Submit #773890: https://bagofwords.com/ bagofwords <=0.0.297 Remote command execution [Accepted]
Submit #773890 / VDB-352065
Aggregator
Google slows Android sideloading to trip up scammers
1 week ago
Google’s advanced flow for Android changes how apps from unverified developers are installed, adding steps to reduce scam-driven sideloading. The feature is aimed at experienced users and allows sideloading through a controlled, one-time setup. It addresses scam scenarios where attackers pressure individuals to install malicious software. In these cases, scammers often stay on the phone and guide victims step by step, pushing them to bypass security warnings and disable protections before they can pause or … More →
The post Google slows Android sideloading to trip up scammers appeared first on Help Net Security.
Anamarija Pogorelec
Ушёл из жизни Сергей Минеев — легендарный охотник за APT-группировками
1 week ago
Коллеги по индустрии сообщили о смерти исследователя.
CVE-2026-33135 | LabRedesCefetRJ WeGIA up to 3.6.6 novo_memorandoo.php msg cross site scripting (GHSA-w5rv-5884-w94v)
1 week ago
A vulnerability was found in LabRedesCefetRJ WeGIA up to 3.6.6. It has been classified as problematic. This affects an unknown function of the file /html/memorando/novo_memorandoo.php. This manipulation of the argument msg causes cross site scripting.
This vulnerability appears as CVE-2026-33135. The attack may be initiated remotely. There is no available exploit.
Upgrading the affected component is recommended.
vuldb.com
CVE-2026-33134 | LabRedesCefetRJ WeGIA up to 3.6.5 GET Parameter restaurar_produto.php id_produto sql injection (GHSA-qg95-x997-66wq)
1 week ago
A vulnerability was found in LabRedesCefetRJ WeGIA up to 3.6.5 and classified as critical. The impacted element is an unknown function of the file html/matPat/restaurar_produto.php of the component GET Parameter Handler. The manipulation of the argument id_produto results in sql injection.
This vulnerability is reported as CVE-2026-33134. The attack can be launched remotely. No exploit exists.
It is suggested to upgrade the affected component.
vuldb.com
CVE-2026-33132 | Zitadel up to 3.4.8/4.12.2 API V2 Endpoint authorization (GHSA-g2pf-ww5m-2r9m)
1 week ago
A vulnerability has been found in Zitadel up to 3.4.8/4.12.2 and classified as problematic. The affected element is an unknown function of the component API V2 Endpoint. The manipulation leads to incorrect authorization.
This vulnerability is documented as CVE-2026-33132. The attack can be initiated remotely. There is not any exploit available.
The affected component should be upgraded.
vuldb.com
CVE-2026-33136 | LabRedesCefetRJ WeGIA up to 3.6.6 Memorando listar_memorandos_ativos.php msg cross site scripting (GHSA-xjqp-5q3h-2cxh)
1 week ago
A vulnerability, which was classified as problematic, was found in LabRedesCefetRJ WeGIA up to 3.6.6. Impacted is an unknown function of the file /html/memorando/listar_memorandos_ativos.php of the component Memorando Module. Executing a manipulation of the argument msg can lead to cross site scripting.
This vulnerability is registered as CVE-2026-33136. It is possible to launch the attack remotely. No exploit is available.
You should upgrade the affected component.
vuldb.com
CVE-2026-32595 | Traefik up to 2.11.40/3.6.10 timing discrepancy (GHSA-g3hg-j4jv-cwfr)
1 week ago
A vulnerability, which was classified as problematic, has been found in Traefik up to 2.11.40/3.6.10. This issue affects some unknown processing. Performing a manipulation results in observable timing discrepancy.
This vulnerability is cataloged as CVE-2026-32595. It is possible to initiate the attack remotely. There is no exploit available.
