Free 30-min security demo — We'll scan your real code and show live findings, no commitment Book Now
In-depth technical analysis of recently disclosed vulnerabilities in open-source software. Every post includes the vulnerable code, the fix, real-world impact, and how SAST catches it.
CVE-2024-6387 is a critical signal handler race condition in OpenSSH's sshd that allows unauthenticated remote code execution as root on glibc-based Linux systems — a vulnerability class that was supposedly fixed 18 years ago.
CVE-2024-21626 is a high-severity container escape in runc that allows attackers to break out of Docker, Kubernetes, and other container runtimes by exploiting an internal file descriptor leak to gain access to the host filesystem.
CVE-2023-50585: Critical stack overflow vulnerability in Tenda A18 v15.13.07.09 formSetDeviceName function allows unauthenticated remote code execution via buffer overflow.
CVE-2023-50643 enables remote arbitrary code execution in Evernote for macOS v10.68.2 through unsafe Electron RunAsNode configuration, achieving CVSS 9.8 critical severity.
CVE-2023-49235: Remote code execution vulnerability in TRENDnet TV-IP1314PI through unsafe popen() usage with inadequate debug information filtering, enabling unauthenticated command injection.
CVE-2023-51126 is a critical command injection vulnerability in FLIR AX8 thermal cameras up to firmware 1.46.16, allowing remote code execution through unsanitized user input in the res.php endpoint.
CVE-2023-7220 is a critical stack-based buffer overflow in Totolink NR1800X firmware affecting the loginAuth function, enabling remote code execution without authentication.
CVE-2023-7221 is a critical buffer overflow vulnerability in Totolink T6 4.1.9cu.5241_B20210923 affecting the HTTP POST login handler, enabling remote code execution with CVSS 9.8.
CVE-2023-31446 is a critical command injection vulnerability in Cassia Gateway firmware allowing unauthenticated remote code execution with root privileges through unsanitized queueUrl parameters.
CVE-2024-21646 exposes critical integer overflow in Azure uAMQP C library when processing crafted binary type data, enabling remote code execution across dependent AMQP clients.
CVE-2023-49237: Critical OS command injection vulnerability in TRENDnet IP camera firmware allows unauthenticated remote code execution via unfiltered URL parameters in language pack unpacking functionality.
CVE-2024-21650 is a critical remote code execution flaw in XWiki Platform affecting user registration. Attackers exploit unsanitized first/last name fields to execute arbitrary code on vulnerable instances.
CVE-2023-49236 exploits unvalidated sscanf input in TRENDnet TV-IP1314PI, enabling remote code execution through malicious RTSP scale parameters.
CVE-2024-0321 is a critical stack-based buffer overflow in GPAC prior to v2.3-DEV enabling remote code execution through malformed media files.
CVE-2024-22087 is a critical stack-based buffer overflow in Pico HTTP Server's URI handling that allows unauthenticated remote code execution via oversized request paths.
CVE-2024-22051 exploits integer overflow in CommonMarker's GFM table parser, allowing unauthenticated remote attackers to cause heap corruption and achieve RCE via oversized marker rows.
CVE-2023-51277 exposes a critical macOS entitlement vulnerability in Jupyter Notebook Viewer allowing unauthorized task access and potential privilege escalation in release builds.
CVE-2024-22086 is a critical stack-based buffer overflow in Cherry HTTP server's URI handling that enables unauthenticated remote code execution through malformed requests.
CVE-2024-22088 exploits a critical use-after-free vulnerability in Lotos WebServer's buffer management, triggered by long URIs through mishandled realloc operations, enabling remote code execution.
CVE-2023-50921 exposes critical pre-authentication privilege escalation in GL.iNet routers through unsafe add_user API endpoint, affecting 12 device models across firmware versions 4.3.7-4.5.0.
CVE-2023-46308 is a critical prototype pollution vulnerability in Plotly.js before v2.25.2 allowing __proto__ manipulation through plot API calls, enabling arbitrary code execution.
CVE-2024-21623 exposes critical expression injection vulnerability in OTClient's SonarCloud workflow, enabling remote command execution and secret exfiltration.
No vulnerabilities match your filter.
Offensive360 SAST detects the vulnerability patterns documented here — plus thousands more — across 60+ programming languages. See what's hiding in your source code.
