Trending vulnerabilities

Trending 25
Critical 6
In KEV 4
Peak EPSS 89%
Posts 521
#1 CVE-2026-31431
HIGH · 7.8 KEV
hype LIKELY HACK · 72 hack

KEV + distro patches + PoC public; "CopyFail" branding inflates hype but real exploitation confirmed.

What: Linux kernel crypto/algif_aead in-place operation flaw allowing local privilege escalation (CVE-2026-31431, CVSS 7.8 HIGH, EPSS 0.8%).

Why it matters: KEV-listed as of 2026-05-01. Multiple distros patching urgently (Arch 6.19.12-1, AlmaLinux, Ubuntu). Public PoC circulating with "732-byte exploit" narrative. Kernel crypto subsystem affects all local users; privilege escalation to root confirmed in chatter.

Where it's seen: Cross-distro security advisories (Arch, AlmaLinux, Alpine, Ubuntu, Rocky, CentOS); Medium writeups; Spanish/multilingual coverage; community noting "clickbait" framing but confirming real LPE impact.

score 163 · 250 posts
#2 CVE-2026-41940
CRITICAL · 9.8 KEV
hype ACTIVE HACK · 94 hack

Active in-the-wild exploitation, KEV-listed, confirmed Mirai/ransomware campaigns, mass scanning.

What: Authentication bypass in cPanel/WHM versions after 11.40 allowing unauthenticated remote root access (CVSS 9.8 CRITICAL, EPSS 0.96).

Why it matters: KEV-listed 2026-04-30. Active in-the-wild exploitation confirmed within 24 hours of disclosure. Censys reports 80% of new malicious hosts linked to cPanel; Shadowserver observed 44K+ compromised IPs scanning honeypots. Mirai variants and ".sorry" ransomware campaigns already active. ~1.5M cPanel instances exposed online.

Where it's seen: Security research teams (Censys, Shadowserver, DFIR analysts) publishing mass-compromise metrics and botnet/ransomware attribution. Hosting providers (Hostao) taking services offline. Global CERT advisories issued. Patch available since 2026-04-28.

score 93 · 129 posts
#3 CVE-2026-3854
HIGH · 8.8
hype MIXED · 42 hack

Vendor patching urgent but no KEV listing, PoC, or confirmed exploitation signal.

What: Improper neutralization of special elements in GitHub Enterprise Server git push options allows authenticated attackers to achieve remote code execution via header injection. CVSS 8.8 HIGH.

Why it matters: GitHub patched across six versions (3.14.25 through 3.19.4) within ~3 weeks of disclosure. Vendor statement indicates no in-the-wild exploitation detected pre-patch. Not KEV-listed. Social chatter amplifies severity but confirms vendor response; no public PoC or active exploitation reported.

Where it's seen: Blog posts from security firms (Wiz), industry newsletters, and threat-tracking accounts recycling vendor advisory. Posts emphasize RCE impact and patch urgency; no defender triage questions or PoC drops observed.

score 14 · 16 posts

Also trending

  1. 4 CVE-2026-32202 MEDIUM · 4.3 KEV score 13 · 15 posts
    hype LIKELY HACK · 78 hack

    What: Windows Shell protection mechanism failure (CVE-2026-32202, CVSS 4.3, EPSS 0.07) allows remote spoofing and zero-click NTLM credential theft via SMB.

    Why it matters: KEV-listed 2026-04-28; Microsoft confirmed active exploitation in-the-wild; CISA issued patch deadline (May 12); researchers flag CVSS underestimation—zero-click credential relay enabling domain lateral movement. Incomplete patch of prior flaw means unpatched systems remain exposed.

    Where it's seen: Threat intel and SOC teams reporting APT28 exploitation; vendor patching alerts (April Patch Tuesday); federal remediation timeline; security practitioners debating CVSS accuracy and SMB blocking strategies; no public PoC but exploitation confirmed by Microsoft/CISA.

  2. 5 CVE-2026-42208 score 11 · 13 posts
    hype LIKELY HACK · 78 hack

    What: SQL injection in LiteLLM proxy (AI gateway) allowing unauthenticated database access to API keys for OpenAI, Anthropic, AWS and other upstream providers. CVSS/EPSS scores unavailable.

    Why it matters: Social chatter consistently reports in-the-wild exploitation within 36 hours of public disclosure. Posts describe active weaponization targeting credential vaults in production AI infrastructure. Multiple security vendors and analysts flagging urgent patch requirement. No KEV listing evident in metadata, but defender urgency and rapid exploitation timeline are strong signals of real compromise activity.

    Where it's seen: X and Bluesky posts from security researchers, vendor advisories, and threat intelligence accounts repeating near-identical "36 hours to exploitation" narrative. Framing emphasizes AI supply-chain risk and credential exposure severity.

  3. 6 CVE-2026-7674 HIGH · 8.8 score 9 · 7 posts
    hype MIXED · 42 hack

    What: Remote buffer overflow in Shenzhen Libituo LBT-T300-HW1 Web Management Interface (versions ≤1.2.8) via VPN argument manipulation; CVSS 8.8 (HIGH).

    Why it matters: Published same day with no patch available; vendor unresponsive to disclosure. Post #3 claims active exploitation, but lacks corroborating PoC, scanning data, or defender triage reports. Not KEV-listed. Most posts are feed/alert aggregation; no security researcher validation yet.

    Where it's seen: Vulnerability feed chatter, alert automation, one unsubstantiated claim of "being exploited now" on X. No vendor advisory, no public PoC, no defender questions in forums.

  4. 7 CVE-2026-7675 HIGH · 8.8 score 8 · 6 posts
    hype MIXED · 58 hack

    What: Buffer overflow in Shenzhen Libituo LBT-T300-HW1 apply.cgi start_lan function via Channel/ApCliSsid argument manipulation; affects firmware ≤1.2.8. CVSS 8.8 (HIGH).

    Why it matters: Public exploit disclosed; vendor unresponsive to early disclosure. Remote attack vector on IoT/network device. Not KEV-listed yet, but active PoC availability and vendor non-response elevate triage priority for organizations running affected hardware.

    Where it's seen: Automated CVE alert feeds and security news aggregators (CVEarity, Bluesky infosec accounts, threat radar services, journalist coverage). No evidence of widespread in-the-wild scanning or mass exploitation chatter; mostly alert automation and early researcher sharing.

  5. 8 CVE-2026-7684 HIGH · 8.8 score 8 · 6 posts
    hype LIKELY HACK · 72 hack

    What: Buffer overflow in Edimax BR-6428nC router firmware (up to v1.16) in /goform/setWAN endpoint via pptpDfGateway parameter. CVSS 8.8 (HIGH). Remote, unauthenticated exploitation possible.

    Why it matters: Public exploit disclosed same day as NVD publication; vendor unresponsive to early notification; no patch available. IoT device installed base at risk of RCE if remotely accessible.

    Where it's seen: Security news feeds (Patchstack, OffSeq radar, Vulmon) and threat aggregators amplifying NVD entry within hours. Chatter driven by automated CVE feeds; one source explicitly flags unpatched state and recommends immediate mitigation.

  6. 9 CVE-2026-42779 CRITICAL · 9.8 score 7 · 6 posts
    hype MIXED · 58 hack

    What: Incomplete patch in Apache MINA 2.1.X and 2.2.X branches allows remote code execution via deserialization bypass in AbstractIoBuffer.resolveClass(). CVSS 9.8 CRITICAL.

    Why it matters: Prior fix for CVE-2026-41635 omitted from later branches, re-exposing classname allowlist bypass. Applications calling IoBuffer.getObject() are vulnerable. Vendor patched in 2.1.12 and 2.2.7 as of May 1, 2026. No KEV listing yet, no public PoC observed in posts.

    Where it's seen: Security feed aggregators posting vendor advisory summary same day as publication. Chatter is alert-style, urging immediate upgrade to patched versions. No researcher PoC or in-the-wild exploitation reports in trending posts.

  7. 10 CVE-2026-40561 score 7 · 6 posts
    hype MOSTLY HYPE · 18 hack

    What: HTTP Request Smuggling in Starlet (Perl web server) through v0.31 via improper header precedence—Content-Length prioritized over Transfer-Encoding in violation of RFC 7230, enabling request smuggling via reverse proxies.

    Why it matters: Published today with no CVSS/EPSS scores, no KEV listing, and no public PoC or vendor advisory detected. Social signal is purely automated feed republication from NVD/CVE databases. No defender triage or patch activity reported.

    Where it's seen: Five low-engagement posts, all feed-driven mirrors (CVEnew, Vulmon, Bluesky aggregators). No researcher analysis, no vendor statement, no exploitation chatter.

  8. 11 CVE-2026-35002 CRITICAL · 9.8 score 6 · 3 posts
    hype MOSTLY HYPE · 28 hack

    What: Eval injection vulnerability in the agno library (versions <2.x), affecting AI agent applications. CVSS and EPSS data unavailable.

    Why it matters: NVD metadata not yet enriched; no KEV listing, no published CVE details, no PoC confirmation, and no vendor advisory visible. The signal is a single developer's internal pull request upgrading agno to patch the flaw—credible but isolated. Without independent confirmation or public advisory, exploitation status remains unclear.

    Where it's seen: Chatter limited to one GitHub/social account posting about an internal dependency upgrade. No journalist coverage, no researcher PoCs, no defender triage activity observed.

  9. 12 CVE-2024-1708 HIGH · 8.4 KEV EPSS 85% score 6 · 5 posts
    hype ACTIVE HACK · 87 hack

    What: Path-traversal vulnerability in ConnectWise ScreenConnect ≤23.9.7 enabling remote code execution or data breach; CVSS 8.4, EPSS 0.84.

    Why it matters: KEV-listed as of 28 April 2026 with confirmed active exploitation in the wild. CISA formally added the flaw four days ago, signaling urgent defender action required across remote-access deployments.

    Where it's seen: CISA KEV notice driving global awareness; multilingual security bulletins (English, Japanese) circulating on Bluesky; practitioner alerts advising immediate patching of exposed ScreenConnect instances; low current engagement relative to trending CVEs but high organizational impact.

  10. 13 CVE-2026-7685 HIGH · 8.8 score 6 · 5 posts
    hype LIKELY HACK · 72 hack

    What: Buffer overflow in Edimax BR-6208AC router (≤v1.02) via /goform/setWAN pptpDfGateway parameter; CVSS 8.8 (HIGH), unauthenticated remote code execution risk.

    Why it matters: Public exploit available same day as disclosure; vendor unresponsive to early notice; no patch released. Real attack surface on consumer/small-business routers in the wild.

    Where it's seen: Feed-flooding from CVE aggregators and IoT security vendors within hours of publication. Defender advisory tone ("segment devices now") signals urgent triage concern. No mass-scanning reports yet but PoC availability raises imminent exploitation risk.

  11. 14 CVE-2026-43824 HIGH · 7.7 score 6 · 6 posts
    hype MIXED · 58 hack

    What: Argo CD 3.2.0–3.2.10 and 3.3.0–3.3.8 ServerSideDiff feature allows unauthenticated or low-privileged users to read cleartext Kubernetes Secret data (CVSS 7.7 HIGH).

    Why it matters: Published today; no KEV listing yet, but metadata shows patched versions exist (3.2.11, 3.3.9). Social chatter includes operational guidance (checking IncludeMutationWebhook flag, inventory exposure paths), suggesting early defender awareness. No public PoC mentioned, but condition-based analysis posted indicates researchers have working understanding of the flaw.

    Where it's seen: Social posts (Bluesky) mixing incident alerting, triage steps, and vendor patch guidance. Posts appear within 1 hour of NVD publication, indicating coordinated disclosure follow-up. Engagement focuses on upgrade urgency and secret inventory, not proof-of-concept sharing.

  12. 15 CVE-2026-7673 MEDIUM · 4.7 score 6 · 5 posts
    hype MOSTLY HYPE · 28 hack

    What: Unrestricted file upload in CRMEB Java admin component (UploadServiceImpl.java) affecting versions up to 1.3.4; CVSS 4.7 (medium severity).

    Why it matters: Public exploit available; vendor non-responsive to disclosure. However, not KEV-listed and CVSS is low-medium, suggesting limited real-world traction. Chatter is mostly automated CVE feed republication with no defender reports or active exploitation signals.

    Where it's seen: Automated CVE alert bots (CVEarity, VulmonFeeds, CVEnew) syndicated the NVD entry within hours of publication. No security researcher analysis, PoC walkthrough, or victim reports detected.

  13. 16 CVE-2026-7672 MEDIUM · 6.3 score 6 · 5 posts
    hype MOSTLY HYPE · 28 hack

    What: SQL injection in youlaitech youlai-boot getUserList endpoint (Users Controller) via argument order manipulation; affects versions ≤2.21.1; CVSS 6.3 MEDIUM.

    Why it matters: Public exploit disclosure exists and vendor did not respond to early notification. However, CVE is not KEV-listed, no EPSS score available, and no evidence of active in-the-wild exploitation or mass scanning reported in social chatter. Appears to be automated CVE feed amplification rather than defender triage activity.

    Where it's seen: Automated CVE alert aggregators and security feeds (CVEarity, CVEnew, VulmonFeeds, Vulmon) republishing NVD description same-day publication; no researcher analysis, PoC links, or patch advisories present in top posts.

  14. 17 CVE-2026-7597 MEDIUM · 6.3 score 6 · 4 posts
    hype MIXED · 58 hack

    What: Unsafe deserialization vulnerability in mem0ai mem0 vector store (FAISS) via pickle.load/dump in versions up to 1.0.11; remote exploitation possible; CVSS 6.3 MEDIUM.

    Why it matters: Public exploit available and patch issued (commit 62dca096f9236010ca15fea9ba369ba740b86b7a) within 24 hours of publication. Deserialization via pickle is a known remote code execution vector. Not yet KEV-listed, but rapid vendor response and public PoC indicate active research interest rather than speculative coverage.

    Where it's seen: Automated CVE feeds (CVEnew, VulmonFeeds, infoflowcloud) echoing NVD description; no independent researcher analysis, no defender triage reports visible in top posts.

  15. 18 CVE-2026-7669 MEDIUM · 5.6 score 6 · 5 posts
    hype MOSTLY HYPE · 28 hack

    What: Unsafe deserialization in SGLang's HuggingFace Transformer handler (get_tokenizer function) affecting versions up to 0.5.9. CVSS 5.6 MEDIUM.

    Why it matters: Published yesterday with no vendor response, no KEV listing, and no confirmed PoC. Social chatter conflates unrelated authorization bypass claims (NextChat MCP) with the deserialization flaw. High complexity + difficult exploitability per NVD reduce practical risk. Chatter is largely automated feed replication.

    Where it's seen: Vuln alert feeds and automated CVE tracking accounts dominating; one speculative post claiming RCE but without supporting evidence or PoC link.

  16. 19 CVE-2026-7598 HIGH · 7.3 score 6 · 5 posts
    hype MOSTLY HYPE · 28 hack

    What: Integer overflow in libssh2 ≤1.11.1 userauth_password function allowing remote manipulation of authentication credentials (CVSS 7.3 HIGH).

    Why it matters: Published 24 hours ago; no KEV listing yet, no public PoC confirmed in chatter, no vendor advisory or patch release details evident. Posts are automated feed republications of NVD metadata with no analyst commentary, PoC links, or defender triage signals.

    Where it's seen: Standard CVE feed aggregators (Vulmon, CVEnew) and security news bots cross-posting identical descriptions. No security researcher threads, no exploitation reports, no remediation guidance beyond patch mention.

  17. 20 CVE-2026-7567 CRITICAL · 9.8 score 6 · 4 posts
    hype MIXED · 62 hack

    What: Authentication bypass in WordPress "Temporary Login" plugin (v1.0.0 and earlier) via malformed token parameter; CVSS 9.8 CRITICAL allowing unauthenticated account takeover.

    Why it matters: High-severity flaw with trivial exploitation (single crafted GET request); no KEV listing yet but social chatter claims 40,000+ vulnerable sites. No public PoC confirmed in posts, but vulnerability is straightforward to exploit given the documented flaw in empty() and sanitize_key() handling.

    Where it's seen: Social media amplification (Twitter, Bluesky) from security feeds and researchers; vendor advisory expected imminently; defender awareness is building but no in-the-wild exploitation reports yet.

  18. 21 CVE-2026-42786 score 6 · 4 posts
    hype MIXED · 42 hack

    What: Unbounded WebSocket frame reassembly in Bandit (Elixir web server) versions 0.5.0–<1.11.0 allows unauthenticated remote DoS via memory exhaustion; affects Phoenix and LiveView applications directly.

    Why it matters: Published May 1, 2026; no KEV listing yet but high-severity resource-exhaustion flaw in widely-deployed framework. No public PoC observed in chatter, but vulnerability is straightforward to trigger—continuation frames without size limits. Phoenix/LiveView users are already being advised to patch or limit connections. Vendor (mtrudel) has patched in 1.11.0.

    Where it's seen: Initial disclosure posts on Twitter and Bluesky linking to CVE feeds and threat radar; mostly rebroadcasting the NVD description. Defender guidance surfacing ("monitor usage, limit connections"). No PoC code or mass-scanning reports yet.

  19. 22 CVE-2026-7671 LOW · 3.7 score 6 · 4 posts
    hype PURE HYPE · 12 hack

    What: Improper rate-limiting on two-factor authentication endpoint in CodeWise Tornet Scooter Mobile App 4.75 (iOS/Android); CVSS 3.7 (LOW).

    Why it matters: Low CVSS score, difficult exploitability, vendor unresponsive but no KEV listing or confirmed in-the-wild exploitation. Public PoC disclosed, but social chatter is purely automated CVE feed rebroadcasts with no defender triage or incident reporting evident.

    Where it's seen: Generic CVE alert bots and security feeds republishing NVD description verbatim within hours of publication. No vendor advisories, researcher analysis, or operational security discussion observed.

  20. 23 CVE-2017-5754 MEDIUM · 5.6 EPSS 89% score 6 · 3 posts
    hype unscored hack

    What: CVE-2017-5754 is Meltdown (rogue data cache load), mitigated in operating systems by kernel page-table isolation. NVD description: systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

  21. 24 CVE-2026-21876 CRITICAL · 9.3 score 5 · 5 posts
    hype MOSTLY HYPE · 28 hack

    What: Logic bug in OWASP CRS rule 922110 allowing multipart requests with malicious charsets in early parts to bypass detection if later parts contain legitimate charsets (CVSS 9.3 CRITICAL). Affects CRS <4.22.0 and <3.3.8.

    Why it matters: Patches released (CRS 4.22.0 and 3.3.8); vendor actively addressing. High CVSS reflects WAF bypass potential. No KEV listing, no public PoC confirmed in posts, no in-the-wild exploitation reports yet. Chatter is primarily patch notification, not exploitation discussion.

    Where it's seen: Repetitive social posts (mostly same account variants) announcing patch availability. Appears to be coordinated awareness campaign rather than organic security community reaction. No defender triage questions or PoC repositories mentioned.

  22. 25 CVE-2026-21858 CRITICAL · 10.0 score 5 · 4 posts
    hype LIKELY HACK · 72 hack

    What: n8n workflow automation platform (versions <1.121.0) allows unauthenticated remote code execution via form-based workflows, exposing file access and potential full server compromise. CVSS 10.0 critical.

    Why it matters: n8n acts as a central hub connecting OAuth credentials, cloud storage, and IAM systems. Unauthenticated RCE drastically widens blast radius—attackers gain direct access to chained API tokens and sensitive integrations without login. Fix released January 2026; public research disclosed (Cyera report) driving active discussion.

    Where it's seen: Security researchers and engineers amplifying the Cyera "Ni8mare" research report across Bluesky and X. Posts emphasize the lack of authentication gating and integration risk. No KEV listing yet, but high CVSS and public advisory fuel urgent patching conversations.
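The Starlet entry (CVE-2026-40561) turns on one detail: which framing header wins when a request carries both Content-Length and Transfer-Encoding. RFC 7230 section 3.3.3 says Transfer-Encoding overrides; a server that prefers Content-Length will disagree with an RFC-compliant proxy in front of it about where one request ends and the next begins. The following is an added example, not Starlet code and not a PoC against it: a small HTTP/1.1 parser run in both precedence modes over one constructed byte stream, showing that the proxy sees one request while the CL-first back end sees two plus leftover bytes that would be glued onto the next client's request.

```python
"""Why header precedence matters for HTTP request smuggling.

Constructed example: the same byte stream is parsed twice, once by a
front-end that follows RFC 7230 section 3.3.3 (Transfer-Encoding wins)
and once by a back-end that honours Content-Length first, the behaviour
the advisory describes for Starlet through v0.31.
"""
import re

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")


def parse_head(buf, pos):
    """Return (request_line, headers, pos after the blank line) or raise ValueError."""
    end = buf.index(b"\r\n\r\n", pos)            # ValueError if no header terminator
    lines = buf[pos:end].split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        raise ValueError("not a request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def read_chunked(buf, pos):
    """Decode a chunked body; return (body, pos after the terminating chunk)."""
    body = b""
    while True:
        eol = buf.index(b"\r\n", pos)
        size = int(buf[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            if buf[pos:pos + 2] != b"\r\n":             # no trailers in this example
                raise ValueError("missing final CRLF")
            return body, pos + 2
        body += buf[pos:pos + size]
        pos += size + 2                                 # skip data and its CRLF


def read_body(buf, pos, headers, precedence):
    """precedence='te' follows the RFC; precedence='cl' models the Starlet behaviour."""
    chunked = b"chunked" in headers.get(b"transfer-encoding", b"").lower()
    has_cl = b"content-length" in headers
    if chunked and (precedence == "te" or not has_cl):
        return read_chunked(buf, pos)
    if has_cl:
        n = int(headers[b"content-length"])
        return buf[pos:pos + n], pos + n
    return b"", pos


def is_ambiguous(headers):
    """RFC 7230 lets a server reject (400) a message carrying both framing headers."""
    return b"transfer-encoding" in headers and b"content-length" in headers


def split_requests(buf, precedence):
    """Parse one pipelined buffer into the requests a server with that precedence sees."""
    requests, pos = [], 0
    while pos < len(buf):
        try:
            request_line, headers, pos = parse_head(buf, pos)
        except ValueError:
            # Bytes that do not start a request: a real server keeps them buffered
            # and prepends them to the next request on the socket (desync).
            requests.append({"request_line": None, "leftover": buf[pos:]})
            break
        body, pos = read_body(buf, pos, headers, precedence)
        requests.append({"request_line": request_line, "headers": headers, "body": body})
    return requests


# Constructed payload: the chunk-size line is exactly 4 bytes, which is what
# Content-Length claims, so a CL-first parser stops right before the inner request.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: app\r\n\r\n"
PAYLOAD = (
    b"POST / HTTP/1.1\r\n"
    b"Host: app\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    + b"%x\r\n" % len(SMUGGLED)   # "22\r\n": one chunk of 0x22 = 34 bytes
    + SMUGGLED
    + b"\r\n0\r\n\r\n"
)


def demo():
    front = split_requests(PAYLOAD, "te")   # RFC-compliant proxy: one request
    back = split_requests(PAYLOAD, "cl")    # CL-first back end: two requests plus debris
    return len(front), [r["request_line"] for r in back if r["request_line"]]


if __name__ == "__main__":
    print(demo())   # (1, [b'POST / HTTP/1.1', b'GET /admin HTTP/1.1'])
```

The defensive choice is the one the RFC permits: a server or proxy that sees both headers should refuse the message outright (`is_ambiguous` above) rather than pick a winner, and a proxy should normalise to a single framing header before forwarding. Until Starlet is upgraded, that rejection belongs in the front end.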
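Three entries above share one root cause: deserialising attacker-reachable bytes with a loader that will instantiate any class the data names (mem0's FAISS store via pickle.load in CVE-2026-7597, SGLang's tokenizer handler in CVE-2026-7669, and Apache MINA's IoBuffer.getObject() in CVE-2026-42779, where the fix is a classname allowlist in resolveClass). The following added example is not code from any of those projects; it shows in Python what "allowlist in the class resolver" means: a malicious pickle whose reduce hook calls eval is loaded once with plain pickle.loads and once through an Unpickler whose find_class only resolves an explicit allowlist (the allowlist contents are assumed for the example).

```python
"""pickle.load on attacker-controlled bytes is code execution; restrict find_class.

Constructed example: a malicious pickle whose reduce hook calls eval, loaded
first with plain pickle.loads and then through an Unpickler that only
resolves an explicit allowlist of globals (the Python analogue of a
classname allowlist in a Java resolveClass override).
"""
import importlib
import io
import pickle
from collections import OrderedDict

# Globals a vector-store metadata file is allowed to reference (assumed for
# this example; extend deliberately, never with builtins such as eval/exec/getattr).
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every GLOBAL/STACK_GLOBAL opcode that is not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError("forbidden global %s.%s" % (module, name))


class RunsOnLoad:
    """Stand-in for attacker data: unpickling it calls eval('6*7')."""

    def __reduce__(self):
        return (eval, ("6*7",))


MALICIOUS = pickle.dumps(RunsOnLoad())                   # constructed hostile blob
LEGIT = pickle.dumps(OrderedDict(ids=[1, 2, 3], dim=3))  # constructed benign metadata


def unsafe_load(blob):
    return pickle.loads(blob)             # resolves builtins.eval and calls it


def safe_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def outcome(loader, blob):
    """Return ('ok', value) or ('rejected', reason) so the two loaders are comparable."""
    try:
        return ("ok", loader(blob))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(outcome(unsafe_load, MALICIOUS))   # ('ok', 42): attacker code ran
    print(outcome(safe_load, MALICIOUS))     # ('rejected', 'forbidden global builtins.eval')
    print(outcome(safe_load, LEGIT))         # ('ok', OrderedDict(...))
```

Note that plain data types (dict, list, str, numbers) never go through find_class, so an empty allowlist already loads pure-data pickles; every entry you add is a class whose construction you are choosing to trust. Where the on-disk format is under your control, prefer a data-only format (JSON, safetensors, numpy's allow_pickle=False) over pickle entirely; the allowlist is the mitigation for the case where the format cannot change.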
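The Bandit entry (CVE-2026-42786) describes unbounded reassembly of WebSocket continuation frames. The following is an added example, not Bandit code: a minimal RFC 6455 frame encoder/decoder and a reassembler that buffers fragments either without limit (the vulnerable shape) or against a cap that is checked before a fragment is stored, so the check itself never costs memory. Frame sizes, the mask key and the 1000-byte cap are constructed for the demonstration.

```python
"""Bounded reassembly of fragmented WebSocket messages (RFC 6455 section 5.4).

Constructed example for the class of bug described for Bandit: a text message
split into a first frame plus continuation frames, fed to a reassembler with
no cap (buffers without limit) and to one with a cap that rejects the message
as soon as the accumulated size would exceed it. Frame encoding and decoding
here are this example's own minimal implementation, not Bandit's.
"""
import struct

OPCODE_CONTINUATION, OPCODE_TEXT, OPCODE_CLOSE = 0x0, 0x1, 0x8


class MessageTooLarge(Exception):
    """A server should answer with close code 1009 (message too big)."""


def encode_frame(payload, opcode, fin, mask_key=None):
    """Build one frame; client-to-server frames must carry a 4-byte mask."""
    first = (0x80 if fin else 0x00) | opcode
    mask_bit = 0x80 if mask_key else 0x00
    n = len(payload)
    if n < 126:
        header = bytes([first, mask_bit | n])
    elif n < 0x10000:
        header = bytes([first, mask_bit | 126]) + struct.pack("!H", n)
    else:
        header = bytes([first, mask_bit | 127]) + struct.pack("!Q", n)
    if mask_key:
        header += mask_key
        payload = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
    return header + payload


def decode_frame(buf, pos=0):
    """Return (fin, opcode, unmasked payload, position after the frame)."""
    first, second = buf[pos], buf[pos + 1]
    fin, opcode = bool(first & 0x80), first & 0x0F
    masked, n = bool(second & 0x80), second & 0x7F
    pos += 2
    if n == 126:
        (n,) = struct.unpack("!H", buf[pos:pos + 2])
        pos += 2
    elif n == 127:
        (n,) = struct.unpack("!Q", buf[pos:pos + 8])
        pos += 8
    mask_key = None
    if masked:
        mask_key, pos = buf[pos:pos + 4], pos + 4
    payload, pos = buf[pos:pos + n], pos + n
    if mask_key:
        payload = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
    return fin, opcode, payload, pos


class Reassembler:
    """Collects fragments into messages; max_message_size=None reproduces the unbounded case."""

    def __init__(self, max_message_size=None):
        self.max_message_size = max_message_size
        self._reset()

    def _reset(self):
        self.opcode, self.fragments, self.size = None, [], 0

    def feed(self, fin, opcode, payload):
        if opcode >= OPCODE_CLOSE:                # control frames are never fragmented
            return (opcode, payload)
        if opcode != OPCODE_CONTINUATION:         # first fragment names the message type
            self.opcode = opcode
        # Check the size before buffering, so rejecting costs nothing.
        if self.max_message_size is not None and self.size + len(payload) > self.max_message_size:
            self._reset()
            raise MessageTooLarge("fragmented message exceeds %d bytes" % self.max_message_size)
        self.fragments.append(payload)
        self.size += len(payload)
        if not fin:
            return None
        message = (self.opcode, b"".join(self.fragments))
        self._reset()
        return message


def consume(stream, max_message_size=None):
    """Feed a raw frame stream to a reassembler; ('ok', messages) or ('rejected', frame index)."""
    reassembler = Reassembler(max_message_size)
    pos, index, messages = 0, 0, []
    while pos < len(stream):
        fin, opcode, payload, pos = decode_frame(stream, pos)
        try:
            message = reassembler.feed(fin, opcode, payload)
        except MessageTooLarge:
            return ("rejected", index)
        if message is not None:
            messages.append(message)
        index += 1
    return ("ok", messages)


MASK = b"\x01\x02\x03\x04"                       # constructed client mask key
FRAGMENTS = [b"A" * 400, b"B" * 400, b"C" * 400]  # constructed 3-fragment text message
STREAM = b"".join(
    encode_frame(frag, OPCODE_TEXT if i == 0 else OPCODE_CONTINUATION,
                 fin=(i == len(FRAGMENTS) - 1), mask_key=MASK)
    for i, frag in enumerate(FRAGMENTS))

if __name__ == "__main__":
    print(consume(STREAM)[0], consume(STREAM, max_message_size=1000))   # ok ('rejected', 2)
```

The cap belongs on the assembled message, not on individual frames: each frame here is well under any per-frame limit, and only the running total exposes the exhaustion. Pair it with a connection count limit, since an attacker who cannot grow one message will open many.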
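The CRS entry (CVE-2026-21876) describes a logic bug in rule 922110 where a forbidden charset in an early multipart part is not caught if a later part declares an allowed one. The following is an added example, not CRS code or its actual rule logic: a small multipart parser, a last-writer-wins charset check that exhibits the described behaviour, and the all-parts check that closes it. The charset allowlist follows the CRS defaults as I recall them and should be treated as an assumption; the request body is constructed.

```python
"""Per-part charset checking for multipart bodies.

Constructed example modelling the class of bug described for CRS rule 922110:
a check that keeps only the last charset it saw is slipped past by putting the
bad charset in an early part and a good one in the final part. The parser and
the allowlist are this example's own, not CRS code.
"""
import re

# Assumed allowlist (modelled on CRS's default charset list, not copied from it).
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"}
CHARSET_RE = re.compile(rb'charset\s*=\s*"?([^";\s]+)', re.I)


def multipart_parts(body, boundary):
    """Split a multipart/form-data body into (headers_dict, data) tuples."""
    parts = []
    for piece in body.split(b"--" + boundary)[1:]:
        if piece.startswith(b"--"):                      # closing delimiter "--boundary--"
            break
        head, _, data = piece[2:].partition(b"\r\n\r\n")  # drop the CRLF after the delimiter
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        parts.append((headers, data[:-2] if data.endswith(b"\r\n") else data))
    return parts


def part_charset(headers):
    """Charset declared in a part's Content-Type, lower-cased, or None."""
    match = CHARSET_RE.search(headers.get(b"content-type", b""))
    return match.group(1).decode("ascii", "replace").lower() if match else None


def charset_ok_buggy(parts):
    """Last-writer-wins: each part's charset overwrites the one before it."""
    seen = None
    for headers, _ in parts:
        charset = part_charset(headers)
        if charset is not None:
            seen = charset
    return seen is None or seen in ALLOWED_CHARSETS


def charset_ok_fixed(parts):
    """Every part that declares a charset must declare an allowed one."""
    return all(charset is None or charset in ALLOWED_CHARSETS
               for charset in (part_charset(headers) for headers, _ in parts))


BOUNDARY = b"xyz"
# Constructed body: first part declares utf-7 (not allowed, and able to spell
# '<' and '>' in pure ASCII), last part declares utf-8.
EVASIVE = (
    b"--xyz\r\n"
    b'Content-Disposition: form-data; name="comment"\r\n'
    b"Content-Type: text/plain; charset=utf-7\r\n\r\n"
    b"+ADw-b+AD4-bold+ADw-/b+AD4-\r\n"
    b"--xyz\r\n"
    b'Content-Disposition: form-data; name="note"\r\n'
    b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
    b"benign\r\n"
    b"--xyz--\r\n"
)
CLEAN = EVASIVE.replace(b"utf-7", b"utf-8")   # same body with both parts allowed


def evaluate(body, boundary):
    parts = multipart_parts(body, boundary)
    return {"parts": len(parts),
            "buggy_passes": charset_ok_buggy(parts),
            "fixed_passes": charset_ok_fixed(parts)}


if __name__ == "__main__":
    print(evaluate(EVASIVE, BOUNDARY))   # {'parts': 2, 'buggy_passes': True, 'fixed_passes': False}
    print(evaluate(CLEAN, BOUNDARY))     # {'parts': 2, 'buggy_passes': True, 'fixed_passes': True}
```

The general lesson for any WAF or input filter over a multi-valued container is that a verdict must be the conjunction over all elements; a variable that is assigned per element and read once at the end encodes "last element wins", whatever the rule author intended.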