing a manipulation of the argument pptpPassThru results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. Severity: 6.5 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

The CVE Watchtower: Weekly Threat Intelligence Briefing (March 23 – March 29, 2026) Whether you are steering the organizational ship as a CISO or maintaining the operational engines as a system administrator, cutting through the noise of weekly vulnerabilities is essential to keeping ... Read more Published Date: Mar 30, 2026 (1 day, 6 hours ago) Vulnerabilities has been mentioned in this article. CVE-2026-4689 CVE-2026-4688 CVE-2026-33634 CVE-2026-33478 CVE-2026-3587 CVE-2026-3584 CVE-2026-33017 CVE-2025-53521

The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order.

CVE ID :CVE-2026-3124 Published : March 30, 2026, 2:16 a.m. | 7 hours, 37 minutes ago Description :The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order. Severity: 7.5 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2025-15036 Published : March 30, 2026, 2:16 a.m. | 7 hours, 37 minutes ago Description :A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments. Severity: 9.6 | CRITICAL Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-5103 Published : March 30, 2026, 2:16 a.m. | 7 hours, 37 minutes ago Description :A weakness has been identified in Totolink A3300R 17.0.0cu.557_b20221024. This issue affects the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument enable causes command injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. Severity: 6.5 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...