Trending vulnerabilities

Trending 25
Critical 4
In KEV 3
Peak EPSS 28%
Posts 265
#1 CVE-2026-31431 HIGH · 7.8 KEV
hype LIKELY HACK · 72 hack

KEV + distro patches + PoC public; "CopyFail" branding inflates hype but real exploitation confirmed.

What: Linux kernel crypto/algif_aead in-place operation flaw allowing local privilege escalation (CVE-2026-31431, CVSS 7.8 HIGH, EPSS 0.8%).

Why it matters: KEV-listed as of 2026-05-01. Multiple distros patching urgently (Arch 6.19.12-1, AlmaLinux, Ubuntu). Public PoC circulating with "732-byte exploit" narrative. Kernel crypto subsystem affects all local users; privilege escalation to root confirmed in chatter.

Where it's seen: Cross-distro security advisories (Arch, AlmaLinux, Alpine, Ubuntu, Rocky, CentOS); Medium writeups; Spanish/multilingual coverage; community noting "clickbait" framing but confirming real LPE impact.

score 44 · 106 posts
#2 CVE-2026-41940 CRITICAL · 9.8 KEV
hype ACTIVE HACK · 94 hack

Active in-the-wild exploitation, KEV-listed, confirmed Mirai/ransomware campaigns, mass scanning.

What: Authentication bypass in cPanel/WHM versions after 11.40 allowing unauthenticated remote root access (CVSS 9.8 CRITICAL, EPSS 0.96).

Why it matters: KEV-listed 2026-04-30. Active in-the-wild exploitation confirmed within 24 hours of disclosure. Censys reports 80% of new malicious hosts linked to cPanel; Shadowserver observed 44K+ compromised IPs scanning honeypots. Mirai variants and ".sorry" ransomware campaigns already active. ~1.5M cPanel instances exposed online.

Where it's seen: Security research teams (Censys, Shadowserver, DFIR analysts) publishing mass-compromise metrics and botnet/ransomware attribution. Hosting providers (Hostao) taking services offline. Global CERT advisories issued. Patch available since 2026-04-28.

score 25 · 59 posts
#3 CVE-2026-7684 HIGH · 8.8
hype LIKELY HACK · 72 hack

Public PoC disclosed; vendor non-responsive; high CVSS; defender guidance actionable but no mass-exploitation signal yet.

What: Buffer overflow in Edimax BR-6428nC router firmware (up to v1.16) in /goform/setWAN endpoint via pptpDfGateway parameter. CVSS 8.8 (HIGH). Remote, unauthenticated exploitation possible.

Why it matters: Public exploit disclosed same day as NVD publication; vendor unresponsive to early notification; no patch available. IoT device installed base at risk of RCE if remotely accessible.

Where it's seen: Security news feeds (Patchstack, OffSeq radar, Vulmon) and threat aggregators amplifying NVD entry within hours. Chatter driven by automated CVE feeds; one source explicitly flags unpatched state and recommends immediate mitigation.

score 7 · 6 posts

Also trending

  4. CVE-2026-3854 HIGH · 8.8 score 7 · 8 posts
    hype MIXED · 42 hack

    What: Improper neutralization of special elements in GitHub Enterprise Server git push options allows authenticated attackers to achieve remote code execution via header injection. CVSS 8.8 HIGH.

    Why it matters: GitHub patched across six versions (3.14.25 through 3.19.4) within ~3 weeks of disclosure. Vendor statement indicates no in-the-wild exploitation detected pre-patch. Not KEV-listed. Social chatter amplifies severity but confirms vendor response; no public PoC or active exploitation reported.

    Where it's seen: Blog posts from security firms (Wiz), industry newsletters, and threat-tracking accounts recycling vendor advisory. Posts emphasize RCE impact and patch urgency; no defender triage questions or PoC drops observed.

  5. CVE-2026-7675 HIGH · 8.8 score 7 · 6 posts
    hype MIXED · 58 hack

    What: Buffer overflow in Shenzhen Libituo LBT-T300-HW1 apply.cgi start_lan function via Channel/ApCliSsid argument manipulation; affects firmware ≤1.2.8. CVSS 8.8 (HIGH).

