Remote Code Execution (RCE)
Remote Code Execution (RCE) is the ability for an attacker to execute arbitrary commands or code on a target machine or process. RCE vulnerabilities represent the most critical class of security bugs — they give an attacker the same level of control as a system administrator.
RCE can manifest through many different attack vectors. Command injection occurs when user input is passed unsanitized to system shell commands. Deserialization attacks exploit unsafe object reconstruction in languages like Java, PHP, Python, and .NET. Server-Side Template Injection (SSTI) allows code execution through template engines like Jinja2, Twig, or Freemarker. File upload vulnerabilities can lead to RCE when executable files bypass upload filters and are served by the web server.
In modern applications, RCE often appears in less obvious places: expression language injection in Java frameworks, prototype pollution leading to code execution in Node.js, unsafe use of eval() or dynamic code loading, and vulnerabilities in PDF generators, image processors, and other libraries that shell out to system commands.
RCE bugs consistently command the highest payouts in bug bounty programs because the impact is total system compromise. Chaining lower-severity bugs into RCE — such as SSRF to cloud metadata to code execution — is a common and highly rewarded approach.
This page collects RCE techniques, exploitation writeups, and research across all major platforms and languages.
| Date Added | Link | Excerpt |
|---|---|---|
| 2026-06-11 NEW 2026 | Claroty finds authentication bypass RCEflaws in Vertiv UPS management cards that could disrupt data center operations advanced | Claroty finds authentication bypass, RCE flaws in Vertiv UPS management cards that could disrupt data center operations https://ift.tt/MqaXLNb |
| 2026-06-11 NEW 2026 | Oracle Emergency Security Update to Fix Critical RCE Vulnerability news | Oracle has released an emergency security update addressing a critical Remote Code Execution (RCE) vulnerability. This vulnerability, if exploited, could allow attackers to gain unauthorized control of affected systems. Users are strongly advised to apply this patch as soon as possible to mitigate the risk of compromise. No specific payout amount for bug bounties was mentioned in the provided content. → cybersecuritynews.com |
| 2026-06-11 NEW 2026 | Hackers Exploit Langflow Vulnerability for Remote Code Execution news | A critical vulnerability has been discovered in Langflow, a popular tool for developing and deploying large language model applications. Attackers can exploit this flaw to achieve remote code execution on affected systems. This allows malicious actors to gain unauthorized access and control over vulnerable servers, posing a significant security risk to users and organizations relying on Langflow. Further details about the exploit and its impact can be found at the provided link. No specific bounty payout amount was mentioned. → securityweek.com |
| 2026-06-11 NEW 2026 | Attackers Exploit Critical Langflow Flaw for Remote Code Execution news | Attackers are exploiting a critical vulnerability in Langflow, a tool for building and managing LLM applications, enabling remote code execution. This flaw allows unauthorized individuals to gain control of affected systems. The exact impact and affected versions are still being investigated, but the severity suggests a significant security risk for users of the platform. Further details are available at the provided link. → gbhackers.com |
| 2026-06-11 NEW 2026 | Critical OpenSSL Vulnerabilities Enable Remote Code Execution Attacks news | Critical vulnerabilities have been discovered in OpenSSL, allowing for remote code execution. This means attackers can potentially gain full control of affected systems without needing physical access. The severity of these flaws means immediate patching and updates are crucial for all users of OpenSSL. Further details and mitigation strategies can be found at the provided link. No specific bounty payout amount was mentioned in the content. → cybersecuritynews.com |
| 2026-06-11 NEW 2026 | Patch Tuesday June 2026: 211 Fixes Critical CVEs news | Microsoft's June 2026 Patch Tuesday addresses 211 vulnerabilities, including critical ones. The update aims to patch security flaws across various Microsoft products, enhancing overall system security. Further details about the specific CVEs and their impact are available via the provided link. |
| 2026-06-11 NEW 2026 | Max severity Ivanti Sentry vulnerability now exploited in attacks news | A critical vulnerability in Ivanti Sentry is now being actively exploited in attacks. This high-severity flaw has been confirmed to be in the wild, posing a significant risk to users of the Ivanti Sentry product. Details on the specific nature of the exploit and the potential impact are still emerging, but the active exploitation indicates a serious security threat. Users are urged to take immediate action to patch or mitigate this vulnerability to protect their systems. No bounty payout amount was mentioned. → bleepingcomputer.com |
| 2026-06-11 NEW 2026 | Ivanti Endpoint Manager Mobile Vulnerability Enables Remote Code Execution Attacks news | A critical vulnerability in Ivanti Endpoint Manager Mobile allows attackers to achieve remote code execution (RCE) without authentication. This flaw could enable widespread compromise of systems. The vulnerability was discovered and reported, but no specific payout amount was mentioned. Users are urged to update their software to patch this severe security risk. → cybersecuritynews.com |
| 2026-06-11 NEW 2026 | CodeBreach: Infiltrating the AWS Console Supply Chain and Hijacking AWS GitHub Repositories via CodeBuild advanced Supply Chain | Wiz Research discovered a critical supply chain vulnerability that abused a CodeBuild misconfiguration to take over key AWS GitHub repositories - including the JavaScript SDK powering the AWS Console. → wiz.io |
| 2026-06-11 NEW 2026 | 10 year old critical vulnerability in phpBB affecting tens of millions of users across thousands of forums news AuthN | A critical unauthenticated authentication bypass vulnerability has been discovered in phpBB by Aikido Security. This flaw, present since 2014, allows any user to take over any account with a single HTTP request. The vulnerability impacts tens of millions of users across thousands of forums, posing a significant security threat. → aikido.dev |
| 2026-06-10 NEW 2026 | This Microsoft Defender zero-day could give hackers unprecedented access to your system news 2 min read | Writeup of RoguePlanet, a race-condition zero-day vulnerability impacting Windows 10 and 11, which grants SYSTEM privileges. Disclosed by Chaotic Eclipse, this is the researcher's seventh such finding, following previous issues like BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma. ThreatLocker confirmed the exploit's viability, noting that application allowlisting can serve as a defense against its execution. → techradar.com |
| 2026-06-10 NEW 2026 | Ivanti Sentry Flaw Allows Code Execution as Root news | A critical vulnerability has been discovered in Ivanti Sentry, a product used for mobile device management. This flaw allows attackers to execute arbitrary code with root privileges on affected systems. This significant security risk could lead to complete compromise of the device. Further details and potential mitigation strategies are being investigated. → securityboulevard.com |
| 2026-06-10 NEW 2026 | Critical Ivanti Sentry flaw allows root-level remote code execution (CVE-2026-10520) news 2 min read | Analysis of CVE-2026-10520, an OS command injection vulnerability in Ivanti Sentry, details how unauthenticated attackers can achieve root-level remote code execution. This critical flaw, along with CVE-2026-10523 (authentication bypass), affects versions prior to 10.5.2, 10.6.2, and 10.7.1. WatchTowr researchers provided technical details and a script for detecting exposure, noting the vulnerability stems from an unauthenticated API accepting internal configuration commands. → helpnetsecurity.com |
| 2026-06-10 NEW 2026 | Ivanti Fortinet and SAP Release Patches for Multiple Critical Vulnerabilities news 2 min read | Patches address critical vulnerabilities in Ivanti Sentry (CVE-2026-10520, CVE-2026-10523), FortiSandbox (CVE-2026-25089), and SAP products like NetWeaver and Commerce Cloud (CVE-2026-44748, CVE-2026-27671, CVE-2026-22732, CVE-2026-40128). These flaws enable arbitrary code execution, command injection, authentication bypass, and directory traversal, potentially leading to remote code execution and information disclosure. → thehackernews.com |
| 2026-06-10 NEW 2026 | Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE news 1 min read | Writeup of CVE-2026-5027, a path traversal vulnerability in Langflow exploited for unauthenticated RCE. The flaw in the `POST /api/v2/files` endpoint allows attackers to write files to arbitrary locations using '../' sequences. Exploitation can lead to arbitrary code execution, especially since Langflow's auto-login is enabled by default. This follows other exploited Langflow CVEs like CVE-2026-0770 and CVE-2025-34291. → thehackernews.com |
| 2026-06-10 NEW 2026 | OpenSSL patches critical vulnerability enabling remote code execution news 2 min read | Library patches address 18 vulnerabilities, including critical CVE-2026-45447, a heap user-after-free bug in PKCS#7 verification that can lead to remote code execution. Moderate flaws allow decryption and forgery, with one bypassing authentication via fake certificates. Low-severity issues also resolved, impacting DoS and private key security. |
| 2026-06-10 NEW 2026 | Microsoft Releases June 2026 Patch Tuesday Updates news | Microsoft's June 2026 Patch Tuesday updates are now available. These regular security patches address various vulnerabilities and aim to improve the overall security posture of Microsoft products. Users are advised to install these updates promptly to protect their systems from potential threats. |
| 2026-06-10 NEW 2026 | Ivanti urges Sentry users to patch two critical bugs news | Ivanti is urging users of its Sentry product to immediately patch two critical vulnerabilities. Exploitation of these flaws could lead to significant security risks. The company has not disclosed specific payout amounts for any bug bounty related to these issues. Users are strongly advised to apply the necessary updates to protect their systems. → theregister.com |
| 2026-06-10 NEW 2026 | Record Microsoft Patch Tuesday fresh zero-day news 4 min read | Library addressing a record-breaking Microsoft Patch Tuesday, featuring fixes for nearly 200 vulnerabilities. Highlights include CVE-2026-42897 (Exchange Server), CVE-2026-45586 (CTFMON privilege escalation), CVE-2026-49160 (HTTP.sys denial of service), and multiple Windows BitLocker bypasses. The surge in AI-assisted vulnerability discovery necessitates rapid patch deployment to combat N-day threats like those demonstrated by Anthropic's Frontier Red Team. → helpnetsecurity.com |
| 2026-06-10 NEW 2026 | 10 year old critical vulnerability in phpBB affecting tens of millions of users across thousands of forums news 2 min read | Tool discovery by Aikido Attack identified a critical Authentication Bypass vulnerability in phpBB, potentially leading to Remote Code Execution. This flaw impacts versions up to 3.3.16 and 4.0.0-a2, and was promptly patched in version 3.3.17 following a rapid disclosure via HackerOne. Exploitation can grant unauthorized session access, exposing private messages or full administrative control. → aikido.dev |
| 2026-06-10 NEW 2026 | Microsoft Patches Record 206 Flaws Including Three Zero-Days and Critical RCE Bugs news 4 min read | Reference detailing Microsoft's June 2026 security update, patching 206 vulnerabilities including three zero-days: CVE-2026-45586 (GreenPlasma), CVE-2026-50507 (bitskrieg), and CVE-2026-49160 (HTTP2/Bomb). This release addresses critical remote code execution flaws like CVE-2026-45657, CVE-2026-47291, and CVE-2026-44815, alongside a Windows BitLocker bypass (CVE-2026-45585) with a YellowKey PoC. The surge in patches is linked to AI-assisted vulnerability discovery. → thehackernews.com |
| 2026-06-10 NEW 2026 | Hugging Face Transformers flaw enabled remote code news | A critical vulnerability in the Hugging Face Transformers library allowed for remote code execution (RCE). This flaw, detailed in a recent security advisory, could have enabled attackers to compromise systems by exploiting specific functionalities within the library. Hugging Face has released patches to address this security risk, urging users to update their installations promptly to prevent potential exploitation. Further details on the affected versions and remediation steps are available through the provided link. |
| 2026-06-10 NEW 2026 | Ivanti: Max severity Sentry flaw allows code execution as root news 2 min read | Writeup of CVE-2026-10520, a maximum-severity OS command injection vulnerability in Ivanti Sentry, allowing root code execution. Patched in Sentry versions R10.5.2, R10.6.2, and R10.7.1, this flaw joins CVE-2026-10523, an authentication bypass for rogue admin account creation. Ivanti has no evidence of exploitation for these flaws, but advises immediate upgrades due to past targeting of Ivanti products. → bleepingcomputer.com |
| 2026-06-10 NEW 2026 | Unauthenticated RCE as QSECOFR via IBM i Management Central — port 5555, client-controlled verify flag, no credentials required (V7R4 and earlier) news 10 min read | Tool for unauthenticated Remote Code Execution on IBM i Management Central (port 5555) targeting V7R4 and earlier. This tool exploits a vulnerability in the custom MGTC packet protocol, specifically within the `McPacketableAuthenticationData` structure. By manipulating the `verify` flag to skip validation and providing a crafted `userId`, an attacker can execute arbitrary CL commands as the QSECOFR user without requiring credentials. The exploit bypasses authentication checks by setting `verify` to 0 and utilizing specific class IDs like `McStartRequest` with `McEndpointManagedCmdData` and `McManagedCmdDefinition`. |
| 2026-06-10 NEW 2026 | Security Advisory: Critical RCE Vulnerabilities in React Server Components (CVE-2025-55182) news 4 min read Deser | Advisory detailing CVE-2025-55182, a critical RCE vulnerability affecting React 19 and Next.js versions through unsafe deserialization in the React Server Components (RSC) "Flight" protocol. Exploitation requires a single crafted HTTP request and impacts any framework embedding RSC, including Vite and Parcel plugins. Immediate patching of React and Next.js is recommended, alongside validation of third-party frameworks and implementation of defense-in-depth controls like runtime sandboxing and WAF rules. → snyk.io |
| 2026-06-10 NEW 2026 | Wait, binding.gyp Can Do What? Exploring npm's Weirdest Build System intermediate 15 min read Supply Chain | Library for identifying vulnerabilities in `binding.gyp` files, which `npm` executes during package installation. This library explores how attackers can abuse `binding.gyp`'s command expansion feature and Python `eval()` sandbox to execute arbitrary code, as demonstrated by the Miasma worm which exploited Red Hat packages and others like `@vapi-ai/server-sdk`. It details techniques for escaping the `eval()` sandbox to achieve arbitrary code execution, even when no explicit lifecycle scripts are present in `package.json`. → aikido.dev |
| 2026-06-10 NEW 2026 | Six Proto6 Vulnerabilities in protobuf.js Expose Node.js Apps to RCE and DoS news 2 min read | Writeup detailing six Proto6 vulnerabilities in protobuf.js (CVE-2026-44289 through CVE-2026-44295), impacting Node.js applications. These flaws, stemming from improper schema and metadata handling, can lead to remote code execution (RCE) and denial-of-service (DoS) through unbounded recursion, unsafe option paths, prototype pollution, and crafted field names or schema names. Exploitation is particularly concerning in data and AI ecosystems, affecting tools like Baileys and CI/CD pipelines, with CVE-2026-44291 posing the most severe RCE risk via prototype pollution. → thehackernews.com |
| 2026-06-10 NEW 2026 | More Evidence That Words Don't Mean What We Thought They Meant (Ivanti Sentry Pre-Auth OS Command Injection CVE-2026-10520) news 8 min read | Analysis of CVE-2026-10520 in Ivanti Sentry reveals a critical pre-authenticated OS command injection vulnerability. Exploiting this flaw allows remote, unauthenticated attackers to achieve root-level remote code execution by crafting specific input strings processed by the `handleMessage` endpoint. The vulnerability stems from improper handling of user-supplied `message` parameters, which are parsed and directly passed into internal commands, enabling the injection of arbitrary OS commands. This advisory details the affected versions and the technical path leading to this high-severity flaw. → labs.watchtowr.com |
| 2026-06-09 NEW 2026 | Critical Veeam RCE flaw Lets Low-Privilege Users Take Over Backup Servers news 1 min read | Writeup of CVE-2026-44963, a critical RCE vulnerability in Veeam Backup & Replication 12.x, allowing low-privileged domain users to compromise backup servers. This flaw, with a CVSS v4 score of 9.4, could enable attackers to delete or encrypt backups, steal data, and extract credentials for further network compromise. A previous critical vulnerability, CVE-2025-23121, was patched in June 2025. → securityaffairs.com |
| 2026-06-09 NEW 2026 | CVE-2026-45247: Critical Magento RCE Vulnerability in Mirasvit Cache Warmer news | A critical Remote Code Execution (RCE) vulnerability, CVE-2026-45247, has been discovered in the Mirasvit Cache Warmer extension for Magento. This flaw allows attackers to execute arbitrary code on the affected Magento installations. Users are strongly advised to update their Mirasvit Cache Warmer extension to the latest version immediately to mitigate this security risk. → securityboulevard.com |
| 2026-06-09 NEW 2026 | Redis RCE Vulnerability Puts Servers at Risk of Remote Code Execution news | A critical Redis vulnerability allows for remote code execution (RCE), potentially compromising servers. Attackers can exploit this flaw to run arbitrary commands on affected systems. The vulnerability poses a significant security risk to any server running an unpatched Redis instance. Users are strongly advised to update their Redis installations to the latest version to mitigate this threat and prevent unauthorized access and control. → securityboulevard.com |
| 2026-06-09 NEW 2026 | Critical Veeam Vulnerability Allows RCE Attacks on Backup Servers news | A critical vulnerability in Veeam Backup Enterprise Manager (VBEM) allows unauthenticated remote code execution (RCE). Attackers can exploit this flaw by crafting a malicious network request, potentially leading to complete system compromise. This affects all supported versions of VBEM. Users are strongly advised to update to the latest patch to mitigate this severe security risk. No specific bounty payout amount was mentioned. → cybersecuritynews.com |
| 2026-06-09 NEW 2026 | Veeam Backup & Replication RCE Flaw Lets Domain Users Run Remote Code news | Writeup of CVE-2026-44963, a critical remote code execution flaw in Veeam Backup & Replication impacting version 12.3.2.4465 and earlier. This vulnerability, with a CVSS score of 9.4, allows authenticated domain users to execute code on the Backup Server. Veeam has released patches, addressing the issue in version 12.3.2.4854, and noting that version 13.x builds are not affected due to architectural changes. → thehackernews.com |
| 2026-06-09 NEW 2026 | New Veeam vulnerability exposes backup servers to RCE attacks news 2 min read | Writeup detailing CVE-2026-44963, a critical remote code execution flaw in Veeam Backup & Replication (VBR) versions 12.3.2.4465 and earlier, which allows authenticated domain users to compromise backup servers. This vulnerability impacts domain-joined installations, a configuration that deviates from Veeam's best practices. The article highlights the history of VBR flaws being exploited by ransomware gangs like Akira, Fog, Frag, FIN7, and Cuba, and notes that reverse-engineering of patches is likely to occur. Veeam has released patches in version 12.3.2.4854. → bleepingcomputer.com |
| 2026-06-09 NEW 2026 | Vulnerabilities in Logseq software news 1 min read | Writeup on CVE-2026-9279 and related vulnerabilities in Logseq software. This analysis details how an IPC handler bypass via shell metacharacters in arguments to `child_process.spawn` allows arbitrary shell command execution. Additional vulnerabilities include improper path validation in preload scripts leading to file manipulation, stored XSS in `package.json`'s name field, and a sandbox escape flaw enabled by a disabled CSP, allowing arbitrary JavaScript execution in the host context. Version v0.10.15 was confirmed vulnerable. |
| 2026-06-09 NEW 2026 | Active Exploitation Alert: CVE-2026-42271 and CVE-2026-48710Unauthenticated RCE in LiteLLM AI Gateway via Starlette Host Header Bypass news 5 min read | Writeup details active exploitation of CVE-2026-42271, an unauthenticated RCE in LiteLLM AI Gateway, by chaining it with a Starlette Host header bypass (CVE-2026-48710). This chain enables attackers to execute arbitrary commands on vulnerable systems, leading to full compromise. Exploitation is widespread, with the vulnerabilities listed on CISA's KEV catalog. The article explains the technical exploitation flow and suggests upgrading LiteLLM to version 1.83.7 and Starlette to 1.0.1 as mitigation. → rescana.com |
| 2026-06-09 NEW 2026 | Hackers Exploiting LiteLLM RCE Vulnerability in the Wild to Run Arbitrary Commands news | Attackers are actively exploiting a critical Remote Code Execution (RCE) vulnerability in LiteLLM, an open-source library that simplifies LLM integration. This flaw allows them to run arbitrary commands on affected systems, posing a significant security risk. Users are strongly advised to update LiteLLM to the latest version immediately to patch this vulnerability and protect their applications from malicious exploitation. → cybersecuritynews.com |
| 2026-06-09 NEW 2026 | LiteLLM And Starlette Bugs Combine For Critical RCE Risk news 1 min read | Writeup detailing the chained exploitation of LiteLLM's CVE-2026-42271 and Starlette's CVE-2026-48710. This combination allows unauthenticated remote code execution, enabling attackers to steal AI credentials and compromise infrastructure. The vulnerability affects LiteLLM versions 1.74.2 through 1.83.6 and requires upgrading LiteLLM to 1.83.7+ and Starlette to 1.0.1+. → opensourceforu.com |
| 2026-06-09 NEW 2026 | Claude Mythos: Preparing for a World Where AI Finds and Exploits Vulnerabilities Faster Than Ever advanced 10 min read AI | Analysis of Anthropic's Claude Mythos, an AI model capable of autonomously discovering zero-day vulnerabilities and generating exploits. This capability signals a future where AI-driven vulnerability research accelerates, leading to more CVEs in the short term and necessitating an AI-focused AppSec program for defense in the medium-to-long term. The trend suggests attackers will leverage AI, requiring defenders to adapt by integrating AI into security tooling and workflows to proactively identify and remediate flaws. → wiz.io |
