https://vulnerability.circl.lu/sightings/feed 2026-06-01T03:59:39.925749+00:00 Vulnerability-Lookup info@circl.lu python-feedgen Contains only the most 10 recent sightings. https://vulnerability.circl.lu/sighting/bc1d2d52-37b4-4486-b443-5d86fe163e84/export 2026-06-01T03:59:40.008972+00:00 Automation user https://vulnerability.circl.lu/user/automation {"uuid": "bc1d2d52-37b4-4486-b443-5d86fe163e84", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23733", "type": "seen", "source": "https://gist.github.com/alon710/eb25db4a01805c42059e24903b5ab96b", "content": "", "creation_timestamp": "2026-01-24T21:23:36.000000Z"} 2026-01-24T21:23:36+00:00 https://vulnerability.circl.lu/sighting/5c4fc3fa-f497-45d8-922e-c60c80800780/export 2026-06-01T03:59:40.008898+00:00 Automation user https://vulnerability.circl.lu/user/automation {"uuid": "5c4fc3fa-f497-45d8-922e-c60c80800780", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23735", "type": "seen", "source": "https://gist.github.com/alon710/d087383ad13375511b2c1165a278566e", "content": "", "creation_timestamp": "2026-01-24T21:24:03.000000Z"} 2026-01-24T21:24:03+00:00 https://vulnerability.circl.lu/sighting/9b0ac81f-af26-4c8a-936a-0b8db4f342b9/export 2026-06-01T03:59:40.008823+00:00 Automation user https://vulnerability.circl.lu/user/automation {"uuid": "9b0ac81f-af26-4c8a-936a-0b8db4f342b9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23735", "type": "seen", "source": "https://gist.github.com/alon710/95477fa5cbe88286938656473c76c7a9", "content": "", "creation_timestamp": "2026-01-24T22:28:46.000000Z"} 2026-01-24T22:28:46+00:00 https://vulnerability.circl.lu/sighting/e29f2af5-c375-4fb0-8b81-0d8498eafbf8/export 2026-06-01T03:59:40.008749+00:00 Automation user https://vulnerability.circl.lu/user/automation {"uuid": "e29f2af5-c375-4fb0-8b81-0d8498eafbf8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23735", "type": "seen", "source": "https://gist.github.com/alon710/6eed3cb62a9127c97662b882f464883d", "content": "", "creation_timestamp": "2026-01-24T22:28:49.000000Z"} 2026-01-24T22:28:49+00:00 https://vulnerability.circl.lu/sighting/c850b3a2-db31-40db-a129-456b8f895134/export 2026-06-01T03:59:40.008672+00:00 Automation user https://vulnerability.circl.lu/user/automation {"uuid": "c850b3a2-db31-40db-a129-456b8f895134", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23738", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3me72d5vhru2o", "content": "", "creation_timestamp": "2026-02-06T13:50:26.100027Z"} 2026-02-06T13:50:26.100027+00:00 https://vulnerability.circl.lu/sighting/84bc9e58-b273-4bdd-99f9-c07a34527470/export 2026-06-01T03:59:40.008579+00:00 Automation user https://vulnerability.circl.lu/user/automation {"uuid": "84bc9e58-b273-4bdd-99f9-c07a34527470", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23739", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3me72d5vhru2o", "content": "", "creation_timestamp": "2026-02-06T13:50:26.219065Z"} 2026-02-06T13:50:26.219065+00:00 https://vulnerability.circl.lu/sighting/9e3c9690-05d2-4baa-b049-219c583692d6/export 2026-06-01T03:59:40.007333+00:00 Joseph Lee https://vulnerability.circl.lu/user/syspect {"uuid": "9e3c9690-05d2-4baa-b049-219c583692d6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-2373", "type": "seen", "source": "https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2026-2373", "content": "", "creation_timestamp": "2026-03-17T03:16:14.000000Z"} 2026-03-17T03:16:14+00:00 https://vulnerability.circl.lu/sighting/721d3eee-c473-4a31-8a5f-a4b8d8232446/export 2026-06-01T03:59:40.007229+00:00 Automation user https://vulnerability.circl.lu/user/automation {"uuid": "721d3eee-c473-4a31-8a5f-a4b8d8232446", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23737", "type": "seen", "source": "https://gist.github.com/alon710/f37dde72118656f1c6b1cac083cc2cb1", "content": "# GHSA-9M65-766C-R333: GHSA-9M65-766C-R333: Type Confusion in Seroval Leading to Unintended Function Execution in TanStack Start\n\n> **CVSS Score:** 7.1\n> **Published:** 2026-05-14\n> **Full Report:** https://cvereports.com/reports/GHSA-9M65-766C-R333\n\n## Summary\nA type confusion vulnerability in the `seroval` deserialization library (CWE-843) exposes TanStack Start server functions to unintended sibling function invocation. Upstream, this flaw can lead to remote code execution (CVE-2026-23737).