    Why it matters: Public exploit disclosed; vendor unresponsive to early disclosure. Remote attack vector on IoT/network device. Not KEV-listed yet, but active PoC availability and vendor non-response elevate triage priority for organizations running affected hardware.

    Where it's seen: Automated CVE alert feeds and security news aggregators (CVEarity, Bluesky infosec accounts, threat radar services, journalist coverage). No evidence of widespread in-the-wild scanning or mass exploitation chatter; mostly alert automation and early researcher sharing.

  6. CVE-2026-7674 HIGH · 8.8 score 7 · 7 posts
    hype MIXED · 42 hack

    What: Remote buffer overflow in Shenzhen Libituo LBT-T300-HW1 Web Management Interface (versions ≤1.2.8) via VPN argument manipulation; CVSS 8.8 (HIGH).

    Why it matters: Published same day with no patch available; vendor unresponsive to disclosure. Post #3 claims active exploitation, but lacks corroborating PoC, scanning data, or defender triage reports. Not KEV-listed. Most posts are feed/alert aggregation; no security researcher validation yet.

    Where it's seen: Vulnerability feed chatter, alert automation, one unsubstantiated claim of "being exploited now" on X. No vendor advisory, no public PoC, no defender questions in forums.

  7. CVE-2026-7685 HIGH · 8.8 score 6 · 5 posts
    hype LIKELY HACK · 72 hack

    What: Buffer overflow in Edimax BR-6208AC router (≤v1.02) via /goform/setWAN pptpDfGateway parameter; CVSS 8.8 (HIGH), unauthenticated remote code execution risk.

    Why it matters: Public exploit available same day as disclosure; vendor unresponsive to early notice; no patch released. Real attack surface on consumer/small-business routers in the wild.

    Where it's seen: Feed-flooding from CVE aggregators and IoT security vendors within hours of publication. Defender advisory tone ("segment devices now") signals urgent triage concern. No mass-scanning reports yet but PoC availability raises imminent exploitation risk.

  8. CVE-2026-35002 CRITICAL · 9.8 score 5 · 3 posts
    hype MOSTLY HYPE · 28 hack

    What: Eval injection vulnerability in the agno library (versions <2.x), affecting AI agent applications. CVSS and EPSS data unavailable.

    Why it matters: NVD metadata not yet enriched; no KEV listing, no published CVE details, no PoC confirmation, and no vendor advisory visible. The signal is a single developer's internal pull request upgrading agno to patch the flaw—credible but isolated. Without independent confirmation or public advisory, exploitation status remains unclear.

    Where it's seen: Chatter limited to one GitHub/social account posting about an internal dependency upgrade. No journalist coverage, no researcher PoCs, no defender triage activity observed.

  9. CVE-2026-40561 score 5 · 6 posts
    hype MOSTLY HYPE · 18 hack

    What: HTTP Request Smuggling in Starlet (Perl web server) through v0.31 via improper header precedence—Content-Length prioritized over Transfer-Encoding in violation of RFC 7230, enabling request smuggling via reverse proxies.

    Why it matters: Published today with no CVSS/EPSS scores, no KEV listing, and no public PoC or vendor advisory detected. Social signal is purely automated feed republication from NVD/CVE databases. No defender triage or patch activity reported.

    Where it's seen: Five low-engagement posts, all feed-driven mirrors (CVEnew, Vulmon, Bluesky aggregators). No researcher analysis, no vendor statement, no exploitation chatter.

  10. CVE-2026-7673 MEDIUM · 4.7 score 5 · 5 posts
    hype MOSTLY HYPE · 28 hack

    What: Unrestricted file upload in CRMEB Java admin component (UploadServiceImpl.java) affecting versions up to 1.3.4; CVSS 4.7 (medium severity).

    Why it matters: Public exploit available; vendor non-responsive to disclosure. However, not KEV-listed and CVSS is low-medium, suggesting limited real-world traction. Chatter is mostly automated CVE feed republication with no defender reports or active exploitation signals.