| 2026-06-09 NEW 2026 | Securing AI Applications From Inception to Deployment intermediate 5 min read AI | Library extending Wiz AI-APP to the code layer, Wiz Code integrates with IDEs and the CLI to detect AI-specific risks during development. It validates exploitability at runtime using an AI attacker, Red Agent, then automates remediation with Green Agent, generating context-aware fixes and delegating tasks to coding agents. This unified approach aligns with OWASP Top 10 for LLM Applications 2025 and Agentic Applications 2026, securing the entire AI application lifecycle from inception to production. → wiz.io |
| 2026-06-09 NEW 2026 | Securing GitHub: Wiz Research uncovers Remote Code Execution in GitHub.com and GitHub Enterprise Server (CVE-2026-3854) news 10 min read | Writeup of CVE-2026-3854, an RCE vulnerability in GitHub's git infrastructure, identified by Wiz Research. The flaw in the X-Stat header parsing allowed authenticated users to execute arbitrary commands on backend servers via a crafted git push. Exploitation leverages injection of fields like `rails_env`, `custom_hooks_dir`, and `repo_pre_receive_hooks` to bypass sandboxing and achieve command execution. This impacts both GitHub.com and GitHub Enterprise Server, with immediate patching recommended for GHES customers. → wiz.io |
| 2026-06-09 NEW 2026 | How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM news 9 min read Python Supply Chain | Library detailing the compromise of the `litellm` Python package via a poisoned Trivy security scanner. The attack chain, attributed to threat actor TeamPCP, involved rewriting Git tags in Trivy's GitHub Action, leading to credential exfiltration used to publish malicious `litellm` versions. These versions utilized source injection and a `.pth` file for payload delivery, a technique mapped to MITRE ATT\&CK T1546.018. The payload performed extensive data collection, encrypted and exfiltrated information, and established local persistence and Kubernetes lateral movement. → snyk.io |
| 2026-06-09 NEW 2026 | Axios npm Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT news 7 min read Supply Chain | Library that details a supply chain attack on the popular npm package `axios`. Malicious versions, `1.14.1` and `0.30.4`, were briefly published, including a hidden dependency `plain-crypto-js` which deployed a cross-platform RAT. The attack leveraged a compromised maintainer account and a purpose-built malicious dependency with a postinstall script that obfuscated its presence and delivered platform-specific payloads for macOS, Windows, and Linux. → snyk.io |
| 2026-06-09 NEW 2026 | 21 0-Day Vulnerabilities in FFmpeg Enables Remote Code Execution Attacks news | Twenty-one zero-day vulnerabilities have been discovered in FFmpeg, a widely used multimedia framework. These flaws allow attackers to execute arbitrary code remotely on vulnerable systems. The vulnerabilities could be exploited to compromise systems processing multimedia files, potentially leading to data theft or further system manipulation. Users and organizations relying on FFmpeg are urged to update to the latest versions to patch these critical security holes and prevent potential attacks. → cybersecuritynews.com |
| 2026-06-09 NEW 2026 | Everest Forms Vulnerability Exploited to Hack WordPress Sites news 1 min read | Library for securing WordPress sites. Everest Forms Pro, a popular contact and survey plugin, has a critical vulnerability (CVE-2026-3300, CVSS 9.8) allowing unauthenticated attackers to inject and execute arbitrary PHP code via the Complex Calculation feature. This enables attackers to create admin accounts or deploy web shells, resulting in site takeover. Exploitation in the wild began April 13th, with attackers creating admin accounts like 'diksimarina'. Users should update to Everest Forms Pro version 1.9.13 or newer. → securityweek.com |
| 2026-06-08 NEW 2026 | Ubiquiti UniFi OS server vulnerabilities allow unauthenticated remote code execution news | Writeup of chained Ubiquiti UniFi OS server vulnerabilities (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) allowing unauthenticated remote code execution and root privilege escalation. Bishop Fox researchers demonstrated how improper access control and path traversal bypass authentication, leading to command injection and trivial privilege escalation via passwordless sudo. A detection script is available to identify vulnerable instances. → scworld.com |
| 2026-06-08 NEW 2026 | Gogs patches critical zero-day enabling remote code execution news 3 min read | Library addressing a critical zero-day argument injection vulnerability in Gogs, allowing authenticated, non-admin users to achieve remote code execution. This flaw, affecting versions up to 0.14.2 and 0.15.0+dev, enables attackers to compromise servers, access private repositories, steal credentials, and alter source code. Rapid7 researcher Jonah Burgess discovered and reported the vulnerability, which is exploitable on default configurations with open registration and no repository creation limits. The fix, implemented in Gogs version 0.14.3, addresses a similar attack vector to previously patched issues like CVE-2024-39933 and CVE-2025-8110. → bleepingcomputer.com |
| 2026-06-08 NEW 2026 | Critical UniFi OS RCE Chain Grants Root Access Without Credentials advanced | A critical remote code execution (RCE) vulnerability chain has been discovered in UniFi OS, allowing attackers to gain root access without needing credentials. This severe flaw bypasses authentication, enabling full system compromise. Details of the vulnerability and its exploitation are now public. → gbhackers.com |
| 2026-06-08 NEW 2026 | Critical UniFi OS bug lets hackers gain root without authentication news 3 min read | Writeup detailing an unauthenticated root remote code execution chain against Ubiquiti UniFi OS Server, exploiting CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910. Researchers from Bishop Fox discovered how improper access control, path traversal, and command injection flaws can be combined to bypass authentication and gain root privileges. A detection script is available to identify vulnerable instances. → bleepingcomputer.com |
| 2026-06-08 NEW 2026 | Google Protocol Buffers flaw turns schemas into shells advanced 3 min read | Library with six vulnerabilities affecting protobuf.js, a popular JavaScript implementation of Google's Protocol Buffers format. These flaws include remote code execution (CVE-2026-44291), prototype pollution, and prototype injection (CVE-2026-44292), stemming from improper handling of schema and metadata. Attackers can manipulate schemas to inject executable code, impacting software supply chains. Patches are available for protobuf.js and the associated command-line tools. → csoonline.com |
| 2026-06-08 NEW 2026 | UniFi OS Server Critical RCE Chain Allows Root Access Without Credentials advanced | A critical Remote Code Execution (RCE) vulnerability chain in UniFi OS Server allows attackers to gain root access without needing any credentials. This severe flaw enables complete control over the system, posing a significant security risk to users of UniFi devices. Exploiting this vulnerability could lead to widespread compromise and data breaches. → cybersecuritynews.com |
| 2026-06-08 NEW 2026 | Critical Redis RCE Vulnerability Enable Attackers to Gain Complete Control to Host Server advanced | A critical Remote Code Execution (RCE) vulnerability has been discovered in Redis, allowing attackers to gain complete control over host servers. This vulnerability poses a significant security risk, as it enables unauthorized access and manipulation of sensitive data and system resources. Further details on the exploit and its potential impact can be found at the provided link. No specific payout amount for this vulnerability was mentioned. → cybersecuritynews.com |
| 2026-06-08 NEW 2026 | Critical Buffer Overflow Vulnerability in PAN-OS Exploited in-the-Wild news 1 min read AuthN | CVE-2026-0300 is a critical buffer overflow vulnerability in Palo Alto Networks PAN-OS's User-ID Authentication Portal, allowing unauthenticated remote code execution with root privileges. Actively exploited in the wild, the flaw requires only network access and is particularly dangerous when the portal is exposed externally on ports 6081 or 6082. Recommended mitigations include patching, restricting portal access, and disabling it if not needed. → wiz.io |
| 2026-06-08 NEW 2026 | Qinglong task scheduler RCE vulnerabilities exploited in the wild for cryptomining news 5 min read AuthN | Library detailing two authentication bypass vulnerabilities in Qinglong (CVE-2026-3965, CVE-2026-4047) that enabled unauthenticated remote code execution, exploited for cryptomining. It covers how attackers reset credentials or directly bypassed authentication via case-sensitive path matching, then injected scripts to download and run a cryptominer binary. The article emphasizes auditing middleware, treating self-hosted panels as attack surfaces, monitoring resource usage, and keeping Docker images updated. → snyk.io |
| 2026-06-08 NEW 2026 | JavaScript Prototype Pollution Deep Dive: Reconnaissance, Exploitation & Bug Bounty Guideline intermediate XSS | This guide offers a deep dive into JavaScript Prototype Pollution, a misunderstood vulnerability. It covers reconnaissance, exploitation from cross-site scripting (XSS) to remote code execution (RCE), and real-world bug bounty case studies. The content explores attack vectors, entry points, advanced exploit chains, and includes tooling/automation for detection, along with defense and remediation strategies. A production-ready Python scanner is also mentioned. The article aims to demystify this vulnerability for security professionals and bug bounty hunters. → infosecwriteups.com |
| 2026-06-08 NEW 2026 | Microsoft Edge Vulnerability Lets Remote Attackers Execute Arbitrary Code news | A critical vulnerability in Microsoft Edge allows remote attackers to execute arbitrary code, posing a significant security risk. This flaw, detailed in the provided link, enables unauthorized code execution without user interaction. Further details on the vulnerability's technical nature and impact are available at the linked source. No bug bounty payout amount is mentioned in the provided content. → gbhackers.com |
| 2026-06-08 NEW 2026 | Node-gyp Supply Chain Compromise: A Self-Propagating npm Worm That Hides in binding.gyp intermediate 10 min read Supply Chain | Library for detecting and mitigating the Node-gyp Supply Chain Compromise, a self-propagating npm worm that exploits `binding.gyp` files for code execution. This malware, tracked as "Miasma" by StepSecurity and "Node-gyp Supply Chain Compromise - June 2026" by Snyk, injects malicious code during `npm install` by abusing `node-gyp`'s configuration phase. The payload harvests credentials from developer and CI/CD environments, including AWS, GCP, Azure, and GitHub Actions, then exfiltrates them via attacker-controlled GitHub repositories and maintains persistence through GitHub Actions workflows. It self-propagates by republishing affected packages, impacting 57 packages across hundreds of malicious versions. → snyk.io |
| 2026-06-08 NEW 2026 | From XSS to RCE (dompdf 0day) intermediate 10 min read XSS | Library for rendering PDFs from HTML that suffers from Remote Code Execution. By injecting CSS with a malicious font and enabling remote file access, an attacker can trick dompdf into caching a `.php` file in its font cache. This cached file can then be executed by accessing it directly, leading to RCE. |
| 2026-06-08 NEW 2026 | Hacking Auto-GPT and escaping its docker container intermediate 17 min read AI | Library detailing an attack on Auto-GPT that exploits indirect prompt injection to achieve arbitrary code execution. The exploit involves tricking Auto-GPT into processing attacker-controlled website content via the `browse_website` command, leading to unauthorized command execution. The library also covers a trivial Docker escape vulnerability, allowing access to the host system, and a path traversal exploit in non-Docker versions, both fixed in v0.4.3. |
| 2026-06-08 NEW 2026 | Intigriti Bug Bytes #236 - May 2026 🚀 news 7 min read Bug Bounty | Intigriti Quick Scope (IQS), a library for Burp Suite, fetches programs from the Researcher API to auto-configure project scope and headers, simplifying the workflow for researchers. This issue also highlights exploits for SQL injection, bypasses for Chrome's Sanitizer API, and RCE in Google Cloud, alongside discussions on AI in security, NIS2 compliance, and practical red teaming techniques. → intigriti.com |
| 2026-06-08 NEW 2026 | SPIP RCE + Docker SUID Escape \| THM Publisher intermediate | This TryHackMe Publisher challenge focuses on exploiting a vulnerable SPIP CMS. The initial steps involve Nmap reconnaissance to identify open ports and services, revealing SPIP CMS running on the target. Subsequent web enumeration using FFUF helps uncover hidden paths within the SPIP-based Community Magazine. The content does not mention a bug bounty payout amount. → infosecwriteups.com |
| 2026-06-08 NEW 2026 | Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 news 3 min read | Analysis of PAN-OS CVE-2026-0257 details active exploitation by an unknown threat actor bypassing authentication in GlobalProtect portal and gateway components. This vulnerability, added to CISA's KEV catalog, allows unauthorized VPN connections. The brief includes indicators of compromise such as specific IP addresses and suspicious host IDs for detection in GlobalProtect logs, and advises reviewing the Palo Alto Networks security advisory for mitigations. → unit42.paloaltonetworks.com |
| 2026-06-08 NEW 2026 | Looting UniFi Controllers: Detecting and Weaponizing CVE-2026-22557 intermediate 20 min read AuthZ | Tool for detecting and weaponizing CVE-2026-22557, an unauthenticated path traversal vulnerability in UniFi Network Application's guest captive portal. This critical flaw, with a CVSS score of 10.0, allows attackers to read arbitrary files from customized portals, potentially exfiltrating backups containing administrative credentials for all managed devices. The accompanying tool from Bishop Fox safely identifies vulnerable controllers, while this analysis details attack paths, exploitability preconditions, and mitigation strategies, including patching to updated versions like 10.1.89 or later. → bishopfox.com |
| 2026-06-08 NEW 2026 | Popping Root on UniFi OS Server: Unauthenticated RCE Chain Detection & Analysis advanced 18 min read AuthZ | Tool for detecting unauthenticated RCE chains on UniFi OS Server, specifically addressing CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910. This vulnerability allows attackers to bypass authentication, perform path traversal, and achieve command injection leading to root privileges. The tool aids defenders in identifying exposed systems and recommends immediate patching, network segmentation, and secret rotation, as exploitation grants access to sensitive data and control over managed devices. → bishopfox.com |
| 2026-06-08 NEW 2026 | Breaking the Sound Barrier, Part II: Exploiting CVE-2024-54529 advanced 13 min read Fuzzing | Writeup detailing the exploitation of CVE-2024-54529, a type confusion vulnerability in macOS's CoreAudio daemon. The author describes the process of turning the crash into a working exploit by establishing a pointer chain to control object types and ultimately hijack control flow. This involved developing custom tools like an object dumper using TinyInst and performing static analysis with IDAPython to navigate heap intricacies and overcome initial exploitation hurdles with CFString objects. The analysis also explored and ruled out an out-of-bounds read primitive, highlighting the importance of version-specific vulnerabilities. → projectzero.google |
| 2026-06-08 NEW 2026 | A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens advanced 5 min read Mobile | Writeup detailing a two-exploit chain achieving root on the Google Pixel 10, bypassing Pixel 9 privilege escalation with a novel VPU driver vulnerability (CVE-2026-0000). The Dolby UDC exploit, patched in December 2025, was adapted for Pixel 10 by addressing RET PAC, and a new vulnerability in the /dev/vpu driver allowed arbitrary kernel read-write via an unbounded `mmap` handler, patched in the February 2026 security bulletin. → projectzero.google |
| 2026-06-07 NEW 2026 | Mirasvit Vulnerability Exploited to Execute Code on Magento Servers news 2 min read | Writeup of CVE-2026-45247, a critical PHP object injection vulnerability in Mirasvit's Full Page Cache Warmer for Magento 2, allowing unauthenticated remote code execution. Exploitation occurs via crafted serialized PHP objects in the CacheWarmer cookie, leading to arbitrary code execution on Magento and Adobe Commerce servers. Organizations using versions prior to 1.11.12 are vulnerable, and detection indicators include CacheWarmer cookie values starting with specific base64 strings. → securityweek.com |
| 2026-06-06 NEW 2026 | Critical UniFi OS Auth Bypass Flaws Lead to Unauthenticated Root RCE news | Researchers discovered critical authentication bypass vulnerabilities in UniFi OS, allowing unauthenticated remote code execution (RCE) with root privileges. These flaws exploit weaknesses in how UniFi OS handles user authentication, enabling attackers to gain full control of vulnerable devices without needing valid credentials. This serious security issue could lead to widespread compromise of networks using UniFi equipment. → gbhackers.com |
| 2026-06-06 NEW 2026 | Critical Vulnerability in Hugging Face Transformers Enables Remote Code Execution Attacks news | A critical vulnerability has been discovered in Hugging Face's Transformers library, potentially allowing remote code execution attacks. This flaw, detailed in a recent advisory, exposes users to significant security risks. The library is widely used for natural language processing tasks, making this a widespread concern for developers and organizations relying on it. Specific details regarding the nature of the vulnerability and its exploitability are available in the linked advisory. No bug bounty payout amount is mentioned in the provided content. → cybersecuritynews.com |
| 2026-06-06 NEW 2026 | Malicious Hugging Face Models Could Trigger Remote Code Execution news 3 min read | Vulnerability in Hugging Face Transformers library, CVE-2026-4372, allows remote code execution by loading malicious AI models. Researchers discovered that a crafted `config.json` file within a model can bypass the `trust_remote_code=False` security control, leading to the automatic execution of arbitrary Python code during a standard `from_pretrained()` call. This flaw poses a significant supply chain risk, as millions of users may have downloaded vulnerable versions, potentially exposing sensitive assets like cloud credentials and API tokens. → techrepublic.com |
| 2026-06-05 NEW 2026 | Hugging Face Transformers Security Flaw Allows Remote Code Execution news | A security vulnerability in Hugging Face Transformers, a popular library for natural language processing, has been discovered. This flaw allows for remote code execution, meaning attackers could potentially run malicious code on a user's system. The library's complex parsing logic is identified as the root cause. Users are advised to update to the latest version to patch this critical vulnerability. The content does not specify a bug bounty payout amount. → gbhackers.com |
| 2026-06-05 NEW 2026 | Android Update Patches Exploited Zero-Day 123 Other Vulnerabilities news 1 min read | Update addressing 124 Android vulnerabilities, including the actively exploited, high-severity privilege escalation zero-day CVE-2025-48595 in the Android Framework. The patch also fixes 18 critical vulnerabilities affecting System, Framework, and Qualcomm components, along with numerous high-severity flaws across various components and vendors like Imagination Technologies and MediaTek. One System vulnerability, CVE-2026-0059, is noted for remote code execution potential. → securityweek.com |
| 2026-06-05 NEW 2026 | VS Code Vulnerability Allows One-Click GitHub Token Theft news 2 min read | Writeup details a VS Code vulnerability allowing one-click GitHub token theft via specially crafted Jupyter notebooks on github.dev. Exploiting this zero-day involves hidden code simulating keystrokes to install a malicious extension, which then exfiltrates the user's GitHub access token. This grants attackers read/write access to repositories, including private ones. The vulnerability also affects the desktop version of VS Code, potentially leading to remote code execution, though it appears unpatched there. → securityweek.com |
| 2026-06-05 NEW 2026 | Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites news 3 min read | Writeup on CVE-2026-3300, a critical remote code execution vulnerability affecting Everest Forms Pro WordPress plugin, allowing unauthenticated attackers to execute arbitrary PHP code and gain full site control via its Calculation Addon. Exploitation is active, with attackers creating rogue administrator accounts. The article also details skimmer attacks abusing Stripe as a C2 and data exfiltration sink, and a large-scale operation named GorgonAgora impersonating brands with Medusa.js storefronts. → thehackernews.com |
| 2026-06-05 NEW 2026 | Microsoft Edge Vulnerability Allows Remote Attackers to Execute Arbitrary Code news | A critical vulnerability in Microsoft Edge enables remote attackers to execute arbitrary code on affected systems. This security flaw, detailed in a recent report, poses a significant risk as it allows malicious actors to gain control of a user's device without requiring any interaction. The exact payout for reporting this bug was not disclosed. Users are advised to ensure their Microsoft Edge browsers are updated to the latest version to mitigate this threat. → cybersecuritynews.com |
| 2026-06-04 NEW 2026 | Critical Redis vulnerability CVE-2026-23479 allows remote code execution news 1 min read | Writeup of CVE-2026-23479, a critical use-after-free vulnerability in Redis allowing remote code execution. Discovered by Team Xint Code, the exploit chains Lua scripting and memory manipulation to overwrite function pointers in the Global Offset Table, enabling execution of arbitrary commands via `system()`. Affecting Redis versions 7.2.0 and later, this flaw requires authenticated access with specific ACL privileges, commonly found in default cloud deployments. Patches are available in Redis versions 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3. → scworld.com |
| 2026-06-04 NEW 2026 | Critical vulnerability in Hugging Face Transformers library allowed arbitrary code execution news | Writeup on CVE-2026-4372 in Hugging Face Transformers, a critical remote code execution vulnerability allowing attacker-controlled AI models to execute arbitrary code. Exploitable via a malicious payload in model configuration files when loading with `from_pretrained()`, even with `trust_remote_code=False` and the `kernels` package installed. Versions 4.56.0 through 5.2.x were affected, with millions of downloads. Hugging Face patched this in version 5.3.0. → scworld.com |
