- Joined
- Mar 1, 2021
Pretty big news, the MITRE foundations support for the CVE program is set to expire today:
MITRE’s Support for CVE Program Set to Expire | Archive
MITRE’s Support for CVE Program Set to Expire | Archive
CVE and Zero-Day General - Because there's so many at this rate there may as well be a general thread for it
- Thread starter HahaYes
- Start date
-
Want to keep track of this thread?
Accounts can bookmark posts, watch threads for updates, and jump back to where you stopped reading.
Create account
- Joined
- Aug 21, 2018
You can't have 0days, if there is nobody to keep track of them.
On a more cynical note, i know that the CVE database is just kept stocked by useful idiots and idealists.
Almost every "Security researcher" knows that a good RCE is worth money which in turn is worth more than a mention in some hall of fame page.
On a more cynical note, i know that the CVE database is just kept stocked by useful idiots and idealists.
Almost every "Security researcher" knows that a good RCE is worth money which in turn is worth more than a mention in some hall of fame page.
Last edited:
użytkownik
kiwifarms.net
- Joined
- Feb 2, 2023
- Joined
- Mar 1, 2021
Not surprised at all given how crucial the CVE program is. Can't wait for exactly the same thing to happen in 11 months lmao
- Joined
- Mar 13, 2022
Crosspost:
- Joined
- May 5, 2022
Should've used mercurial, pijul or Fossil, but who am I kidding, two use Rust and another uses SQL.
DARCS ftw
Thread tax. I'm suprised there's not more word about this.
Published: 2025-07-08
Updated: 2025-07-08
Title: SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability
Description:Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over a network.
9.8 CRITICAL 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL /RC
- Joined
- May 5, 2022
Spectre/Meltdown v2? All Zen chips affected.
Code:
CVE-2024-363505.6 (Medium) AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:NA transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information.
CVE-2024-363575.6 (Medium) AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:NA transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privileged boundaries.
CVE-2024-363483.8 (Low) AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:NA transient execution vulnerability in some AMD processors may allow a user process to infer the control registers speculatively even if UMIP[3] feature is enabled, potentially resulting in information leakage.
CVE-2024-363493.8 (Low) AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:NA transient execution vulnerability in some AMD processors may allow a user process to infer TSC_AUX even when such a read is disabled, potentially resulting in information leakage.- Joined
- May 5, 2022
I nominate this bug for the glownigger of the year award.
Belkin pulled the age old "whoops we forgot to remove hardcoded passwords" and may not have changed it for all these years CVE-2025-8730 (CVSS 8.9). This is a router from 2015.
Ouch :CVE-2023-5388 (CVSS 6.5) Good job gentoo being a year late per the usual by skipping the 3.9x versionf of NSS.
Here's the OpenSSL bug.
Autodialersiallators will not poo in the loo saaaar CVE-2025-2611 (9.3 CVSS)
Belkin pulled the age old "whoops we forgot to remove hardcoded passwords" and may not have changed it for all these years CVE-2025-8730 (CVSS 8.9). This is a router from 2015.
CIA NIGGERS!
Ouch :CVE-2023-5388 (CVSS 6.5) Good job gentoo being a year late per the usual by skipping the 3.9x versionf of NSS.
Here's the OpenSSL bug.
Autod
Last edited:
- Joined
- Nov 4, 2017
First, fucking lol at using a Belkin router after this shit where they would randomly redirect your web request to an ad for their security software. You get what you fucking deserve, etc.
Second, it requires the web interface being accessible. If you are retarded enough to have your web interface accessible via external, I don't know what to tell you. And if you aren't using an isolated guest network for your
Third, lol not using a router with 3rd party open source firmware available. Just absolute fucking lol.
- Joined
- May 5, 2022
- Joined
- Nov 25, 2023
Somewhat late, but still. Unity-related: CVE-2025-59489
"Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux allows argument injection that can result in loading of library code from an unintended location"
That's a lot of video games and a lot of platforms.
"Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux allows argument injection that can result in loading of library code from an unintended location"
That's a lot of video games and a lot of platforms.
Last edited:
- Joined
- Jul 14, 2024
it looks like this is the kind of thing that could only be taken advantage of by third party tools that hook into unity. while thinking of what could possibly even fit that description - i am immediately reminded of the game Sulfur that runs on unity and its small modding community is entirely reliant on a mod loader that a chinese guy made and uploaded to github that is not open source and uses a bunch of provided DLL's to hook into the game.
which is basically the exact disclosed exploit chain here. hey, the developers said it's fine, what could possibly go wrong?