\n\n## TL;DR\nTanStack Start is vulnerable to deserialization type confusion via the `seroval` library. Attackers can craft JSON payloads to silently trigger unintended server functions, bypassing request-level middleware and audit logs.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-843\n- **Attack Vector**: Network\n- **Upstream CVSS**: 7.1\n- **TanStack Start CVSS**: Low\n- **Impact**: Unintended Function Execution / Upstream RCE\n- **Exploit Status**: Theoretical / Multi-stage\n\n## Affected Systems\n\n- TanStack Start Server Core\n- Seroval Deserialization Library\n- React Server Components utilizing affected TanStack packages\n- Solid Start utilizing affected TanStack packages\n- **@tanstack/start-server-core**: < 1.167.30 (Fixed in: `1.167.30`)\n- **seroval**: <= 1.5.2 (Fixed in: `1.5.3`)\n\n## Mitigation\n\n- Upgrade `@tanstack/start-server-core` to `1.167.30` or higher.\n- Upgrade `seroval` to `1.5.3` or higher.\n- Enforce strict input validation on all client-exposed server functions.\n- Implement authentication and authorization checks exclusively at the function level via middleware.\n\n**Remediation Steps:**\n1. Identify all projects utilizing TanStack Start or standalone `seroval`.\n2. Execute `npm install @tanstack/start-server-core@latest seroval@latest` to fetch the patched versions.\n3. Verify the dependency tree using `npm ls seroval` to ensure no transitive dependencies are locking an outdated version.\n4. Audit all `createServerFn` implementations to confirm the presence of `.inputValidator()` and `.middleware()` directives.\n5. Deploy the updated application to all environments.\n\n## References\n\n- [TanStack Router Security Advisory](https://github.com/TanStack/router/security/advisories/GHSA-9m65-766c-r333)\n- [Seroval Upstream Advisory](https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3rxj-6cgf-8cfw)\n- [CVE-2026-23737 Details](https://nvd.nist.gov/vuln/detail/CVE-2026-23737)\n- [OSV Data for GHSA-9m65-766c-r333](https://osv.dev/vulnerability/GHSA-9m65-766c-r333)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-9M65-766C-R333) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-14T18:10:29.000000Z"} 2026-05-14T18:10:29+00:00 https://vulnerability.circl.lu/sighting/128f0773-8983-442d-a46d-7af7b61fbe93/export 2026-06-01T03:59:40.007114+00:00 Automation user https://vulnerability.circl.lu/user/automation {"uuid": "128f0773-8983-442d-a46d-7af7b61fbe93", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-23734", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116612099529875004", "content": "\u26a0\ufe0f CRITICAL: CVE-2026-23734 in XWiki Platform (xwiki-commons) allows unauthenticated path traversal \u2014 attackers can read config files via crafted 'resource' parameters. Patch to 18.1.0-rc-1, 17.10.3, 17.4.9, or 16.10.17+ now! https://radar.offseq.com/threat/cve-2026-23734-cwe-23-relative-path-traversal-in-x-16518aab #OffSeq #xwiki #vuln", "creation_timestamp": "2026-05-21T10:30:29.608958Z"} 2026-05-21T10:30:29.608958+00:00 https://vulnerability.circl.lu/sighting/135be95b-bcc3-4d8c-a418-348b2c16b518/export 2026-06-01T03:59:40.002854+00:00 Automation user https://vulnerability.circl.lu/user/automation {"uuid": "135be95b-bcc3-4d8c-a418-348b2c16b518", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-23734", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3mme7ngimaj23", "content": "CRITICAL: XWiki xwiki-commons path traversal lets attackers read config files unauthenticated. Affects <18.1.0-rc-1, <17.10.3, <17.4.9, <16.10.17. Patch immediately! \ud83d\udd12 https://radar.offseq.com/threat/cve-2026-23734-cwe-23-relative-path-traversal-in-x-16518aab #OffSeq #xwiki #security", "creation_timestamp": "2026-05-21T10:30:32.051692Z"} 2026-05-21T10:30:32.051692+00:00