| 2026-06-04 NEW 2026 | 9.8 Mirasvit bug actively exploited on Magento servers news 3 min read | Writeup of CVE-2026-45247, a critical 9.8 Mirasvit bug in the Full Page Cache Warmer extension for Magento and Adobe Commerce that is actively exploited for remote code execution. Exploitation involves bypassing storefront authentication via malicious base64-encoded payloads in the CacheWarmer HTTP cookie. CISA added this vulnerability to its Known Exploited Vulnerabilities catalog, urging federal agencies to patch by June 6. The flaw poses a significant supply chain risk due to Magento's prevalence in e-commerce, potentially exposing payment credentials, API keys, and customer data, and enabling deeper access to business systems. Organizations must prioritize patching to version 1.11.12 and actively hunt for post-exploitation artifacts. → scworld.com |
| 2026-06-04 NEW 2026 | Everest Forms Pro Vulnerability Allows Remote Code Execution on WordPress Sites news 2 min read | Vulnerability in Everest Forms Pro, CVE-2026-3300, permits unauthenticated attackers to execute remote code on WordPress sites. The flaw, residing in the Calculation add-on, allows injection of PHP code via the `eval()` function due to insufficient sanitization of single quotes. Exploits observed include registering administrator accounts like "diksimarina" and planting webshells, with over 29,300 blocked attempts detected by Wordfence. The issue is patched in version 1.9.13. → infosecurity-magazine.com |
| 2026-06-04 NEW 2026 | Critical Hugging Face Transformers flaw ran attacker code on a routine model load news 3 min read | Library vulnerability affecting Hugging Face's Transformers, specifically CVE-2026-4372, allowed attackers to execute arbitrary code by slipping malicious payloads into model configuration files. This critical flaw bypassed the `trust_remote_code=False` setting, leading to silent system compromise and potential theft of sensitive data like cloud credentials and API keys. Exploitable versions range from 4.56.0 through 5.2.x when the `kernels` package is installed, with a fix released in version 5.3.0. |
| 2026-06-04 NEW 2026 | Hackers Actively Exploiting WordPress Plugin Vulnerability to Inject Malicious PHP Code news | Hackers are actively exploiting a vulnerability in a WordPress plugin to inject malicious PHP code. This allows them to compromise websites, steal sensitive data, and disrupt operations. The vulnerability has been detected in multiple sites, and its widespread exploitation poses a significant threat to WordPress users. It is crucial for users to update their plugins to the latest versions to patch this security flaw and protect their websites from further attacks. → cybersecuritynews.com |
| 2026-06-04 NEW 2026 | Hugging Face Transformers RCE flaw enables stealthy compromise via AI model configs news 5 min read | Library vulnerability in Hugging Face Transformers (CVE-2026-4372) allows attackers to achieve remote code execution by including a specially crafted `_attn_implementation_internal` parameter in model configuration files. This bypasses the `trust_remote_code=False` protection, enabling the execution of arbitrary Python code from attacker-controlled repositories without user prompts or runtime warnings, particularly impacting users with GPU-accelerated inference due to the optional `kernels` dependency. → csoonline.com |
| 2026-06-04 NEW 2026 | Redis Use-After-Free Remote Code Execution Vulnerability (CVE-2026-23479) news | A critical use-after-free vulnerability in Redis (CVE-2026-23479) allows for remote code execution. This means an attacker could potentially gain control of a server running a vulnerable Redis instance. The vulnerability arises from a flaw in how Redis handles memory after an object has been freed. This could lead to serious security breaches, allowing unauthorized access and modification of data. Users are advised to update their Redis installations to a patched version as soon as possible to mitigate this risk. → securityboulevard.com |
| 2026-06-04 NEW 2026 | CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog news | CISA has added an exploited Magento remote code execution (RCE) vulnerability, CVE-2026-45247, to its Known Exploited Vulnerabilities (KEV) catalog. This addition signifies that the vulnerability is actively being exploited in the wild and poses a significant threat. Organizations using Magento are urged to prioritize patching or mitigating this vulnerability to prevent potential cyberattacks. The KEV catalog is a crucial resource for cybersecurity professionals to identify and address the most critical threats. → thehackernews.com |
| 2026-06-03 2026 | CERT-In flags security vulnerabilities in Microsoft Office app news | Writeup on CERT-In advisories detailing high-severity vulnerabilities in Microsoft Office and Microsoft 365 Copilot, including CVE-2026-45659, which allows remote code execution via untrusted data deserialisation. The flaws, potentially exploitable through malware-laced documents, risk data theft, and require immediate updates to Office via the Word app's Account settings to apply Microsoft's patches. |
| 2026-06-03 2026 | Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479) news 3 min read | Tool: An autonomous AI security tool by Team Xint Code identified CVE-2026-23479, a two-year-old use-after-free vulnerability in Redis (CWE-416). This flaw, introduced in Redis 7.2.0 and present in multiple branches until May 2026 fixes, allows for remote code execution (RCE) by overwriting the Global Offset Table (GOT) to redirect function calls. The exploit chain, detailed by Wiz, involves leaking a heap address via Lua scripting, manipulating client memory to achieve a use-after-free, and then overwriting GOT entries, notably `strcasecmp()` to `system()`, especially in default Redis Docker deployments with partial RELRO. → thehackernews.com |
| 2026-06-03 2026 | Exclusive: How One Line of Code Put Billions of Microsoft Android App Downloads at Risk news 3 min read | Library detailing a critical vulnerability in six Microsoft Android apps, including Word and Excel, where a single debug flag, `setIsDebugMode(true)`, left in production code allowed untrusted apps to intercept Microsoft account access tokens. This flaw, affecting billions of downloads and assigned CVE-2026-41100, -41101, and -41102, enabled potential supply chain attacks by granting attackers access to sensitive data like emails and documents. The issue was identified by Enclave and has since been patched by Microsoft. → securityweek.com |
| 2026-06-03 2026 | CISA flags two-year-old Oracle flaw as actively exploited in attacks news 2 min read | Advisory regarding CVE-2024-21182, a critical Oracle WebLogic Server vulnerability, now actively exploited. CISA mandated federal agencies patch this flaw, exploitable remotely by unauthenticated attackers via T3 or IIOP to gain unauthorized access. Over 1,500 vulnerable Oracle WebLogic servers have been identified online. This advisory highlights the urgency of patching known vulnerabilities, especially those flagged by CISA as being actively exploited. → bleepingcomputer.com |
| 2026-06-03 2026 | Attackers exploit Palo Alto GlobalProtect flaw days after disclosure news 4 min read | Library for analyzing the CVE-2026-0257 vulnerability affecting Palo Alto GlobalProtect, which allows credential-less authentication bypass into enterprise networks. Attackers can forge authentication override cookies using public keys to establish unauthorized VPN sessions, a method that bypasses traditional security measures and poses a significant risk in zero-trust environments. The flaw exploits how PAN-OS handles cookies without proper signature verification, enabling stealthy network access without malware or stolen credentials. |
| 2026-06-03 2026 | CVE-2026-34197 Jolokia Exposure Enables RCE in Apache ActiveMQ news 10 min read | Writeup of CVE-2026-34197, a remote code execution vulnerability in Apache ActiveMQ Classic, stemming from insecure exposure of broker management via the Jolokia HTTP/JMX interface. This allows attackers to interact with privileged operations, potentially leading to broker-side processing of malicious configuration content. Validation confirmed exploit path feasibility in controlled, insecure environments, highlighting a significant enterprise security concern due to ActiveMQ's critical infrastructure role. |
| 2026-06-03 2026 | Critical Vulnerability in HP VoIP Phones Enables Enterprise Network Breaches news 2 min read | Writeup of CVE-2026-0826, a critical stack-based buffer overflow in HP Poly Voice VoIP phones impacting models like the VVX 150-450 and Trio 8800-8300 series. The vulnerability, exploitable via crafted SIP INVITE requests with malicious Session Description Protocol attributes when Interactive Connectivity Establishment (ICE) is enabled, allows for remote code execution with root privileges by leveraging Return Oriented Programming chains to bypass ASLR and NX mitigations. Disabling ICE or updating firmware mitigates the risk. → securityweek.com |
| 2026-06-02 2026 | HP Poly VoIP vulnerability sets the stage for executive voice deepfakes news 3 min read | Writeup of CVE-2026-0826, a critical buffer overflow vulnerability in HP Poly VoIP phones that allows unauthenticated attackers to gain root access and eavesdrop on or record audio for AI-enabled voice deepfakes. Discovered by Rapid7, the flaw lies in the SDP parsing code and can be exploited via Metasploit even with ASLR enabled. This vulnerability highlights the growing threat of embedded device compromise for both traditional espionage and modern AI-driven fraud. → csoonline.com |
| 2026-06-02 2026 | Attackers are exploiting Palo Alto Networks defect that initially flew under the radar news 3 min read | Writeup of CVE-2026-0257, an actively exploited authentication-bypass vulnerability in Palo Alto Networks firewalls, allowing remote attackers to establish VPN connections. Initially rated medium, it was escalated to critical by Palo Alto Networks, CISA, and Rapid7 due to observed exploitation in the wild. The exploit, requiring a specific configuration of GlobalProtect with authentication override cookies and certificate reuse, involves forging a valid authentication cookie using the appliance's public TLS certificate. Attackers are opportunistically targeting this vulnerability for initial access, adapting quickly to published research. → cyberscoop.com |
| 2026-06-02 2026 | 19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access news 2 min read | Library of proof-of-concept code for CVE-2024-XXXX, a 19-year-old Linux kernel vulnerability named CIFSwitch, allowing low-privileged users to gain root access. The vulnerability exploits the CIFS subsystem's handling of SMB authentication, enabling attackers to manipulate key descriptions and inject malicious Name Service Switch modules via the cifs.upcall helper when certain Linux distributions like Linux Mint, CentOS, and Rocky Linux have cifs-utils installed. → securityweek.com |
| 2026-06-02 2026 | Threat Actors Reportedly Target CVE-2026-41089 Flaw news 2 min read | Writeup of CVE-2026-41089, a critical Windows Netlogon vulnerability, detailing its exploitation by threat actors for remote code execution. This stack-based buffer overflow, accessible by unauthenticated attackers via crafted network requests, allows privileged code execution on domain controllers. Authorities like the Centre for Cybersecurity Belgium have issued warnings, urging immediate patching due to its high CVSS score of 9.8 and its potential to compromise entire networks. → thecyberexpress.com |
| 2026-06-02 2026 | TP-Link Router Security Bug Enables Remote Command Execution Attacks news | A critical security vulnerability in TP-Link routers allows for remote command execution. This flaw enables attackers to compromise the devices without requiring user interaction or authentication, potentially leading to widespread network breaches. Further details on the exploit and affected models are available via the provided link. → gbhackers.com |
| 2026-06-02 2026 | Critical Windows Netlogon Vulnerability in Attackers Crosshairs news 2 min read | Writeup of CVE-2026-41089, a critical Windows Netlogon vulnerability, details its exploitation for remote code execution by threat actors. This stack-based buffer overflow flaw allows unauthenticated attackers to target domain controllers, potentially gaining system privileges. The Centre for Cybersecurity Belgium warns of active in-the-wild exploitation, urging immediate patching despite Microsoft's initial assessment. This vulnerability poses a significant risk due to Netlogon's role in domain authentication. → securityweek.com |
| 2026-06-02 2026 | RedHat Linux Kernel Multiple Vulnerabilities news 2 min read | Bulletin detailing multiple vulnerabilities affecting RedHat Linux Kernel, including CVE-2024-56547 and others. Exploits can lead to denial of service, remote code execution, data manipulation, and security restriction bypass across various Red Hat Enterprise Linux and OpenShift Container Platform versions, impacting architectures like aarch64, s390x, ppc64le, and x86_64. → hkcert.org |
| 2026-06-01 2026 | Critical Magento Cache Plugin Vulnerability Enables Remote Code Execution Attacks news | A critical vulnerability has been discovered in a Magento cache plugin, allowing remote code execution (RCE) attacks. This flaw could enable attackers to compromise Magento websites. Further details and potential mitigation strategies are available via the provided link. No specific bounty payout amount is mentioned in the content. → gbhackers.com |
| 2026-06-01 2026 | IBM WebSphere Server Vulnerable to Remote Code Execution Attack Via Crafted Request news | IBM WebSphere Application Server has a critical remote code execution (RCE) vulnerability. Attackers can exploit this flaw by sending a specially crafted request, allowing them to execute arbitrary code on the server. This poses a significant security risk, potentially leading to unauthorized access and control of affected systems. Organizations using IBM WebSphere should prioritize patching and mitigating this vulnerability to protect their environments. → cybersecuritynews.com |
| 2026-06-01 2026 | Critical Magento Cache Plugin Vulnerability Enables Remote Code Execution Attacks news | A critical vulnerability has been discovered in a Magento cache plugin, allowing attackers to execute arbitrary code remotely. This flaw poses a significant security risk for e-commerce stores using the affected plugin, as it could lead to complete system compromise. Merchants are strongly advised to immediately update or remove the plugin to mitigate potential attacks. The exact bounty payout for this vulnerability was not disclosed. → cybersecuritynews.com |
| 2026-06-01 2026 | Critical Flowise Flaw Gives Attackers Full Server Control news 2 min read | Library for securing open-source AI platforms, specifically addressing CVE-2026-40933 in Flowise. This vulnerability allows attackers to achieve remote code execution (RCE) by importing a malicious workflow file, enabling them to run arbitrary server commands via the Custom MCP tool's stdio transport. The provided patch can be bypassed, and the most effective mitigation involves disabling stdio transport or switching to Server-Sent Events (SSE). → infosecurity-magazine.com |
| 2026-06-01 2026 | Weekly Recap: New Linux Flaw PAN-OS Exploit AI-Powered Attacks OAuth Phishing and More news 12 min read | Reference of actively exploited vulnerabilities including CVE-2026-0257 in PAN-OS, a critical zero-day RCE in Gogs, and multiple CVEs affecting WordPress, GitLab, and Microsoft products, with recent attacks leveraging AI for faster exploitation and information gathering, alongside the takedown of the GlassWorm C2 operation via trojanized VS Code extensions. → thehackernews.com |
| 2026-06-01 2026 | Palo Alto VPN bug graduates from advisory to active exploitation news 2 min read | Analysis of active exploitation of a Palo Alto VPN bug, highlighting the growing trend of AI-assisted attacks targeting API-driven applications and the emergence of AI malware like Shai-Hulud worming Red Hat npm packages. This shifts focus from traditional vulnerabilities to sophisticated AI-driven threats, with implications for election security and the rise of AI integration in development tools such as GitHub Copilot and RAD Studio extensions. → theregister.com |
| 2026-06-01 2026 | Windows Netlogon RCE exploited domain controllers at risk (CVE-2026-41089) news 2 min read | Writeup on CVE-2026-41089, a critical Windows Netlogon RCE vulnerability, details its exploitation in the wild against domain controllers. This stack-based buffer overflow flaw allows remote code execution via crafted network requests. Microsoft has released patches, and Acros Security offers micropatches for legacy systems. Security teams are advised to patch immediately, restrict Netlogon traffic, and monitor for exploitation indicators like unexpected service crashes or anomalous traffic. → helpnetsecurity.com |
| 2026-06-01 2026 | Critical Windows Netlogon RCE flaw now exploited in attacks news 2 min read | Writeup on CVE-2026-41089, a critical Windows Netlogon RCE flaw, details its exploitation by threat actors. This stack-based buffer overflow in the Netlogon RPC interface allows unprivileged attackers to achieve remote code execution on domain controllers. Patched by Microsoft during May 2026 Patch Tuesday, it affects all supported Windows Server versions. The Centre for Cybersecurity Belgium has warned of active exploitation in the wild. → bleepingcomputer.com |
| 2026-06-01 2026 | Flowise's MCP implementation can run ghost commands intermediate 2 min read | Vulnerability in Flowise's MCP stdio implementation, CVE-2026-40933, allows for one-click remote code execution in self-hosted deployments. Attackers can exploit a sandboxing failure in attacker-controlled MCP configurations, leading to server-side code execution with the privileges of the Flowise process, potentially granting root-level access in containerized environments. While Flowise has implemented several hardening measures, they have been found to be bypassable. The recommended complete mitigation is disabling MCP stdio by setting `CUSTOM_MCP_PROTOCOL=sse`. → csoonline.com |
| 2026-06-01 2026 | Gogs Zero-Day Exposes Servers to Remote Code Execution news 2 min read | Writeup of a Gogs zero-day vulnerability (CVSS 9.4) enabling remote code execution. Exploitable by authenticated attackers via pull requests with malicious branch names, this argument injection flaw allows for command execution as the Gogs server process user. Rapid7 developed a Metasploit module to automate the exploit and provided IoCs for detection. The vulnerability impacts default-configured Gogs servers on Windows, Linux, and macOS, particularly those with multiple user accounts. → securityweek.com |
| 2026-06-01 2026 | Windows Netlogon 0-Click RCE Vulnerability Now Actively Exploited In The Wild news | A critical 0-click Remote Code Execution (RCE) vulnerability in Windows Netlogon is now being actively exploited. This means attackers can compromise systems without any user interaction. The vulnerability, detailed in a linked article, poses a significant security threat to Windows environments. Details regarding specific exploit methods and potential mitigation strategies are likely available within the linked content, emphasizing the urgency for organizations to address this threat. No bug bounty payout amount is mentioned. → cybersecuritynews.com |
| 2026-05-30 2026 | New 7-Zip security flaw could put hundreds of millions of systems at risk news | A newly discovered security vulnerability in 7-Zip, a popular file archiving utility used by millions, poses a significant risk to systems worldwide. The flaw, dubbed "7-Zip Double Vulnerability," allows attackers to execute arbitrary code. While no specific payout amount is mentioned, the potential impact is substantial, affecting numerous users and systems that rely on 7-Zip for file compression and decompression. Prompt patching and updates are recommended for users to mitigate this threat. |
| 2026-05-30 2026 | Notepad++ patches critical bugs: shortest path to malware execution news | Notepad++ has released patches for critical vulnerabilities that could allow for the "shortest path" to malware execution. These security flaws, if exploited, posed a significant risk to users by enabling malicious code to run. The software vendor has addressed these issues, urging users to update their Notepad++ installations to the latest version to protect themselves from potential threats. No specific payout amount for the discovered bugs was mentioned in the provided content. → cybernews.com |
| 2026-05-30 2026 | Notepad++ vulnerabilities could enable arbitrary code execution on Windows systems news 3 min read | Writeup detailing two arbitrary code execution vulnerabilities, CVE-2026-48778 and CVE-2026-48800, affecting Notepad++ versions up to 8.9.6. These flaws, rated High (CVSS 7.8), allow local attackers to execute commands by manipulating `shortcuts.xml` and `config.xml` files. A third crash bug, CVE-2026-48770, was also patched. Exploitation requires the attacker to have write access to user profile directories or trick the user into opening a poisoned settings folder. → csoonline.com |
| 2026-05-30 2026 | CVE-2026-35616: FortiClient EMS Flaw Actively Exploited in Malware Attacks news 1 min read | Writeup of CVE-2026-35616, an actively exploited critical FortiClient EMS vulnerability with a CVSS score of 9.1, allowing unauthenticated remote code execution. Threat actors are abusing an improper access control flaw, bypassing API authentication to escalate privileges. Exploits have involved disguised Fortinet patches delivering the EKZ Infostealer malware, which exfiltrates credentials. CISA added this zero-day to its Known Exploited Vulnerabilities catalog. Fortinet has released hotfixes for versions 7.4.5 and 7.4.6, with a permanent fix in 7.4.7. → securityaffairs.com |
| 2026-05-30 2026 | Exploit Code Published for Critical Flowise RCE Vulnerability news 2 min read | Writeup on CVE-2026-40933, a critical remote code execution vulnerability in Flowise impacting self-hosted instances. This systemic command injection flaw, originating from Anthropic's MCP protocol and facilitated by Flowise's unsafe serialization of stdio commands, allows attackers to execute arbitrary OS commands by convincing a user to import a crafted chatflow. Exploitation can lead to full server compromise, with credentials and connected services at risk. Obsidian Security has published proof-of-concept code demonstrating this exploit. → securityweek.com |
| 2026-05-30 2026 | Imperva Customers Protected Against CVE-2026-45247 in Mirasvit Full Page Cache Warmer for Magento news | Imperva's services are protecting its customers from vulnerabilities in Mirasvit's Full Page Cache Warmer for Magento, specifically addressing CVE-2026-45247. This protection shields Magento e-commerce sites from potential attacks targeting this specific security flaw within the cache warmer extension. No bug bounty payout amount is mentioned. → securityboulevard.com |
| 2026-05-29 2026 | No fix yet for critical Gogs RCE bug - exploit module is out news 3 min read | Writeup on a critical Remote Code Execution (RCE) vulnerability in the open-source Git service Gogs. As of May 2024, no fix has been released, and an exploit module is publicly available. The researcher reported the vulnerability in March, but maintainers have not responded. → theregister.com |
| 2026-05-29 2026 | Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit intermediate 3 min read | Writeup on CVE-2026-39987 exploitation impacting Marimo, detailing how attackers leverage an LLM agent for post-exploitation. The agent autonomously exfiltrated cloud credentials and an SSH private key from AWS Secrets Manager, subsequently used to access an SSH bastion server and extract an internal PostgreSQL database schema and contents rapidly. Indicators of LLM involvement include improvisational database dumping, machine-consumable command streams with delimiters, and the agent feeding its own previous output into subsequent actions. → thehackernews.com |
