


Perceptive Security
SOC/SIEM Consultancy
Latest Security Advisories
Alert date:
23 April 2026 at 19:01:54
bleepingcomputer.com
Trigona ransomware operators are now using a custom command-line exfiltration tool to steal data from compromised environments. The tool is built for faster, more streamlined data extraction before encryption, an evolution in Trigona's attack methodology that makes its operations more damaging to victims.
Alert date:
23 April 2026 at 19:01:54
thehackernews.com
The threat actor UNC6692 conducts social engineering attacks by impersonating IT helpdesk staff over Microsoft Teams. The group persuades victims to accept chat invitations from fake accounts and then deploys its custom SNOW malware suite. This is a novel use of an enterprise collaboration platform for initial access and malware deployment.
Alert date:
23 April 2026 at 19:01:54
nvd.nist.gov
A NoSQL injection vulnerability in Rocket.Chat can lead to account takeover of the first user with a generated token when an OAuth app is configured. Fixes are in 8.3.0, 8.2.1, 8.1.2, 8.0.3, 7.13.5, 7.12.6, 7.11.6 and 7.10.9; earlier releases on each of those branches are affected. The flaw is rated critical because the injection, reached through the OAuth configuration path, hands an attacker another user's account; operators should update to the fixed release for their branch.
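The operator-injection class behind this advisory, as an added Python example that is not Rocket.Chat's code (the project is JavaScript; Python is used for every example on this page). The user records, token strings and the login functions are constructed for illustration, and the in-memory find_one implements only the slice of MongoDB filter semantics needed to show the effect: when the token in a lookup comes straight from a parsed JSON body, an object such as {"$ne": null} is treated as an operator rather than a value and matches the first document that has any token at all.

```python
import json

# Constructed stand-in for a users collection (not Rocket.Chat data). A
# query that matches "any token" returns the first document, i.e. "admin".
USERS = [
    {"_id": "u1", "username": "admin", "token": "tok-admin-9f3a"},
    {"_id": "u2", "username": "alice", "token": "tok-alice-17c2"},
]

def _match_field(value, cond):
    """Minimal subset of MongoDB filter semantics: plain equality, or a dict
    of $-operators. Enough to show how a JSON object in place of a string
    changes the meaning of a query."""
    if isinstance(cond, dict) and cond and all(k.startswith("$") for k in cond):
        for op, arg in cond.items():
            if op == "$ne":
                if value == arg:
                    return False
            elif op == "$exists":
                if (value is not None) != bool(arg):
                    return False
            elif op == "$gt":
                try:
                    if value is None or not value > arg:
                        return False
                except TypeError:
                    return False
            else:
                raise ValueError(f"unsupported operator {op}")
        return True
    return value == cond

def find_one(collection, query):
    """Return the first document satisfying every field condition."""
    for doc in collection:
        if all(_match_field(doc.get(f), c) for f, c in query.items()):
            return doc
    return None

def login_by_token_vulnerable(raw_body: str):
    """The token is taken from the parsed JSON body as-is. A body of
    {"token": {"$ne": null}} is interpreted as an operator, not a value,
    so the lookup matches the first user that has any token."""
    body = json.loads(raw_body)
    return find_one(USERS, {"token": body.get("token")})

def login_by_token_hardened(raw_body: str):
    """Same lookup, but the token must be a non-empty string before it is
    allowed anywhere near the query. Operator objects never reach find_one."""
    body = json.loads(raw_body)
    token = body.get("token")
    if not isinstance(token, str) or not token:
        raise ValueError("token must be a non-empty string")
    return find_one(USERS, {"token": token})

def lookup_outcome(raw_body: str, hardened: bool) -> str:
    """Which username a request would be logged in as, or 'rejected' when
    the hardened check refuses the input."""
    fn = login_by_token_hardened if hardened else login_by_token_vulnerable
    try:
        doc = fn(raw_body)
    except ValueError:
        return "rejected"
    return doc["username"] if doc else "no match"
```

The type check is the whole fix: a database driver cannot tell a string the user typed from an operator object the user typed once both arrive as parsed JSON, so the application has to refuse the wrong type before building the filter.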
Alert date:
23 April 2026 at 19:01:54
nvd.nist.gov
Yadea T5 Electric Bicycles manufactured in 2024 and later contain a critical authentication vulnerability in their keyless entry system. The vulnerability stems from the use of the EV1527 fixed-code RF protocol without proper security mechanisms like rolling codes or cryptographic challenge-response. Attackers can perform replay attacks by intercepting legitimate key fob transmissions, allowing complete unauthorized vehicle operation. This represents a significant security flaw affecting the physical security of electric bicycles through RF signal manipulation.
Alert date:
23 April 2026 at 18:00:49
cisa.gov
CVE-2026-39987 is a critical pre-authentication remote code execution vulnerability in Marimo that lets unauthenticated attackers obtain shell access and run arbitrary system commands, which can lead to complete system compromise. The vulnerability is documented by CISA and tracked in GitHub security advisories. Because no credentials are needed to reach it, organizations using Marimo should patch immediately.
Alert date:
23 April 2026 at 17:04:31
nvd.nist.gov
hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. A script on a foreign site could trigger requests to the Hackage server, abusing a visitor's latent credentials to upload packages or perform administrative actions, and some unauthenticated actions, such as creating new user accounts, could be triggered the same way. The flaw affects the security of package uploads and administrative functions on the platform.
Alert date:
23 April 2026 at 17:04:31
cisa.gov
CISA issued an advisory for CVE-2025-70994 affecting all versions of Yadea T5 Electric Bicycles. The vulnerability involves weak authentication mechanisms that allow local attackers to intercept key fob transmissions and forge signals to unlock and start the bicycle, potentially leading to vehicle theft. The vulnerability has a CVSS score of 7.3 (High). Yadea did not respond to CISA's coordination attempts. Users are advised to use external locking mechanisms and keep systems updated. The vulnerability requires local access and user interaction but does not require privileges.
Alert date:
23 April 2026 at 17:04:31
nvd.nist.gov
Kofax Capture (Tungsten Capture) version 6.0.0.0 exposes an unauthenticated .NET Remoting HTTP channel on port 2424 through the Ascent Capture Service. The service uses a deprecated remoting channel with a publicly known endpoint identifier, so remote unauthenticated attackers can abuse .NET Remoting object unmarshalling to instantiate System.Net.WebClient objects, giving arbitrary file read and write on the server filesystem. Attackers can also coerce NTLMv2 authentication to attacker-controlled hosts for credential disclosure. Depending on the service's privileges, the outcome ranges from denial of service to remote code execution or lateral movement.
Alert date:
23 April 2026 at 17:04:31
cisa.gov
SpiceJet's online booking system contains two high-severity vulnerabilities that allow unauthorized access to passenger data. CVE-2026-6375 enables unauthenticated users to query passenger name records (PNRs) through predictable identifiers due to missing authorization checks. CVE-2026-6376 allows access to full passenger booking details using only PNR and last name without authentication. Both vulnerabilities affect all versions of the SpiceJet Online Booking System and could lead to sensitive information disclosure. SpiceJet has not responded to CISA's coordination attempts, leaving the vulnerabilities unpatched.
Alert date:
23 April 2026 at 17:04:31
nvd.nist.gov
A stored Cross-Site Scripting (XSS) vulnerability exists in hackage-server: user-controlled metadata from .cabal files is rendered into HTML href attributes without proper sanitization, so an attacker can inject script that executes when a user interacts with the affected page. The payload persists in the Haskell package repository and could be used to compromise user accounts or steal sensitive information.
Alert date:
23 April 2026 at 17:04:31
nvd.nist.gov
A critical XSS vulnerability in hackage-server and hackage.haskell.org allows malicious package maintainers to serve HTML and JavaScript files directly on the main domain. When users with HTTP credentials browse affected package pages or documentation, their sessions can be hijacked. Attackers can then upload packages, modify documentation, amend maintainer information, change package metadata, or perform any authorized actions on behalf of the compromised user. The vulnerability stems from serving user-provided HTML and JavaScript content without proper sanitization or domain isolation.
Alert date:
23 April 2026 at 17:04:31
cisa.gov
Critical authentication bypass vulnerability (CVE-2025-65856) in Hangzhou Xiongmai Technology XM530 IP cameras allows unauthenticated remote attackers to access sensitive device information and live video streams. The vulnerability affects firmware V5.00.R02.000807D8.10010.346624.S.ONVIF_21.06 where the ONVIF implementation fails to enforce authentication on 31 critical endpoints. CVSS score of 9.8 (Critical). Vendor has not responded to CISA requests for mitigation. Proof of concept is publicly available. Devices are deployed worldwide in commercial facilities.
Alert date:
23 April 2026 at 17:04:31
cisa.gov
Multiple critical vulnerabilities affecting over 70 models of Milesight AIOT cameras including authorization bypass, hard-coded credentials, cryptographic key issues, command injection, and heap-based buffer overflow. CVSS scores range from 6.8 to 9.8. Successful exploitation could crash devices or allow remote code execution. Affects commercial facilities sector worldwide with company headquarters in China.
Alert date:
23 April 2026 at 17:04:31
bleepingcomputer.com
Hackers compromised Docker images, VSCode and Open VSX extensions for the Checkmarx KICS analysis tool to harvest sensitive data from developer environments. This supply chain attack targets development tools and infrastructure, potentially affecting numerous software development organizations using the compromised KICS security analysis tool. The breach demonstrates the continued targeting of developer toolchains as an attack vector.
Alert date:
23 April 2026 at 17:04:31
cisa.gov
Critical vulnerability CVE-2026-3893 affects Carlson Software VASCO-B GNSS Receiver versions below 1.4.0. The device lacks authentication mechanisms, allowing remote attackers with network access to directly modify configuration and operational functions without credentials. This missing authentication for critical functions has a CVSS score of 9.4 (Critical). The vulnerability affects critical manufacturing infrastructure worldwide. Carlson Software recommends updating to version 1.4.0 or greater to address this issue. No known public exploitation has been reported to CISA at this time.
Alert date:
23 April 2026 at 17:04:31
cisa.gov
Critical path traversal vulnerability (CVE-2026-6074) in Intrado 911 Emergency Gateway (EGW) versions 5.x, 6.x, and 7.x allows unauthenticated attackers with network access to access the management interface and read, modify, or delete files. The vulnerability has a CVSS score of 9.8 (Critical) and affects emergency services infrastructure worldwide. Intrado released a software update on March 2nd, 2026, and has contacted customers to coordinate patching. The vulnerability was reported anonymously to CISA and no known public exploitation has been reported.
Alert date:
23 April 2026 at 17:04:31
nvd.nist.gov
CVE-2025-62373 affects Pipecat versions 0.0.41 through 0.0.93, an open-source Python framework for building real-time voice and multimodal conversational agents. The vulnerability exists in the LivekitFrameSerializer class which uses unsafe pickle.loads() deserialization on WebSocket data without validation. Attackers can send malicious pickle payloads to achieve remote code execution on servers using this component. The vulnerable code is in src/pipecat/serializers/livekit.py around line 73. Version 0.0.94 contains a fix. The affected component is optional, non-default, and now deprecated.
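The deserialization failure this advisory describes, and two ways to close it, as an added Python example that is not Pipecat's code. _Payload is a constructed stand-in for a hostile frame: its __reduce__ method asks the unpickler to call an importable callable on load, which is the mechanism every pickle RCE payload relies on (the harmless str.upper here; a real payload names os.system or similar). The frame shapes and function names are assumptions, not Pipecat's serializer API.

```python
import io
import json
import pickle

class _Payload:
    """Constructed hostile object: pickling it records a call to str.upper,
    which the unpickler performs on load. Swap in os.system and the same
    bytes run a shell command on whatever calls pickle.loads."""
    def __reduce__(self):
        return (str.upper, ("payload executed",))

def build_hostile_frame() -> bytes:
    return pickle.dumps(_Payload())

def build_benign_frame() -> bytes:
    # What a legitimate frame from a trusted peer might look like (assumed shape).
    return pickle.dumps({"type": "audio", "sample_rate": 16000, "samples": 3})

def deserialize_vulnerable(data: bytes):
    """The pattern the advisory describes: pickle.loads on bytes that arrived
    over a WebSocket, with no restriction on what they may construct."""
    return pickle.loads(data)

class _NoGlobalsUnpickler(pickle.Unpickler):
    """Every callable a pickle can invoke is resolved through find_class.
    Refusing all of them leaves only plain data (dicts, lists, strings,
    numbers) loadable; any __reduce__ payload aborts here."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")

def deserialize_restricted(data: bytes):
    return _NoGlobalsUnpickler(io.BytesIO(data)).load()

def restricted_load_report(data: bytes):
    """('ok', value) for data-only pickles, ('rejected', reason) otherwise."""
    try:
        return ("ok", deserialize_restricted(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))

def frame_to_json(frame: dict) -> bytes:
    """Preferred fix for wire data: a format with no code-loading semantics."""
    return json.dumps(frame).encode("utf-8")

def frame_from_json(data: bytes) -> dict:
    frame = json.loads(data.decode("utf-8"))
    if not isinstance(frame, dict) or "type" not in frame:
        raise ValueError("malformed frame")
    return frame
```

The restricted unpickler is the containment option when a pickle-based wire format cannot be replaced at once; the JSON pair is the actual fix, since the problem is the format, not the sender.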
Alert date:
23 April 2026 at 17:04:31
nvd.nist.gov
SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where the text parameter is not properly sanitized. Unauthenticated remote attackers can exploit this to read arbitrary database data, reset administrator passwords, and gain unauthorized access to the Admin Panel's Packages Manager. This access potentially enables remote code execution on affected systems. The vulnerability affects the activity index endpoint and allows complete compromise of SocialEngine installations.
Alert date:
23 April 2026 at 16:01:32
stepsecurity.io
The official Bitwarden CLI package (@bitwarden/cli@2026.4.0) on npm was compromised with malicious code that installs a credential stealer targeting developer secrets, GitHub Actions, and AI tool configurations. The malware uses a preinstall hook to bootstrap the Bun JavaScript runtime and execute a 9.7 MB obfuscated payload. Stolen data is encrypted with AES-256-GCM and sent to audit.checkmarx.cx, a domain impersonating Checkmarx. When GitHub tokens are found, the malware injects malicious workflows into repositories to extract CI/CD secrets, creating a supply chain attack vector.
Alert date:
23 April 2026 at 16:01:31
cisa.gov
CISA analyzed FIRESTARTER, a backdoor used by APT actors for persistence on Cisco Firepower and Secure Firewall devices running ASA or FTD software. The actors exploit CVE-2025-20333 and CVE-2025-20362 for initial access; FIRESTARTER then hooks LINA to execute arbitrary shellcode and persists across firmware updates, patching and device reboots. Only a hard power cycle removes its persistence mechanism.
Alert date:
23 April 2026 at 15:02:55
socket.dev
Socket researchers discovered that Bitwarden CLI version 2026.4.0 was compromised as part of the ongoing Checkmarx supply chain campaign. The attack leveraged a compromised GitHub Action in Bitwarden's CI/CD pipeline, with malicious code published in the bw1.js file. This compromise follows the same GitHub Actions supply chain attack vector identified in the broader Checkmarx campaign affecting multiple repositories. The attack represents an active supply chain compromise targeting development tools and CI/CD pipelines.
Alert date:
23 April 2026 at 15:02:55
nvd.nist.gov
CVE-2026-41564 affects CryptX versions before 0.088 for Perl, where cryptographic modules fail to reseed PRNG state after forking. The vulnerability causes child processes to share identical PRNG state, leading to predictable randomized operations including key generation. Two ECDSA or DSA signatures from different processes can expose the private signing key through nonce-reuse attacks. This particularly impacts preforking web servers like Starman where crypto objects are inherited by worker processes. The flaw affects multiple cryptographic modules including RSA, DSA, DH, ECC, Ed25519, and X25519 implementations.
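The two halves of this advisory, PRNG state shared across fork() and the nonce-reuse attack it enables, as an added Python example that is not CryptX's code. Python's random module stands in for the Perl PRNG, a toy DSA group with p = 2039, q = 1019 and g = 4 (constructed, and far too small for real use) stands in for real key sizes, the worker messages are made up, and the inherited state is modelled with getstate()/setstate() rather than an actual fork so the example runs anywhere. The recovery arithmetic is the standard one for DSA and applies unchanged to ECDSA.

```python
import hashlib
import os
import random

# Toy DSA group, constructed for illustration and far too small for real use:
# p = 2q + 1 is a safe prime and g = 4 has order q in Z_p*.
P, Q, G = 2039, 1019, 4

def _h(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def dsa_sign(x: int, msg: bytes, rng: random.Random):
    """Textbook DSA. The nonce k is drawn from rng, retrying on the rare
    degenerate values, which is what a library does as well."""
    while True:
        k = rng.randrange(1, Q)
        r = pow(G, k, P) % Q
        if r == 0:
            continue
        s = (pow(k, -1, Q) * (_h(msg) + x * r)) % Q
        if s != 0:
            return r, s

def dsa_verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = (pow(G, (_h(msg) * w) % Q, P) * pow(y, (r * w) % Q, P)) % P
    return v % Q == r

def recover_private_key(msg1: bytes, sig1, msg2: bytes, sig2) -> int:
    """Two signatures made with the same k share r. From
    s_i = k^-1 (h_i + x r) mod q it follows that k = (h_1 - h_2)/(s_1 - s_2)
    and then x = (s_1 k - h_1)/r, all mod q."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("r differs: the nonce was not reused")
    k = ((_h(msg1) - _h(msg2)) * pow((s1 - s2) % Q, -1, Q)) % Q
    return ((s1 * k - _h(msg1)) * pow(r1, -1, Q)) % Q

MSG_A = b"request handled by worker A"   # constructed
MSG_B = b"request handled by worker B"   # constructed

def forked_workers_vulnerable(seed: int = 7):
    """Model of a preforking server: the parent seeds its PRNG once and each
    worker starts from a copy of that state, which is exactly what fork()
    hands a child when nothing reseeds. Returns (x, recovered_x)."""
    parent = random.Random(seed)
    x = parent.randrange(1, Q)              # private key made in the parent
    inherited = parent.getstate()           # the state every child inherits
    worker_a, worker_b = random.Random(), random.Random()
    worker_a.setstate(inherited)
    worker_b.setstate(inherited)
    sig_a = dsa_sign(x, MSG_A, worker_a)    # both workers draw the same k
    sig_b = dsa_sign(x, MSG_B, worker_b)
    return x, recover_private_key(MSG_A, sig_a, MSG_B, sig_b)

def forked_workers_reseeded(seed: int = 7) -> bool:
    """The fix: each child mixes fresh OS entropy into its PRNG before any
    use. Returns whether the two workers' signatures still share r."""
    parent = random.Random(seed)
    x = parent.randrange(1, Q)
    inherited = parent.getstate()
    workers = []
    for _ in range(2):
        w = random.Random()
        w.setstate(inherited)
        w.seed(os.urandom(32))              # what the post-fork hook must do
        workers.append(w)
    sig_a = dsa_sign(x, MSG_A, workers[0])
    sig_b = dsa_sign(x, MSG_B, workers[1])
    return sig_a[0] == sig_b[0]

def install_fork_reseed(rng: random.Random) -> None:
    """For a real process: re-seed rng from the OS in every forked child."""
    if hasattr(os, "register_at_fork"):
        os.register_at_fork(after_in_child=lambda: rng.seed(os.urandom(32)))

def sign_verify_roundtrip(seed: int = 1) -> bool:
    rng = random.Random(seed)
    x = rng.randrange(1, Q)
    return dsa_verify(pow(G, x, P), MSG_A, dsa_sign(x, MSG_A, rng))
```

Note that the key itself never leaves the parent; the workers only sign, and that is enough. Any crypto object whose RNG lives in process memory has to be reseeded in the child, and os.register_at_fork is the place to do it in Python; the Perl fix described in the advisory is the same idea applied to CryptX's own PRNG state.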
Alert date:
23 April 2026 at 15:02:55
thehackernews.com
Bitwarden CLI has been compromised as part of an ongoing Checkmarx supply chain campaign discovered by Socket. The affected package version is @bitwarden/cli@2026.4.0, with malicious code published in 'bw1.js' file included in the package contents. This represents an active supply chain attack targeting the popular password manager's command-line interface tool. The attack appears to have leveraged compromised package distribution to inject malicious code into legitimate software. Organizations using the affected Bitwarden CLI version should take immediate action to assess potential impact.
Alert date:
23 April 2026 at 15:02:55
nvd.nist.gov
The Breeze Cache plugin for WordPress contains a critical arbitrary file upload vulnerability in versions up to 2.4.4. The vulnerability exists in the 'fetch_gravatar_from_remote' function due to missing file type validation. Unauthenticated attackers can exploit this to upload arbitrary files to the server, potentially enabling remote code execution. The vulnerability requires the 'Host Files Locally - Gravatars' feature to be enabled, which is disabled by default. This represents a high-severity security risk for WordPress sites using the affected plugin versions.
Alert date:
23 April 2026 at 15:02:55
nvd.nist.gov
CVE-2026-39440 is a code injection vulnerability in the FunnelFormsPro WordPress plugin by Funnelforms LLC that allows remote code inclusion. It affects all versions through 3.8.1 (the earliest affected version is not specified) and is classified as 'Improper Control of Generation of Code', a flaw that lets an attacker execute arbitrary code and could allow complete system compromise. Organizations running affected versions should patch or mitigate immediately.
Alert date:
23 April 2026 at 13:01:25
bleepingcomputer.com
A newly discovered state-backed threat actor named GopherWhisper has been identified conducting attacks against government entities. The group uses a custom Go-based toolkit and leverages legitimate communication services including Microsoft 365 Outlook, Slack, and Discord for command and control communications. This represents a sophisticated APT campaign that abuses trusted platforms to evade detection while targeting government infrastructure.
Alert date:
23 April 2026 at 13:01:25
thehackernews.com
Anthropic announced Project Glasswing, an AI model highly effective at discovering software vulnerabilities. The company postponed public release due to security concerns and instead provided access to major tech companies including Apple, Microsoft, Google, and Amazon to find and patch bugs before adversaries can exploit them. The underlying model, Mythos Preview, demonstrated significant capability in automated vulnerability detection, raising questions about who will handle the remediation of AI-discovered security flaws.
Alert date:
23 April 2026 at 12:01:20
bleepingcomputer.com
CISA has ordered U.S. federal agencies to patch a Microsoft Defender privilege escalation vulnerability known as BlueHammer that has been actively exploited in zero-day attacks. The flaw allows attackers to escalate privileges on affected systems. Federal agencies must apply patches to address this critical security vulnerability that poses significant risk to government systems.
Alert date:
23 April 2026 at 11:02:17
nvd.nist.gov
CVE-2026-6887 affects Borg SPM 2007, a sales management system developed by BorG Technology Corporation (sales ended in 2008). The vulnerability allows unauthenticated remote attackers to perform SQL injection attacks, enabling them to inject arbitrary SQL commands into the database. Attackers can exploit this vulnerability to read sensitive data from the database, modify existing records, or delete database contents entirely. Despite the product being discontinued, systems may still be in use and vulnerable to attack. The vulnerability poses significant risk due to the lack of authentication requirements and the potential for complete database compromise.
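The injection pattern in this item and in the SocialEngine text parameter above, as an added Python example that is neither product's code. It uses an in-memory SQLite database with constructed tables (activity, users) and rows; the vulnerable search splices the parameter into the statement, a UNION payload reads the constructed admin password hash through it, and the parameterized version returns nothing for the same input.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory database with constructed rows; the table and column names
    are assumptions, not SocialEngine's or Borg SPM's schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE activity (id INTEGER PRIMARY KEY, text TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT,
                            password_hash TEXT, is_admin INTEGER);
        INSERT INTO activity (text) VALUES ('hello world'), ('second post');
        INSERT INTO users (name, password_hash, is_admin) VALUES
            ('admin', '$2y$10$constructed.admin.hash', 1),
            ('bob',   '$2y$10$constructed.bob.hash',   0);
    """)
    return conn

def search_vulnerable(conn, text: str):
    """The advisory's pattern: the request parameter is spliced into the
    statement, so quotes and keywords in it become SQL grammar."""
    sql = f"SELECT id, text FROM activity WHERE text LIKE '%{text}%'"
    return conn.execute(sql).fetchall()

def search_parameterized(conn, text: str):
    """The driver transmits the value separately from the statement; no
    content of `text` can change which tables or columns are read."""
    sql = "SELECT id, text FROM activity WHERE text LIKE ?"
    return conn.execute(sql, (f"%{text}%",)).fetchall()

# Constructed UNION payload: closes the LIKE literal, appends a second SELECT
# over the users table, and comments out the trailing %' the template adds.
UNION_PAYLOAD = ("' UNION SELECT id, name || ':' || password_hash "
                 "FROM users WHERE is_admin = 1 -- ")

def leaked_admin_rows(rows):
    """Rows whose 'text' column is really an admin credential from users."""
    return [r for r in rows if isinstance(r[1], str) and r[1].startswith("admin:")]
```

Reading the hash is the first step the advisories describe; whether the same hole also allows the password reset and record deletion they mention depends on the database and driver (stacked statements, UPDATE in subqueries), not on anything the application controls once the string is spliced in.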
Alert date:
23 April 2026 at 11:02:17
unit42.paloaltonetworks.com
Unit 42 describes building a multi-agent AI system that autonomously conducts attacks against cloud environments and shares the lessons learned from it. The work shows AI-driven offensive capability against cloud targets as an emerging threat and argues for proactive defensive measures.
Alert date:
23 April 2026 at 11:02:17
nvd.nist.gov
CVE-2026-6886 affects Borg SPM 2007, a product developed by BorG Technology Corporation that ended sales in 2008. The vulnerability allows authentication bypass, enabling unauthenticated remote attackers to log into the system as any user. This represents a critical security flaw that completely circumvents the authentication mechanism. The affected product is legacy software that is no longer sold or likely supported. Remote exploitation capability makes this a high-severity issue despite the product's age.
Alert date:
23 April 2026 at 11:02:17
isc.sans.edu
Apple released iOS/iPadOS 26.4.2 and iOS/iPadOS 18.7.8 updates to address a single vulnerability in Notification Services. The vulnerability is identified as CVE-2026-28950 and has been actively exploited in the wild. This is a targeted security update focusing specifically on fixing this exploited flaw. The update affects both iOS and iPadOS platforms across multiple versions. Apple's rapid response indicates the severity of this vulnerability.
Alert date:
23 April 2026 at 11:02:17
nvd.nist.gov
CVE-2026-6885 affects Borg SPM 2007 developed by BorG Technology Corporation, which had sales ended in 2008. The vulnerability allows arbitrary file upload by unauthenticated remote attackers. Attackers can upload and execute web shell backdoors on the server. This enables arbitrary code execution with remote access capabilities. The product is legacy software that is no longer sold or supported. Despite being end-of-life, systems may still be running this vulnerable software in production environments.
Alert date:
23 April 2026 at 10:01:03
thehackernews.com
A previously undocumented China-aligned APT group called GopherWhisper has infected 12 Mongolian government systems. The group uses a wide array of tools, mostly written in Go, with injectors and loaders that deploy and execute various backdoors, a significant targeting of Mongolian governmental institutions by a China-aligned actor with a Go-based malware arsenal.
Alert date:
23 April 2026 at 10:01:03
thehackernews.com
Vercel discovered additional compromised customer accounts in a security incident linked to Context.ai that enabled unauthorized access to internal systems. The company expanded its investigation to include more compromise indicators and reviewed network requests. This represents an ongoing data breach affecting multiple customer accounts with potential for unauthorized system access.
Alert date:
23 April 2026 at 05:01:52
nvd.nist.gov
Froxlor server administration software contains a privilege escalation vulnerability prior to version 2.3.6. The DataDump.add() function constructs export destination paths from user input without proper symlink validation, bypassing security controls added for CVE-2023-6069. When ExportCron runs as root, it executes 'chown -R' on resolved symlink targets, allowing customers to take ownership of arbitrary system directories. This represents a complete system compromise scenario where unprivileged users can escalate to root-level access through symlink manipulation.
Alert date:
23 April 2026 at 05:01:52
nvd.nist.gov
Froxlor server administration software prior to version 2.3.6 contains a vulnerability in the DomainZones::add() function that accepts arbitrary DNS record types without proper validation. The flaw allows authenticated customers to bypass content validation by submitting DNS types not covered by the validation chain (NAPTR, PTR, HINFO). Newline characters in the content field are not sanitized and survive processing, enabling injection of arbitrary DNS records and BIND directives ($INCLUDE, $ORIGIN, $GENERATE) into domain zone files. The vulnerability is fixed in version 2.3.6.
Alert date:
23 April 2026 at 05:01:52
nvd.nist.gov
Froxlor server administration software prior to version 2.3.6 contains a critical PHP code injection vulnerability. The PhpHelper::parseArrayToString() function fails to escape single quotes in string literals. When an admin with change_serversettings permission updates MySQL server settings via API, the privileged_user parameter is written unescaped into lib/userdata.inc.php. This allows arbitrary PHP code injection that executes on every page load as the web server user. The vulnerability affects the core userdata.inc.php file which is required on every request through Database::getDB().
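What an unescaped single quote does to a generated PHP configuration file, as an added illustration written in Python rather than PHP and not Froxlor's code. The $sql['privileged_user'] line is an assumed shape for the generated file, and php_literal_end follows PHP's rules for single-quoted strings (only \' and \\ are escape sequences), so the generated text can be checked here without a PHP interpreter.

```python
def php_quote_vulnerable(value: str) -> str:
    """Wraps the value in single quotes without escaping anything."""
    return f"'{value}'"

def php_quote(value: str) -> str:
    """Escapes the only two sequences PHP recognises inside '...': a
    backslash and a single quote. Backslashes first, or the escape added
    for the quote would itself be doubled."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def render_userdata(settings: dict, quote=php_quote) -> str:
    """Generate a userdata.inc.php-style file from admin-supplied settings.
    The $sql array and key names are an assumed layout for illustration."""
    lines = ["<?php"]
    for key, value in settings.items():
        lines.append(f"$sql['{key}'] = {quote(value)};")
    return "\n".join(lines) + "\n"

def php_literal_end(src: str, start: int) -> int:
    """Index just past the single-quoted literal beginning at src[start],
    following PHP's tokenizer: a backslash only escapes a following ' or \\."""
    if src[start] != "'":
        raise ValueError("not at a literal")
    i = start + 1
    while i < len(src):
        if src[i] == "\\" and i + 1 < len(src) and src[i + 1] in "'\\":
            i += 2
        elif src[i] == "'":
            return i + 1
        else:
            i += 1
    raise ValueError("unterminated literal")

def code_after_value(rendered: str, key: str) -> str:
    """For the assignment of `key`, return what PHP would see after the
    value literal ends. It should be exactly ';' for safe output."""
    prefix = f"$sql['{key}'] = "
    for line in rendered.splitlines():
        if line.startswith(prefix):
            return line[php_literal_end(line, len(prefix)):]
    raise KeyError(key)

# Constructed attacker-chosen setting value: closes the literal, adds a
# statement, and comments out the rest of the generated line.
INJECTED_VALUE = "froxlor'; system('id'); //"
```

The file is parsed on every request, so the injected statement runs on every page load as the web server user, exactly the impact the advisory states; generating PHP with var_export() or writing the values to a non-executable format (JSON, .env) avoids hand-rolled quoting altogether.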
Alert date:
23 April 2026 at 05:01:52
nvd.nist.gov
Froxlor server administration software versions prior to 2.3.6 contain a path traversal vulnerability in the API endpoints Customers.update and Admins.update. The def_language parameter is not properly validated against available language files, allowing authenticated users to inject path traversal payloads. When Language::loadLanguage() processes these malicious paths, it can lead to arbitrary PHP code execution as the web server user. The vulnerability has been patched in version 2.3.6.
Alert date:
23 April 2026 at 03:01:27
nvd.nist.gov
A privilege escalation vulnerability in Paperclip AI server versions prior to 2026.416.0 allows attackers with Agent API keys to execute arbitrary OS commands on the server host. The vulnerability occurs through the /agents/:id API endpoint where agents can update their adapterConfig, and the provisionCommand field is executed by the server runtime. This breaks the trust boundary between agent runtime and server host, enabling remote code execution. The issue is fixed in version 2026.416.0.
Alert date:
23 April 2026 at 03:01:27
nvd.nist.gov
Critical vulnerability in Paperclip, a Node.js server and React UI that orchestrates AI agents for business operations. Prior to version 2026.416.0, unauthenticated attackers can achieve full remote code execution on network-accessible instances running in authenticated mode with default configuration. The attack requires no user interaction or credentials, only the target's address. The exploit chain consists of six automated API calls that work against default deployment configurations. Version 2026.416.0 patches this critical security issue.
Alert date:
23 April 2026 at 03:01:27
nvd.nist.gov
PsiTransfer, an open source file sharing solution, contains a critical vulnerability prior to version 2.4.3. The issue stems from inconsistent path validation in the upload PATCH flow, where the system validates encoded request paths but writes using decoded parameters. This allows unauthenticated attackers to exploit path traversal via URL encoding discrepancies. In specific deployment configurations with custom PSITRANSFER_UPLOAD_DIR settings, attackers can create malicious config files in the application root. These attacker-controlled JavaScript files are executed upon process restart, leading to remote code execution. The vulnerability affects the /files/:uploadId endpoint and has been patched in version 2.4.3.
Alert date:
22 April 2026 at 23:01:43
nvd.nist.gov
Statamic CMS versions prior to 5.73.20 and 6.13.0 contain a vulnerability allowing manipulation of query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, resulting in potential loss of content, assets, and user accounts. The Control Panel exploit requires minimal authentication permissions, while REST and GraphQL API exploits require no permissions but must be explicitly enabled. Sites with unauthenticated REST or GraphQL APIs should prioritize patching. Fixed in versions 5.73.20 and 6.13.0.
Alert date:
22 April 2026 at 23:01:43
nvd.nist.gov
radare2 versions prior to 6.1.4 contain a critical command injection vulnerability in the PDB parser's print_gvars() function. Attackers can craft malicious PDB files with newline characters in symbol names to inject arbitrary radare2 commands. The vulnerability occurs through unsanitized symbol name interpolation in the flag rename command. When users run the idp command against a malicious PDB file, the injected commands execute, potentially leading to arbitrary OS command execution through radare2's shell execution operator. This represents a significant security risk for users analyzing untrusted PDB files.
Alert date:
22 April 2026 at 23:01:43
nvd.nist.gov
WeKan versions before 8.35 contain a missing authorization vulnerability in Integration REST API endpoints. The vulnerability allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can exploit insufficient authorization checks in JsonRoutes REST handlers to enumerate integrations including webhook URLs, create new integrations, modify or delete existing integrations, and manage integration activities. This represents a privilege escalation vulnerability where lower-privileged users can perform administrative functions.
Alert date:
22 April 2026 at 23:01:43
nvd.nist.gov
WeKan versions before 8.35 contain a server-side request forgery (SSRF) vulnerability in webhook integration URL handling. The vulnerability allows attackers who can create or modify integrations to set webhook URLs to internal network addresses. This causes the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads. Additionally, attackers can exploit response handling to overwrite arbitrary comment text without proper authorization checks. The vulnerability stems from the url schema field accepting any string without protocol restriction or destination validation.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
WWBN AVideo, an open source video platform, contains a vulnerability in versions up to 29.0 where an incomplete fix for test.php adds escapeshellarg for wget but leaves file_get_contents and curl code paths unsanitized. The URL validation regex /^http/ accepts malicious strings like httpevil.com, allowing potential exploitation. This represents an incomplete security fix that leaves multiple attack vectors open for exploitation through unsanitized input handling.
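Destination validation for server-side fetches, as an added Python example serving both this item (a scheme check that is only a prefix match) and the WeKan webhook SSRF above; it is neither project's code. The blocked ranges are the usual loopback, RFC 1918, link-local, shared-address, multicast and IPv4-mapped IPv6 prefixes, and the DNS table used for resolution is constructed so the example runs offline.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

def accepts_url_vulnerable(url: str) -> bool:
    """The advisory's check as stated: /^http/ with no separator, so
    'httpevil.com' passes and anything beginning with 'http' is a 'URL'."""
    return re.match(r"^http", url) is not None

# Address ranges a server-side fetch should never be pointed at. Extend with
# cloud metadata endpoints and your own service CIDRs as needed.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "::ffff:0:0/96", "fc00::/7", "fe80::/10",
)]

def is_public_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in BLOCKED_NETS)

# Constructed DNS table so the example runs offline; pass socket.getaddrinfo
# (the default) for real lookups.
_FAKE_DNS = {"hooks.example.com": "203.0.113.10", "internal.corp": "10.0.0.5"}

def fake_resolver(host, port, *args):
    if host not in _FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (_FAKE_DNS[host], port))]

def validate_webhook_url(url: str, resolver=socket.getaddrinfo) -> str:
    """Scheme allowlist, no userinfo, and every address the host resolves to
    must be public. Returns the URL unchanged if it passes."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme or 'none'}")
    if not parts.hostname:
        raise ValueError("missing host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed")
    try:
        addrs = [str(ipaddress.ip_address(parts.hostname))]   # literal IP
    except ValueError:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        try:
            infos = resolver(parts.hostname, port)
        except socket.gaierror as exc:
            raise ValueError(f"host does not resolve: {exc}")
        addrs = [info[4][0] for info in infos]
    for addr in addrs:
        if not is_public_address(addr):
            raise ValueError(f"destination {addr} is not a public address")
    return url

def classify_webhook_url(url: str, resolver=socket.getaddrinfo) -> str:
    try:
        validate_webhook_url(url, resolver)
        return "allowed"
    except ValueError as exc:
        return f"rejected: {exc}"
```

The name is resolved at validation time; a host that changes its answer between validation and the webhook call (DNS rebinding) defeats this unless the same check is repeated against the address actually connected to, which belongs in the HTTP client, not in the form handler.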
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
Beghelli Sicuro24 SicuroWeb embeds end-of-life AngularJS 1.5.2 containing sandbox escape primitives. Combined with template injection, attackers can escape the AngularJS sandbox and achieve arbitrary JavaScript execution in operator browser sessions. This enables session hijacking, DOM manipulation, and persistent browser compromise. Network-adjacent attackers can exploit this via MITM attacks in plaintext HTTP deployments without user interaction.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
A vulnerability in nimiq-primitives prior to version 1.3.0 allows untrusted P2P peers to cause node panics by announcing election macro blocks with invalid compressed BLS voting keys. The issue occurs when hashing election macro headers that contain invalid validator voting keys, causing the validator.voting_key.uncompress().unwrap() function to panic on invalid bytes. This vulnerability affects Nimiq's Rust implementation and has been patched in version 1.3.0 with no known workarounds available.
Alert date:
22 April 2026 at 22:11:22
stepsecurity.io
TeamPCP threat actors have injected a sophisticated two-stage credential stealer into the xinference PyPI package, compromising the Python package supply chain. This malware is designed to steal user credentials through a multi-stage deployment process. The attack targets developers and users who install the compromised package from the Python Package Index. This represents a significant supply chain attack that could affect numerous Python projects and their users. The incident highlights the ongoing security risks in open-source package repositories.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
CVE-2018-25259 is a stack-based buffer overflow in the computer names field of Terminal Services Manager 3.1. A crafted import file containing shellcode and jump instructions overwrites the SEH handler pointer; when the file is imported through the add computers wizard, structured exception handling transfers control to the payload (calc.exe in the proof of concept, or any other code). Exploitation is local and yields arbitrary code execution, reported as local privilege escalation.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
RustFS distributed object storage system contains an authorization bypass vulnerability in notification target admin API endpoints. The vulnerability exists in rustfs/src/admin/handlers/event.rs where four endpoints use check_permissions helper that validates authentication only without performing admin-action authorization via validate_admin_request. Non-admin users can overwrite admin-defined notification targets by name, causing bucket events to be delivered to attacker-controlled endpoints. This enables cross-user event interception and audit evasion. The vulnerability affects versions prior to 1.0.0-alpha.94 which contains a patch.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
OAuth2 Proxy versions 7.5.0 through 7.15.1 contain a configuration-dependent authentication bypass vulnerability. Affected deployments use skip_auth_routes or skip_auth_regex with broad wildcard patterns that can be exploited by attackers using fragment delimiters (#) or URL-encoded forms (%23) in request paths. Unauthenticated attackers can bypass authentication controls to access protected resources. The vulnerability requires specific configuration conditions to be exploitable. Fixed in version 7.15.2 with improved path normalization. Deployments using exact path matching or not using skip-auth options are not affected.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
PackageKit versions 1.0.2 through 1.3.4 contain a time-of-check time-of-use (TOCTOU) race condition vulnerability that allows unprivileged local users to install arbitrary RPM packages as root, leading to privilege escalation. The vulnerability involves three bugs in transaction flag handling that allow attackers to overwrite cached transaction flags during execution. The flaw enables installation of packages and execution of RPM scriptlets without authentication. This critical vulnerability has been patched in version 1.3.5.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
pyLoad, an open-source Python download manager, has a critical authorization vulnerability in versions up to 0.5.0b3.dev97. The application caches user roles and permissions in sessions at login and continues using these cached values even after administrators change user privileges in the database. This allows logged-in users to retain revoked privileges until logout or session expiry, enabling unauthorized privileged actions. The issue affects core authorization and session consistency mechanisms and cannot be resolved through optional security features. A fix has been implemented in commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
The Sendmachine for WordPress plugin contains an authorization bypass vulnerability in the 'manage_admin_requests' function affecting all versions up to 1.0.20. The vulnerability allows unauthenticated attackers to overwrite SMTP configuration settings due to improper user authorization verification. This can enable attackers to intercept all outbound emails from the affected WordPress site, including sensitive password reset emails. The vulnerability poses a high risk as it requires no authentication and can lead to email interception and potential account takeover scenarios.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
A memory leak vulnerability in free5GC UDR Policy Control Function (PCF) versions prior to 1.4.3 allows unauthenticated attackers with network access to cause uncontrolled memory growth. The vulnerability is triggered by sending repeated HTTP requests to the OAM endpoint, which registers new CORS middleware on every request due to improper router.Use() call placement. This leads to progressive memory exhaustion and denial of service, preventing user equipment from obtaining AM and SM policies and blocking 5G session establishment. The issue affects the PCF SBI interface and has been patched in version 1.4.3.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
LanSpy version 2.0.1.159 contains a local buffer overflow vulnerability in the scan field that allows attackers to overwrite the instruction pointer. The vulnerability can be exploited by providing oversized input with a specific payload structure of 688 bytes of padding followed by 4 bytes of controlled data. This can lead to application crashes or potentially achieve code execution. The vulnerability affects the network scanning tool LanSpy and has been assigned CVE-2018-25268.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
CVE-2026-33656 affects EspoCRM versions prior to 9.3.4. The vulnerability exists in the built-in formula scripting engine that allows authenticated administrators to update attachment sourceId fields. Due to lack of input sanitization in EspoUploadDir::getFilePath(), attackers can manipulate the sourceId field to redirect file operations to arbitrary paths within the web server's open_basedir scope. This path traversal vulnerability enables unauthorized file read/write operations. The issue has been fixed in version 9.3.4.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
CVE-2026-6356 is a privilege escalation vulnerability affecting web applications that allows standard users to escalate their privileges to super administrator level through parameter manipulation. The vulnerability enables unauthorized access and modification of sensitive information. The flaw appears to be related to improper access controls and parameter validation in web application code. This type of vulnerability poses significant security risks as it can completely compromise application security. The vulnerability has been assigned a high criticality rating due to its potential impact.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
Xerte Online Toolkits versions 3.15 and earlier contain a critical missing authentication vulnerability in the elFinder connector endpoint. The vulnerability occurs when HTTP redirects to unauthenticated users fail to call exit() or die(), allowing PHP execution to continue processing requests server-side. Unauthenticated attackers can perform extensive file operations including creating, uploading, renaming, duplicating, overwriting, and deleting files in project media directories. This vulnerability can be chained with path traversal and extension blocklist bypasses to achieve remote code execution and arbitrary file read capabilities, making it a severe security risk for affected installations.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
CVE-2018-25261 affects Iperius Backup version 5.8.1, containing a local buffer overflow vulnerability in the structured exception handling (SEH) mechanism. Local attackers can exploit this by supplying a malicious file path when creating a backup job. The vulnerability is triggered through a crafted payload in the external file location field. When the backup job executes, it causes a buffer overflow that enables arbitrary code execution. The exploit runs with application privileges, allowing attackers to execute malicious code on the affected system.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
Jellystat, an open source statistics app for Jellyfin, contains a critical SQL injection vulnerability in versions prior to 1.1.10. Multiple API endpoints build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. Authenticated users can exploit POST /api/getUserDetails and POST /api/getLibrary endpoints to inject arbitrary SQL, enabling full database read access including admin credentials and API keys. The vulnerability escalates to remote code execution through PostgreSQL's COPY TO PROGRAM feature with stacked queries. The PostgreSQL superuser role in the default docker-compose.yml configuration requires no additional privileges for RCE exploitation.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
The Create DB Tables plugin for WordPress versions up to 1.2.1 contains a critical authorization bypass vulnerability. The plugin fails to implement proper capability checks or nonce verification for admin_post action hooks, allowing any authenticated user including Subscribers to access table creation and deletion endpoints. Attackers can exploit the cdbt_delete_db_table() function to execute DROP TABLE SQL queries against any database table, including critical WordPress core tables like wp_users or wp_options. The vulnerability also allows creation of arbitrary database tables through the cdbt_create_new_table() function, potentially enabling complete destruction of WordPress installations.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
CVE-2026-34063 affects Nimiq's network-libp2p implementation prior to version 1.3.0. The vulnerability occurs in the libp2p ConnectionHandler state machine which assumes at most one inbound and outbound discovery substream per connection. When a remote peer opens a discovery protocol substream a second time on the same connection, the handler triggers a panic condition instead of failing closed. This causes a remote crash of the networking task, taking the node's p2p networking offline until manual restart. The vulnerability allows remote attackers to cause denial of service by disrupting peer-to-peer networking functionality. A patch is available in version 1.3.0 with no known workarounds.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
A vulnerability in uutils coreutils mkfifo command allows unauthorized modification of file permissions on existing files. When mkfifo fails to create a FIFO due to an existing file at the target path, it incorrectly continues execution and calls set_permissions, changing the existing file's permissions to default mode (typically 644). This can expose sensitive files like SSH private keys to unauthorized users on the system by making them readable by others when they should have restricted permissions.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
CVE-2018-25272 affects ELBA5 version 5.8.0, allowing remote code execution with SYSTEM level privileges. Attackers can exploit default database connector credentials to decrypt DBA passwords and execute arbitrary commands. The vulnerability enables command execution through xp_cmdshell stored procedure or creation of backdoor users in the BEDIENER table. This represents a critical security flaw providing complete system compromise capabilities to remote attackers.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
OAuth2 Proxy versions 7.5.0 through 7.15.1 contain an authentication bypass vulnerability where attackers can spoof the X-Forwarded-Uri header when reverse-proxy and skip-auth configurations are enabled. This allows unauthenticated remote attackers to bypass authentication and access protected routes without valid sessions. The vulnerability affects deployments with --reverse-proxy enabled and at least one --skip-auth-regex or --skip-auth-route rule configured. The issue is patched in version 7.15.2, with several workarounds available for immediate mitigation.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
EspoCRM versions prior to 9.3.4 contain a path traversal vulnerability in admin template management endpoints. Authenticated administrators can exploit this flaw by using '../' sequences in 'name' and 'scope' parameters to escape the intended template directory. This allows attackers to read, create, overwrite, or delete arbitrary files with .tpl extensions within the web application's filesystem permissions. The vulnerability affects template path construction due to lack of proper normalization or traversal filtering. Version 9.3.4 addresses this security issue.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
OpenRemote IoT platform prior to version 1.22.1 contains a privilege escalation vulnerability in its Keycloak integration. A user with write:admin permissions in one Keycloak realm can exploit the Manager API to update realm roles for users in other realms, including the master realm. The vulnerability exists because the handler uses the realm path segment when communicating with the identity provider but fails to verify that the caller has administrative rights for that realm. This flaw allows attackers who control any user in the master realm to escalate privileges to master realm administrator. The issue has been resolved in version 1.22.1.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
OpenRemote, an open-source IoT platform, contains an XML External Entity (XXE) vulnerability in its Velbus asset import functionality prior to version 1.22.0. The vulnerability allows authenticated users to exploit XML parsing without proper XXE hardening, potentially leading to server-side file disclosure and Server-Side Request Forgery (SSRF) attacks. The exploitation is limited to files under 1023 characters. Version 1.22.0 addresses this security issue.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability exists in the mkfifo utility of uutils coreutils. The flaw occurs when the utility creates a FIFO and then performs a path-based chmod operation to set permissions. A local attacker with write access to the parent directory can exploit this timing window by swapping the newly created FIFO for a symbolic link between these two operations. This causes the chmod call to be redirected to an arbitrary file, potentially enabling privilege escalation if the mkfifo utility is executed with elevated privileges.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block the PHP-executable extension .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server. This represents a critical remote code execution vulnerability that can be exploited without authentication.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
CVE-2018-25260 affects MAGIX Music Editor 3.1 with a buffer overflow vulnerability in the FreeDB Proxy Options dialog. The vulnerability allows local attackers to execute arbitrary code by exploiting structured exception handling. Attackers can craft a malicious payload and paste it into the Server field via the CD menu's FreeDB Proxy Options. Code execution is triggered when the malicious settings are accepted by the application. This represents a high-severity local privilege escalation vulnerability in multimedia software.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
A vulnerability in the uutils coreutils chroot utility allows privilege escalation when using the --userspec option. The flaw occurs because getpwnam() is called after entering the chroot but before dropping root privileges. On glibc systems, this triggers the Name Service Switch (NSS) to load shared libraries from the new root directory. Attackers with write access to NEWROOT can inject malicious NSS modules to execute arbitrary code as root. This enables full container escape or privilege escalation attacks.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
CVE-2018-25265 affects LanSpy version 2.0.1.159, a network scanning tool. The vulnerability is a local buffer overflow in the scan section that allows attackers to execute arbitrary code. Exploitation involves structured exception handling (SEH) mechanisms and egghunter techniques to locate and execute shellcode. Attackers can manipulate the SEH chain and perform controlled jumps to achieve code execution. This requires local access to the system running the vulnerable LanSpy application.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
A vulnerability in nimiq-block's Rust implementation allows malicious validators to bypass skip block proof verification. The issue occurs in SkipBlockProof::verify where usize indices are cast to u16, causing out-of-range indices spaced by 65536 to collide onto the same slot during aggregation. This enables attackers with fewer than 2f+1 real signer slots to pass verification by multiplying a single BLS signature. The vulnerability affects versions prior to 1.3.0 and has been patched in that release with no available workarounds.
Alert date:
22 April 2026 at 22:11:22
bleepingcomputer.com
A new Mirai-based malware campaign is actively exploiting CVE-2025-29635, a high-severity command injection vulnerability in D-Link DIR-823X routers. The vulnerability affects end-of-life router models, allowing attackers to achieve remote code execution. Compromised devices are being enlisted into the Mirai botnet for malicious activities. The campaign targets unpatched routers that are no longer receiving security updates from D-Link. This represents an active threat to users of these legacy networking devices.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php. The vulnerability exists because the name parameter in rename commands is not properly sanitized for path traversal sequences. Attackers can exploit this by supplying directory traversal sequences in the name value to move files from project media directories to arbitrary filesystem locations. This can lead to overwriting application files, achieving stored cross-site scripting, or when combined with other vulnerabilities, enable unauthenticated remote code execution by moving PHP code files to the application root. The vulnerability affects the file management functionality of the web-based learning platform.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
A vulnerability in the chmod utility of uutils coreutils allows bypassing the --preserve-root safety mechanism. The implementation fails to canonicalize paths, only checking for literal '/' matches. Attackers can use path variants like /../ or symbolic links to execute destructive recursive operations on the root filesystem. This can lead to system-wide permission loss through commands like chmod -R 000, potentially causing complete system breakdown. The vulnerability affects the core file permission management utility in Unix-like systems.
Alert date:
22 April 2026 at 22:11:22
nvd.nist.gov
ThinkPHP version 5.0.23 contains a critical remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through routing parameters. Attackers can craft malicious requests to the index.php endpoint with function parameters that enable system command execution with application privileges. This vulnerability poses a significant security risk as it requires no authentication and allows full code execution capabilities. The vulnerability has been documented with proof-of-concept exploits available publicly. Organizations using ThinkPHP 5.0.23 should prioritize patching or upgrading to mitigate this critical security flaw.
Alert date:
22 April 2026 at 20:02:14
cisa.gov
Microsoft Defender contains an insufficient granularity of access control vulnerability identified as CVE-2026-33825. This security flaw could allow an authorized attacker to escalate privileges locally on affected systems. The vulnerability affects Microsoft's endpoint protection solution and has been assigned a high criticality rating. Official advisories and vulnerability details are available through CISA's National Vulnerability Database and Microsoft Security Response Center. Organizations using Microsoft Defender should prioritize patching and review their current security configurations.
Alert date:
22 April 2026 at 20:02:14
nvd.nist.gov
Xerte Online Toolkits versions 3.15 and earlier contain a critical path traversal vulnerability in the elFinder connector endpoint. The vulnerability exists in /editor/elfinder/php/connector.php where the name parameter in rename commands is not properly sanitized. Attackers can exploit this by supplying directory traversal sequences to move files from project media directories to arbitrary filesystem locations. This can lead to overwriting application files, achieving stored cross-site scripting, or combining with other vulnerabilities for unauthenticated remote code execution. The vulnerability allows moving PHP code files to the application root, significantly increasing the attack surface and potential for system compromise.
Alert date:
22 April 2026 at 20:02:14
nvd.nist.gov
Beghelli Sicuro24 SicuroWeb contains a critical vulnerability (CVE-2026-41468) due to embedding the end-of-life AngularJS 1.5.2 framework. The vulnerability combines sandbox escape primitives with template injection to allow arbitrary JavaScript execution in operator browser sessions. Attackers can achieve session hijacking, DOM manipulation, and persistent browser compromise. Network-adjacent attackers can exploit this via MITM attacks in plaintext HTTP deployments without requiring user interaction. The vulnerability affects the security management application used for monitoring and control systems.
Alert date:
22 April 2026 at 20:02:14
nvd.nist.gov
Xerte Online Toolkits versions 3.15 and earlier contain a critical missing authentication vulnerability in the elFinder connector endpoint. The vulnerability allows unauthenticated attackers to perform file operations including creating, uploading, renaming, duplicating, overwriting, and deleting files in project media directories. This can be chained with path traversal and extension blocklist vulnerabilities to achieve remote code execution and arbitrary file read. The issue stems from improper handling of HTTP redirects where PHP execution continues after redirecting unauthenticated callers.
Alert date:
22 April 2026 at 20:02:14
nvd.nist.gov
Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block the PHP-executable extension .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server. This vulnerability allows for remote code execution without authentication, making it critical for affected systems.
Alert date:
22 April 2026 at 19:00:56
bleepingcomputer.com
A new Kyber ransomware operation is actively targeting Windows systems and VMware ESXi endpoints in recent attacks. One variant of this ransomware implements Kyber1024 post-quantum encryption, representing an evolution in ransomware encryption techniques. The gang is conducting ongoing attacks against enterprise infrastructure including virtualization platforms. This represents a concerning development as ransomware groups begin adopting advanced cryptographic methods. The attacks target both Windows workstations and critical virtualization infrastructure.
Alert date:
22 April 2026 at 18:02:07
nvd.nist.gov
A vulnerability in the chmod utility of uutils coreutils allows bypassing the --preserve-root safety mechanism. The implementation only validates literal / paths without canonicalization. Attackers can use path variants like /../ or symbolic links to execute destructive recursive operations on the root filesystem. This can lead to system-wide permission loss through commands like chmod -R 000. The vulnerability enables complete system breakdown by circumventing critical safety protections.
Alert date:
22 April 2026 at 18:02:07
nvd.nist.gov
A vulnerability in uutils coreutils mkfifo allows unauthorized modification of file permissions when attempting to create a FIFO at a path where a file already exists. The mkfifo command fails to terminate properly and continues to execute a set_permissions call, changing existing file permissions to default mode (often 644). This can expose sensitive files like SSH private keys to other system users, creating a significant security risk for file access control.
Alert date:
22 April 2026 at 18:02:07
thehackernews.com
A self-propagating supply chain worm called CanisterSprawl has been discovered targeting npm packages to steal developer tokens. The worm spreads through compromised npm packages and uses stolen developer tokens for propagation. It exfiltrates stolen data through an ICP canister infrastructure. The campaign has been detected and tracked by both Socket and StepSecurity security researchers. This represents an active supply chain attack against JavaScript developers using npm packages.
Alert date:
22 April 2026 at 18:02:07
nvd.nist.gov
A vulnerability in the chroot utility of uutils coreutils allows privilege escalation when using the --userspec option. The utility resolves user specifications via getpwnam() after entering chroot but before dropping root privileges. On glibc-based systems, this triggers Name Service Switch (NSS) to load shared libraries from the new root directory. If NEWROOT is writable by an attacker, they can inject malicious NSS modules to execute arbitrary code as root, enabling container escape or privilege escalation.
Alert date:
22 April 2026 at 18:02:07
nvd.nist.gov
A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability exists in the mkfifo utility of uutils coreutils. The flaw occurs when the utility creates a FIFO and then performs a path-based chmod operation to set permissions. A local attacker with write access to the parent directory can exploit this by swapping the newly created FIFO for a symbolic link between these two operations. This attack redirects the chmod call to an arbitrary file, potentially enabling privilege escalation when the utility runs with elevated privileges. The vulnerability represents a classic race condition where an attacker can manipulate the file system state between security checks and resource usage.
Alert date:
22 April 2026 at 17:03:04
nvd.nist.gov
ThinkPHP 5.0.23 contains a critical remote code execution vulnerability (CVE-2018-25270) that allows unauthenticated attackers to execute arbitrary PHP code through routing parameters. Attackers can craft malicious requests to the index.php endpoint with function parameters to execute system commands with application privileges. The vulnerability affects the popular ThinkPHP framework and provides complete system access to unauthorized users. This represents a severe security risk for applications built on the affected ThinkPHP version. The vulnerability has been documented with proof-of-concept exploits available publicly.
Alert date:
22 April 2026 at 17:03:04
nvd.nist.gov
Iperius Backup version 5.8.1 contains a local buffer overflow vulnerability in the structured exception handling (SEH) mechanism. The vulnerability allows local attackers to execute arbitrary code by supplying a malicious file path. Attackers can create a backup job with a crafted payload in the external file location field that triggers a buffer overflow when the backup job executes. This enables code execution with application privileges, posing a significant security risk to systems running the affected software.
Alert date:
22 April 2026 at 17:03:04
socket.dev
Docker and Socket discovered malicious images in the official Checkmarx KICS Docker repository, where attackers overwrote existing tags including v2.1.20 and alpine, and introduced a fake v2.1.21 tag. The compromised KICS binary was modified to collect and exfiltrate scan reports containing sensitive infrastructure-as-code data. The compromise extended beyond Docker images to include VS Code extensions with remote code execution capabilities. Organizations that used affected images to scan Terraform, CloudFormation, or Kubernetes configurations should consider exposed secrets potentially compromised. This appears to be part of a broader supply chain attack affecting multiple Checkmarx distribution channels.
Alert date:
22 April 2026 at 17:03:04
nvd.nist.gov
LanSpy version 2.0.1.159 contains a critical local buffer overflow vulnerability in its scan section. The vulnerability allows local attackers to execute arbitrary code through exploitation of structured exception handling (SEH) mechanisms. Attackers can craft malicious payloads using advanced techniques including egghunter methods to locate and execute shellcode. The exploit involves SEH chain manipulation and controlled jumps to achieve code execution. This vulnerability poses a high risk as it enables complete system compromise through local privilege escalation.
Alert date:
22 April 2026 at 17:03:04
nvd.nist.gov
Terminal Services Manager 3.1 contains a critical stack-based buffer overflow vulnerability in the computer names field. The vulnerability allows local attackers to execute arbitrary code by exploiting structured exception handling (SEH). Attackers can craft malicious input files containing shellcode and jump instructions that overwrite the SEH handler pointer. The exploitation occurs when malicious files are imported through the add computers wizard feature. This vulnerability enables execution of arbitrary payloads including calc.exe or other malicious code. The flaw represents a significant local privilege escalation risk for systems running the affected Terminal Services Manager version.
Alert date:
22 April 2026 at 17:03:04
nvd.nist.gov
LanSpy version 2.0.1.159 contains a critical local buffer overflow vulnerability in the scan field that allows attackers to overwrite the instruction pointer. The vulnerability can be exploited by supplying oversized input consisting of 688 bytes of padding followed by 4 bytes of controlled data. This exploitation technique can lead to application crashes or potentially achieve arbitrary code execution. The vulnerability represents a significant security risk for systems running the affected version of LanSpy. Multiple proof-of-concept exploits and advisories are available documenting the technical details of this buffer overflow.