    Where it's seen: Automated CVE alert bots (CVEarity, VulmonFeeds, CVEnew) syndicated the NVD entry within hours of publication. No security researcher analysis, PoC walkthrough, or victim reports detected.

  11. CVE-2026-7672 MEDIUM · 6.3 score 5 · 5 posts
    hype MOSTLY HYPE · 28 hack

    What: SQL injection in youlaitech youlai-boot getUserList endpoint (Users Controller) via argument order manipulation; affects versions ≤2.21.1; CVSS 6.3 MEDIUM.

    Why it matters: Public exploit disclosure exists and vendor did not respond to early notification. However, CVE is not KEV-listed, no EPSS score available, and no evidence of active in-the-wild exploitation or mass scanning reported in social chatter. Appears to be automated CVE feed amplification rather than defender triage activity.

    Where it's seen: Automated CVE alert aggregators and security feeds (CVEarity, CVEnew, VulmonFeeds, Vulmon) republishing the NVD description on the day of publication; no researcher analysis, PoC links, or patch advisories present in top posts.

  12. CVE-2026-7681 MEDIUM · 6.5 score 5 · 4 posts
    hype MOSTLY HYPE · 28 hack

    What: Authorization bypass in jsbroks COCO Annotator ≤0.11.1 Dataset API via DatasetId parameter manipulation (CVSS 6.5 MEDIUM).

    Why it matters: Public exploit disclosed; vendor unresponsive to early notification. No KEV listing yet. Chatter is automated feed aggregation (CVEnew, VulmonFeeds, security blogs) with no defender triage or working PoC confirmation visible in the posts.

    Where it's seen: Automated CVE feed tweets and Bluesky repeats. No vendor advisory, no researcher deep-dive, no "I found this in the wild" signals—purely NVD replication within hours of publication.

  13. CVE-2026-5063 HIGH · 7.2 score 5 · 4 posts
    hype MOSTLY HYPE · 22 hack

    What: Stored XSS in NEX-Forms WordPress plugin (≤9.1.11) via POST parameter key names; CVSS 7.2 HIGH, exploitable by unauthenticated attackers injecting scripts.

    Why it matters: CVE published today with HIGH severity, but not yet KEV-listed. No public PoC or vendor patch announced. Social chatter consists of automated feeds and threat intel aggregators amplifying the advisory itself, with one post advising disabling the plugin due to lack of remediation. No defender triage or in-the-wild exploitation reports.

    Where it's seen: Vulnerability feed reshares (VulmonFeeds, threat radar), Japanese-language advisory posts, and generic security alert amplification across Bluesky and X. No vendor statement, no PoC repositories, no developer questions.

  14. CVE-2026-7669 MEDIUM · 5.6 score 4 · 5 posts
    hype MOSTLY HYPE · 28 hack

    What: Unsafe deserialization in SGLang's HuggingFace Transformer handler (get_tokenizer function) affecting versions up to 0.5.9. CVSS 5.6 MEDIUM.

    Why it matters: Published yesterday with no vendor response, no KEV listing, and no confirmed PoC. Social chatter conflates unrelated authorization bypass claims (NextChat MCP) with the deserialization flaw. High complexity + difficult exploitability per NVD reduce practical risk. Chatter is largely automated feed replication.

    Where it's seen: Vuln alert feeds and automated CVE tracking accounts dominating; one speculative post claiming RCE but without supporting evidence or PoC link.

  15. CVE-2026-7671 LOW · 3.7 score 4 · 4 posts
    hype PURE HYPE · 12 hack

    What: Improper rate-limiting on two-factor authentication endpoint in CodeWise Tornet Scooter Mobile App 4.75 (iOS/Android); CVSS 3.7 (LOW).

    Why it matters: Low CVSS score, difficult exploitability, vendor unresponsive but no KEV listing or confirmed in-the-wild exploitation. Public PoC disclosed, but social chatter is purely automated CVE feed rebroadcasts with no defender triage or incident reporting evident.

    Where it's seen: Generic CVE alert bots and security feeds republishing NVD description verbatim within hours of publication. No vendor advisories, researcher analysis, or operational security discussion observed.