| 2026-05-29 2026 | New Gogs 0-Day Flaw Enables Remote Code Execution on Servers news 3 min read | Writeup on a critical 0-day vulnerability in the "Rebase before merging" feature that allows authenticated users to run arbitrary commands on a Gogs server. The flaw, discovered by Rapid7 Labs and impacting versions 0.14.2 and 0.15.0+dev, stems from unsanitized branch names being passed to Git commands, enabling the injection of an "--exec" flag for remote code execution. This allows attackers to access sensitive data, steal credentials, and pivot to other systems, with a Metasploit module available for exploitation. → gbhackers.com |
| 2026-05-29 2026 | Critical Notepad++ Vulnerabilities Allow Attackers to Execute Arbitrary Code news 2 min read | Writeup on Notepad++ v8.9.6.1 patching CVE-2026-48778 and CVE-2026-48800, which enable arbitrary code execution by manipulating `config.xml` or `shortcuts.xml` respectively. Attackers can exploit these vulnerabilities through direct file writes, malicious shortcuts, cloud sync poisoning, or social engineering by crafting specific XML tags that are then passed unsafely to `ShellExecute()`, allowing for the execution of arbitrary executables. → cybersecuritynews.com |
| 2026-05-29 2026 | Google Chrome Multiple Vulnerabilities news | Reference listing multiple Google Chrome vulnerabilities, including CVE-2026-9110 through CVE-2026-9124 and CVE-2026-9126. Exploitation can lead to remote code execution, denial of service, security restriction bypass, and sensitive information disclosure. Updates to version 148.0.7778.178/179 address these issues on Linux, Mac, and Windows. → hkcert.org |
| 2026-05-29 2026 | Notepad++ Fixes CVE-2026-48770 RCE Vulnerability news 3 min read | Writeup of CVE-2026-48778, a critical Notepad++ RCE vulnerability, detailing how improper handling of the `config.xml` file's `<GUIConfig name="commandLineInterpreter">` parameter allows attackers to execute arbitrary commands by manipulating application settings. The entry also mentions CVE-2026-48770 and CVE-2026-48800, highlighting the risk of configuration-based attack surfaces and advising immediate updates to Notepad++ version 8.9.6.1. → thecyberexpress.com |
| 2026-05-29 2026 | Critical Samba Vulnerability Enables Remote Code Execution Attacks news 2 min read | Writeup on patches addressing CVE-2026-4480, a critical Samba vulnerability enabling unauthenticated remote code execution via command injection through the `%J` substitution parameter in print commands. Exploitation occurs when Samba fails to sanitize shell metacharacters, allowing attackers to inject malicious commands. Affected systems include those not using `printing = cups` or `printing = iprint`. Mitigations involve quoting `%J` or removing it from `smb.conf`. SafeBreach, ZeroPath, and Securin Labs reported the flaw, with fixed Samba versions 4.22.10, 4.23.8, and 4.24.3 released. → cybersecuritynews.com |
| 2026-05-29 2026 | VS Code Remote-SSH RCE Lets Attackers Pivot From Developer Machines to Cloud Servers news 2 min read | Writeup on a Visual Studio Code Remote-SSH RCE vulnerability allowing attackers to pivot from compromised developer machines to cloud environments like AWS EC2 and Azure VMs. The flaw stems from a Time-of-Check to Time-of-Use race condition in how the extension handles bootstrap scripts, enabling attackers to inject malicious payloads executed on the target server after a successful, even MFA-protected, login. This bypasses authentication by exploiting trust in developer workflows, affecting millions of installations including Remote Explorer and cloud-specific toolkits. → cybersecuritynews.com |
| 2026-05-29 2026 | Microsoft Edge Multiple Vulnerabilities news 2 min read | Bulletin detailing multiple vulnerabilities in Microsoft Edge, including CVE-2026-9872 through CVE-2026-10022. Exploitation could lead to remote code execution, denial of service, security restriction bypass, information disclosure, and data manipulation. Users should update to Microsoft Edge version 148.0.3967.96 or later to mitigate these risks. → hkcert.org |
| 2026-05-29 2026 | Google Chrome Multiple Vulnerabilities news 2 min read | Analysis of multiple vulnerabilities in Google Chrome versions prior to 148.0.7778.215 (Linux), 148.0.7778.215/216 (Mac), and 148.0.7778.216/217 (Windows). These vulnerabilities, identified under CVE-2026-9872 through CVE-2026-10022, can lead to remote code execution, denial of service, security restriction bypass, information disclosure, and data manipulation on affected systems. Applying the vendor-issued updates is the recommended solution. → hkcert.org |
| 2026-05-28 2026 | Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code news 3 min read | Writeup on a critical RCE vulnerability in Gogs, allowing authenticated users to execute arbitrary code by creating a pull request with a malicious branch name that injects the `--exec` flag into `git rebase`. This flaw, rated 9.4 on the CVSS system and unpatched, enables attackers to compromise servers, access repositories, and potentially cause cross-tenant data breaches. A Metasploit module automates the exploit chain against Linux and Windows targets. Mitigation includes restricting user and repository creation and auditing rebase merge settings. → thehackernews.com |
| 2026-05-28 2026 | Critical Notepad++ Flaw Could Enable Remote Code Execution Attacks news 2 min read | Writeup on Notepad++ vulnerabilities CVE-2026-48770, CVE-2026-48778, and CVE-2026-48800, detailing how improper handling of config.xml, specifically the `commandLineInterpreter` parameter, can lead to arbitrary code execution via the "Open Containing Folder in cmd" feature. Attack vectors include direct file modification, malicious shortcuts using `-settingsDir`, cloud-synced configurations, and social engineering. Remediation requires upgrading to Notepad++ 8.9.6.1. → gbhackers.com |
| 2026-05-28 2026 | New Gogs zero-day flaw lets hackers get remote code execution news 3 min read | Writeup on a Gogs zero-day RCE vulnerability, an unpatched argument injection flaw enabling remote code execution via specially crafted pull requests and malicious branch names. This critical vulnerability, affecting Gogs 0.14.2 and 0.15.0+dev, allows authenticated attackers to compromise servers, access private repositories, and extract credentials. The flaw resembles previously patched argument injection issues like CVE-2024-39933 and CVE-2024-39932, but targets a different code path. → bleepingcomputer.com |
| 2026-05-28 2026 | Microsoft Fixes SharePoint RCE Flaw Affecting On-Prem Servers news 2 min read | Writeup on security updates fixing CVE-2026-45659, a critical RCE vulnerability in Microsoft SharePoint Server affecting on-premises versions. Discovered by MEOW, this flaw allows authenticated attackers with minimal privileges to execute malicious code remotely through improper data deserialization. The vulnerability carries a CVSS score of 8.8 and impacts SharePoint Server Subscription Edition, 2019, and 2016. Microsoft urges immediate application of security updates and recommends strengthening access controls and monitoring. |
| 2026-05-28 2026 | Wide-ranging 7-zip vulnerability with 8.8 CVE rating allows for code execution: hundreds of millions of machines potentially at risk news 3 min read | Writeup of CVE-2023-23752, a critical vulnerability in 7-Zip affecting hundreds of millions of machines. This flaw allows for arbitrary code execution simply by opening a crafted archive, with no user interaction required beyond opening the file. Exploitable across Windows, Linux, and macOS, and integrated into numerous third-party applications and CI/CD pipelines, the vulnerability impacts widely used .7z, .zip, and .rar formats. Users are strongly advised to update to version 26.01 immediately. |
| 2026-05-28 2026 | FortiClient Code Execution Vulnerability Exploited to Deploy EKZ Malware news 2 min read | Writeup of CVE-2026-35616 in FortiClient EMS details how attackers exploit improper access control to deploy the EKZ Infostealer. The vulnerability allows unauthenticated API access, enabling threat actors to modify endpoint policies and weaponize the legitimate `on_connect` directive for script execution. This leads to managed endpoints downloading and running a PowerShell payload that installs EKZ, a credential stealer targeting Chromium and Gecko browsers, exfiltrating passwords, cookies, and autofill data. → cybersecuritynews.com |
| 2026-05-28 2026 | Microsoft SharePoint Server Flaw Enables Remote Code Execution Attacks intermediate 2 min read | Analysis of CVE-2026-45659, a critical remote code execution flaw in Microsoft SharePoint Server. This vulnerability, stemming from deserialization of untrusted data (CWE-502), carries a CVSS v3.1 score of 8.8 and can be exploited over a network with low attack complexity and no user interaction, requiring only authenticated access. Exploitation allows attackers to execute arbitrary code within the SharePoint server context, potentially leading to lateral movement, privilege escalation, and data breaches. Microsoft has released security updates to patch this high-priority vulnerability. → gbhackers.com |
| 2026-05-28 2026 | Angular Language Service Extension Flaws Allow Remote Code Execution intermediate 2 min read | Writeup on vulnerabilities in the Angular Language Service VS Code extension (Angular.ng-template) before version 21.2.4. Exploits include JSDoc Markdown command injection and unsafe handling of TypeScript SDK configurations, allowing attackers to achieve remote code execution through malicious project files. These flaws bypass VS Code's Workspace Trust model, enabling arbitrary command execution during workspace initialization or via user interaction with tooltips. Affected CWEs include CWE-79, CWE-94, CWE-427, and CWE-494. → gbhackers.com |
| 2026-05-27 2026 | Microsoft Issues Out-of-Band SharePoint Patch news | Microsoft has released an out-of-band patch for SharePoint to address a critical security vulnerability. This urgent update is necessary to protect users from potential exploits targeting the platform. The specific details of the vulnerability and the patch are available via the provided link. No bug bounty payout information is mentioned in this content. → darkreading.com |
| 2026-05-27 2026 | SharePoint Has a New RCE Flaw. If You Haven't Patched Yet Go Do That. news 1 min read | Writeup of CVE-2026-45659, a high-severity Microsoft SharePoint remote code execution vulnerability. Exploitable by authenticated attackers with minimal Site Member permissions, the flaw stems from deserialization of untrusted data and does not require complex conditions. Microsoft has released patches for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. This follows other recent SharePoint targeting, including CVE-2026-32201 being added to CISA's KEV catalog. → securityaffairs.com |
| 2026-05-27 2026 | Microsoft Edge Multiple Vulnerabilities news | Bulletin on Microsoft Edge vulnerabilities, including CVE-2026-9110 through CVE-2026-9124 and CVE-2026-9126, which allow remote code execution, denial of service, security restriction bypass, and sensitive information disclosure. Affected versions are prior to 148.0.3967.83. The solution is to update to version 148.0.3967.83 or later. → hkcert.org |
| 2026-05-26 2026 | Multiple Angular Language Service Extension Vulnerabilities Enable RCE Attacks news 2 min read | Writeup on exploits in the Angular Language Service Visual Studio Code extension, specifically GHSA-ccq4-xmxr-8hcq, which enable RCE via JSDoc hover command injection and insecure TypeScript SDK configuration loading. Attackers can craft malicious JSDoc comments or workspace settings to execute arbitrary commands on developer systems, bypassing VS Code's Workspace Trust. Versions prior to 21.2.4 are affected, with patches available in release 21.2.4. → cybersecuritynews.com |
| 2026-05-26 2026 | Microsoft SharePoint Server Vulnerability Enables Remote Code Execution Attacks news 2 min read | Writeup on CVE-2026-45659 in Microsoft SharePoint Server, a critical vulnerability enabling remote code execution via deserialization of untrusted data. The flaw, exploitable by authenticated users with Site Member permissions through a network attack with low complexity, requires immediate patching. Mitigations include applying security updates, auditing permissions, monitoring logs for suspicious activity, isolating internet-facing instances, and potentially enabling WAF rules against malicious deserialization payloads. → cybersecuritynews.com |
| 2026-05-26 2026 | Microsoft Patches SharePoint Remote Code Execution Bug news | Microsoft has released a security update to address a critical remote code execution (RCE) vulnerability in SharePoint Server. This bug, if exploited, could allow an unauthenticated attacker to gain control of a vulnerable system. The vulnerability is present in multiple versions of SharePoint Server, including: SharePoint Enterprise Server 2013, SharePoint Foundation 2013, SharePoint Enterprise Server 2016, and SharePoint Server Subscription Edition. Users are strongly advised to apply the patches immediately to protect their systems from potential compromise. → sqmagazine.co.uk |
| 2026-05-26 2026 | Chrome Security Update Patches Two Critical RCE Flaws: One Exploit Still Public Unpatched news 5 min read | Writeup on two critical RCE flaws patched in Chrome (CVE-2026-9111, CVE-2026-9110) and on detecting and mitigating browser-based threats. It also addresses the publicly disclosed, unpatched Browser Fetch API vulnerability, which enables persistent background connections and potential botnet enrollment across Chromium-based browsers like Edge and Brave, requiring manual updates or enterprise patch management for protection. → techtimes.com |
| 2026-05-26 2026 | Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions news 1 min read | Advisory for CVE-2026-45659, an important severity remote code execution vulnerability in Microsoft SharePoint. This flaw, assigned a CVSS score of 8.8, allows an authenticated attacker with minimum Site Member permissions to execute code over a network. Microsoft has released patches across various server versions to address this deserialization of untrusted data vulnerability, discovered by researcher MEOW. → thehackernews.com |
| 2026-05-26 2026 | High-severity SharePoint RCE bug patched by Microsoft (CVE-2026-45659) news 1 min read | Writeup of CVE-2026-45659, a high-severity SharePoint RCE vulnerability patched by Microsoft. This flaw allows authenticated attackers to execute arbitrary code remotely on vulnerable SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016 instances through deserialization of untrusted data, requiring low attack complexity without user interaction. → helpnetsecurity.com |
| 2026-05-26 2026 | Active Exploitation of CVE-2026-5426 in KnowledgeDeliver LMS Enables Godzilla (BLUEBEAM) Web Shell and Cobalt Strike Attacks news 5 min read | Analysis of CVE-2026-5426 in KnowledgeDeliver LMS reveals exploitation of hardcoded ASP.NET machineKey values, enabling unauthenticated remote code execution. Threat actors deploy the Godzilla (BLUEBEAM) web shell and Cobalt Strike BEACON payloads, targeting Japanese enterprises and educational institutions. Attackers leverage ViewState deserialization for initial access, install web shells for persistence, and employ social engineering to deliver Cobalt Strike to user endpoints, leading to widespread compromise. → rescana.com |
| 2026-05-25 2026 | From Auth Bypass to RCE: A 4-Vulnerability Exploit Chain in DataEase advanced 6 min read | Writeup of a 4-vulnerability exploit chain in DataEase, including CVE-2026-40899, CVE-2026-40900, and CVE-2026-40901, alongside a previously disclosed authentication bypass. This chain enables unauthenticated remote command execution and data exposure by leveraging a JDBC blocklist bypass for arbitrary file read, stacked SQL injection for database manipulation, and Quartz deserialization for RCE. The exploit targets DataEase versions up to v2.10.21, and users should upgrade to v2.10.21 or later. → ox.security |
| 2026-05-25 2026 | nginx-poolslip Flaw Enables DoS and Remote Code Execution news 2 min read | Analysis of CVE-2026-9256, "nginx-poolslip," reveals a critical heap-based buffer overflow in NGINX Plus and Open Source, exploitable remotely by unauthenticated attackers for denial-of-service or remote code execution. Exploitation involves crafting rewrite directives with overlapping PCRE capture groups and leverages a multi-stage ASLR bypass via heap probing and Heap Feng Shui techniques, ultimately enabling interactive root-level shell access. Mitigation includes patching affected NGINX versions and replacing unnamed PCRE capture groups with named ones in rewrite rules. → cyberpress.org |
| 2026-05-24 2026 | Critical Active Exploitation Alert: CVE-2026-48172 in LiteSpeed cPanel Plugin Enables Root Privilege Escalation news 4 min read | Alert detailing CVE-2026-48172, a critical privilege escalation vulnerability in LiteSpeed cPanel Plugin versions 2.3 through 2.4.4. This flaw allows authenticated users to execute arbitrary scripts as root due to incorrect privilege assignment in the `lsws.redisAble` function. The vulnerability, classified under CWE-266, is actively exploited in the wild by opportunistic threat actors, leading to full system compromise and potential deployment of malware or ransomware. Mitigation involves upgrading the plugin to version 2.4.7+ or uninstalling it, and reviewing logs for exploitation indicators like `cpanel_jsonapi_func=redisAble`. → rescana.com |
| 2026-05-24 2026 | Drupal Remote Code Execution vulnerability news 1 min read | Advisory describing a Drupal Remote Code Execution flaw impacting various versions of Drupal 8.9 and later, up to Drupal 11.3.10, which allows attackers to execute code, manipulate data, elevate privileges, and disclose sensitive information. Patches are available for Drupal 8.9 and Drupal 9.5, and updates are recommended for Drupal 10.4.x through 11.3.x. End-of-life versions like Drupal 8 and 9 may have other unaddressed vulnerabilities. → hkcert.org |
| 2026-05-23 2026 | Nginx-poolslip Vulnerability Enables DoS and Code Execution Attacks news 2 min read | Writeup detailing CVE-2026-9256, the nginx-poolslip vulnerability affecting NGINX Plus and Open Source. This flaw, residing in `ngx_http_rewrite_module`, allows remote, unauthenticated attackers to trigger a heap buffer overflow (CWE-122) via crafted requests using overlapping PCRE capture groups in rewrite directives. Exploitation can lead to denial-of-service or code execution by hijacking the memory pool's cleanup handler pointer, a distinct code path to corruption. → cybersecuritynews.com |
| 2026-05-22 2026 | Attackers Can Exploit a Claude Code RCE Flaw to Take Command of System news 3 min read | Writeup detailing a critical RCE vulnerability in Anthropic's Claude Code (version 2.1.118). Attackers could exploit a parsing flaw in the `eagerParseCliFlag` function via crafted deeplinks to inject arbitrary commands, bypassing trust prompts and taking control of a victim's system. The vulnerability was discovered by Joernchen of 0day.click and has since been patched. |
| 2026-05-22 2026 | Update Chrome now: Critical bugs could let attackers run code news 2 min read | Vulnerabilities in Chrome's WebRTC and UI allow remote code execution and UI spoofing. CVE-2026-9111, a use-after-free vulnerability in WebRTC, enables arbitrary code execution on Linux via a crafted HTML page. CVE-2026-9110, an inappropriate UI implementation on Windows, permits UI spoofing by an attacker who has compromised the renderer process. Updates to Chrome stable versions 148.0.7778.178/179 are available. |
| 2026-05-22 2026 | Trend Micro Apex One Multiple Vulnerabilities news | Writeup detailing multiple vulnerabilities in Trend Micro Apex One, including CVE-2026-34926, CVE-2026-34927, CVE-2026-34928, CVE-2026-34929, CVE-2026-34930, CVE-2026-45206, CVE-2026-45207, and CVE-2026-45208. Exploitation of CVE-2026-34926 is actively occurring, allowing pre-authenticated local attackers to inject malicious code for remote code execution, elevation of privilege, and data manipulation. → hkcert.org |
| 2026-05-21 2026 | Unpatched ChromaDB flaw leaves servers open to remote code execution news 3 min read | Writeup on ChromaToast (CVE-2026-45829), a vulnerability in ChromaDB's API server that allows unauthenticated remote code execution by exploiting a race condition where malicious AI models hosted on Hugging Face are fetched and loaded before authentication is checked. This critical flaw, affecting versions 1.0.0 to 1.5.8, enables attackers to gain shell access with the server's permissions, potentially accessing sensitive data. Researchers advise using the Rust implementation or restricting network access until a patch is available. → csoonline.com |
| 2026-05-21 2026 | Critical Chrome Vulnerabilities Enable Remote Code Execution Attacks news 1 min read | Writeup detailing Chrome's 16 patched vulnerabilities, including two Critical severity flaws: CVE-2026-9111 (Use-After-Free in WebRTC) and CVE-2026-9110 (Inappropriate Implementation in UI), which enable remote code execution. Nine High-severity flaws, such as CVE-2026-9112 and CVE-2026-9113, and five Medium-severity issues, including out-of-bounds reads (CVE-2026-9121, CVE-2026-9122) and heap buffer overflows (CVE-2026-9123), were also addressed. → cybersecuritynews.com |
| 2026-05-21 2026 | Microsoft Warns of Two Actively Exploited Defender Vulnerabilities news 2 min read | Advisory detailing CVE-2026-41091, a privilege escalation flaw in Microsoft Defender allowing SYSTEM access, and CVE-2026-45498, a denial-of-service bug. Both are actively exploited, with potential links to RedSun, UnDefend, and BlueHammer zero-days. Updates to Microsoft Defender Antimalware Platform address these. A separate heap-based buffer overflow, CVE-2026-45584, is also noted but not exploited. These are among multiple Microsoft vulnerabilities recently added to CISA's Known Exploited Vulnerabilities catalog. → thehackernews.com |
| 2026-05-21 2026 | Experts warn of active exploitation of critical NGINX flaw CVE-2026-42945 news 2 min read | Writeup of CVE-2026-42945, also known as NGINX Rift, detailing a critical heap buffer overflow in NGINX Plus and Open Source impacting the `ngx_http_rewrite_module`. This vulnerability arises from how rewrite directives with unnamed PCRE capture groups and specific replacement string patterns interact with the script engine, potentially leading to a controlled buffer overflow. While actively exploited, remote code execution requires specific NGINX configurations and the disabling of ASLR on modern Linux systems, making widespread RCE attacks less likely according to expert analysis. → securityaffairs.com |
| 2026-05-21 2026 | New NGINX 0-Day RCE "nginx-poolslip" Affects Millions of NGINX Servers news 2 min read | Writeup on nginx-poolslip, a zero-day RCE affecting NGINX 1.31.0 that allows attackers to bypass ASLR for system compromise. Discovered by NebSec, it exploits memory pool handling and targets the latest release, potentially impacting millions. This follows the CVE-2026-42945 heap buffer overflow. Interim mitigations include restricting admin interfaces, enabling ASLR, auditing configurations for specific directives, and considering alternatives like Cloudflare Pingora. → cybersecuritynews.com |
