╔════[ CRITICAL_CVE ]═════════

│ CVE ID :CVE-2025-62718
  
Published : April 9, 2026, 3:16 p.m. | 19 minutes ago
  
Description :Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0.
  
Severity: 9.3 | CRITICAL
  
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

┌─[ METADATA ]───────────────────────┐
│ Source: https://cvefeed.io
| CVE ID :CVE-2025-62718 
| Severity: 9.3 | CRITICAL
└────────────────────────────────────┘

╔════[ CRITICAL_CVE ]═════════

│ CVE ID :CVE-2025-57735
  
Published : April 9, 2026, 11:16 a.m. | 4 hours, 19 minutes ago
  
Description :When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario and possibility of intercepting the tokens, should upgrade to Airflow 3.2+



Users are recommended to upgrade to version 3.2.0, which fixes this issue.
  
Severity: 9.1 | CRITICAL
  
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

┌─[ METADATA ]───────────────────────┐
│ Source: https://cvefeed.io
| CVE ID :CVE-2025-57735 
| Severity: 9.1 | CRITICAL
└────────────────────────────────────┘

╔════[ CRITICAL_CVE ]═════════

│ CVE ID :CVE-2026-34179
  
Published : April 9, 2026, 10:16 a.m. | 5 hours, 19 minutes ago
  
Description :In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin.
  
Severity: 9.1 | CRITICAL
  
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

┌─[ METADATA ]───────────────────────┐
│ Source: https://cvefeed.io
| CVE ID :CVE-2026-34179 
| Severity: 9.1 | CRITICAL
└────────────────────────────────────┘

╔════[ CRITICAL_CVE ]═════════

│ CVE ID :CVE-2026-34178
  
Published : April 9, 2026, 10:16 a.m. | 5 hours, 19 minutes ago
  
Description :In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives, bypassing all project restriction enforcement and allowing full host compromise.
  
Severity: 9.1 | CRITICAL
  
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

┌─[ METADATA ]───────────────────────┐
│ Source: https://cvefeed.io
| CVE ID :CVE-2026-34178 
| Severity: 9.1 | CRITICAL
└──────────────────���─────────────────┘

╔════[ CRITICAL_CVE ]═════════

│ CVE ID :CVE-2026-34177
  
Published : April 9, 2026, 10:16 a.m. | 5 hours, 19 minutes ago
  
Description :Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attacker with can_edit permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration that bridges the LXD Unix socket into the guest VM, enabling privilege escalation to LXD cluster administrator and subsequently to host root.
  
Severity: 9.1 | CRITICAL
  
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

┌─[ METADATA ]───────────────────────┐
│ Source: https://cvefeed.io
| CVE ID :CVE-2026-34177 
| Severity: 9.1 | CRITICAL
└────────────────────────────────────┘

╔════[ CRITICAL_CVE ]═════════

│ CVE ID :CVE-2026-5854
  
Published : April 9, 2026, 7:16 a.m. | 8 hours, 19 minutes ago
  
Description :A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument merge results in os command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
  
Severity: 10.0 | HIGH
  
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

┌─[ METADATA ]───────────────────────┐
│ Source: https://cvefeed.io
| CVE ID :CVE-2026-5854 
| Severity: 10.0 | HIGH
└────────────────────────────────────┘

╔════[ CRITICAL_CVE ]═════════

│ CVE ID :CVE-2026-5853
  
Published : April 9, 2026, 7:16 a.m. | 8 hours, 19 minutes ago
  
Description :A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this vulnerability is the function setIpv6LanCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument addrPrefixLen leads to os command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
  
Severity: 10.0 | HIGH
  
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

┌─[ METADATA ]───────────────────────┐
│ Source: https://cvefeed.io
| CVE ID :CVE-2026-5853 
| Severity: 10.0 | HIGH
└────────────────────────────────────┘

╔════[ CRITICAL_CVE ]═════════

│ CVE ID :CVE-2026-5852
  
Published : April 9, 2026, 7:16 a.m. | 8 hours, 19 minutes ago
  
Description :A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. Affected is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument igmpVer causes os command injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.
  
Severity: 10.0 | HIGH
  
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

┌─[ METADATA ]───────────────────────┐
│ Source: https://cvefeed.io
| CVE ID :CVE-2026-5852 
| Severity: 10.0 | HIGH
└────────────────────────────────────┘

╔════[ CRITICAL_CVE ]═════════

│ CVE ID :CVE-2026-5851
  
Published : April 9, 2026, 6:16 a.m. | 9 hours, 19 minutes ago
  
Description :A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This impacts the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument enable results in os command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
  
Severity: 10.0 | HIGH
  
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

┌─[ METADATA ]───────────────────────┐
│ Source: https://cvefeed.io
| CVE ID :CVE-2026-5851 
| Severity: 10.0 | HIGH
└────────────────────────────────────┘

╔════[ CRITICAL_CVE ]═════════

│ CVE ID :CVE-2026-5850
  
Published : April 9, 2026, 6:16 a.m. | 9 hours, 19 minutes ago
  
Description :A vulnerability was identified in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument pptpPassThru leads to os command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
  
Severity: 10.0 | HIGH
  
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

┌─[ METADATA ]───────────────────────┐
│ Source: https://cvefeed.io
| CVE ID :CVE-2026-5850 
| Severity: 10.0 | HIGH
└────────────────────────────────────┘

╔════[ CRITICAL_CVE ]═════════

│ CVE ID :CVE-2026-1830
  
Published : April 9, 2026, 5:16 a.m. | 10 hours, 19 minutes ago
  
Description :The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server.
  
Severity: 9.8 | CRITICAL
  
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

┌─[ METADATA ]───────────────────────┐
│ Source: https://cvefeed.io
| CVE ID :CVE-2026-1830 
| Severity: 9.8 | CRITICAL
└────────────────────────────────────┘