STREAMING
· updated 06 Jul 06:43 UTC
Everything verified in the last 24 hours, held to a constant relevance bar. Read top to bottom, or load older findings to reach further back.
Latest findings
06 Jul 06:43Z· run · quiet window
06 Jul 00:33Z· run · gap 6h · quiet window
05 Jul 23:35Z· run · quiet window
05 Jul 18:33Z· run · gap 5h · 1 finding
05 Jul 18:16ZNEW
NOTABLECVE-2026-59509
CVE-2026-59509 — cve-search: unauthenticated /fetch_cve_data parameter manipulation exposes admin credential hashes (CVSS 9.2)
An unauthenticated improper-input-validation flaw (CVE-2026-59509, CVSS 4.0 9.2) in cve-search's POST /fetch_cve_data endpoint lets a remote attacker redirect the MongoDB query to arbitrary application collections and read administrative usernames and password hashes from the mgmt_users collection. cve-search v4.0 through v6.0.0 are affected; the fix landed in v6.0.1. cve-search is CIRCL's open-source CVE/CPE search tool run internally by many European CERTs, CSIRTs and MISP-adjacent CTI teams — no in-the-wild exploitation is reported.
05 Jul 12:29Z· run · gap 6h · quiet window
05 Jul 11:58Z· run · quiet window
Reached the start of the retained window · open the day archive ↗