| 2026-05-21 2026 | Chrome Flaw Enables Remote Code Execution news 2 min read | Writeup of Chrome vulnerabilities, including two Critical flaws (CVE-2026-9111 Use-After-Free in WebRTC and CVE-2026-9110 Inappropriate Implementation in UI) enabling remote code execution on Windows, macOS, and Linux. Nine High-severity vulnerabilities were also patched, spanning memory corruption in GPU, QUIC, Service Worker, GFX, and XR components, some of which are known to facilitate sandbox escapes and RCE exploit chains. → cyberpress.org |
| 2026-05-21 2026 | Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks news 2 min read | Analysis of CVE-2026-9082, a critical Drupal Core vulnerability affecting PostgreSQL sites, enables remote code execution and privilege escalation. Exploitable by anonymous users, this flaw stems from a database abstraction API weakness. Searchlight Cyber has released proof-of-concept code, highlighting the urgency for sites using PostgreSQL to update to patched Drupal versions, including 11.3.10, 10.6.9, and others, which also contain upstream Symfony and Twig security updates. → thehackernews.com |
| 2026-05-20 2026 | Max-severity vulnerability in ChromaDB allows unauthenticated remote code execution news 1 min read | Vulnerability in ChromaDB's Python FastAPI server (CVE-2026-45829) allows unauthenticated remote code execution. Attackers can exploit this flaw, present in versions 1.0.0 through 1.5.8, by sending a crafted API request that forces the server to load and execute a malicious model from external sources before authentication. HiddenLayer discovered this maximum-severity vulnerability, which impacts agentic AI applications using ChromaDB as their vector database. Mitigation involves using the Rust frontend, restricting network access, and scanning model artifacts. → scworld.com |
| 2026-05-20 2026 | Critical RCE SQL Injection and Privilege Escalation Vulnerabilities Affecting Ivanti Endpoint Manager Fortinet FortiClient EMS (CVE-2026-21643) SAP VMware and n8n: CVE Analysis Exploitation and Patch Guidance news 5 min read | Analysis of critical RCE, SQL Injection, and Privilege Escalation vulnerabilities affecting Ivanti Endpoint Manager (CVE-2025-11622, CVE-2025-9713), Fortinet FortiClient EMS (CVE-2026-21643), SAP, VMware, and n8n. This advisory details exploitation vectors, including insecure deserialization and path traversal on Ivanti, and improper Site header handling on Fortinet, which can lead to unauthenticated RCE. The analysis covers affected versions, active exploitation trends, and mitigation strategies such as immediate patching and monitoring for suspicious activity across these enterprise platforms. → rescana.com |
| 2026-05-20 2026 | New NGINX Vulnerability Allow Remote Attackers to Trigger Malicious Code news 2 min read | Writeup on CVE-2026-8711, a heap-based buffer overflow in NGINX JavaScript (njs) versions 0.9.4-0.9.8. Exploitable via the `js_fetch_proxy` directive when combined with `ngx.fetch()` and client-controlled variables. This vulnerability, classified as CWE-122, can lead to denial-of-service and, under certain conditions like disabled ASLR, remote code execution within the NGINX worker process. The fix is available in njs 0.9.9. → cybersecuritynews.com |
| 2026-05-20 2026 | New NGINX Vulnerability Exposes Servers to Malicious Code Execution news 2 min read | Writeup of CVE-2026-8711, a heap-based buffer overflow in NGINX's JavaScript module affecting versions 0.9.4 through 0.9.8. Exploitation via the `js_fetch_proxy` directive with client-controlled variables and `ngx.fetch()` calls can lead to denial-of-service or, in systems without ASLR, remote code execution. F5 advisory K000161307 details the vulnerability, recommending an upgrade to njs 0.9.9 or later or refactoring configurations. → gbhackers.com |
| 2026-05-20 2026 | CVE-2026-45829: ChromaDB FastAPI ChromaToast RCE Exploit Now news 4 min read | Writeup on CVE-2026-45829, the ChromaToast vulnerability affecting ChromaDB's FastAPI server. This unauthenticated RCE flaw stems from improper handling of embedding function configurations, allowing attackers to supply malicious HuggingFace models with `trust_remote_code: true`. The vulnerability is triggered before authentication checks, leading to code execution on affected deployments, with an estimated 73% of internet-exposed instances vulnerable. Mitigation involves preferring the Rust-based deployment or restricting network access. → thecyberexpress.com |
| 2026-05-20 2026 | New NGINX Vulnerability Allows Remote Code Execution Attacks news 2 min read | Writeup of CVE-2026-8711, a critical heap buffer overflow in NGINX JavaScript (njs) versions 0.9.4-0.9.8. This vulnerability, triggered by `js_fetch_proxy` with client-controlled variables, can lead to remote code execution (RCE) if ASLR is disabled. The article also discusses the "NGINX Rift" vulnerability chain (CVE-2026-42945), which has seen in-the-wild exploitation. Mitigation involves auditing directives, enabling ASLR, and monitoring logs. → cyberpress.org |
| 2026-05-20 2026 | PoC Exploit Released for 20-Year Old PostgreSQL RCE Vulnerability intermediate 2 min read | Writeup on CVE-2026-2005, a two-decade-old PostgreSQL remote code execution vulnerability in the pgcrypto extension. The flaw, a heap-based buffer overflow in PGP session key parsing, allows arbitrary memory read/write, leading to PostgreSQL superuser privilege escalation and OS command execution via features like "COPY FROM PROGRAM." Exploitation, demonstrated by a PoC from Varik Matevosyan on GitHub, requires specific PostgreSQL builds and utilizes Python tools like psycopg2 and pwntools. → cybersecuritynews.com |
| 2026-05-20 2026 | Mozilla Products Multiple Vulnerabilities news 1 min read | Bulletin detailing multiple vulnerabilities affecting Mozilla Products including Firefox, Firefox ESR, Firefox for iOS, and Thunderbird. Exploitable by remote attackers, these issues can lead to denial of service, remote code execution, information disclosure, security restriction bypass, elevation of privilege, and spoofing. Specific CVEs such as CVE-2026-8388, CVE-2026-8391, and CVE-2026-8401 are listed, with patches available for affected versions including Firefox 151 and Thunderbird 151. → hkcert.org |
| 2026-05-19 2026 | TP-Link Photoshop OpenVPN Norton VPN vulnerabilities news 3 min read | Writeup detailing eight vulnerabilities in TP-Link Archer AX53 routers, including stack-based buffer overflow (CVE-2026-30814) and OS command injection (CVE-2026-30815, CVE-2026-30816, CVE-2026-30817, CVE-2026-30818, TALOS-2025-2307, TALOS-2025-2308, TALOS-2025-2309). It also covers privilege escalation in Adobe Photoshop via the Microsoft Store (CVE-2026-34632), a reachable assertion leading to DoS in OpenVPN (CVE-2026-35058), and privilege escalation in Norton VPN via the Microsoft Store (CVE-2025-58074). → blog.talosintelligence.com |
| 2026-05-19 2026 | Unpatched ChromaDB Vulnerability Can Lead to Server Takeover news 2 min read | Writeup of CVE-2026-45829, dubbed ChromaToast, a pre-authentication RCE vulnerability in ChromaDB. This flaw allows unauthenticated attackers to execute arbitrary code, gain shell access, and compromise sensitive data, including API keys and secrets. Exploitation involves tricking the server into downloading and executing a malicious HuggingFace model before authentication. The vulnerability affects ChromaDB versions since 1.0.0, with an estimated 73% of internet-accessible deployments exposed. HiddenLayer and researcher Azraelxuemo have reported the issue without response from Chroma. → securityweek.com |
| 2026-05-19 2026 | Critical SEPPmail Gateway Flaws Allow Remote Code Execution and Mail Traffic Theft news 2 min read | Flaws in SEPPmail Secure Email Gateway, including CVE-2026-2743 (pre-authenticated RCE via arbitrary file write) and CVE-2026-44128 (unauthenticated RCE through Perl code injection), permit remote code execution and mail traffic interception. Other vulnerabilities like CVE-2026-44127 (LFI) and CVE-2026-7864 (debug exposure) enable access to sensitive files and environment variables. These issues affect versions prior to the 15.x patched releases, allowing attackers to gain control, read or modify traffic, and access credentials. → cybersecuritynews.com |
| 2026-05-19 2026 | PoC Code Published for Critical NGINX Vulnerability news 2 min read | Writeup detailing CVE-2026-42945, a critical heap buffer overflow in NGINX's `ngx_http_rewrite_module` that can lead to denial-of-service or remote code execution. The vulnerability arises from a two-pass script engine process where an undersized buffer is allocated due to an unpropagated flag when a rewrite replacement contains a question mark. Exploitation involves manipulating request URIs with escapable characters to control the overflow size and employing cross-request heap feng shui to corrupt cleanup pointers for RCE. Patched versions include NGINX Plus 37.0.0 and NGINX open source 1.31.0. → securityweek.com |
| 2026-05-19 2026 | Critical Marimo Security Vulnerability Enables Remote Code Execution Attacks news 3 min read | Writeup of CVE-2026-39987, a pre-authentication remote code execution flaw in Marimo versions ≤ 0.22.x, located in the `/terminal/ws` WebSocket endpoint. An attacker can exploit it by connecting to the unauthenticated endpoint, which spawns a system-level shell, enabling arbitrary command execution and potential deployment of malware such as NKAbuse, with payloads hosted on Hugging Face Spaces. This missing authentication check allows attackers to gain full control of exposed systems, which are often used for AI and data science prototyping. → cybersecuritynews.com |
| 2026-05-19 2026 | SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access news 2 min read | Writeup of SEPPMail Secure E-Mail Gateway vulnerabilities including CVE-2026-2743 for path traversal leading to RCE, CVE-2026-7864 for information exposure, CVE-2026-44125 for missing authorization, CVE-2026-44126 for deserialization, CVE-2026-44127 for path traversal and file deletion, CVE-2026-44128 for eval injection, and CVE-2026-44129 for template engine vulnerabilities. These flaws allow unauthenticated attackers to execute arbitrary code, read mail traffic, and gain network access, with some fixed in versions 15.0.2.1, 15.0.3, and 15.0.4. → thehackernews.com |
| 2026-05-19 2026 | 20-Year-Old PostgreSQL Flaw Gets Public PoC Exploit for Remote Code Execution news 3 min read | Writeup of the public PoC for CVE-2026-2005, a two-decade-old PostgreSQL flaw in the pgcrypto extension leading to remote code execution. The vulnerability gives attackers arbitrary memory read/write via a heap-based buffer overflow in PGP session key parsing, ultimately escalating privileges to PostgreSQL superuser. The PoC, a multi-stage exploit that bypasses ASLR, leverages crafted PGP messages and PostgreSQL's "COPY FROM PROGRAM" feature to execute arbitrary OS commands. → gbhackers.com |
| 2026-05-19 2026 | Attackers are exploiting critical NGINX vulnerability (CVE-2026-42945) news 3 min read | Writeup of CVE-2026-42945, a critical NGINX vulnerability dubbed NGINX Rift. Attackers are exploiting this memory corruption flaw to trigger denial-of-service conditions and potentially achieve unauthenticated remote code execution via crafted HTTP requests. The vulnerability affects NGINX Open Source and NGINX Plus, as well as certain F5 products, stemming from a bug in the `ngx_http_rewrite_module` and specifically triggered by rewrite directives with unnamed regex captures and question marks. Fixes are available for NGINX Open Source and Plus, with mitigations including the use of named captures. → helpnetsecurity.com |
| 2026-05-19 2026 | SEPPmail Gateway Flaws Expose Organizations to RCE and Email Traffic Interception news 3 min read | Writeup of SEPPmail Gateway vulnerabilities including CVE-2026-2743, CVE-2026-7864, CVE-2026-44127, and CVE-2026-44128, allowing pre-authenticated RCE via arbitrary file write in the LFT module and Perl code injection in the GINA v2 interface. Attackers can chain these flaws to gain full control of email gateways, intercept sensitive email traffic, and access confidential communications and credentials, posing significant risks to organizations, particularly in the DACH region. → gbhackers.com |
| 2026-05-19 2026 | Critical n8n Vulnerabilities Expose Automation Nodes to Full RCE news 2 min read | Writeup on critical n8n vulnerabilities CVE-2026-44789, CVE-2026-44790, and CVE-2026-44791, which allow attackers to achieve full remote code execution. These flaws impact the HTTP Request node via prototype pollution (CWE-1321), the Git node through argument injection (CWE-88) for arbitrary file reads, and the XML node with a patch bypass. Versions below 1.123.43, 2.20.7, and 2.22.1 are affected. → cybersecuritynews.com |
| 2026-05-18 2026 | Hackers Actively Exploiting Critical NGINX RCE Vulnerability in the Wild news 2 min read | Writeup on CVE-2026-42945, a critical NGINX heap buffer overflow vulnerability actively exploited in the wild. Researchers have observed real-world attacks allowing unauthenticated attackers to crash NGINX worker processes via crafted HTTP requests. While full remote code execution is unlikely due to ASLR, denial-of-service conditions are readily achievable. Exploitation requires specific NGINX rewrite configurations, but the large number of potentially vulnerable internet-facing NGINX servers necessitates urgent patching and mitigation. → cybersecuritynews.com |
| 2026-05-18 2026 | Critical NGINX Vulnerability Lets Hackers Launch Remote Code Execution Attacks news 2 min read | Writeup on CVE-2026-42945, a critical NGINX vulnerability allowing unauthenticated attackers to crash servers or execute remote code via specially crafted HTTP requests triggering a heap buffer overflow. Exploitation is possible under specific conditions, such as ASLR being disabled, and requires a particular rewrite configuration. Millions of NGINX servers are exposed, and active exploitation has been observed, necessitating prompt patching and configuration audits. → gbhackers.com |
| 2026-05-18 2026 | Ivanti Fortinet SAP VMware n8n Patch RCE SQL Injection Privilege Escalation Flaws news 4 min read | Patches released for Ivanti Xtraction (CVE-2026-8043), Fortinet (CVE-2026-44277, CVE-2026-26083), SAP (CVE-2026-34260, CVE-2026-34263), VMware Fusion (CVE-2026-41702), and n8n (CVE-2026-42231, CVE-2026-42232, CVE-2026-44791, CVE-2026-44789, CVE-2026-44790) address critical vulnerabilities including SQL injection, prototype pollution, authentication bypass, and privilege escalation. → thehackernews.com |
| 2026-05-18 2026 | Marimo Security Flaw Enables remote code execution Attacks news 2 min read | Writeup on CVE-2026-39987, a critical pre-authentication RCE in Marimo, a Python notebook framework, allowing unauthenticated attackers to hijack a live system shell via an unprotected `/terminal/ws` WebSocket endpoint. Exploitation can lead to full system compromise, data exfiltration, and lateral movement, especially in Dockerized AI/ML environments. A Nuclei detection template is available. All Marimo versions ≤ 0.22.x are affected; upgrade to 0.23.0 or later. → cyberpress.org |
| 2026-05-18 2026 | Hackers Exploit Critical NGINX RCE Vulnerability in the Wild news 2 min read | Writeup of CVE-2026-42945, "NGINX Rift," detailing a critical heap buffer overflow in the `ngx_http_rewrite_module`. This vulnerability, affecting numerous NGINX versions, enables remote code execution when ASLR is disabled and a denial-of-service condition via worker process crashes otherwise. Exploitation is actively occurring in the wild, with a proof-of-concept readily available. Patched versions of NGINX are now available, and Cloudflare has released a WAF rule update. → cyberpress.org |
| 2026-05-18 2026 | Critical Marimo RCE Flaw Could Let Attackers Execute Malicious Code Remotely news 2 min read | Writeup of CVE-2026-39987, a critical RCE flaw in the Marimo Python notebook framework. The vulnerability allows unauthenticated attackers to spawn a system-level shell via the `/terminal/ws` WebSocket endpoint, potentially leading to full infrastructure compromise. Exploitation has been observed with NKAbuse malware, using simple WebSocket clients to execute commands. Affected Marimo versions prior to 0.23.0 require immediate upgrading, with interim mitigations including network access restrictions and non-root execution. → gbhackers.com |
| 2026-05-18 2026 | n8n Security Flaws Could Let Attackers Achieve Remote Code Execution news 2 min read | Writeup of n8n security flaws (CVE-2026-44789, CVE-2026-44790, CVE-2026-44791) detailing how prototype pollution, argument injection in the Git node, and patch bypass in the XML node can be chained for remote code execution. These critical vulnerabilities, requiring only low-privilege authenticated access, enable attackers to perform arbitrary file reads and compromise the entire n8n instance by manipulating workflow logic. → gbhackers.com |
| 2026-05-18 2026 | Exploitation of Critical NGINX Vulnerability Begins news 2 min read | Writeup detailing the active exploitation of CVE-2026-42945, known as Nginx Rift, a critical-severity heap buffer overflow in NGINX's `ngx_http_rewrite_module`. This vulnerability, present for 16 years and patched by F5, can lead to denial-of-service or remote code execution depending on system configurations like ASLR. VulnCheck warns that threat actors are already leveraging this flaw via crafted HTTP requests, with public proof-of-concept code enabling potential RCE and demanding urgent attention for affected NGINX deployments. → securityweek.com |
| 2026-05-18 2026 | Experts warn of active exploitation of critical NGINX flaw CVE-2026-42945 news 2 min read | Writeup of CVE-2026-42945, the "NGINX Rift" heap buffer overflow vulnerability affecting NGINX Plus and NGINX Open Source. Actively exploited shortly after disclosure, the flaw resides in `ngx_http_rewrite_module` and is triggered by specific rewrite directive configurations involving unnamed PCRE capture groups and question marks. While remote code execution is possible, it requires disabling Address Space Layout Randomization (ASLR) and knowledge of the vulnerable configuration, making widespread RCE attacks unlikely according to experts. → securityaffairs.com |
| 2026-05-18 2026 | Claude Code Vulnerability Allows Attackers to Run Commands Through Crafted Deeplinks news 2 min read | Writeup of Claude Code RCE vulnerability allowing arbitrary command execution via crafted deeplinks, exploiting a flaw in `eagerParseCliFlag` that mishandles `--settings=` within URL parameters. This technique, discovered by Joernchen, impacts Claude Code versions prior to 2.1.118 and demonstrates the risks of naive string parsing for CLI arguments, particularly when combined with deeplink handlers that inject user-controlled input into critical application logic. → gbhackers.com |
| 2026-05-18 2026 | Claude Code RCE Vulnerability Allow Attackers Execute Commands via Malicious Deeplinks news 2 min read | Writeup of RCE in Anthropic's Claude Code, allowing attackers to execute arbitrary shell commands via crafted `claude-cli://` deeplinks. The vulnerability, disclosed by Joernchen, exploited an `eagerParseCliFlag` function that naively processed `--settings=` flags embedded within deeplink parameters, bypassing workspace trust dialogs on macOS. Anthropic fixed the flaw in version 2.1.118. → cyberpress.org |
| 2026-05-18 2026 | US cyber agency warns of active exploitation of Microsoft Exchange Server spoofing vulnerability news 1 min read | Catalog entry for CVE-2026-42897, a Microsoft Exchange Server spoofing vulnerability allowing arbitrary JavaScript execution in Outlook Web Access. Exploitable via specially crafted emails, this cross-site scripting flaw has a CVSS score of 8.1 and is actively being exploited. Microsoft offers a temporary mitigation and is developing a permanent fix. |
| 2026-05-18 2026 | Claude Code RCE Flaw Lets Attackers Execute Commands via Malicious Deeplinks news 2 min read | Writeup of the Claude Code RCE vulnerability, which allows arbitrary command execution through malicious deeplinks by exploiting a naive command-line argument parser. The flaw, identified by Joernchen of 0day.click and patched in version 2.1.118, weaponizes the `claude-cli://` handler and bypasses workspace trust dialogs by injecting malicious `SessionStart` hooks into the `--prefill` parameter. The vulnerability highlights the risks of context-blind argument parsing, particularly within deeplink handlers. → cybersecuritynews.com |
| 2026-05-17 2026 | NGINX CVE-2026-42945 Exploited in the Wild Causing Worker Crashes and Possible RCE news 2 min read | News roundup covering CVE-2026-42945, a heap buffer overflow in ngx_http_rewrite_module causing worker crashes and potential RCE when ASLR is disabled. It also reports that two openDCIM vulnerabilities, CVE-2026-28515 (missing authorization) and CVE-2026-28517 (OS command injection), are actively exploited and can be chained with CVE-2026-28516 (SQL injection) for RCE, reportedly by attackers using AI tools such as Vulnhuntr. → thehackernews.com |
| 2026-05-17 2026 | CVE-2026-42945: NGINX Rewrite Heap Overflow Enables Remote DoS & Potential RCE news 5 min read | Writeup of CVE-2026-42945, an NGINX rewrite heap overflow vulnerability, details its exploitation via crafted HTTP requests, particularly when using unnamed PCRE captures with a question mark in the replacement string. This flaw, present in versions from 0.6.27 through 1.30.0, can lead to Denial of Service through worker crashes or potential Remote Code Execution, especially with ASLR disabled. A proof-of-concept demonstrating RCE has been published. → socradar.io |
| 2026-05-16 2026 | Microsofts Patch Tuesday Update Targets 120 Security Flaws news | Microsoft's latest Patch Tuesday update addresses 120 security vulnerabilities. Users should install it promptly to protect their systems; the details of each vulnerability and the affected products are available in Microsoft's official release notes. → techrepublic.com |
| 2026-05-15 2026 | A remote code execution vulnerability has been discovered in NGINX; the affected versions are listed below. news 2 min read | Writeup of CVE-2026-42945, an 18-year-old heap buffer overflow in NGINX, enabling unauthenticated remote code execution when specific rewrite, if, or set directives are used with unnamed PCRE capture groups. DepthFirst's analysis highlights memory corruption issues, with potential exploitation on systems lacking ASLR. The vulnerability's severity is rated differently by NGINX (medium) and NIST (critical/high), depending on exploitability conditions. Affected users should update NGINX and review configurations for vulnerable directive combinations. → gigazine.net |
| 2026-05-15 2026 | Amazon Redshift JDBC Driver Flaws Enable Remote Code Execution news 2 min read | Writeup of CVE-2026-8178 in the Amazon Redshift JDBC Driver, which enables remote code execution. Versions prior to 2.2.2 are vulnerable due to unsafe class loading from connection parameters, allowing attackers to execute arbitrary code within the Java Virtual Machine (JVM) context without authentication. Exploitation can impact confidentiality, integrity, and availability. Users must upgrade to version 2.2.2 or later and review how connection URLs are constructed. → cyberpress.org |