  16. CVE-2026-32202 MEDIUM · 4.3 KEV score 4 · 4 posts
    hype LIKELY HACK · 78 hack

    What: Windows Shell protection mechanism failure (CVE-2026-32202, CVSS 4.3, EPSS 0.07) allows remote spoofing and zero-click NTLM credential theft via SMB.

    Why it matters: KEV-listed 2026-04-28; Microsoft confirmed active exploitation in-the-wild; CISA issued patch deadline (May 12); researchers flag CVSS underestimation—zero-click credential relay enabling domain lateral movement. Incomplete patch of prior flaw means unpatched systems remain exposed.

    Where it's seen: Threat intel and SOC teams reporting APT28 exploitation; vendor patching alerts (April Patch Tuesday); federal remediation timeline; security practitioners debating CVSS accuracy and SMB blocking strategies; no public PoC but exploitation confirmed by Microsoft/CISA.

  17. CVE-2026-7682 MEDIUM · 6.3 score 4 · 3 posts
    hype MIXED · 45 hack

    What: Command injection in Edimax BR-6208AC 1.02 L2TP mode via L2TPUserName parameter in /goform/setWAN endpoint (CVSS 6.3 MEDIUM).

    Why it matters: Public PoC released; vendor unresponsive to early disclosure. Not KEV-listed yet. Low-end CVSS and lack of urgent patching or active in-the-wild reports suggest limited immediate impact, but unauthenticated remote code execution on consumer routers warrants triage for exposed devices.

    Where it's seen: Standard CVE feed amplification (automated feeds and security news accounts). No defender questions, no exploit-in-the-wild confirmation, no vendor advisory.

  18. CVE-2026-5337 score 4 · 3 posts
    hype MOSTLY HYPE · 22 hack

    What: Insecure Direct Object Reference (IDOR) in Frontend File Manager Plugin WordPress through v23.6 allows authenticated Subscriber-level users to access files belonging to other users by tampering with the file_id parameter.

    Why it matters: WordPress plugin flaw in file access control; authenticated low-privilege users can read admin and other sensitive files. No KEV listing, no CVSS/EPSS scores, and no public PoC or in-the-wild reports evident in chatter.

    Where it's seen: Feed aggregators (CVE trackers, Vulmon) republishing NVD description same-day; no vendor advisory, researcher PoC, or defender triage signals detected.

  19. CVE-2026-7683 MEDIUM · 6.3 score 4 · 3 posts
    hype MOSTLY HYPE · 28 hack

    What: Command injection in Edimax BR-6428nC router Web Interface (/goform/setWAN, pppUserName/pptpUserName parameter) affecting firmware up to v1.16; CVSS 6.3 MEDIUM.

    Why it matters: Public PoC available and vendor non-responsive to early disclosure. Not yet KEV-listed. Affects consumer routers; the flaw is remotely exploitable but requires network access to the Web Interface (likely internal or exposed). Medium severity limits immediate urgency.

    Where it's seen: Automated feed amplification (CVE feeds, vulnerability aggregators) on publication day; no independent researcher analysis or active exploitation reports visible. Chatter is advisory rebroadcast, not operational defender triage.

  20. CVE-2026-2554 HIGH · 8.1 score 4 · 4 posts
    hype MIXED · 48 hack

    What: Insecure Direct Object Reference (IDOR) in WCFM – Frontend Manager for WooCommerce plugin (all versions ≤6.7.25) allows authenticated Vendor-level users to delete arbitrary accounts including admins. CVSS 8.1 HIGH.

    Why it matters: Published yesterday; HIGH CVSS score; affects WooCommerce sites with Vendor access model. Chatter emphasizes no patch available yet and recommends immediate access control hardening. No KEV listing or confirmed public PoC yet, but straightforward IDOR attack surface elevates concern for WordPress administrators managing multi-vendor storefronts.

    Where it's seen: Security news aggregators and threat radar platforms amplifying NVD advisory within 24 hours of publication; defender-focused posts recommending access restrictions and audit logging; international coverage (Japanese translation present).