- Joined
- Dec 17, 2019
Notepad++ v8.8.6 had Don Ho complaining about a non-issue CVE in Notepad++. You know, the typical "if the attacker has full privileged access to the system they could do something bad" type of non-issue that's then paraded around as a sign that the software is compromised because it's a CVE.
Which made me think of a stupid joke. Given how a lot of these CVE's are basically non-issues in terms of practical security concerns that are put onto the CVE database by midwits for the sake of showing that they're a "security expert" on their resume becasuse those three letters have that "academic prestige" behind them, CVE's could be referred to as "Curriculum Vitae Expanders".
Which made me think of a stupid joke. Given how a lot of these CVE's are basically non-issues in terms of practical security concerns that are put onto the CVE database by midwits for the sake of showing that they're a "security expert" on their resume becasuse those three letters have that "academic prestige" behind them, CVE's could be referred to as "Curriculum Vitae Expanders".
Title: Windows Notepad App Remote Code Execution Vulnerability
Score: 8.8/10
Improper neutralization of special elements used in a command ('command injection') in Windows Notepad App allows an unauthorized attacker to execute code over a network.
CVE link: https://www.cve.org/CVERecord?id=CVE-2026-20841
Published: 2026-02-10
Updated: 2026-02-11
Versions: affected from 11.0.0 before 11.2510
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged (runs as user)
Impact: High confidentiality, integrity and availability impact.
Summary: This is a remote, easy-to-trigger vulnerability requiring no login, but it does require a user action. If triggered, it can lead to major compromise (data theft + system modification + downtime).
Score: 8.8/10
Improper neutralization of special elements used in a command ('command injection') in Windows Notepad App allows an unauthorized attacker to execute code over a network.
CVE link: https://www.cve.org/CVERecord?id=CVE-2026-20841
Published: 2026-02-10
Updated: 2026-02-11
Versions: affected from 11.0.0 before 11.2510
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged (runs as user)
Impact: High confidentiality, integrity and availability impact.
Summary: This is a remote, easy-to-trigger vulnerability requiring no login, but it does require a user action. If triggered, it can lead to major compromise (data theft + system modification + downtime).
- Joined
- May 5, 2022
Not a CVE or zero day strictly but dev loosing their mind and causing data destruction.
Open source 3rd party telegram client (Nekogram) dev got mogged by the MSS spergs out about politics, made his software to be malware. Sends info back to owner and if he deems you are "associated with political content" he yeets your account.
Coder is some chinese neko gooner fag (telegram) he goes by "Cat ear (power) inverter"
Can some archive... Sorry it autofails my captcha check...
His email btw: chsqwyx@gmail.com
Translation:
Coder is some chinese neko gooner fag (telegram) he goes by "Cat ear (power) inverter"
Can some archive... Sorry it autofails my captcha check...
His email btw: chsqwyx@gmail.com
Translation:
Reactions:
x 6 x 12 x 1
x 6 x 12 x 1
- Joined
- Jul 4, 2022
Now is a good time to install Linux kernel patches. There is a root exploit affecting most kernels commonly used by Linux distributions since 2017. Check out https://copy.fail for exploit details.
CVE link: https://www.cve.org/CVERecord?id=CVE-2026-31431
Vendor: Linux
Product: Linux
Versions: 10 Total
Default Status: affected
affected
CVE link: https://www.cve.org/CVERecord?id=CVE-2026-31431
Vendor: Linux
Product: Linux
Versions: 10 Total
Default Status: affected
affected
- affected at 4.14
- unaffected from 0 before 4.14
- unaffected from 5.10.254 through 5.10.*
- unaffected from 5.15.204 through 5.15.*
- unaffected from 6.1.170 through 6.1.*
- unaffected from 6.6.137 through 6.6.*
- unaffected from 6.12.85 through 6.12.*
- unaffected from 6.18.22 through 6.18.*
- unaffected from 6.19.12 through 6.19.*
- unaffected from 7.0
- Joined
- May 4, 2023
Apache2 remote code execution via HTTP/2 module mod_http2. CVE-2026-23918. Fixed in 2.4.67.