| 2026-05-15 2026 | Nginx Remote Code Execution Vulnerability (CVE-2026-42945) Notice news | Notice of a critical remote code execution (RCE) vulnerability in Nginx, tracked as CVE-2026-42945, which allows attackers to execute arbitrary code on affected servers. Exact impact and exploitability details were still emerging at the time of the notice, but it represents a significant risk for websites and applications relying on Nginx. Users are advised to monitor official Nginx advisories for patches and mitigation strategies. → securityboulevard.com |
| 2026-05-15 2026 | Google Chrome Multiple Vulnerabilities news 1 min read | Writeup detailing multiple vulnerabilities in Google Chrome, affecting versions prior to 148.0.7778.167 (Linux) and 148.0.7778.167/168 (Mac/Windows). Exploitation of these CVEs, including CVE-2026-8509 through CVE-2026-8587, could lead to remote code execution, denial of service, security restriction bypass, spoofing, cross-site scripting, and information disclosure. Users are advised to update to the patched versions. → hkcert.org |
| 2026-05-14 2026 | Critical NGINX Rift vulnerability discovered present for 18 years news | Writeup of CVE-2026-42945, NGINX Rift, a critical heap buffer overflow vulnerability in NGINX Plus and Open Source affecting versions 0.6.27 through 1.30.0 and R32 through R36. Triggered by specific rewrite directives with unnamed PCRE capture groups and a question mark in the replacement string, exploitation can lead to remote code execution or denial-of-service. Patches were released April 21, 2026. → scworld.com |
| 2026-05-14 2026 | AI agent finds 18-year-old remote code execution flaw in Nginx news 3 min read | Writeup of an LLM-powered vulnerability-finding system that discovered four bugs in Nginx, including CVE-2026-42945, a critical heap buffer overflow in the `ngx_http_rewrite_module` that allows remote code execution through specific rewrite directive configurations. The flaw, impacting Nginx versions 0.6.27 to 1.30.0 and Nginx Plus, was patched in later releases. Additional vulnerabilities CVE-2026-42946, CVE-2026-42934, and CVE-2026-40701 were also identified, leading to denial of service, memory leaks, or data modification. → csoonline.com |
| 2026-05-14 2026 | CVE-2026-42945: Critical NGINX Rewrite Flaw news 3 min read | Writeup detailing CVE-2026-42945, an 18-year-old heap buffer overflow in NGINX's ngx_http_rewrite_module. This critical vulnerability, also known as NGINX Rift, affects NGINX Open Source (0.6.27-1.30.0) and NGINX Plus (R32-R36), enabling denial of service or potential remote code execution via crafted HTTP requests. Exploitation occurs when rewrite directives use unnamed PCRE captures with a replacement string containing a question mark, followed by specific other directives. Mitigation involves upgrading to patched versions or temporarily replacing unnamed captures with named ones. → socprime.com |
| 2026-05-14 2026 | Critical Canon MailSuite Vulnerability Enables Remote Code Execution Attacks news 2 min read | Writeup of JVN#35567473, a stack-based buffer overflow vulnerability in Canon's GUARDIANWALL MailSuite. Exploiting the `pop3wallpasswd` command allows attackers to achieve Remote Code Execution (RCE) without authentication, affecting versions 1.4.00 through 2.4.26. Canon has released a patch, and a temporary workaround involves disabling the administration screen. → cybersecuritynews.com |
| 2026-05-14 2026 | Critical Windows DNS Client Flaw Enables Remote Code Execution news 2 min read | Writeup of CVE-2026-41096, a critical Windows DNS Client heap-based buffer overflow in DNSAPI.dll, allowing attackers to execute arbitrary code remotely without user interaction or prior authentication by returning specially crafted DNS responses. Microsoft released cumulative updates to fix this vulnerability affecting Windows 11, Server 2022, and Server 2025, addressing a significant attack surface and the potential for rapid lateral movement within networks. → cyberpress.org |
| 2026-05-14 2026 | Critical MongoDB Vulnerability Allow Attackers to Execute Arbitrary Code news 1 min read | Writeup of CVE-2026-8053, a critical MongoDB vulnerability enabling arbitrary code execution. The flaw gives attackers full server control and enables data exfiltration and ransomware deployment. While MongoDB Atlas users are automatically protected, self-hosted deployments require immediate patching to the latest Community Edition builds and log monitoring for suspicious activity. → cybersecuritynews.com |
| 2026-05-14 2026 | ThreatsDay Bulletin: PAN-OS RCE Mythos cURL Bug AI Tokenizer Attacks and 10 Stories news 9 min read | Threat intelligence bulletin detailing an exploited PAN-OS RCE (CVE-2026-0300) with EarthWorm and ReverseSocks5 payloads, private AI chats using Trusted Execution Environments for Meta AI, a zero-auth data leak impacting Schemata's AI training platform, the FCC's router update deadline extension, Operation GriefLure's APT phishing targeting Vietnam and the Philippines with RATs, a multi-stage intrusion using weaponized PowerShell disguised as JPEGs for ConnectWise ScreenConnect, an aid-themed infostealer using LNK files and Python implants, GhostLock's PoC demonstrating denial of file access via SMB share locking, AI scan results for cURL identifying a low-severity bug, and an MoU between Indian agencies for fraud-risk intelligence sharing. → thehackernews.com |
| 2026-05-14 2026 | 18-year-old NGINX vulnerability allows DoS potential RCE news 4 min read | Writeup of CVE-2026-42945, an 18-year-old heap buffer overflow in NGINX's ngx_http_rewrite_module, which can lead to denial of service and, under specific conditions such as disabled ASLR, remote code execution. The flaw, affecting versions 0.6.27 through 1.30.0, arises from inconsistent state handling during URI processing when 'rewrite' and 'set' directives are used together. Three other memory corruption issues (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934) were discovered alongside it. → bleepingcomputer.com |
| 2026-05-14 2026 | Critical Exim vulnerability allows remote code execution news | Writeup of CVE-2026-45185, a critical use-after-free vulnerability in the Exim mail transfer agent impacting versions prior to 4.99.3 that use GnuTLS with STARTTLS and CHUNKING enabled. The flaw allows unauthenticated remote attackers to execute arbitrary code by exploiting a condition during the TLS shutdown process with chunked SMTP traffic. OpenSSL builds are unaffected. The vulnerability, discovered by Federico Kirschbaum, is fixed in Exim 4.99.3. → scworld.com |
| 2026-05-14 2026 | Windows DNS Client Security Flaw Exposes Systems to Remote Code Execution news 2 min read | Writeup on CVE-2026-41096, a critical heap-based buffer overflow in the Windows DNS Client (dnsapi.dll) that allows remote code execution. Exploitable over the network without user interaction or privileges, it has a CVSS score of 9.8. Attackers can trigger this vulnerability by sending a specially crafted DNS response, potentially leading to full system compromise. Microsoft released patches in May 2026. → gbhackers.com |
| 2026-05-14 2026 | New Exim Vulnerability Enables Arbitrary Code Execution Attacks news 2 min read | Writeup of CVE-2026-45185, "Dead.Letter," a critical use-after-free vulnerability in Exim versions 4.97-4.99.2 (GnuTLS builds with STARTTLS and BDAT enabled). This flaw enables unauthenticated remote code execution by corrupting heap memory through a single-byte write primitive, which researchers escalated using glibc heap manipulation or by targeting Exim function pointers. Exploitation is expedited by LLM-assisted exploit generation. Immediate upgrade to Exim 4.99.3 or mitigation by switching to OpenSSL builds or disabling BDAT is recommended. → cyberpress.org |
| 2026-05-14 2026 | Critical Exim Mailer Flaw Enables Remote Code Execution Attacks news 5 min read | Writeup on CVE-2026-45185, nicknamed "Dead.Letter," detailing a critical use-after-free vulnerability in Exim mail transfer agents compiled with GnuTLS. This flaw allows unauthenticated attackers to achieve remote code execution by crafting SMTP commands that trigger memory corruption during TLS shutdown amidst BDAT chunk processing. The vulnerability's exploitability is amplified by Exim's custom pool allocator, enabling attackers to corrupt heap metadata and gain control via function pointer overwrites. Mitigation includes upgrading Exim, switching to OpenSSL, or disabling BDAT support. → gbhackers.com |
| 2026-05-14 2026 | PoC Released for 18-Year-Old NGINX Flaw Allowing Remote Code Execution news 2 min read | Writeup of CVE-2026-42945 (NGINX Rift), a critical 18-year-old heap buffer overflow vulnerability in NGINX’s `ngx_http_rewrite_module` discovered by depthfirst's AI. This unauthenticated RCE flaw affects NGINX versions from 0.6.27 to 1.30.0 and impacts various F5 and NGINX products. The article also details CVE-2026-42946 (excessive memory allocation), CVE-2026-40701 (use-after-free), and CVE-2026-42934 (out-of-bounds read). Immediate upgrades to NGINX 1.31.0 or 1.30.1 are recommended. → gbhackers.com |
| 2026-05-14 2026 | 18-Year-Old NGINX Flaw Enables Remote Code Execution Attacks news 2 min read | Writeup of CVE-2026-42945 (NGINX Rift), an 18-year-old heap buffer overflow in `ngx_http_rewrite_module` enabling unauthenticated RCE. This critical vulnerability, found by AI, affects NGINX versions 0.6.27 through 1.30.0 and various NGINX Plus, Instance Manager, App Protect WAF, and Ingress Controller products. Exploitation involves crafted HTTP requests, and mitigation includes upgrading to NGINX 1.31.0 or 1.30.1 or isolating rewrite and set directives. The analysis also uncovered CVE-2026-42946, CVE-2026-40701, and CVE-2026-42934. → cyberpress.org |
| 2026-05-14 2026 | Windows DNS Client Vulnerability Enables Remote Code Execution Attacks news 2 min read | Writeup of CVE-2026-41096, a critical heap-based buffer overflow in the Windows DNS Client's DNSAPI.dll component. This vulnerability, with a CVSS score of 9.8, allows remote code execution by sending a crafted DNS response, enabling attackers to compromise endpoints without user interaction or authentication. Microsoft addressed this flaw in their May 12, 2026 Patch Tuesday release with cumulative updates for Windows 11 and Server 2022/2025. → cybersecuritynews.com |
| 2026-05-14 2026 | New MongoDB Vulnerability Risks Remote Code Execution news 2 min read | Library of patches addresses CVE-2026-8053, a critical MongoDB vulnerability enabling remote code execution and potential system compromise. While MongoDB Atlas users are secured, self-hosted deployments running versions 5.0 and later require immediate patching via updated Community and Enterprise builds (7.0.31, 8.0.20, 8.2.7) to prevent data extraction, malware deployment, and network pivoting. → cyberpress.org |
| 2026-05-14 2026 | Critical 18-Year-Old NGINX Vulnerability Enables Remote Code Execution Attacks news 2 min read | Writeup detailing CVE-2026-42945, an 18-year-old NGINX vulnerability in the `ngx_http_rewrite_module` that enables unauthenticated remote code execution. Triggered by a state mismatch in the two-pass script engine when `rewrite` and `set` directives are used together, particularly with a question mark in the `rewrite` directive, it leads to a heap buffer overflow. Researchers developed an RCE exploit chaining heap manipulation and structure spraying, affecting various F5/NGINX products. Immediate upgrades to NGINX 1.30.1 or 1.31.0 are recommended. |
| 2026-05-14 2026 | Critical 18-Year-Old NGINX Vulnerability Enables Remote Code Execution Attacks news 2 min read | Analysis of CVE-2026-42945, an 18-year-old heap buffer overflow in NGINX's `ngx_http_rewrite_module`, reveals a critical flaw exploitable for unauthenticated remote code execution. Introduced in 2008 and present up to version 1.30.0, the vulnerability arises from a state mismatch in the rewrite and set directives' two-pass processing when a question mark is present, leading to a heap overflow during the second pass. depthfirst autonomously discovered this, along with three other memory corruption bugs, and a public proof-of-concept demonstrates chaining heap manipulation and structure spraying for reliable RCE, particularly when ASLR is disabled. The flaw impacts numerous F5/NGINX products, prompting an urgent upgrade recommendation. → cybersecuritynews.com |
| 2026-05-14 2026 | Critical NGINX exploit: hackers can crash servers, run remote code without authentication news | A critical vulnerability in the NGINX web server lets unauthenticated attackers crash the server or execute code remotely, so anyone who can reach an affected instance could potentially take control of it. The excerpt names no identifier; the same-day entries above track the flaw as CVE-2026-42945 (NGINX Rift) in `ngx_http_rewrite_module`. → cybernews.com |
| 2026-05-14 2026 | 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE news 3 min read | Writeup detailing CVE-2026-42945, a critical heap buffer overflow vulnerability in NGINX's `ngx_http_rewrite_module`, codenamed NGINX Rift. This 18-year-old flaw, discovered by depthfirst, allows unauthenticated remote code execution or denial-of-service through crafted HTTP requests, particularly when using unnamed PCRE captures with a question mark in rewrite directives. The writeup also covers related vulnerabilities: CVE-2026-42946 (excessive memory allocation), CVE-2026-40701 (use-after-free), and CVE-2026-42934 (out-of-bounds read). → thehackernews.com |
| 2026-05-14 2026 | Critical SandboxJS Escape Vulnerability Enables Host Takeover news 3 min read | Library update addressing CVE-2026-43898 in SandboxJS, a critical JavaScript sandboxing library. This vulnerability, with a CVSS score of 10.0, allowed attackers to escape the sandbox via a leaked `LispType.Call` callback, enabling arbitrary code execution on the host system. The flaw was rooted in allowing sandboxed code to read properties like `caller` and `arguments` of functions. Version 0.9.6 patches this by blocking such access. → cybersecuritynews.com |
| 2026-05-14 2026 | SAP Rushes Emergency Security Updates For Critical Commerce Cloud & S/4HANA Vulnerabilities news | SAP has released emergency security updates for critical vulnerabilities in Commerce Cloud and S/4HANA. Organizations running these products are advised to apply the updates immediately. This excerpt names no CVEs or affected components beyond the two products. |
| 2026-05-14 2026 | Palo Alto Products Multiple Vulnerabilities news 2 min read | Writeup of multiple vulnerabilities affecting Palo Alto products, including GlobalProtect App and PAN-OS. Attackers can exploit these flaws to achieve elevation of privilege, denial of service, remote code execution, cross-site scripting, and security restriction bypass. Specific CVEs identified include CVE-2026-0249, CVE-2026-0250, and CVE-2026-0251, among others. Affected versions span across PAN-OS 10.2, 11.1, 11.2, 12.1, and various GlobalProtect App releases. → hkcert.org |
| 2026-05-14 2026 | Microsoft's agentic security system MDASH uncovers four critical Windows RCE flaws news 3 min read | Tool: Microsoft's MDASH, an agentic security system orchestrating over 100 AI agents, has discovered 16 previously unknown Windows vulnerabilities, including four critical remote code execution flaws. These include CVE-2026-33827, a use-after-free in tcpip.sys, and CVE-2026-33824, a double-free in the IKEv2 service. MDASH utilizes frontier and distilled AI models, domain plugins, and a pipeline of prepare, scan, validate, dedup, and prove stages to identify complex bugs missed by traditional scanners. |
| 2026-05-13 2026 | May's Patch Tuesday hauls out 132 CVEs news 7 min read | Analysis of Microsoft's May Patch Tuesday release details 132 CVEs across 20 product families, with 29 Critical severity vulnerabilities. Notable issues include elevation of privilege via an SSO plugin for Jira & Confluence (CVE-2026-41103), remote code execution in Windows Netlogon (CVE-2026-41089) and DNS Client (CVE-2026-41096), and six Microsoft Office/Word remote code execution vulnerabilities exploitable via the Preview Pane. The release also addresses vulnerabilities in Adobe Commerce and includes an AMD CPU issue. |
| 2026-05-13 2026 | Fortinet fixes two critical RCE flaws in FortiAuthenticator and FortiSandbox news 2 min read | Patches addressing two critical RCE vulnerabilities, CVE-2026-44277 in FortiAuthenticator (improper access control) and CVE-2026-26083 in FortiSandbox (missing authorization), have been released by Fortinet. These flaws allow unauthenticated attackers to execute arbitrary code via specifically crafted requests. Fortinet also provided updates for other flaws, including CVE-2025-53844, CVE-2025-53870, and CVE-2025-53680 in FortiOS and FortiAP products. → csoonline.com |
| 2026-05-13 2026 | New critical Exim mailer flaw allows remote code execution news 2 min read | Writeup of CVE-2026-45185, a critical use-after-free vulnerability in Exim mail transfer agent versions 4.97 through 4.99.2 compiled with GnuTLS. This flaw allows unauthenticated remote code execution by exploiting a TLS shutdown issue during BDAT chunked SMTP traffic. XBOW's AI-assisted research aided in developing a proof-of-concept exploit, highlighting the evolving landscape of vulnerability discovery and exploitation. → bleepingcomputer.com |
| 2026-05-13 2026 | Microsoft Patches Critical Zero-Click Outlook Vulnerability Threatening Enterprises news 2 min read | Vulnerability writeup of CVE-2026-40361, a critical zero-click use-after-free bug in Microsoft Outlook and Word, allowing remote code execution via email previews. Discovered by Haifei Li, developer of Expmon, this flaw, similar to the decade-old BadWinmail (CVE-2015-6172), bypasses enterprise firewalls and targets users by exploiting Outlook's email rendering engine, making plain-text rendering a potential mitigation. Microsoft rates exploitation as "more likely." → securityweek.com |
| 2026-05-13 2026 | Fortinet, Ivanti Patch Critical Vulnerabilities news 2 min read | Advisories detail critical vulnerabilities patched by Fortinet and Ivanti. Fortinet addressed CVE-2026-44277 and CVE-2026-26083, both CVSS 9.1 critical code execution flaws in FortiAuthenticator and FortiSandbox respectively, alongside CVE-2025-53844, a high-severity out-of-bounds write in FortiOS. Ivanti's patches include CVE-2026-8043, a critical CVSS 9.6 file write vulnerability in Xtraction, plus high-severity SQL injection and OS command injection flaws in Endpoint Manager and Virtual Traffic Manager. → securityweek.com |
| 2026-05-13 2026 | Microsoft's agentic AI system found four critical Windows RCE flaws news 2 min read | Writeup of MDASH, a system of over 100 specialized AI agents developed by Microsoft's Autonomous Code Security team, which discovered four critical Windows RCE flaws. The article lists CVE-2026-40361 and CVE-2026-40364 among them; note that other entries on this page attribute CVE-2026-40361 to an Outlook/Word bug found by Haifei Li and list both identifiers under Office/Word, while Microsoft's own post below names tcpip.sys and IKEv2 bugs as the MDASH finds, so verify the identifiers against MSRC before citing them. MDASH performed strongly on internal and public benchmarks such as CyberGym, identifying all 21 injected vulnerabilities in a private Windows driver without false positives and achieving high recall against historical Microsoft Security Response Center vulnerabilities. → helpnetsecurity.com |
| 2026-05-13 2026 | Microsoft Patches 138 Vulnerabilities Including DNS and Netlogon RCE Flaws news 6 min read | Patches from Microsoft address 138 vulnerabilities, including critical RCE flaws in Windows DNS (CVE-2026-41096) and Netlogon (CVE-2026-41089), along with Azure DevOps information exposure (CVE-2026-42826) and Azure Managed Instance for Apache Cassandra code execution (CVE-2026-33109). Additional fixes target Microsoft Dynamics 365, Azure Logic Apps, Microsoft Teams, Azure Cloud Shell, Azure Entra ID, Windows Hyper-V, and a Microsoft SSO Plugin for Jira & Confluence (CVE-2026-41103), with several identified by Microsoft's AI-driven discovery system MDASH. An AMD vulnerability (CVE-2025-54518) related to CPU cache isolation is also patched. → thehackernews.com |
| 2026-05-13 2026 | Critical Fortinet FortiSandbox Flaw Enables Remote Code Execution news 1 min read | Writeup on the Fortinet FortiSandbox remote code execution vulnerability (CWE-862, missing authorization; tracked as CVE-2026-26083 in the other Fortinet entries on this page). The flaw in the web UI allows unauthenticated attackers to execute malicious code on affected on-premises, Cloud, and PaaS environments by sending crafted HTTP requests, bypassing authentication entirely and potentially turning the security appliance into a network intrusion launchpad. → cyberpress.org |
| 2026-05-13 2026 | Critical Exim GnuTLS Flaw Enables Remote Code Execution news 2 min read | Writeup of EXIM-Security-2026-05-01.1, a critical use-after-free vulnerability affecting Exim mail transfer agents compiled with GnuTLS. This flaw allows remote attackers to corrupt server memory and achieve arbitrary code execution by exploiting a specific interaction between the BDAT command and TLS session teardown. The vulnerability, present in Exim versions 4.97 through 4.99.2, is addressed in version 4.99.3. → cyberpress.org |
| 2026-05-13 2026 | Critical Fortinet FortiSandbox Vulnerability Enables Code Execution Attacks news 2 min read | Writeup of CVE-2026-26083, a critical Fortinet FortiSandbox vulnerability enabling unauthenticated remote code execution. This missing authorization flaw in the Web UI affects on-premises, cloud, and PaaS variants, with a CVSSv3 score of 9.1. Exploiting this vulnerability allows attackers to compromise the entire threat detection pipeline by executing arbitrary commands on the underlying system, impacting confidentiality, integrity, and availability. Affected versions require immediate patching or migration to fixed releases. → cybersecuritynews.com |
| 2026-05-13 2026 | Microsoft May 2026 Patch Tuesday Fixes 120 Flaws news 5 min read | Updates for Microsoft May 2026 Patch Tuesday address 120 vulnerabilities, including critical remote code execution flaws in Microsoft Office, SharePoint (CVE-2026-40365), Windows DNS Client (CVE-2026-41096), and Dynamics 365 (CVE-2026-42898). Also fixed is a Windows GDI RCE vulnerability via Microsoft Paint (CVE-2026-35421). The release also enhances File Explorer with expanded archive support, adds an Xbox-inspired desktop experience, and introduces secure batch file processing. → thecyberexpress.com |
| 2026-05-13 2026 | Defense at AI speed: Microsoft's new multi-model agentic security system tops leading industry benchmark beginner 15 min read | Library for agentic AI-driven vulnerability discovery, codename MDASH, utilizes over 100 specialized agents and an ensemble of models to find and prove exploitable bugs. This system, orchestrated across frontier and distilled models, achieved top scores on industry benchmarks and identified 16 new vulnerabilities in Windows networking and authentication, four of which were Critical remote code execution flaws in components like the TCP/IP stack and IKEv2 service. MDASH's end-to-end pipeline includes stages for preparation, scanning, validation, deduplication, and proof, demonstrating a move towards production-grade, enterprise-scale AI vulnerability defense. → microsoft.com |