  21. CVE-2026-42779 CRITICAL · 9.8 score 3 · 3 posts
    hype MIXED · 58 hack

    What: Incomplete patch in Apache MINA 2.1.X and 2.2.X branches allows remote code execution via deserialization bypass in AbstractIoBuffer.resolveClass(). CVSS 9.8 CRITICAL.

    Why it matters: Prior fix for CVE-2026-41635 omitted from later branches, re-exposing classname allowlist bypass. Applications calling IoBuffer.getObject() are vulnerable. Vendor patched in 2.1.12 and 2.2.7 as of May 1, 2026. No KEV listing yet, no public PoC observed in posts.

    Where it's seen: Security feed aggregators posting vendor advisory summary same day as publication. Chatter is alert-style, urging immediate upgrade to patched versions. No researcher PoC or in-the-wild exploitation reports in trending posts.

  22. CVE-2026-42208 score 3 · 3 posts
    hype LIKELY HACK · 78 hack

    What: SQL injection in LiteLLM proxy (AI gateway) allowing unauthenticated database access to API keys for OpenAI, Anthropic, AWS and other upstream providers. CVSS/EPSS scores unavailable.

    Why it matters: Social chatter consistently reports in-the-wild exploitation within 36 hours of public disclosure. Posts describe active weaponization targeting credential vaults in production AI infrastructure. Multiple security vendors and analysts flagging urgent patch requirement. No KEV listing evident in metadata, but defender urgency and rapid exploitation timeline are strong signals of real compromise activity.

    Where it's seen: X and Bluesky posts from security researchers, vendor advisories, and threat intelligence accounts repeating near-identical "36 hours to exploitation" narrative. Framing emphasizes AI supply-chain risk and credential exposure severity.

  23. CVE-2026-6320 HIGH · 7.5 score 3 · 3 posts
    hype MIXED · 38 hack

    What: Unauthenticated arbitrary file read in Salon Booking System WordPress plugin (≤10.30.25) via path traversal in booking form; CVSS 7.5 HIGH.

    Why it matters: Published 24 hours ago with no vendor patch announced yet. Low EPSS (0.26%) suggests minimal active exploitation signal so far, but vulnerability is trivial to exploit—unauthenticated attackers can exfiltrate server files via email attachments. Not KEV-listed. Social chatter urges immediate disablement; defenders should assess plugin deployment and patch availability.

    Where it's seen: Threat intel aggregators and infosec news feeds reporting NVD details and CVSS score; minimal discussion of active PoC or in-the-wild attacks as of publication.

  24. CVE-2026-7668 HIGH · 7.3 score 3 · 3 posts
    hype LIKELY HACK · 72 hack

    What: Out-of-bounds read in MikroTik RouterOS 6.49.8 SCEP endpoint (scep.p library) via malformed transactionID/messageType parameters; CVSS 7.3 HIGH.

    Why it matters: Exploit is publicly available and vendor (MikroTik) ignored early disclosure attempts. RouterOS SCEP endpoints are Internet-facing on many networks. No KEV listing yet, but public PoC + vendor non-response + high CVSS elevates risk significantly.

    Where it's seen: Same-day social chatter on Bluesky and Twitter from vulnerability feeds; posts are largely automated NVD mirrors with no independent researcher analysis or defender triage signals yet.

  25. CVE-2026-2796 CRITICAL · 9.8 score 3 · 3 posts
    hype MIXED · 58 hack

    What: JIT miscompilation in Firefox/Thunderbird SpiderMonkey WebAssembly component enabling memory corruption (addrof/fakeobj primitives); CVSS 9.8 CRITICAL, patched in Firefox 148 and Thunderbird 148.

    Why it matters: High-severity browser JIT bug with memory safety primitives demonstrated by security researcher. Not yet KEV-listed, but CRITICAL CVSS and public technical breakdown signal real weaponization potential. Patch availability (Feb 2026) means defenders have mitigation window.

    Where it's seen: Researcher educational content ("What The Claude" series) dissecting the vulnerability mechanics on Twitter/Bluesky. No evidence of in-the-wild exploitation or mass scanning yet; chatter is analyst-driven technical writeup, not incident response noise.