It is advisable to upgrade the affected component.
vuldb.com
CVE-2026-33131 | h3js h3 up to 2.0.0-0/2.0.1-rc.14/2.0.1-rc.15 Host event.url/event.url.hostname/event.url._url authentication spoofing (GHSA-3vj8-jmxq-cgj5)
1 week ago
A vulnerability classified as critical was found in h3js h3 up to 2.0.0-0/2.0.1-rc.14/2.0.1-rc.15. This vulnerability affects unknown code of the component Host Handler. Such manipulation of the argument event.url/event.url.hostname/event.url._url leads to authentication bypass by spoofing.
This vulnerability is listed as CVE-2026-33131. The attack may be performed from remote. There is no available exploit.
Upgrading the affected component is advised.
vuldb.com
CVE-2026-25792 | Greenshot up to 1.3.312 untrusted search path (GHSA-f8v9-7fph-fr2j)
1 week ago
A vulnerability classified as problematic has been found in Greenshot up to 1.3.312. This affects an unknown part. This manipulation causes untrusted search path.
This vulnerability is tracked as CVE-2026-25792. The attack is restricted to local execution. No exploit exists.
vuldb.com
CVE-2026-32305 | Traefik up to 2.11.40/3.6.10 TLS Configuration improper authentication (GHSA-wvvq-wgcr-9q48)
1 week ago
A vulnerability described as critical has been identified in Traefik up to 2.11.40/3.6.10. Affected by this issue is some unknown functionality of the component TLS Configuration Handler. The manipulation results in improper authentication.
This vulnerability is identified as CVE-2026-32305. The attack can be executed remotely. There is not any exploit available.
Upgrading the affected component is recommended.
vuldb.com
CVE-2026-33133 | LabRedesCefetRJ WeGIA up to 3.6.6 SQL File Parser loadBackupDB sql injection (GHSA-qqff-p8fc-hg5f)
1 week ago
A vulnerability marked as critical has been reported in LabRedesCefetRJ WeGIA up to 3.6.6. Affected by this vulnerability is the function loadBackupDB of the component SQL File Parser. The manipulation leads to sql injection.
This vulnerability is referenced as CVE-2026-33133. Remote exploitation of the attack is possible. No exploit is available.
It is suggested to upgrade the affected component.
vuldb.com
CVE-2026-4499 | D-Link DIR-820LW 2.03 SSDP ssdpcgi_main os command injection
1 week ago
A vulnerability labeled as critical has been found in D-Link DIR-820LW 2.03. Affected is the function ssdpcgi_main of the component SSDP. Executing a manipulation can lead to os command injection.
The identification of this vulnerability is CVE-2026-4499. The attack may be launched remotely. Furthermore, there is an exploit available.
vuldb.com
DragonForce
1 week ago
You must login to view this content
cohenido
Terminated contract led to $2.5 million cyber extortion scheme
1 week ago
A federal jury convicted Cameron Curry, 27, a Charlotte resident, of carrying out an extensive cyber extortion scheme targeting a Washington, D.C.-based international technology company. He faces up to two years in prison on each of the six charges. Curry, who worked as a data analyst for about six months with the victim company and had access to its data files and internal personnel and corporate information, began the scheme after learning his contract would … More →
The post Terminated contract led to $2.5 million cyber extortion scheme appeared first on Help Net Security.
Sinisa Markovic
Submit #773883: D-Link DIR-820LW B2.03 OS Command Injection [Accepted]
1 week ago
Submit #773883 / VDB-352055
junqi
Akira
1 week ago
You must login to view this content
cohenido
Microsoft Unveils New Teams Optimizations for Windows App on iOS & Android
1 week ago
Microsoft has officially announced the general availability of new Microsoft Teams optimizations for the Windows App on both iOS and Android platforms. Released on March 18, 2026, this update introduces the WebRTC Redirector Service to mobile users connecting to Azure Virtual Desktop and Windows 365 environments. For IT administrators and security teams managing distributed workforces, […]
The post Microsoft Unveils New Teams Optimizations for Windows App on iOS & Android appeared first on Cyber Security News.
Abinaya
Live Webinar | Efficiency today. Exploits tomorrow: Strategies for Highly-Regulated Industries to Secure Non-Human Identities
1 week ago
Live Webinar | Emerging Attack Patterns and Response Strategies for 2026
1 week ago