| 2026-05-13 2026 | May Patch Tuesday roundup: Critical holes in Windows Netlogon, DNS and SAP S/4HANA news 5 min read | Report detailing Microsoft's May Patch Tuesday, highlighting critical vulnerabilities in Windows Netlogon (CVE-2026-41089) and the Windows DNS Client (CVE-2026-41096), both with CVSS 9.8 scores. It also covers a severe remote code execution flaw in Microsoft Dynamics 365 On Premises (CVE-2026-42898), a privilege escalation in the Microsoft SSO plugin for Jira/Confluence (CVE-2026-41103), and an SQL injection in SAP S/4HANA Enterprise Search (CVE-2026-34260). → csoonline.com |
| 2026-05-13 2026 | PHP SOAP Extension Flaw Could Let Attackers Execute Code Remotely intermediate 3 min read | Writeup of vulnerabilities in PHP's SOAP extension and core functions: a high-severity use-after-free in ext-soap enabling Remote Code Execution (CVE-2026-6722), a moderate use-after-free (CVE-2026-7261), a NULL pointer dereference (CVE-2026-7262), and out-of-bounds reads (CVE-2026-7258, CVE-2026-6104). Fixes ship in PHP 8.2.31, 8.3.31, 8.4.21, and 8.5.6; earlier releases in each branch are affected. → gbhackers.com |
| 2026-05-12 2026 | Microsoft Patch Tuesday May 2026 - 120 Vulnerabilities Fixed Including 29 Critical RCE Flaws news 3 min read | Reference of Microsoft's May 2026 Patch Tuesday, addressing 120 vulnerabilities including 29 critical RCE flaws. Key fixes target Microsoft Dynamics 365 (CVE-2026-42898, CVE-2026-42833), Office and Word (CVE-2026-42831, CVE-2026-40363, CVE-2026-40358), Windows DNS Client (CVE-2026-41096), Netlogon (CVE-2026-41089), Windows Graphics/Win32k (CVE-2026-40403), Windows GDI (CVE-2026-35421), Native Wi-Fi Miniport (CVE-2026-32161), SharePoint Server (CVE-2026-40365), and Hyper-V (CVE-2026-40402). The bulletin also includes patches for AI assistants like M365 Copilot and developer tools such as Visual Studio Code. → cybersecuritynews.com |
| 2026-05-12 2026 | Microsoft Patch Tuesday for May 2026 Snort rules and prominent vulnerabilities news 4 min read | Library of Snort rules addresses Microsoft's May 2026 Patch Tuesday vulnerabilities, including 31 critical issues like RCE flaws in Azure, Windows services, Microsoft Office, and SharePoint. Specific CVEs highlighted include CVE-2026-32161 (Windows Native WiFi Miniport Driver), CVE-2026-33109 and CVE-2026-33844 (Azure Managed Instance for Apache Cassandra), CVE-2026-35421 (Windows GDI), CVE-2026-40358, CVE-2026-40361, CVE-2026-40363, CVE-2026-40364, CVE-2026-40366, and CVE-2026-4067 (Microsoft Office/Word), CVE-2026-40365 (Microsoft SharePoint), CVE-2026-40403 (Windows Win32K – GRFX), CVE-2026-41089 (Windows Netlogon), CVE-2026-41096 (Windows DNS Client), CVE-2026-42831 (Office for Android), and CVE-2026-42898 (Microsoft Dynamics 365). → blog.talosintelligence.com |
| 2026-05-12 2026 | Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator news 1 min read | Writeup detailing critical RCE vulnerabilities in Fortinet products. CVE-2026-44277, an Improper Access Control flaw in FortiAuthenticator, and CVE-2026-26083, a missing authorization weakness in FortiSandbox, allow unauthenticated attackers to execute unauthorized code via crafted requests. These flaws, while not reported as exploited in the wild, follow a pattern of actively exploited Fortinet vulnerabilities, including previous issues in FortiClient EMS. → bleepingcomputer.com |
| 2026-05-12 2026 | New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution news 2 min read | Library addressing CVE-2026-45185, a critical use-after-free vulnerability in Exim's BDAT message body parsing when using GnuTLS. This flaw allows attackers to trigger heap corruption and potential code execution by sending specific TLS close_notify alerts followed by cleartext data during BDAT transfers. The issue impacts Exim versions 4.97 through 4.99.2, with a fix available in version 4.99.3. → thehackernews.com |
| 2026-05-12 2026 | Critical PHP SOAP Extension Vulnerabilities Enable Remote Code Execution Attacks news 2 min read | Library of patches addressing critical vulnerabilities in PHP's ext-soap component: CVE-2026-6722, a use-after-free in the XML graph deduplication logic that enables unauthenticated Remote Code Execution, and a second use-after-free, CVE-2026-7261. Additional issues are a NULL pointer dereference (CVE-2026-7262) leading to Denial of Service and an out-of-bounds read in the native urldecode() (CVE-2026-7258). A buffer overrun in the mbstring extension (CVE-2026-6104) is also patched. Fixes are in PHP 8.2.31, 8.3.31, 8.4.21, and 8.5.6; earlier releases are affected. → cybersecuritynews.com |
| 2026-05-12 2026 | Open WebUI File Upload Vulnerability Enables 1-Click RCE Attack news 2 min read | Writeup of a stored XSS flaw in Open WebUI that allows 1-click RCE and account hijacking via profile picture uploads. The vulnerability, discovered by Metin Yunus Kandemir, stems from the backend's failure to validate the media type of uploaded profile images, so an SVG containing embedded JavaScript is accepted when submitted as a base64-encoded `data:image/svg+xml` data URL. Attackers can use this to deliver reverse shell payloads, execute code in the victim's user context, and steal local storage tokens and chat logs. Administrators can mitigate by restricting the accepted media types in `users.py`. → gbhackers.com |
| 2026-05-12 2026 | Cline AI Agent Flaw Allows Attackers to Launch RCE Attacks news 2 min read | Writeup of CVE-2026-44211, a critical RCE vulnerability in the Cline AI coding assistant's kanban package. Versions before v2.13.0 are affected, allowing attackers to exploit a missing Origin header validation on a WebSocket server to leak workspace information, hijack terminals for arbitrary command execution, and terminate agent sessions. The flaw, stemming from CWE-306 and CWE-1385, requires no user interaction beyond visiting a malicious website. → gbhackers.com |
| 2026-05-12 2026 | Open WebUI File Upload Vulnerability Enables One-Click RCE Attacks news 2 min read | Writeup of Open WebUI file upload vulnerability, detailing a stored XSS flaw enabling 1-click RCE. The vulnerability, discovered by Metin Yunus Kandemir, exploits the backend's failure to validate media types in profile picture uploads, allowing SVG files containing malicious JavaScript. Attackers can craft a payload with a reverse shell, upload it as a profile photo, and then trick users into clicking a malicious link, leading to RCE for privileged users or account takeover for standard users by stealing local storage tokens and chat logs. The vulnerability remains unpatched in version 0.7.2, with mitigation advice including restricting media types in `users.py` and monitoring API activity. → cyberpress.org |
| 2026-05-12 2026 | Critical Cline AI Agent Vulnerability Enables Remote Code Execution Attacks news 2 min read | Writeup of CVE-2026-44211, a critical vulnerability in the Cline AI Agent's bundled kanban npm package. The flaw, stemming from missing authentication and origin validation in WebSocket endpoints, allows unauthenticated attackers to leak sensitive workspace data, execute arbitrary shell commands via terminal hijack for RCE, and cause denial-of-service by terminating agent sessions. Exploitation is confirmed across multiple operating systems and browsers, with a proof-of-concept available. Mitigation recommendations include Origin header validation, secret token generation, and authentication checks for terminal WebSockets. → cyberpress.org |
| 2026-05-11 2026 | Critical PHP SOAP Extension Flaw Enables Remote Code Execution Attacks news 2 min read | Writeup detailing critical vulnerabilities in the PHP SOAP extension, including CVE-2026-6722, a Use-After-Free flaw enabling Remote Code Execution by manipulating XML payloads and memory allocation. Additional findings include CVE-2026-7261 (UAF in SoapServer persistence) and CVE-2026-7262 (NULL pointer dereference for DoS). The article also notes out-of-bounds read flaws (CVE-2026-7258, CVE-2026-6104) in PHP core functions, affecting versions before 8.2.31, 8.3.31, 8.4.21, and 8.5.6. → cyberpress.org |
| 2026-05-11 2026 | New cPanel and WHM Flaws Enable Remote Code Execution and DoS Attacks news 2 min read | Writeup of CVE-2026-29202, CVE-2026-29201, and CVE-2026-29203 impacting cPanel and WHM. The Perl code-injection vulnerability (CVE-2026-29202) allows arbitrary code execution via the create_user API. CVE-2026-29201 enables arbitrary file reads through feature::LOADFEATUREFILE, exposing sensitive data. CVE-2026-29203, a symlink vulnerability, permits local users to execute chmod on arbitrary files, leading to denial-of-service and potential privilege escalation. Emergency patches are available. → cyberpress.org |
| 2026-05-11 2026 | Mozilla Products Multiple Vulnerabilities news | Analysis of multiple vulnerabilities in Mozilla Products, including Firefox and Thunderbird, leading to potential denial of service and remote code execution. Affects versions prior to Firefox 150.0.2, Firefox ESR 115.35.2, Firefox ESR 140.10.2, Thunderbird 140.10.2, and Thunderbird 150.0.2. Patches are available from the vendor. → hkcert.org |
| 2026-05-11 2026 | Exploits and vulnerabilities in Q1 2026 news | Quarterly report on the exploits and vulnerabilities observed during Q1 2026. The linked entry carries no excerpt beyond its title. |
| 2026-05-10 2026 | Ivanti Warns of New EPMM Flaw Exploited in Zero-Day Attacks news | Ivanti has warned of a new critical vulnerability in its Endpoint Manager Mobile (EPMM) software that is already being exploited in zero-day attacks, and urges customers to apply the patch immediately. This excerpt does not name the identifier; the 2026-05-07 and 2026-05-08 EPMM entries below cover the same advisory and track the flaw as CVE-2026-6973, which lets an attacker with administrative privileges execute arbitrary code. → securityboulevard.com |
| 2026-05-10 2026 | New cPanel vulnerabilities could allow file access and remote code execution news 2 min read | Writeup of cPanel vulnerabilities CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203, which permit arbitrary file reads, Perl code execution via the create_user API, and potential denial-of-service or privilege escalation through chmod. These flaws affect multiple cPanel & WHM releases and have been patched. This disclosure follows the weaponization of a separate cPanel authentication bypass vulnerability, CVE-2026-41940, as a zero-day for botnet deployment. Tools are available from watchTowr and cPanel to detect vulnerable hosts. → securityaffairs.com |
| 2026-05-10 2026 | New cPanel and WHM Flaws Enable Code Execution DoS Attacks news 2 min read | Writeup of CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203 in cPanel and WHM. These critical flaws allow arbitrary file reads via path traversal, Perl code injection for remote code execution, and unsafe symlink handling leading to denial-of-service or privilege escalation. A previous vulnerability, CVE-2026-41940, enabled login bypasses. Immediate patching is essential for all affected versions. → cybersecuritynews.com |
| 2026-05-09 2026 | CVE-2025-68670: discovering an RCE vulnerability in xrdp news | Research writeup on the discovery of CVE-2025-68670, a remote code execution vulnerability in xrdp, the open-source RDP server. The excerpt gives no further technical detail. |
| 2026-05-09 2026 | Palo Alto Networks Firewall Zero-Day RCE Vulnerability Exploited in the Wild Since April news 2 min read | Advisory on CVE-2026-0300, a critical zero-day buffer overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal. This flaw allows unauthenticated RCE with root privileges on PA-Series and VM-Series firewalls by specially crafted packets. Exploitation involves nginx shellcode injection, log destruction, Active Directory enumeration, and the use of public tools like EarthWorm and ReverseSocks5 for tunneling and post-exploitation. Mitigation includes restricting portal access and disabling Response Pages. → cybersecuritynews.com |
| 2026-05-08 2026 | Federal agencies ordered to patch Ivanti zero-day in 3 days news 2 min read | Writeup of CVE-2026-6973, an improper input validation vulnerability in Ivanti EPMM. Federal agencies are ordered to patch this flaw within three days due to its potential for arbitrary code execution by authenticated users. This zero-day, with a CVSS score of 7.2, follows previously disclosed critical Ivanti EPMM vulnerabilities, CVE-2026-1281 and CVE-2026-1340, which were exploited in attacks against government bodies and critical infrastructure. Upgrading to specific versions resolves all three identified CVEs. → scworld.com |
| 2026-05-08 2026 | Apache fixes critical HTTP/2 vulnerability allowing remote code execution news | Library update addressing CVE-2026-23918, a critical double-free vulnerability in Apache HTTP Server's HTTP/2 protocol handler. This flaw, discovered by Bartlomiej Dmitruk and Stanislaw Strzalkowski, allows remote code execution in specific configurations and is resolved in version 2.4.67. Exploitation involves crafting an HTTP/2 sequence to trigger memory corruption, impacting systems running version 2.4.66. → scworld.com |
| 2026-05-08 2026 | Ivanti patches five vulnerabilities in EPMM, one actively being exploited news 1 min read | Writeup detailing Ivanti's patching of five vulnerabilities in Endpoint Manager Mobile (EPMM), including the actively exploited CVE-2026-6973. The advisory highlights CVE-2026-5788 for unauthenticated RCE, CVE-2026-5787 for Sentry impersonation, and CVE-2026-7821 for data access. The NCSC warns of imminent public PoC code, urging immediate patching to mitigate risks like those previously impacting Dutch organizations. → techzine.eu |
| 2026-05-08 2026 | CVE-2026-23918: Apache HTTP/2 Double-Free Vulnerability with Possible RCE news | Apache HTTP Server's HTTP/2 handler has a critical double-free vulnerability (CVE-2026-23918) that could lead to remote code execution. The bug stems from improper handling of connection state during graceful shutdown when certain HTTP/2 frames are processed; an attacker who triggers the double free could potentially gain control of the server. This excerpt gives the affected range as 2.4.51 through 2.4.53 with a fix in 2.4.54, whereas the scworld entry above reports 2.4.66 as affected and 2.4.67 as the fixed release; confirm the range against the Apache advisory before relying on either. → securityboulevard.com |
| 2026-05-07 2026 | When prompts become shells: RCE vulnerabilities in AI agent frameworks news 13 min read | Library providing security analysis of AI agent frameworks, detailing RCE vulnerabilities like CVE-2026-25592 and CVE-2026-26030 discovered in Semantic Kernel. The research highlights how prompt injection can lead to host-level code execution through unsafe string interpolation and blocklist bypasses in plugins like the In-Memory Vector Store, enabling attackers to leverage Semantic Kernel's tool execution capabilities for malicious purposes. → microsoft.com |
| 2026-05-07 2026 | Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access news 1 min read | Writeup on CVE-2026-6973, an active RCE vulnerability in Ivanti Endpoint Manager Mobile (EPMM) allowing administrative users to execute arbitrary code. This flaw, along with CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821, impacts on-premise EPMM and is under active exploitation. CISA has added CVE-2026-6973 to its KEV catalog, mandating fixes for federal agencies. → thehackernews.com |
| 2026-05-07 2026 | Ivanti warns of new EPMM flaw exploited in zero-day attacks news 2 min read | Writeup of CVE-2026-6973, a critical Improper Input Validation vulnerability in Ivanti Endpoint Manager Mobile (EPMM) exploited in zero-day attacks. This flaw allows remote attackers with administrative privileges to execute arbitrary code on EPMM versions 12.8.0.0 and earlier. Ivanti recommends patching to EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1, and rotating admin credentials. Four other high-severity EPMM vulnerabilities (CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821) were also patched. → bleepingcomputer.com |
| 2026-05-07 2026 | Cisco patches high-severity flaws enabling SSRF, code execution attacks news 2 min read | Advisory detailing high-severity vulnerabilities in Cisco Unity Connection, including CVE-2026-20034, allowing authenticated remote root code execution via crafted API requests, and CVE-2026-20035, enabling unauthenticated SSRF attacks via crafted HTTP requests. Both stem from insufficient input validation and can lead to complete system compromise or to arbitrary network traffic originating from the affected device. → securityaffairs.com |
| 2026-05-07 2026 | Critical Redis Vulnerabilities Enable Remote Code Execution Attacks news 2 min read | Library of advisories detailing critical Redis vulnerabilities, including CVE-2026-23479 (use-after-free), CVE-2026-25243 (RESTORE invalid memory access), CVE-2026-25588 and CVE-2026-25589 (module-specific RESTORE flaws), and CVE-2026-23631 (Lua use-after-free). These flaws, discovered by researchers including Emil Lerner and Joseph Surin, allow authenticated attackers to achieve remote code execution and system compromise across various Redis editions. → cybersecuritynews.com |
| 2026-05-07 2026 | Critical vm2 Vulnerabilities Enable Arbitrary Code Execution Attacks news 2 min read | Roundup of critical vm2 sandbox-escape vulnerabilities that allow arbitrary code execution on the host, breaking the library's isolation promise. Eleven advisories cover issues up to version 3.11.1, with patches in 3.11.0 and 3.11.1, though two remain unpatched. The exploits abuse internal mechanisms such as `__lookupGetter__` and WebAssembly's `try_table` (including CVE-2026-26956 and CVE-2026-43999) to reach `child_process` and run host commands, and CVE-2026-44007 allows nested VMs for RCE. Organizations should upgrade and consider alternatives like isolated-vm. → cyberpress.org |
| 2026-05-07 2026 | PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage news 2 min read | Writeup of CVE-2026-0300, a critical buffer overflow in PAN-OS enabling root access, exploited by threat actors potentially as early as April 9, 2026. The vulnerability allows unauthenticated RCE via crafted packets, with successful exploitation observed by Unit 42, attributed to state-sponsored cluster CL-STA-1132. Post-exploitation involved AD enumeration and deployment of tools like EarthWorm and ReverseSocks5. Mitigation includes restricting portal access, disabling Response Pages, and enabling Threat ID 510019. → thehackernews.com |
| 2026-05-07 2026 | 'TrustFall' Exposes Claude Code Execution Risk news | 'TrustFall' Exposes Claude Code Execution Risk https://ift.tt/uApnWBD → darkreading.com |
| 2026-05-07 2026 | Hackers run code on PAN-OS firewalls as root without authentication: critical zero-day unveiled news | A critical zero-day in Palo Alto Networks' PAN-OS firewalls allows attackers to execute code as root without any authentication. The excerpt identifies the flaw as CVE-2024-3400 and lists PAN-OS 10.1, 11.0, 11.1, and 11.2 as affected; note that the other PAN-OS entries on this page from the same week cover CVE-2026-0300, so confirm in the linked article which vulnerability is meant. → cybernews.com |
| 2026-05-07 2026 | Critical Redis Vulnerabilities Enable Remote Code Execution Attacks news 3 min read | Summary of five Redis vulnerabilities, CVE-2026-23479, CVE-2026-25243, CVE-2026-25588, CVE-2026-25589, and CVE-2026-23631, that enable authenticated attackers to achieve remote code execution. These flaws, primarily in the RESTORE command and impacting modules like RedisTimeSeries and RedisBloom, stem from use-after-free, double-free, and integer overflow issues. The article credits discovery to Team Xint Code with contributions from researchers including Emil Lerner and Joseph Surin, and stresses immediate upgrades to patched versions to prevent system compromise. → cyberpress.org |
| 2026-05-07 2026 | Critical vm2 Node.js Library Vulnerabilities Enables Arbitrary Code Execution Attacks news 2 min read | Vulnerabilities in vm2, a Node.js package for executing untrusted JavaScript, enable arbitrary code execution by allowing attackers to escape the sandbox. Eleven critical flaws, including CVE-2026-24118, CVE-2026-24120, CVE-2026-24781, CVE-2026-26332, CVE-2026-26956, CVE-2026-43997, CVE-2026-44006, CVE-2026-43999, and CVE-2026-44005, exploit JavaScript and Node.js features such as __lookupGetter__, Promise species, util.inspect, DisposableStack, WebAssembly try_table, prototype chains, and Module._load. Two unpatched vulnerabilities, CVE-2026-44008 and CVE-2026-44009, continue to pose a risk. → cybersecuritynews.com |
| 2026-05-07 2026 | Redis Security Flaws Expose Servers to Remote Code Execution Risks news 2 min read | Writeup on Redis security flaws, including CVE-2026-23479 (use-after-free), CVE-2026-25243 (RESTORE command invalid memory access), CVE-2026-25588 (RedisTimeSeries module) and CVE-2026-25589 (RedisBloom module) which enable RCE for authenticated attackers, and CVE-2026-23631 (Lua use-after-free) affecting master-replica sync. These vulnerabilities, impacting Redis versions up to 8.0.6, were identified by researchers from Wiz ZeroDay.Cloud, Team Xint Code, and others, and have been patched in newer releases. → gbhackers.com |
| 2026-05-07 2026 | Critical vm2 Node.js Library Flaws Enable Arbitrary Code Execution Attacks news 2 min read | Flaws in vm2, a popular Node.js sandboxing package, allow sandbox escapes and arbitrary code execution. Eleven critical vulnerabilities, including CVE-2026-26956, CVE-2026-43999, and CVE-2026-44007, exploit weaknesses in its internal bridge mechanism and allowlist configuration. Attackers can manipulate JavaScript primitives like `__lookupGetter__` and `Buffer.apply`, or abuse the WebAssembly and module-loading issues tracked under specific CVEs, to gain host system access. Organizations should upgrade to vm2 version 3.11.1 and consider alternatives like isolated-vm or Deno for untrusted code execution. → gbhackers.com |
| 2026-05-07 2026 | vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution news 2 min read | Writeup detailing critical vulnerabilities within the vm2 Node.js library, enabling sandbox escape and arbitrary code execution. These flaws, including CVE-2026-43997 and CVE-2026-44005, exploit mechanisms like `__lookupGetter__`, the `species` property of promises, the `inspect` function, `SuppressedError`, Symbol-to-string coercion, prototype pollution, and bypasses of the allowlist. The report highlights the ongoing challenge of secure code isolation in JavaScript environments and strongly advises updating to version 3.11.2. → thehackernews.com |
| 2026-05-07 2026 | Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution news 6 min read | Writeup detailing CVE-2026-0300, a buffer overflow vulnerability in Palo Alto Networks PAN-OS's Captive Portal service, enabling unauthenticated remote code execution. Exploitation by state-sponsored actors involved injecting shellcode, deploying tools like EarthWorm and ReverseSocks5 for tunneling, and enumerating Active Directory using compromised credentials. The analysis highlights the attackers' operational restraint and reliance on open-source tools for stealthy compromise of edge network devices. → unit42.paloaltonetworks.com |
