jell.ie CVEs

Read at: 2026-04-14T12:36:53+00:00

CVE-2025-13822 - Authentication bypass in MCPHub

CVE ID :CVE-2025-13822
Published : April 14, 2026, 10:23 a.m. | 19 minutes ago
Description :MCPHub in versions below 0.11.0 is vulnerable to authentication bypass. Some endpoints are not protected by the authentication middleware, allowing an unauthenticated attacker to perform actions on behalf of other users, with those users' privileges.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...

Source: Latest Vulnerabilities | 14 Apr 2026 | 10:23 am UTC

CVE-2026-4109 - Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) <= 4.1.8 Missing Authorization to Authenticated (Subscriber+) Order Information Exposure

CVE ID :CVE-2026-4109
Published : April 14, 2026, 9:16 a.m. | 1 hour, 26 minutes ago
Description :The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to an improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary order data including customer PII (name, email, phone) by iterating order IDs.
Severity: 4.3 | MEDIUM

Source: Latest Vulnerabilities | 14 Apr 2026 | 9:16 am UTC

CVE-2026-33929 - Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code

CVE ID :CVE-2026-33929
Published : April 14, 2026, 9:16 a.m. | 1 hour, 26 minutes ago
Description :Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples. This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, and from 3.0.0 through 3.0.7. Users are recommended to update to version 2.0.37 or 3.0.8 once available; until then, they should apply the fix provided in GitHub PR 427. The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22), tracked as CVE-2026-23907. The fix shipped in releases 2.0.36 and 3.0.7 is incomplete because it does not take the file path separator into account: the output directory is matched as a bare string prefix, so a user with write access to /home/ABC who opens a malicious PDF could have the example attempt a write to any path whose string form begins with "/home/ABC", e.g. "/home/ABCDEF". Users who have copied this example into their production code should apply the mentioned change. The example has been changed accordingly and is available in the project repository.
Severity: 0.0 | NA

Source: Latest Vulnerabilities | 14 Apr 2026 | 9:16 am UTC

CVE-2026-33892 - Industrial Edge Management Pro/Virtual Unauthenticated Remote Authentication Bypass

CVE ID :CVE-2026-33892
Published : April 14, 2026, 9:16 a.m. | 1 hour, 26 minutes ago
Description :A vulnerability has been identified in Industrial Edge Management Pro V1 (All versions >= V1.7.6 = V2.0.0 = V2.2.0
Severity: 7.1 | HIGH

Source: Latest Vulnerabilities | 14 Apr 2026 | 9:16 am UTC

CVE-2026-31924 - Apache APISIX: Plugin tencent-cloud-cls log export uses plaintext HTTP

CVE ID :CVE-2026-31924
Published : April 14, 2026, 9:16 a.m. | 1 hour, 26 minutes ago
Description :Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX: the tencent-cloud-cls log export plugin sends logs over plaintext HTTP. This issue affects Apache APISIX from 2.99.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.
Severity: 0.0 | NA

Source: Latest Vulnerabilities | 14 Apr 2026 | 9:16 am UTC

CVE-2026-31923 - Apache APISIX: Openid-connect `tls_verify` field is disabled by default

CVE ID :CVE-2026-31923
Published : April 14, 2026, 9:16 a.m. | 1 hour, 26 minutes ago
Description :Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default. This issue affects Apache APISIX: from 0.7 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.
Severity: 0.0 | NA

Source: Latest Vulnerabilities | 14 Apr 2026 | 9:16 am UTC

CVE-2026-31908 - Apache APISIX: forward auth plugin allows header injection

CVE ID :CVE-2026-31908
Published : April 14, 2026, 9:16 a.m. | 1 hour, 26 minutes ago
Description :Header injection vulnerability in Apache APISIX. An attacker can take advantage of certain configurations of the forward-auth plugin to inject malicious headers. This issue affects Apache APISIX from 2.12.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.
Severity: 0.0 | NA

Source: Latest Vulnerabilities | 14 Apr 2026 | 9:16 am UTC

CVE-2026-27668 - RUGGEDCOM CROSSBOW SAM-P Privilege Escalation Vulnerability

CVE ID :CVE-2026-27668
Published : April 14, 2026, 9:16 a.m. | 1 hour, 26 minutes ago
Description :A vulnerability has been identified in RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) (All versions
Severity: 8.8 | HIGH

Source: Latest Vulnerabilities | 14 Apr 2026 | 9:16 am UTC

CVE-2026-25654 - SINEC NMS Authentication Bypass Vulnerability

CVE ID :CVE-2026-25654
Published : April 14, 2026, 9:16 a.m. | 1 hour, 26 minutes ago
Description :A vulnerability has been identified in SINEC NMS (All versions
Severity: 8.8 | HIGH

Source: Latest Vulnerabilities | 14 Apr 2026 | 9:16 am UTC

CVE-2026-24032 - SINEC NMS Authentication Bypass Vulnerability

CVE ID :CVE-2026-24032
Published : April 14, 2026, 9:16 a.m. | 1 hour, 26 minutes ago
Description :A vulnerability has been identified in SINEC NMS (All versions
Severity: 7.3 | HIGH

Source: Latest Vulnerabilities | 14 Apr 2026 | 9:16 am UTC

CVE-2025-40745 - Siemens Certificates Validation Weakness

CVE ID :CVE-2025-40745
Published : April 14, 2026, 9:16 a.m. | 1 hour, 26 minutes ago
Description :A vulnerability has been identified in Siemens Software Center (All versions
Severity: 6.3 | MEDIUM

Source: Latest Vulnerabilities | 14 Apr 2026 | 9:16 am UTC

CVE-2026-2582 - Germanized for WooCommerce <= 3.20.5 - Unauthenticated Arbitrary Shortcode Execution

CVE ID :CVE-2026-2582
Published : April 14, 2026, 7:16 a.m. | 3 hours, 27 minutes ago
Description :The Germanized for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'account_holder' parameter in all versions up to, and including, 3.20.5. This is due to the software allowing users to execute an action that does not properly validate a value before passing it to do_shortcode(). This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Severity: 6.5 | MEDIUM

Source: Latest Vulnerabilities | 14 Apr 2026 | 7:16 am UTC

CVE-2026-3017 - Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts <= 3.0.12 - Authenticated (Administrator+) PHP Object Injection

CVE ID :CVE-2026-3017
Published : April 14, 2026, 6:16 a.m. | 4 hours, 27 minutes ago
Description :The Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.12 via deserialization of untrusted input in the import_shortcodes() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Severity: 7.2 | HIGH

Source: Latest Vulnerabilities | 14 Apr 2026 | 6:16 am UTC

CVE-2026-4059 - ShopLentor <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute

CVE ID :CVE-2026-4059
Published : April 14, 2026, 4:17 a.m. | 6 hours, 26 minutes ago
Description :The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentor_quickview_button shortcode's button_text attribute in all versions up to, and including, 3.3.5. This is due to insufficient input sanitization and missing output escaping on user-supplied shortcode attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM

Source: Latest Vulnerabilities | 14 Apr 2026 | 4:17 am UTC

CVE-2026-4479 - WholeSale Products Dynamic Pricing Management WooCommerce <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

CVE ID :CVE-2026-4479
Published : April 14, 2026, 4:17 a.m. | 6 hours, 26 minutes ago
Description :The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity: 4.4 | MEDIUM

Source: Latest Vulnerabilities | 14 Apr 2026 | 4:17 am UTC

CVE-2026-40315 - PraisonAI: SQLiteConversationStore didn't validate table_prefix when constructing SQL queries

CVE ID :CVE-2026-40315
Published : April 14, 2026, 4:17 a.m. | 6 hours, 26 minutes ago
Description :PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix configuration value is directly concatenated into SQL queries via f-strings without any validation or sanitization. Since SQL identifiers cannot be safely parameterized, an attacker who controls the table_prefix value (e.g., through from_yaml or from_dict configuration input) can inject arbitrary SQL fragments that alter query structure. This enables unauthorized data access, such as reading internal SQLite tables like sqlite_master, and manipulation of query results through techniques like UNION-based injection. The vulnerability propagates from configuration input in config.py, through factory.py, to the SQL query construction in sqlite.py. Exploitation requires the ability to influence configuration input, and successful exploitation leads to internal schema disclosure and full query result tampering. This issue has been fixed in version 4.5.133.
Severity: 7.2 | HIGH

Source: Latest Vulnerabilities | 14 Apr 2026 | 4:17 am UTC
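
The CVE-2026-40315 entry above turns on one point: a table name is an SQL identifier, and identifiers cannot be passed as bound parameters, so an f-string is the only way to get them into the statement and the prefix must therefore be validated before it gets there. The following Python is an added illustration written for this page, not PraisonAI's code; the class names, the allow-list pattern, the 64-character cap and the in-memory schema are all choices made for the example. The vulnerable class keeps the reported shape (prefix spliced in, only the row value bound) and EXFIL_PREFIX is a constructed value that leaves the original `?` placeholder intact while rewriting the statement into a UNION over sqlite_master.

```python
import re
import sqlite3

# Allow-list for identifier fragments. The pattern and the 64-character cap
# are a policy chosen for this example, not anything from the PraisonAI code.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
MAX_IDENT_LEN = 64


def validate_identifier(name: str) -> str:
    """Identifiers cannot be bound as query parameters, so the only safe
    handling is an allow-list check before the name is spliced into SQL."""
    if len(name) > MAX_IDENT_LEN or not IDENT_RE.match(name):
        raise ValueError(f"invalid SQL identifier: {name!r}")
    return name


def quote_identifier(name: str) -> str:
    """Double-quote a validated identifier (ANSI/SQLite style) so it can
    never be read as a keyword or as the start of another clause."""
    return '"' + name.replace('"', '""') + '"'


class VulnerableStore:
    """Illustrative stand-in for the reported pattern: the configured prefix
    is dropped straight into an f-string; only the row value is bound."""

    def __init__(self, conn: sqlite3.Connection, table_prefix: str):
        self.conn = conn
        self.table_prefix = table_prefix

    def fetch(self, session_id: str) -> list:
        sql = f"SELECT content FROM {self.table_prefix}messages WHERE session_id = ?"
        return sorted(row[0] for row in self.conn.execute(sql, (session_id,)))


class HardenedStore:
    """Same query, but the table name is allow-listed and quoted when the
    store is built, so a hostile prefix is rejected before any SQL runs."""

    def __init__(self, conn: sqlite3.Connection, table_prefix: str):
        self.conn = conn
        self.table = quote_identifier(validate_identifier(table_prefix + "messages"))

    def fetch(self, session_id: str) -> list:
        sql = f"SELECT content FROM {self.table} WHERE session_id = ?"
        return sorted(row[0] for row in self.conn.execute(sql, (session_id,)))


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for a conversation store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_messages (session_id TEXT, content TEXT)")
    conn.executemany(
        "INSERT INTO app_messages VALUES (?, ?)",
        [("s1", "hello"), ("s2", "secret")],
    )
    return conn


# Constructed prefix: keeps the original '?' placeholder intact but rewrites
# the statement into a UNION over sqlite_master, disclosing the schema.
EXFIL_PREFIX = (
    "app_messages WHERE 0=1 "
    "UNION SELECT name FROM sqlite_master WHERE type='table' "
    "UNION SELECT content FROM app_"
)


def hardened_accepts(table_prefix: str) -> bool:
    """True if the hardened store would accept this prefix at all."""
    try:
        HardenedStore(build_db(), table_prefix)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    conn = build_db()
    print(VulnerableStore(conn, "app_").fetch("s2"))
    print(VulnerableStore(conn, EXFIL_PREFIX).fetch("s1"))
    print(HardenedStore(conn, "app_").fetch("s2"))
    print(hardened_accepts(EXFIL_PREFIX))
```

With the benign prefix both stores return the same rows; with EXFIL_PREFIX the vulnerable store's result set for session s1 also contains the table name read from sqlite_master, while the hardened store refuses to construct at all. Quoting on its own is not enough: a name that passes the allow-list can still be quoted, but quoting a name that was never validated only moves the problem.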

CVE-2026-40313 - PraisonAI: ArtiPACKED Vulnerability via GitHub Actions Credential Persistence

CVE ID :CVE-2026-40313
Published : April 14, 2026, 4:17 a.m. | 6 hours, 26 minutes ago
Description :PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to the ArtiPACKED attack, a known credential leakage vector caused by using actions/checkout without setting persist-credentials: false. By default, actions/checkout writes the GITHUB_TOKEN (and sometimes ACTIONS_RUNTIME_TOKEN) into the .git/config file for persistence, and if any subsequent workflow step uploads artifacts (build outputs, logs, test results, etc.), these tokens can be inadvertently included. Since PraisonAI is a public repository, any user with read access can download these artifacts and extract the leaked tokens, potentially enabling an attacker to push malicious code, poison releases and PyPI/Docker packages, steal repository secrets, and execute a full supply chain compromise affecting all downstream users. The issue spans numerous workflow and action files across .github/workflows/ and .github/actions/. This issue has been fixed in version 4.5.140.
Severity: 9.1 | CRITICAL

Source: Latest Vulnerabilities | 14 Apr 2026 | 4:17 am UTC
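
The CVE-2026-40313 entry describes a condition that is easy to audit for: a checkout step that does not set persist-credentials: false, in a workflow that also uploads artifacts. The Python below is an added example for this page, not part of PraisonAI or of any GitHub tooling. The workflow and .git/config texts are constructed samples; the base64 value in the config is a made-up placeholder, and the layout of the persisted credential (an extraheader under the http section, as actions/checkout writes it) is stated here from the action's documented behaviour rather than from the page. The step walker is a small indentation scanner, not a YAML parser, which is enough for the block-style workflow files this check is meant for.

```python
import re

# Constructed sample workflow: the first checkout step keeps the token, the
# second opts out, and a later step uploads the working tree as an artifact.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Checkout (hardened)
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: pytest
      - uses: actions/upload-artifact@v4
        with:
          name: build-output
          path: .
"""

# Constructed .git/config in the shape actions/checkout leaves behind when
# credentials are persisted. The base64 value is a placeholder, not a token.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://github.com/example/repo
[http "https://github.com/"]
\textraheader = AUTHORIZATION: basic eC1hY2Nlc3MtdG9rZW46Z2hzX3BsYWNlaG9sZGVy
"""

STEP_START = re.compile(r"^(\s*)-\s+\S")
CHECKOUT = re.compile(r"^uses:\s*actions/checkout\b")
PERSIST_FALSE = re.compile(r"^persist-credentials:\s*['\"]?false['\"]?\s*(#.*)?$")
UPLOAD = re.compile(r"^uses:\s*actions/upload-artifact\b")
AUTH_HEADER = re.compile(r"^\s*extraheader\s*=\s*AUTHORIZATION:", re.IGNORECASE)


def iter_steps(lines):
    """Yield (line_no, [stripped lines]) for each '- ...' list item together
    with the more-indented lines that belong to it. An indentation walker,
    not a YAML parser: sufficient for block-style workflow files."""
    i = 0
    while i < len(lines):
        m = STEP_START.match(lines[i])
        if not m:
            i += 1
            continue
        dash_indent = len(m.group(1))
        block = [lines[i][dash_indent + 1:].strip()]
        j = i + 1
        while j < len(lines):
            stripped = lines[j].strip()
            if not stripped or stripped.startswith("#"):
                j += 1
                continue
            indent = len(lines[j]) - len(lines[j].lstrip(" "))
            if indent <= dash_indent:
                break
            block.append(stripped)
            j += 1
        yield i + 1, block
        i = j


def audit_workflow(text: str) -> dict:
    """Report checkout steps that leave persist-credentials at its default,
    and whether the workflow uploads artifacts at all (the leak needs both)."""
    unsafe, uploads = [], False
    for line_no, block in iter_steps(text.splitlines()):
        has_checkout = any(CHECKOUT.match(line) for line in block)
        opted_out = any(PERSIST_FALSE.match(line) for line in block)
        if has_checkout and not opted_out:
            unsafe.append(line_no)
        if any(UPLOAD.match(line) for line in block):
            uploads = True
    return {"unsafe_checkout_lines": unsafe, "uploads_artifacts": uploads}


def git_config_leaks_token(config_text: str) -> bool:
    """Check a .git/config taken from a downloaded artifact for a persisted
    Authorization extraheader, which is what an attacker would look for."""
    return any(AUTH_HEADER.match(line) for line in config_text.splitlines())


if __name__ == "__main__":
    print(audit_workflow(SAMPLE_WORKFLOW))
    print(git_config_leaks_token(SAMPLE_GIT_CONFIG))
```

Run audit_workflow over every file under .github/workflows/ and .github/actions/; a step is only flagged when it is a checkout without the opt-out, so the hardened second step in the sample passes. The git_config_leaks_token check is the defender's version of the attacker's step: download your own recent artifacts and scan any .git/config inside them.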

CVE-2026-40289 - PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions

CVE ID :CVE-2026-40289
Published : April 14, 2026, 4:17 a.m. | 6 hours, 26 minutes ago
Description :PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on its /ws WebSocket endpoint. The server binds to 0.0.0.0 by default and only validates the Origin header when one is present, meaning any non-browser client that omits the header is accepted without restriction. An unauthenticated network attacker can connect, send a start_session message, and the server will route it to the first idle browser-extension WebSocket (effectively hijacking that session) and then broadcast all resulting automation actions and outputs back to the attacker. This enables unauthorized remote control of connected browser automation sessions, leakage of sensitive page context and automation results, and misuse of model-backed browser actions in any environment where the bridge is network-reachable. This issue has been fixed in versions 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents.
Severity: 9.1 | CRITICAL

Source: Latest Vulnerabilities | 14 Apr 2026 | 4:17 am UTC
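
The flaw in the CVE-2026-40289 entry is a specific shape of origin check: validate the Origin header only when it is present. Browsers always send Origin on a WebSocket upgrade, but a script using a WebSocket library or curl can simply leave it out, and a missing header therefore has to be treated as a failure, not a pass. The Python below is an added example for this page, not code from PraisonAI; the extension origin, the bearer-token scheme and the four sample handshakes are all constructed for the illustration. It shows the reported check beside one that requires an authentication token and an allow-listed Origin.

```python
import hmac

# Assumed allow-list: the origin of the browser extension that is supposed to
# talk to the bridge. The extension id is a placeholder for the example.
EXT_ORIGIN = "chrome-extension://abcdefghijklmnopabcdefghijklmnop"
ALLOWED_ORIGINS = {EXT_ORIGIN}


def flawed_origin_check(headers: dict) -> bool:
    """Mirrors the reported logic: the Origin header is validated only when
    present, so a non-browser client that omits it is accepted."""
    origin = headers.get("Origin")
    if origin is None:
        return True
    return origin in ALLOWED_ORIGINS


def hardened_handshake_check(headers: dict, expected_token: str) -> bool:
    """Accept the WebSocket upgrade only with a valid bearer token AND an
    allow-listed Origin. Browsers enforce Origin, arbitrary clients do not,
    so the header narrows which pages may connect but is not authentication;
    the token (compared in constant time) is what authenticates the peer."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(token, expected_token):
        return False
    origin = headers.get("Origin")
    return origin is not None and origin in ALLOWED_ORIGINS


def triage(clients: list, expected_token: str) -> dict:
    """Run both checks over (label, headers) handshakes and return which
    labels each check would admit."""
    return {
        "flawed": [label for label, h in clients if flawed_origin_check(h)],
        "hardened": [label for label, h in clients
                     if hardened_handshake_check(h, expected_token)],
    }


# Constructed handshakes: the real extension, a headless client that sends no
# Origin at all, a client that forges the extension's Origin but has no token,
# and a page on another origin that somehow learned the token.
TOKEN = "constructed-bridge-token"
CLIENTS = [
    ("extension", {"Origin": EXT_ORIGIN, "Authorization": "Bearer " + TOKEN}),
    ("headless-no-origin", {}),
    ("forged-origin-no-token", {"Origin": EXT_ORIGIN}),
    ("other-origin-with-token", {"Origin": "https://attacker.example",
                                 "Authorization": "Bearer " + TOKEN}),
]

if __name__ == "__main__":
    print(triage(CLIENTS, TOKEN))
```

The flawed check admits three of the four clients, including the one that sends nothing at all. The hardened check admits only the extension. Binding the listener to 127.0.0.1 instead of 0.0.0.0, as the entry notes the default is, removes the network-reachable case entirely and should be done in addition to, not instead of, the handshake check.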

CVE-2026-40288 - PraisonAI: Critical RCE via `type: job` workflow YAML

CVE ID :CVE-2026-40288
Published : April 14, 2026, 4:17 a.m. | 6 hours, 26 minutes ago
Description :PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run loads a YAML file with type: job, the JobWorkflowExecutor in job_workflow.py processes steps that support run: (shell commands via subprocess.run()), script: (inline Python via exec()), and python: (arbitrary Python script execution)—all without any validation, sandboxing, or user confirmation. The affected code paths include action_run() in workflow.py and _exec_shell(), _exec_inline_python(), and _exec_python_script() in job_workflow.py. An attacker who can supply or influence a workflow YAML file (particularly in CI pipelines, shared repositories, or multi-tenant deployment environments) can achieve full arbitrary command execution on the host system, compromising the machine and any accessible data or credentials. This issue has been fixed in versions 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents.
Severity: 9.8 | CRITICAL

Source: Latest Vulnerabilities | 14 Apr 2026 | 4:17 am UTC

CVE-2026-40287 - PraisonAI has RCE via Automatic tools.py Import

CVE ID :CVE-2026-40287
Published : April 14, 2026, 4:17 a.m. | 6 hours, 26 minutes ago
Description :PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import ./tools.py at startup without any validation, sandboxing, or user confirmation. An attacker who can place a malicious tools.py in the directory where PraisonAI is launched (such as through a shared project, cloned repository, or writable workspace) achieves immediate arbitrary Python code execution in the host environment. This compromises the full PraisonAI process, the host system, and any connected data or credentials. This issue has been fixed in version 4.5.139.
Severity: 8.4 | HIGH

Source: Latest Vulnerabilities | 14 Apr 2026 | 4:17 am UTC

CVE-2026-1607 - Surbma | Booking.com <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

CVE ID :CVE-2026-1607
Published : April 14, 2026, 4:17 a.m. | 6 hours, 26 minutes ago
Description :The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `surbma-bookingcom` shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM

Source: Latest Vulnerabilities | 14 Apr 2026 | 4:17 am UTC

CVE-2026-6264 - Critical Security fix for the Talend JobServer and Talend Runtime

CVE ID :CVE-2026-6264
Published : April 14, 2026, 3:16 a.m. | 7 hours, 27 minutes ago
Description :A critical vulnerability in the Talend JobServer and Talend Runtime allows unauthenticated remote code execution via the JMX monitoring port. The attack vector is the JMX monitoring port of the Talend JobServer. The vulnerability can be mitigated for the Talend JobServer by requiring TLS client authentication for the monitoring port; however, the patch must be applied for full mitigation. For Talend ESB Runtime, the vulnerability can be mitigated by disabling the JobServer JMX monitoring port, which is disabled by default from the R2024-07-RT patch.
Severity: 9.8 | CRITICAL

Source: Latest Vulnerabilities | 14 Apr 2026 | 3:16 am UTC

CVE-2026-6227 - BackWPup <= 5.6.6 - Authenticated (Administrator+) Local File Inclusion via 'block_name' Parameter

CVE ID :CVE-2026-6227
Published : April 14, 2026, 3:16 a.m. | 7 hours, 27 minutes ago
Description :The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive `str_replace()` sanitization of path traversal sequences. This makes it possible for authenticated attackers, with Administrator-level access and above, to include arbitrary PHP files on the server via crafted traversal sequences (e.g., `....//`), which can be leveraged to read sensitive files such as `wp-config.php` or achieve remote code execution in certain configurations. Administrators have the ability to grant individual users permission to handle backups, which may then allow lower-level users to exploit this vulnerability.
Severity: 7.2 | HIGH

Source: Latest Vulnerabilities | 14 Apr 2026 | 3:16 am UTC
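
Two entries on this page are the same bug in different clothes: CVE-2026-33929 (Apache PDFBox example) is a containment check that compares path strings without the separator, so /home/ABCDEF passes as "inside" /home/ABC, and CVE-2026-6227 (BackWPup) is a single-pass str_replace() of traversal sequences that lets `....//` collapse into `../`. The Python below is an added example for this page, not code from either project; the paths are constructed and do not need to exist. It puts both broken checks next to a containment test that canonicalises the path and requires the base directory to be a common ancestor rather than a string prefix.

```python
import os


def naive_strip_traversal(user_path: str) -> str:
    """Single-pass removal of '../', the same shape as a non-recursive
    str_replace(). One pass turns '....//' into '../', so a traversal
    sequence survives the 'sanitiser' and reaches the filesystem call."""
    return user_path.replace("../", "")


def prefix_only_contained(base: str, candidate: str) -> bool:
    """Flawed containment test: a plain string-prefix comparison with no
    separator check, so '/home/ABCDEF/...' counts as inside '/home/ABC'."""
    return os.path.abspath(candidate).startswith(os.path.abspath(base))


def contained_in(base: str, candidate: str) -> bool:
    """Containment test that respects the separator: canonicalise both
    paths (collapsing '..' and symlinks) and require base to be a common
    ancestor of the candidate rather than a prefix of its string form."""
    base_abs = os.path.realpath(base)
    cand_abs = os.path.realpath(candidate)
    try:
        return os.path.commonpath([base_abs, cand_abs]) == base_abs
    except ValueError:  # different drives on Windows, or mixed abs/rel
        return False


def safe_join(base: str, user_name: str) -> str:
    """Resolve a user-supplied name under base or raise ValueError. This is
    the shape of check both entries need: an embedded-file name written to
    an output directory, or a block name mapped to a file to include."""
    target = os.path.realpath(os.path.join(base, user_name))
    if not contained_in(base, target):
        raise ValueError(f"refusing path outside {base!r}: {user_name!r}")
    return target


def is_safe_name(base: str, user_name: str) -> bool:
    """Boolean wrapper around safe_join for callers that only need a verdict."""
    try:
        safe_join(base, user_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs; the directories do not need to exist, since
    # realpath resolves only the components that are present.
    print(naive_strip_traversal("....//etc/passwd"))
    print(prefix_only_contained("/home/ABC", "/home/ABCDEF/x"))
    print(contained_in("/home/ABC", "/home/ABCDEF/x"))
    print(is_safe_name("/home/ABC/out", "report.txt"))
    print(is_safe_name("/home/ABC/out", naive_strip_traversal("....//....//....//etc/passwd")))
```

The order matters: canonicalise first, then compare, and compare on path components (commonpath) rather than on characters. Stripping `../` in a loop until nothing changes would close the `....//` hole but still leaves symlinks and platform-specific separators unhandled, which is why the example does not bother with a "recursive" sanitiser at all.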

CVE-2026-4388 - Form Maker by 10Web <= 1.15.40 - Unauthenticated Stored Cross-Site Scripting via Matrix Field Text Box

CVE ID :CVE-2026-4388
Published : April 14, 2026, 3:16 a.m. | 7 hours, 27 minutes ago
Description :The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tags but not quotes) and missing output escaping when rendering submission data in the admin Submissions view. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript through a form submission that executes in the browser of an administrator who views the submission details.
Severity: 7.2 | HIGH

Source: Latest Vulnerabilities | 14 Apr 2026 | 3:16 am UTC
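
The CVE-2026-4388 entry makes a point that applies to every stored-XSS item on this page: tag stripping on input is not output escaping, and a value that contains no tags at all can still break out of an HTML attribute with a single quote character. The Python below is an added example for this page, not code from Form Maker or WordPress; strip_tags_only() is a stand-in for the "strips tags but not quotes" behaviour the entry describes, the input element is an invented rendering of a submission cell, and both submissions are constructed. It renders the same stored value with and without context-aware escaping.

```python
import html
import re

TAG_RE = re.compile(r"<[^>]*>")


def strip_tags_only(value: str) -> str:
    """Stand-in for input sanitisation that removes tags but keeps quotes,
    the behaviour the Form Maker entry attributes to sanitize_text_field().
    Enough to stop a <script> tag, useless against attribute break-out."""
    return TAG_RE.sub("", value)


def render_cell_unescaped(stored: str) -> str:
    """Vulnerable rendering: the stored value is placed inside a quoted
    attribute with no output escaping."""
    return f'<input type="text" value="{stored}" readonly>'


def render_cell_escaped(stored: str) -> str:
    """Fixed rendering: escape at output time for the attribute context.
    quote=True converts both quote characters to entities."""
    return f'<input type="text" value="{html.escape(stored, quote=True)}" readonly>'


def breaks_out_of_attribute(rendered: str) -> bool:
    """Check used here to make the difference visible: the template has
    exactly four literal quote characters, so any extra ones mean the value
    closed the attribute and injected further markup."""
    return rendered.count('"') != 4


# Constructed submissions: one carrying a tag, one carrying no tag at all.
SCRIPT_SUBMISSION = "<script>alert(1)</script>"
ATTR_SUBMISSION = '" autofocus onfocus="alert(document.cookie)'

if __name__ == "__main__":
    for raw in (SCRIPT_SUBMISSION, ATTR_SUBMISSION):
        stored = strip_tags_only(raw)
        for render in (render_cell_unescaped, render_cell_escaped):
            out = render(stored)
            print(breaks_out_of_attribute(out), out)
```

The tag-bearing submission is neutralised by stripping alone, which is why this class of sanitiser looks sufficient in testing. The second submission passes through the stripper untouched and, rendered without escaping, becomes a new autofocus/onfocus attribute pair that fires as soon as the admin's Submissions view focuses the field. The escaped rendering keeps the value inside the attribute, and the same html.escape(..., quote=True) call is the right choice for any attribute context; text-node and JavaScript contexts each need their own encoder.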

CVE-2026-34984 - External Secrets Operator has DNS exfiltration via getHostByName in its v2 template engine

CVE ID :CVE-2026-34984
Published : April 14, 2026, 3:16 a.m. | 7 hours, 27 minutes ago
Description :External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Versions 2.2.0 and below contain a vulnerability in runtime/template/v2/template.go where the v2 template engine removes env and expandenv from Sprig's TxtFuncMap() but leaves the getHostByName function accessible to user-controlled templates. Since ESO executes templates within the controller process, an attacker who can create or update templated ExternalSecret resources can invoke controller-side DNS lookups using secret-derived values. This creates a DNS exfiltration primitive, allowing fetched secret material to be leaked via DNS queries without requiring direct outbound network access from the attacker's workload. The impact is a confidentiality issue, particularly in environments where untrusted or lower-trust users can author templated ExternalSecret resources and the controller has DNS resolution capability. This issue has been fixed in version 2.3.0.
Severity: 7.1 | HIGH

Source: Latest Vulnerabilities | 14 Apr 2026 | 3:16 am UTC

ZDI-CAN-28694: AVG

A CVSS score 7.3 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Anonymous' was reported to the affected vendor on: 2026-04-09, 5 days ago. The vendor is given until 2026-08-07 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 9 Apr 2026 | 5:00 am UTC

ZDI-CAN-29340: OriginLab

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'rgod' was reported to the affected vendor on: 2026-04-09, 5 days ago. The vendor is given until 2026-08-07 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 9 Apr 2026 | 5:00 am UTC

ZDI-CAN-30385: OpenSSL

A CVSS score 3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N severity vulnerability discovered by 'TrendAI Zero Day Initiative' was reported to the affected vendor on: 2026-04-09, 5 days ago. The vendor is given until 2026-08-07 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 9 Apr 2026 | 5:00 am UTC

ZDI-CAN-29335: OriginLab

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'rgod' was reported to the affected vendor on: 2026-04-09, 5 days ago. The vendor is given until 2026-08-07 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 9 Apr 2026 | 5:00 am UTC

ZDI-CAN-30380: Apple

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Michael DePlante (@izobashi) of TrendAI Zero Day Initiative' was reported to the affected vendor on: 2026-04-09, 5 days ago. The vendor is given until 2026-08-07 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 9 Apr 2026 | 5:00 am UTC

ZDI-CAN-30375: Adobe

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'DongHyeon Hwang (kind_killerwhale)' was reported to the affected vendor on: 2026-04-09, 5 days ago. The vendor is given until 2026-08-07 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 9 Apr 2026 | 5:00 am UTC

ZDI-CAN-29543: Oracle

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Mat Powell of TrendAI Zero Day Initiative' was reported to the affected vendor on: 2026-04-08, 6 days ago. The vendor is given until 2026-08-06 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 8 Apr 2026 | 5:00 am UTC

ZDI-CAN-30364: Linux

A CVSS score 7.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L severity vulnerability discovered by 'Nicholas Zubrisky (@NZubrisky) of TrendAI Research' was reported to the affected vendor on: 2026-04-08, 6 days ago. The vendor is given until 2026-08-06 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 8 Apr 2026 | 5:00 am UTC

ZDI-CAN-29429: BlueZ

A CVSS score 7.1 AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'p0her' was reported to the affected vendor on: 2026-04-08, 6 days ago. The vendor is given until 2026-08-06 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 8 Apr 2026 | 5:00 am UTC

ZDI-CAN-29259: MaterialX

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'David Bors (@davidxbors), Catalin Iovita (@cataliniovita)' was reported to the affected vendor on: 2026-04-08, 6 days ago. The vendor is given until 2026-08-06 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 8 Apr 2026 | 5:00 am UTC

ZDI-CAN-29542: Oracle

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Mat Powell of TrendAI Zero Day Initiative' was reported to the affected vendor on: 2026-04-08, 6 days ago. The vendor is given until 2026-08-06 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 8 Apr 2026 | 5:00 am UTC

ZDI-CAN-29338: OriginLab

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'rgod' was reported to the affected vendor on: 2026-04-08, 6 days ago. The vendor is given until 2026-08-06 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 8 Apr 2026 | 5:00 am UTC

ZDI-CAN-30379: OpenSSL

A CVSS score 6.5 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L severity vulnerability discovered by 'FuzzOps of TrendAI Zero Day Initiative' was reported to the affected vendor on: 2026-04-08, 6 days ago. The vendor is given until 2026-08-06 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 8 Apr 2026 | 5:00 am UTC

ZDI-CAN-29541: Oracle

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Mat Powell of TrendAI Zero Day Initiative' was reported to the affected vendor on: 2026-04-08, 6 days ago. The vendor is given until 2026-08-06 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 8 Apr 2026 | 5:00 am UTC

ZDI-CAN-29333: OriginLab

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'rgod' was reported to the affected vendor on: 2026-04-08, 6 days ago. The vendor is given until 2026-08-06 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 8 Apr 2026 | 5:00 am UTC

ZDI-CAN-29330: Backblaze

A CVSS score 6.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H severity vulnerability discovered by 'hamdi' was reported to the affected vendor on: 2026-04-07, 7 days ago. The vendor is given until 2026-08-05 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 7 Apr 2026 | 5:00 am UTC

ZDI-CAN-29165: Koha

A CVSS score 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Shukrulloh Raximov' was reported to the affected vendor on: 2026-04-07, 7 days ago. The vendor is given until 2026-08-05 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 7 Apr 2026 | 5:00 am UTC

ZDI-CAN-29318: Fabric.js

A CVSS score 4.0 AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N severity vulnerability discovered by 'nedlir' was reported to the affected vendor on: 2026-04-07, 7 days ago. The vendor is given until 2026-08-05 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 7 Apr 2026 | 5:00 am UTC

ZDI-CAN-29327: Backblaze

A CVSS score 6.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H severity vulnerability discovered by 'hamdi' was reported to the affected vendor on: 2026-04-07, 7 days ago. The vendor is given until 2026-08-05 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 7 Apr 2026 | 5:00 am UTC

ZDI-CAN-29326: Backblaze

A CVSS score 6.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H severity vulnerability discovered by 'hamdi' was reported to the affected vendor on: 2026-04-07, 7 days ago. The vendor is given until 2026-08-05 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 7 Apr 2026 | 5:00 am UTC

ZDI-CAN-30351: Splunk

A CVSS score 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Vladislav Berghici of TrendAI Research' was reported to the affected vendor on: 2026-04-07, 7 days ago. The vendor is given until 2026-08-05 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 7 Apr 2026 | 5:00 am UTC

ZDI-CAN-29328: Backblaze

A vulnerability with CVSS score 6.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H), discovered by 'hamdi', was reported to the affected vendor on 2026-04-07 (7 days ago). The vendor is given until 2026-08-05 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 7 Apr 2026 | 5:00 am UTC

ZDI-CAN-28208: Allegra

A vulnerability with CVSS score 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), discovered by 'Swagat Kumar Mishra', was reported to the affected vendor on 2026-04-07 (7 days ago). The vendor is given until 2026-08-05 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 7 Apr 2026 | 5:00 am UTC

ZDI-CAN-29324: Backblaze

A vulnerability with CVSS score 6.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H), discovered by 'hamdi', was reported to the affected vendor on 2026-04-07 (7 days ago). The vendor is given until 2026-08-05 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 7 Apr 2026 | 5:00 am UTC

ZDI-26-255: (0Day) Labcenter Electronics Proteus PDSPRJ File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Labcenter Electronics Proteus. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-5493.

Source: ZDI: Published Advisories | 6 Apr 2026 | 5:00 am UTC

ZDI-26-254: (0Day) Labcenter Electronics Proteus PDSPRJ File Parsing Type Confusion Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Labcenter Electronics Proteus. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-5496.

Source: ZDI: Published Advisories | 6 Apr 2026 | 5:00 am UTC

ZDI-26-256: (0Day) Labcenter Electronics Proteus PDSPRJ File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Labcenter Electronics Proteus. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-5494.

Source: ZDI: Published Advisories | 6 Apr 2026 | 5:00 am UTC

ZDI-26-257: (0Day) Labcenter Electronics Proteus PDSPRJ File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Labcenter Electronics Proteus. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-5495.

Source: ZDI: Published Advisories | 6 Apr 2026 | 5:00 am UTC

ZDI-CAN-29886: Adobe

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), discovered by 'Brandon Evans', was reported to the affected vendor on 2026-04-02 (12 days ago). The vendor is given until 2026-07-31 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 2 Apr 2026 | 5:00 am UTC

ZDI-26-251: Foxit PDF Reader Update Service Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

This vulnerability allows local attackers to escalate privileges on affected installations of Foxit PDF Reader. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-3775.

Source: ZDI: Published Advisories | 2 Apr 2026 | 5:00 am UTC

ZDI-26-252: Mozilla Firefox IonMonkey Switch Statement Optimization Type Confusion Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2026-4698.

Source: ZDI: Published Advisories | 2 Apr 2026 | 5:00 am UTC

ZDI-26-253: Microsoft Visual Studio Code mcp.json Command Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Visual Studio Code. User interaction is required to exploit this vulnerability in that the target must open a malicious project. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-21518.

Source: ZDI: Published Advisories | 2 Apr 2026 | 5:00 am UTC

ZDI-CAN-29653: Adobe

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), discovered by 'DongHyeon Hwang (kind_killerwhale)', was reported to the affected vendor on 2026-04-01 (13 days ago). The vendor is given until 2026-07-30 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 1 Apr 2026 | 5:00 am UTC

ZDI-CAN-30215: TrendAI

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), discovered by 'Lays (@_L4ys) of TRAPA Security', was reported to the affected vendor on 2026-04-01 (13 days ago). The vendor is given until 2026-07-30 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 1 Apr 2026 | 5:00 am UTC

ZDI-CAN-30180: TrendAI

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), discovered by 'Lays (@_L4ys) of TRAPA Security', was reported to the affected vendor on 2026-04-01 (13 days ago). The vendor is given until 2026-07-30 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 1 Apr 2026 | 5:00 am UTC

ZDI-CAN-29388: Avast

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), discovered by 'aviel zohar', was reported to the affected vendor on 2026-04-01 (13 days ago). The vendor is given until 2026-07-30 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 1 Apr 2026 | 5:00 am UTC

ZDI-CAN-30288: Samsung

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), discovered by 'Michael DePlante (@izobashi) of TrendAI Zero Day Initiative', was reported to the affected vendor on 2026-04-01 (13 days ago). The vendor is given until 2026-07-30 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 1 Apr 2026 | 5:00 am UTC

ZDI-CAN-30179: TrendAI

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), discovered by 'Lays (@_L4ys) of TRAPA Security', was reported to the affected vendor on 2026-04-01 (13 days ago). The vendor is given until 2026-07-30 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 1 Apr 2026 | 5:00 am UTC

ZDI-CAN-30002: TrendAI

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), discovered by 'Lays (@_L4ys) of TRAPA Security', was reported to the affected vendor on 2026-04-01 (13 days ago). The vendor is given until 2026-07-30 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 1 Apr 2026 | 5:00 am UTC

ZDI-CAN-29483: Apple

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), discovered by 'Michael DePlante (@izobashi) of TrendAI Zero Day Initiative', was reported to the affected vendor on 2026-04-01 (13 days ago). The vendor is given until 2026-07-30 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 1 Apr 2026 | 5:00 am UTC

ZDI-CAN-30003: Microsoft

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), discovered by 'mad31k', was reported to the affected vendor on 2026-04-01 (13 days ago). The vendor is given until 2026-07-30 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 1 Apr 2026 | 5:00 am UTC

ZDI-CAN-30052: Microsoft

A vulnerability with CVSS score 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), discovered by 'mad31k', was reported to the affected vendor on 2026-04-01 (13 days ago). The vendor is given until 2026-07-30 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 1 Apr 2026 | 5:00 am UTC

ZDI-CAN-28149: Bosch Rexroth

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), discovered by 'kimiya', was reported to the affected vendor on 2026-03-31 (14 days ago). The vendor is given until 2026-07-29 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 31 Mar 2026 | 5:00 am UTC

ZDI-CAN-28718: TrendAI

A vulnerability with CVSS score 5.6 (AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H), discovered by 'Zeze and Sharkkcode with TeamT5', was reported to the affected vendor on 2026-03-31 (14 days ago). The vendor is given until 2026-07-29 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 31 Mar 2026 | 5:00 am UTC

ZDI-CAN-29337: OriginLab

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), discovered by 'rgod', was reported to the affected vendor on 2026-03-31 (14 days ago). The vendor is given until 2026-07-29 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 31 Mar 2026 | 5:00 am UTC

ZDI-CAN-30346: BlackBerry

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), discovered by 'Mat Powell of TrendAI Zero Day Initiative', was reported to the affected vendor on 2026-03-31 (14 days ago). The vendor is given until 2026-07-29 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 31 Mar 2026 | 5:00 am UTC

ZDI-CAN-28898: GIMP

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), discovered by 'Anonymous', was reported to the affected vendor on 2026-03-31 (14 days ago). The vendor is given until 2026-07-29 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 31 Mar 2026 | 5:00 am UTC

ZDI-CAN-29536: pdfforge

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), discovered by 'Natnael Samson (@NattiSamson)', was reported to the affected vendor on 2026-03-31 (14 days ago). The vendor is given until 2026-07-29 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 31 Mar 2026 | 5:00 am UTC

ZDI-CAN-29370: Oracle

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), discovered by 'Dvir Gozlan', was reported to the affected vendor on 2026-03-31 (14 days ago). The vendor is given until 2026-07-29 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 31 Mar 2026 | 5:00 am UTC

ZDI-26-250: Linux Kernel Analog Device Driver Improper Validation of Array Index Local Privilege Escalation Vulnerability

This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.2. The following CVEs are assigned: CVE-2026-23092.

Source: ZDI: Published Advisories | 31 Mar 2026 | 5:00 am UTC

ZDI-CAN-29336: OriginLab

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), discovered by 'rgod', was reported to the affected vendor on 2026-03-31 (14 days ago). The vendor is given until 2026-07-29 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 31 Mar 2026 | 5:00 am UTC

ZDI-CAN-30175: Microsoft

A vulnerability with CVSS score 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N), discovered by 'Nelson William Gamazo Sanchez of TrendAI Research', was reported to the affected vendor on 2026-03-31 (14 days ago). The vendor is given until 2026-07-29 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 31 Mar 2026 | 5:00 am UTC

ZDI-CAN-30243: Google

A vulnerability with CVSS score 6.5 (AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H), discovered by 'Nitesh Surana (niteshsurana.com) of TrendAI Research', was reported to the affected vendor on 2026-03-31 (14 days ago). The vendor is given until 2026-07-29 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 31 Mar 2026 | 5:00 am UTC

ZDI-CAN-29496: dnsmasq

A vulnerability with CVSS score 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), discovered by 'Xander Mackenzie | @thetrueartist', was reported to the affected vendor on 2026-03-31 (14 days ago). The vendor is given until 2026-07-29 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 31 Mar 2026 | 5:00 am UTC

ZDI-CAN-30176: Microsoft

A vulnerability with CVSS score 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N), discovered by 'Nelson William Gamazo Sanchez of TrendAI Research', was reported to the affected vendor on 2026-03-31 (14 days ago). The vendor is given until 2026-07-29 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 31 Mar 2026 | 5:00 am UTC

ZDI-CAN-29120: GNU

A vulnerability with CVSS score 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H), discovered by 'PeikaiLi', was reported to the affected vendor on 2026-03-31 (14 days ago). The vendor is given until 2026-07-29 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 31 Mar 2026 | 5:00 am UTC

ZDI-CAN-29790: Linux

A vulnerability with CVSS score 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H), discovered by 'DongHyeon Hwang (kind_killerwhale)', was reported to the affected vendor on 2026-03-30 (15 days ago). The vendor is given until 2026-07-28 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 30 Mar 2026 | 5:00 am UTC

ZDI-CAN-29522: libgme

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), discovered by 'MICHAEL RANDRIANANTENAINA [https://elkamika.blogspot.com/]', was reported to the affected vendor on 2026-03-30 (15 days ago). The vendor is given until 2026-07-28 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 30 Mar 2026 | 5:00 am UTC

ZDI-CAN-29942: MLflow

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), discovered by 'Mat Powell of TrendAI Zero Day Initiative', was reported to the affected vendor on 2026-03-30 (15 days ago). The vendor is given until 2026-07-28 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 30 Mar 2026 | 5:00 am UTC

ZDI-CAN-29896: Adobe

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), discovered by 'Anonymous', was reported to the affected vendor on 2026-03-30 (15 days ago). The vendor is given until 2026-07-28 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 30 Mar 2026 | 5:00 am UTC

ZDI-CAN-29491: Foxit

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), discovered by 'Anonymous', was reported to the affected vendor on 2026-03-30 (15 days ago). The vendor is given until 2026-07-28 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 30 Mar 2026 | 5:00 am UTC

ZDI-CAN-29838: LiteLLM

A vulnerability with CVSS score 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), discovered by 'Javohir Abduxalilov (JavaSec.uz)', was reported to the affected vendor on 2026-03-30 (15 days ago). The vendor is given until 2026-07-28 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 30 Mar 2026 | 5:00 am UTC

ZDI-CAN-29494: Foxit

A vulnerability with CVSS score 3.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N), discovered by 'Anonymous', was reported to the affected vendor on 2026-03-30 (15 days ago). The vendor is given until 2026-07-28 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 30 Mar 2026 | 5:00 am UTC

ZDI-CAN-29495: Foxit

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), discovered by 'Anonymous', was reported to the affected vendor on 2026-03-30 (15 days ago). The vendor is given until 2026-07-28 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 30 Mar 2026 | 5:00 am UTC

ZDI-CAN-29663: oFono

A vulnerability with CVSS score 7.4 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), discovered by 'DongHyeon Hwang (kind_killerwhale)', was reported to the affected vendor on 2026-03-30 (15 days ago). The vendor is given until 2026-07-28 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 30 Mar 2026 | 5:00 am UTC

ZDI-CAN-29492: Foxit

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), discovered by 'Anonymous', was reported to the affected vendor on 2026-03-30 (15 days ago). The vendor is given until 2026-07-28 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 30 Mar 2026 | 5:00 am UTC

ZDI-CAN-30015: Adobe

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), discovered by 'Mark Vincent Yason (markyason.github.io)', was reported to the affected vendor on 2026-03-30 (15 days ago). The vendor is given until 2026-07-28 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 30 Mar 2026 | 5:00 am UTC

ZDI-CAN-29299: OpenPrinting

A vulnerability with CVSS score 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), discovered by 'Jeremy Brown', was reported to the affected vendor on 2026-03-30 (15 days ago). The vendor is given until 2026-07-28 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 30 Mar 2026 | 5:00 am UTC

ZDI-CAN-29477: Adobe

A vulnerability with CVSS score 3.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N), discovered by 'Mark Vincent Yason (markyason.github.io)', was reported to the affected vendor on 2026-03-30 (15 days ago). The vendor is given until 2026-07-28 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 30 Mar 2026 | 5:00 am UTC

ZDI-CAN-29413: Linux

A vulnerability with CVSS score 7.5 (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H), discovered by 'GangMin Kim', was reported to the affected vendor on 2026-03-30 (15 days ago). The vendor is given until 2026-07-28 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 30 Mar 2026 | 5:00 am UTC

ZDI-CAN-29409: Adobe

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), discovered by 'Mark Vincent Yason (markyason.github.io)', was reported to the affected vendor on 2026-03-30 (15 days ago). The vendor is given until 2026-07-28 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 30 Mar 2026 | 5:00 am UTC

ZDI-CAN-29939: MLflow

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), discovered by 'Mat Powell of TrendAI Zero Day Initiative', was reported to the affected vendor on 2026-03-30 (15 days ago). The vendor is given until 2026-07-28 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 30 Mar 2026 | 5:00 am UTC

ZDI-CAN-29940: MLflow

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), discovered by 'Mat Powell of TrendAI Zero Day Initiative', was reported to the affected vendor on 2026-03-30 (15 days ago). The vendor is given until 2026-07-28 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 30 Mar 2026 | 5:00 am UTC

ZDI-CAN-29941: MLflow

A vulnerability with CVSS score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), discovered by 'Mat Powell of TrendAI Zero Day Initiative', was reported to the affected vendor on 2026-03-30 (15 days ago). The vendor is given until 2026-07-28 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 30 Mar 2026 | 5:00 am UTC

ZDI-CAN-29433: Adobe

A vulnerability with CVSS score 3.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N), discovered by 'Mark Vincent Yason (markyason.github.io)', was reported to the affected vendor on 2026-03-30 (15 days ago). The vendor is given until 2026-07-28 to publish a fix or workaround. Once the vendor has created and tested a patch, we will coordinate the release of a public advisory.

Source: ZDI: Upcoming Advisories | 30 Mar 2026 | 5:00 am UTC

count: 100