alon710

CVE-2026-26131: CVE-2026-26131: Local Elevation of Privilege via Incorrect Default Permissions in .NET 10.0

CVSS Score: 7.8 Published: 2026-03-11 Full Report: https://cvereports.com/reports/CVE-2026-26131

Summary

CVE-2026-26131 is a critical Elevation of Privilege (EoP) vulnerability affecting Microsoft .NET 10.0 on Linux platforms. It is caused by incorrect default permissions applied during the build process, rendering core runtime components world-writable and susceptible to local binary planting and privilege escalation.

TL;DR

alon710

CVE-2026-32094: CVE-2026-32094: Argument Injection via Incomplete Shell Escaping in shescape

CVSS Score: 6.9 Published: 2026-03-11 Full Report: https://cvereports.com/reports/CVE-2026-32094

Summary

The shescape library prior to version 2.1.10 fails to properly escape square brackets when targeting Unix-like shells. This omission allows attackers to leverage shell pathname expansion (globbing) to perform argument injection attacks, potentially exposing sensitive local files.

TL;DR

alon710

CVE-2026-31892: CVE-2026-31892: Argo Workflows WorkflowTemplate Security Bypass via podSpecPatch

CVSS Score: 8.9 Published: 2026-03-11 Full Report: https://cvereports.com/reports/CVE-2026-31892

Summary

CVE-2026-31892 is a high-severity security bypass vulnerability in Argo Workflows that permits authenticated users to override administrative security constraints. By injecting a malicious podSpecPatch payload during workflow submission, attackers can achieve container escape and node-level privilege escalation, defeating the Strict template referencing protections.

TL;DR

alon710

CVE-2026-31863: CVE-2026-31863: Authentication Bypass via Brute Force in Anytype Heart gRPC API

CVSS Score: 3.6 Published: 2026-03-11 Full Report: https://cvereports.com/reports/CVE-2026-31863

Summary

The Anytype Heart middleware library fails to restrict excessive authentication attempts on its local gRPC client API. This vulnerability allows a local, unprivileged attacker to bypass challenge-based authentication by brute-forcing a 4-digit authorization code, resulting in unauthorized access to the Anytype application backend and the user's local data.

TL;DR

alon710

CVE-2024-34447: CVE-2024-34447: Hostname Verification Bypass in Bouncy Castle Java JSSE

CVSS Score: 7.5 Published: 2024-05-03 Full Report: https://cvereports.com/reports/CVE-2024-34447

Summary

A vulnerability in the Bouncy Castle Crypto Package for Java (BCJSSE) permits adversaries to bypass TLS hostname verification. By exploiting a fallback mechanism that evaluates the peer's IP address instead of the intended hostname, an attacker capable of DNS spoofing can conduct Adversary-in-the-Middle (AitM) attacks to intercept encrypted traffic.

TL;DR

alon710

CVE-2024-29857: CVE-2024-29857: Denial of Service via Algorithmic Complexity in Bouncy Castle ECC

CVSS Score: 7.5 Published: 2024-05-09 Full Report: https://cvereports.com/reports/CVE-2024-29857

Summary

An algorithmic complexity exhaustion vulnerability exists in the Bouncy Castle cryptographic libraries for Java and C# .NET. The vulnerability affects the processing of Elliptic Curve Cryptography (ECC) parameters defined over binary finite fields. Remote attackers can trigger unbounded resource consumption and cause a denial of service (DoS) by supplying specially crafted X.509 certificates with excessively large field degree parameters.

TL;DR

alon710

CVE-2026-26988: CVE-2026-26988: Critical SQL Injection in LibreNMS ajax_table.php Endpoint

CVSS Score: 9.1 Published: 2026-02-20 Full Report: https://cvereports.com/reports/CVE-2026-26988

Summary

LibreNMS versions up to 25.12.0 are vulnerable to an unauthenticated SQL injection in the address search functionality. The flaw allows remote attackers to execute arbitrary database queries via the ajax_table.php endpoint.

TL;DR

alon710

CVE-2026-28472: CVE-2026-28472: Device Identity Verification Bypass in OpenClaw Gateway WebSocket Handshake

CVSS Score: 8.1 Published: 2026-03-05 Full Report: https://cvereports.com/reports/CVE-2026-28472

Summary

CVE-2026-28472 is a critical security vulnerability in the OpenClaw automation platform affecting all versions prior to 2026.2.2. The vulnerability resides in the gateway's WebSocket connection handshake logic, where a flaw in authentication sequence allows unauthenticated attackers to bypass device identity verification. In environments utilizing secondary authentication providers, this can result in unauthorized operator access to the gateway.

TL;DR

alon710

CVE-2026-1566: CVE-2026-1566: Privilege Escalation via Improper Authorization in LatePoint WordPress Plugin

CVSS Score: 8.8 Published: 2026-03-02 Full Report: https://cvereports.com/reports/CVE-2026-1566

Summary

CVE-2026-1566 is a high-severity privilege escalation vulnerability in the LatePoint WordPress plugin affecting versions 5.2.7 and earlier. Authenticated attackers with Agent privileges can manipulate the wordpress_user_id parameter during customer creation to link their account to an administrator, enabling full site takeover via password reset mechanisms.

TL;DR

alon710

CVE-2026-31829: CVE-2026-31829: Server-Side Request Forgery in Flowise HTTP Node

CVSS Score: 7.1 Published: 2026-03-11 Full Report: https://cvereports.com/reports/CVE-2026-31829

Summary

Flowise versions prior to 3.0.13 are vulnerable to a High-severity Server-Side Request Forgery (SSRF) flaw in the HTTP Node component. Attackers with access to modify chatflows can force the server to execute unauthorized requests against internal network boundaries, cloud metadata endpoints, and local services.

TL;DR