| 2026-05-06 2026 | Palo Alto Networks warns of critical PAN-OS vulnerability exploited in the wild news | Writeup on CVE-2026-0300, a critical PAN-OS buffer overflow vulnerability allowing unauthenticated remote code execution with root privileges. Exploited against exposed User-ID Authentication Portals on PA-Series and VM-Series firewalls, this flaw affects PAN-OS versions 12.1, 11.2, 11.1, and 10.2. Mitigation involves restricting access to the User-ID Authentication Portal or disabling it until patches are released. → scworld.com |
| 2026-05-06 2026 | Google patches critical Android remote code execution flaw news | Patch addressing CVE-2026-0073, a critical Android remote code execution vulnerability in the Android Debug Bridge daemon (adbd). Exploiting this flaw allows attackers to execute code as the shell user without requiring permissions or user interaction, potentially leading to device compromise. This update follows the patching of CVE-2026-21385, a vulnerability in the Qualcomm Graphics component that was actively exploited to expose sensitive memory data, underscoring the need to apply Android security updates promptly. → scworld.com |
| 2026-05-06 2026 | Critical Palo Alto PAN-OS Vulnerability Actively Exploited For Remote Code Execution (RCE) news | A critical vulnerability in Palo Alto Networks' PAN-OS is being actively exploited for remote code execution, allowing attackers to take control of affected devices. This entry carries no source link or CVE identifier. |
| 2026-05-06 2026 | CVE-2026-0300 Buffer Overflow Vulnerability in PAN-OS news 2 min read | Writeup of CVE-2026-0300, a critical buffer overflow vulnerability affecting PAN-OS's User-ID Authentication Portal. This CWE-787 Out-of-bounds Write allows unauthenticated attackers to achieve arbitrary code execution with root privileges over the network via specially crafted packets. Exploitation is feasible with low complexity, requiring no user interaction, and has been observed in the wild, posing a significant risk to PA-Series and VM-Series firewalls with the User-ID portal enabled. → thecyberexpress.com |
| 2026-05-06 2026 | New MajorDoMo RCE Vulnerability Exposes Servers to Code Execution Attacks news 2 min read | Vulnerability CVE-2026-27174 allows unauthenticated remote code execution in MajorDoMo by exploiting a broken authentication flow and unsafe PHP evaluation via its /admin.php endpoint. Attackers can trigger this through a crafted HTTP GET request, bypassing access controls and leading to arbitrary PHP code execution, potentially compromising IoT services and internal networks. Resecurity has noted a detection template is available in ProjectDiscovery Nuclei. Administrators should restrict administrative access, use VPNs or reverse proxies, and apply vendor patches. → cybersecuritynews.com |
| 2026-05-06 2026 | WARNING: Critical Flaw In Apache HTTP Server Enables DoS & Remote Code Execution (RCE) Attacks news | A critical vulnerability in the Apache HTTP Server allows Denial of Service (DoS) and potentially Remote Code Execution (RCE) attacks, enabling disruption of or unauthorized control over services hosted on affected servers. Users are strongly advised to update their Apache HTTP Server installations to the latest patched version. |
| 2026-05-06 2026 | Critical Buffer Overflow Vulnerability in PAN-OS Exploited in-the-Wild news 1 min read | Writeup of CVE-2026-0300, a critical buffer overflow in Palo Alto Networks PAN-OS, allowing unauthenticated attackers remote code execution with root privileges. The vulnerability targets the User-ID Authentication Portal service, particularly when exposed to untrusted networks or the public internet. Exploitation risk is high for instances accessible externally via ports 6081 or 6082. Immediate patching, access restriction, or disabling the portal are recommended mitigation steps. → wiz.io |
| 2026-05-06 2026 | WhatsApp Multiple Vulnerabilities news | Bulletin detailing multiple vulnerabilities in WhatsApp clients (iOS, Android, Windows) allowing remote attackers to bypass security restrictions and perform spoofing. Affected versions include specific ranges prior to recent updates on each platform. Users are advised to update to the latest available versions for iOS v2.26.15.72+, Android v2.26.7.10+, and Windows v2.3000.1032164386.258709 or later. → hkcert.org |
| 2026-05-06 2026 | Apache fixes critical HTTP/2 double-free flaw CVE-2026-23918 enabling RCE news | Patch release fixing CVE-2026-23918, a critical HTTP/2 double-free vulnerability in Apache HTTP Server 2.4.66. The flaw, discovered by Bartlomiej Dmitruk and Stanislaw Strzalkowski, causes memory corruption leading to denial of service and, under specific configurations such as mmap usage, potential remote code execution. The issue resides in mod_http2 and is resolved in version 2.4.67. → securityaffairs.com |
| 2026-05-06 2026 | Palo Alto Networks warns of firewall RCE zero-day exploited in attacks news 2 min read | Writeup of CVE-2026-0300, a critical PAN-OS zero-day exploited in attacks. This buffer overflow vulnerability affects the User-ID Authentication Portal on Internet-exposed PA-Series and VM-Series firewalls, allowing unauthenticated attackers to achieve root-level remote code execution. Palo Alto Networks recommends restricting access to trusted zones or disabling the portal until a patch is released, with initial fixes expected May 13, 2026. → bleepingcomputer.com |
| 2026-05-06 2026 | Palo Alto Networks PAN-OS flaw exploited for remote code execution news 1 min read API Sec | Writeup of CVE-2026-0300, a critical PAN-OS buffer overflow allowing unauthenticated remote code execution with root privileges. This vulnerability affects PA-Series and VM-Series firewalls using the User-ID Authentication Portal when exposed to the internet. Palo Alto Networks advises restricting access to trusted internal IP addresses to mitigate risk, noting limited exploitation observed primarily on internet-facing portals. Fixes are expected by May 13, 2026. → securityaffairs.com |
| 2026-05-06 2026 | Critical Android vulnerability CVE-2026-0073 fixed by Google news 1 min read Mobile | Analysis of CVE-2026-0073, a critical remote code execution vulnerability in Android's System component affecting the adbd daemon. Exploitation, which requires no user interaction or special permissions, could lead to shell user code execution and full device compromise. Google has released a patch, and no public exploits or active attacks exploiting this specific flaw are currently known. This follows a previously exploited Qualcomm component vulnerability (CVE-2026-21385) involving a buffer over-read in the Graphics component. → securityaffairs.com |
| 2026-05-06 2026 | SUSE Linux Kernel Multiple Vulnerabilities news | Vulnerabilities impacting SUSE Linux Kernel allow remote attackers to achieve denial of service, remote code execution, security bypass, privilege escalation, data manipulation, and information disclosure. Affected systems include SUSE Linux Enterprise High Performance Computing 12 SP5, SUSE Linux Enterprise Live Patching 12-SP5, and various SUSE Linux Enterprise Server 12 SP5 variants. Specific CVEs include CVE-2024-26584, CVE-2025-38234, CVE-2025-39759, CVE-2025-71268, CVE-2025-71269, CVE-2026-22990, CVE-2026-23103, CVE-2026-23120, CVE-2026-23243, CVE-2026-23262, CVE-2026-23272, CVE-2026-23277, CVE-2026-23318, CVE-2026-23362, CVE-2026-23382, CVE-2026-23386, and CVE-2026-23398. → hkcert.org |
| 2026-05-06 2026 | Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution news 1 min read API Sec | Analysis of CVE-2026-0300, a critical buffer overflow vulnerability in Palo Alto Networks' PAN-OS software that allows unauthenticated remote code execution with root privileges. The flaw impacts PA-Series and VM-Series firewalls, particularly those with the User-ID Authentication Portal reachable from untrusted networks. While patches are forthcoming, interim mitigations include restricting portal access or disabling it entirely. → thehackernews.com |
| 2026-05-06 2026 | n8n: From Parsing Bug to Remote Code Execution aka CVE-2026-42231 news 9 min read API Sec | Analysis of n8n's CVE-2026-42231, detailing how a prototype pollution vulnerability in the xml2js XML parsing library, exacerbated by CoffeeScript semantic quirks, can be chained into unauthenticated Remote Code Execution. The exploit path relies on a gadget in `@n8n/node-cli` that mimics older, exploitable `spawn` behavior, letting attacker-controlled properties propagate into the execution context. |
| 2026-05-06 2026 | Critical Remote Code Execution Vulnerability Patched in Android news Mobile | Advisory summary of CVE-2026-0073, a critical remote code execution vulnerability in Android's System component affecting the Android Debug Bridge daemon (adbd). The flaw allows code execution as the shell user without user interaction. Google states no exploitation has been observed. |
| 2026-05-05 2026 | Hackers exploit critical Weaver E-cology vulnerability news | Writeup of CVE-2026-22679 in Weaver E-cology, a critical unauthenticated remote code execution vulnerability. Hackers have been exploiting this flaw since mid-March, five days after a patch was released, by leveraging an exposed debug API endpoint. This allowed attackers to reach backend RPC functionality, enabling system command execution through obfuscated PowerShell scripts for reconnaissance, though persistent sessions were not established. Weaver E-cology 10.0 users must apply vendor security updates. → scworld.com |
| 2026-05-05 2026 | Critical 9.8 Weaver E-cology vulnerability actively exploited news 1 min read | Coverage of the critical (CVSS 9.8) Weaver E-cology vulnerability CVE-2026-22679. The bug, actively exploited in the wild, allows unauthenticated remote code execution (RCE) by invoking exposed debug functionality in the Dubbo-based debug API. The article frames the exploitation as a shift from perimeter attacks to targeting the "soft center" of enterprise systems, such as OA and BPM platforms that act as an organization's "nervous system". A patch for Weaver E-cology 10.0 was released in March. → scworld.com |
| 2026-05-05 2026 | Google Update: Android Flaw Could Put Billions of Devices at Risk news Mobile | Google has addressed a critical Android vulnerability that could have affected billions of devices. The article gives few technical details about the flaw beyond its severity, notes that Google's prompt patch mitigates the threat, and highlights Google's ongoing efforts to secure the Android ecosystem. → techrepublic.com |
| 2026-05-05 2026 | Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE news 2 min read | Writeup of CVE-2026-23918, a critical double-free vulnerability in Apache HTTP Server's HTTP/2 protocol handling that enables denial-of-service and potential remote code execution. Discovered by Bartlomiej Dmitruk and Stanislaw Strzalkowski, the flaw in `mod_http2`'s `h2_mplx.c` allows an attacker to trigger an RCE by exploiting memory reuse with the APR mmap allocator and Apache's scoreboard. Exploitation, while requiring an info leak for system() and scoreboard offsets, is practical on Debian-derived systems and the official httpd Docker image. → thehackernews.com |
| 2026-05-05 2026 | Critical Weaver E-cology RCE Vulnerability Actively Exploited in Attacks news 2 min read | Writeup detailing CVE-2026-22679, a critical unauthenticated RCE vulnerability in Weaver E-cology 10.0, actively exploited before vendor patches. Attackers leverage an exposed debug endpoint to execute arbitrary commands via POST requests, observed using ping callbacks with the Goby framework and attempting payload delivery. Evasion techniques included renaming PowerShell executables. The vulnerability allows direct command output reflection in HTTP responses, bypassing the need for persistent shells. Organizations must update to build 20260312 or later. → cybersecuritynews.com |
| 2026-05-05 2026 | Critical Qualcomm Chipset Vulnerabilities Enables Remote Code Execution news 2 min read Mobile | Bulletin detailing critical Qualcomm chipset vulnerabilities enabling remote code execution. Highlights include CVE-2026-25254 (CVSS 9.8) in the Software Center, CVE-2026-25293 (CVSS 9.6) in PLC firmware, and CVE-2026-25262 in the Primary Bootloader. These flaws, affecting hundreds of chipsets including Snapdragon processors and FastConnect platforms, allow unauthenticated attackers to execute arbitrary code, escalate privileges, or cause denial-of-service conditions, necessitating urgent patching by OEMs. → cybersecuritynews.com |
| 2026-05-05 2026 | Android Zero-Click RCE Vulnerability Enables Remote Shell Access news 3 min read Mobile | Reference for CVE-2026-0073, a proximal zero-click RCE vulnerability in Android's Debug Bridge daemon (adbd). The flaw, affecting multiple Android versions, allows attackers on the same local network or within physical proximity to gain remote shell access without user interaction, bypassing application sandboxing. Mitigation requires timely patching, disabling USB debugging, network segmentation, and zero-trust policies. → esecurityplanet.com |
| 2026-05-05 2026 | Unpatched flaws turn Ollama's auto-updater into a persistent RCE vector researchers say news 3 min read | Writeup of CVE-2026-42248 and CVE-2026-42249, which allow persistent RCE on Ollama for Windows by chaining a path traversal flaw with a non-functional signature verification. Attackers can plant arbitrary executables in the Windows Startup folder by controlling update responses, leading to silent execution on every login. Exploitation requires controlling update infrastructure, redirecting clients, or network interception, with the auto-update feature and Ollama in the Startup folder being default prerequisites. → helpnetsecurity.com |
| 2026-05-05 2026 | Security Audit Finds RCE Risks in 6.2% of MCP Servers news | A security audit found that 6.2% of the Model Context Protocol (MCP) servers examined are exposed to Remote Code Execution (RCE) risks. The audit focused on identifying exploitable weaknesses; the specific vulnerability details and affected server implementations are not disclosed in this brief announcement. |
| 2026-05-05 2026 | Google Confirms Critical Android 0-Click VulnerabilityUpdate Now news Mobile | Google has confirmed a critical zero-click vulnerability affecting Android devices and urges users to update immediately. The flaw allows attackers to compromise devices without any user interaction, so applying the latest security patches should be prioritized. |
| 2026-05-05 2026 | Critical Apache Bug Enables Remote Code Execution Risk news 3 min read | Vulnerability writeup detailing CVE-2026-23918, a critical double free memory corruption flaw in Apache HTTP Server version 2.4.66, enabling Remote Code Execution via HTTP/2 handling issues. The article also covers moderate severity vulnerabilities CVE-2026-24072, CVE-2026-28780, CVE-2026-29168, and CVE-2026-29169, patched in version 2.4.67. → sqmagazine.co.uk |
| 2026-05-05 2026 | Linux vulnerability "Copy Fail" is already being attacked news 1 min read | Writeup of CVE-2026-31431, nicknamed "Copy Fail," a Linux kernel vulnerability that lets local users gain root privileges by performing a controlled 4-byte write into the page cache of any readable file system. Proof-of-concept exploit code is public and attackers are actively abusing it. The bug was discovered with AI assistance and affects most major Linux distributions since 2017; updates are available. |
| 2026-05-05 2026 | Critical Android Zero-Click Vulnerability Grants Attackers Remote Shell Access news 2 min read Mobile | Analysis of CVE-2026-0073, a critical zero-click remote code execution vulnerability in Android System and adbd, allows attackers to gain shell access without user interaction. Exploitation is possible by an attacker within proximity and impacts Android versions 14 through 16, linked to Android bug ID A-469080888. Patches were released by Google in the May 2026 security bulletin, protecting devices with patch level 2026-05-01 or later. → cyberpress.org |
| 2026-05-05 2026 | Critical Weaver E-cology RCE Flaw Actively Exploited by Attackers news 2 min read | Writeup detailing CVE-2026-22679, a critical RCE vulnerability in Weaver E-cology 10.0 builds before 20260312, actively exploited by attackers. The flaw in a debug endpoint allows unauthenticated remote command execution via improper JSON parameter handling in the Dubbo RPC framework, leading to JVM-level command execution. Exploitation tactics observed include ping.exe callbacks, PowerShell payload delivery (vsgbt.exe, hjchhb.exe disguised as nvm.exe), MSI deployment attempts, and evasion techniques like renamed powershell.exe. The vendor patched the issue by removing the debug endpoint. → cyberpress.org |
| 2026-05-05 2026 | Critical Weaver E-cology RCE Exploit Raises Alarm for Enterprise Systems news 3 min read | Writeup detailing CVE-2026-22679, a critical unauthenticated RCE in Weaver E-cology, impacting builds before 20260312. The vulnerability exploits a debug endpoint allowing OS command execution via Dubbo RPC parameters. Attackers leverage this for initial access, deploying payloads through PowerShell download cradles and fileless techniques. The writeup includes a structured, week-long intrusion campaign analysis, RCE verification via `ping.exe` to Goby infrastructure, and multiple payload delivery attempts using executables and MSI packages. Organizations are advised to patch, audit process trees for suspicious activity, and restrict internet exposure. → gbhackers.com |
| 2026-05-05 2026 | MetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks news 1 min read | Exploit details for CVE-2026-29014, a critical PHP code injection vulnerability in MetInfo CMS versions 7.9, 8.0, and 8.1. Discovered by Egidio Romano, the flaw stems from insufficient input neutralization in the `/app/system/weixin/include/class/weixinreply.class.php` script, allowing unauthenticated remote attackers to execute arbitrary PHP code by crafting malicious Weixin API requests. Successful exploitation requires the `/cache/weixin/` directory to exist. Patches were released on April 7, 2026, but active exploitation by threat actors was observed shortly after. → thehackernews.com |
| 2026-05-05 2026 | Critical Remote Code Execution Vulnerability Patched in Android news 1 min read Mobile | Advisory summary of CVE-2026-0073, a critical Android System vulnerability enabling unauthenticated remote code execution via the Android Debug Bridge daemon. Exploitation requires no user interaction, and the flaw in the 'adbd' process lets attackers execute code as the shell user without further privileges. No in-the-wild exploitation has been reported for this CVE, although other Android vulnerabilities such as CVE-2024-43093 and CVE-2025-38352 were exploited previously. → securityweek.com |
| 2026-05-05 2026 | Critical High-Severity Vulnerabilities Patched in Apache MINA HTTP Server news 1 min read | Release updates for Apache MINA and Apache HTTP Server addressing critical and high-severity vulnerabilities. Apache MINA 2.2.7 and 2.1.12 fix CVE-2026-42778, an incomplete fix for insecure deserialization leading to RCE, and CVE-2026-42779, an incomplete fix for allowlist bypass leading to code execution. Apache HTTP Server 2.4.67 resolves CVE-2026-23918 (double-free, RCE), CVE-2026-28780 (heap buffer overflow, RCE), and other issues including CRLF sequence manipulation (CVE-2026-33523) and digest authentication bypass (CVE-2026-33006). → securityweek.com |
| 2026-05-05 2026 | Critical Qualcomm Chip Flaws Could Allow Remote Code Execution Attacks news 2 min read Mobile | Bulletin disclosing critical Qualcomm chip flaws, including CVE-2026-25254 (CVSS 9.8) in the Software Center enabling unauthenticated remote code execution, and CVE-2026-25293 (CVSS 9.6) in powerline communication firmware allowing adjacent network attacks. These vulnerabilities affect smartphones, automotive, and IoT systems, with local flaws like CVE-2026-25262 impacting bootloader integrity. Patches are available but deployment timelines vary, leaving devices exposed. → cyberpress.org |
| 2026-05-05 2026 | MetInfo Weaver E-cology Vulnerabilities in Attackers Crosshairs news 1 min read | Writeup detailing exploitation of CVE-2026-29014 in MetInfo CMS and CVE-2026-22679 in Weaver E-cology. Both vulnerabilities allow unauthenticated remote code execution (RCE). MetInfo's flaw is a PHP code injection, while Weaver E-cology's stems from exposed debug functionality, enabling attackers to execute arbitrary commands via crafted POST requests and use the debug endpoint as a direct shell for discovery and payload delivery. → securityweek.com |
| 2026-05-05 2026 | Qualcomm Chipset Vulnerabilities Raise Alarm Over Remote Code Execution Risk news 4 min read Mobile | Bulletin detailing critical Qualcomm chipset vulnerabilities, including CVE-2026-25254 (Remote Code Execution in Software Center), CVE-2026-25293 (RCE via PLC firmware buffer overflow), and CVE-2026-25262 (local privilege escalation via bootloader memory corruption). Flaws also affect automotive GPUs and wireless components, leading to memory corruption and denial-of-service conditions. → gbhackers.com |
| 2026-05-05 2026 | Critical Android Zero-Click Vulnerability Enables Remote Shell Access news 2 min read Mobile | Writeup on CVE-2026-0073, a critical Android zero-click vulnerability allowing remote shell access via the Android Debug Bridge Daemon (adbd). Exploitable from adjacent networks, this flaw grants shell user privileges and bypasses sandboxing. Affected Android versions include 14, 15, 16, and 16-qpr2. Remediation is available through Project Mainline updates and the May 2026 security patch. → gbhackers.com |
| 2026-05-05 2026 | Critical Android Zero-Click Vulnerability Grants Remote Shell Access news 2 min read Mobile | Writeup of CVE-2026-0073, a critical Android zero-click remote code execution vulnerability in the adbd component. The flaw grants proximal attackers remote shell access without user interaction, bypassing sandboxes, and affects Android 14, 15, and 16. Google resolved it in the May 2026 security patch, distributed via system updates and AOSP. Users should install updates and confirm their device reports the 2026-05-01 security patch level. → cybersecuritynews.com |
| 2026-05-05 2026 | Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API news 1 min read API Sec | Writeup of CVE-2026-22679, an unauthenticated remote code execution vulnerability in Weaver E-cology 10.0. Attackers exploit the debug API via the "/papi/esearch/data/devops/dubboApi/debug/method" endpoint by crafting POST requests to execute arbitrary commands. This flaw has been actively exploited since at least March 17, 2026, with observed techniques including payload drops and discovery commands like `whoami` and `ipconfig`. A Python detection script is available to identify vulnerable instances. → thehackernews.com |
| 2026-05-05 2026 | Apache HTTP Server Vulnerability Exposes Millions to Remote Code Execution Threats news 2 min read | Writeup of CVE-2026-23918, a critical "double free" vulnerability in the HTTP/2 handling of Apache HTTP Server 2.4.66 that allows remote code execution (RCE) and denial-of-service (DoS) attacks. Administrators must update to version 2.4.67 immediately, monitor logs for suspicious HTTP/2 traffic, and, where patching must be delayed, temporarily disable the protocol. → gbhackers.com |
| 2026-05-05 2026 | Apache HTTP Server Exposes Millions of Servers to Remote Code Execution Attacks news 2 min read | Roundup of vulnerabilities in Apache HTTP Server 2.4.66 and earlier, including CVE-2026-23918, a critical double-free RCE flaw in HTTP/2; CVE-2026-24072, local privilege escalation via mod_rewrite and ap_expr; CVE-2026-28780, heap overflow in mod_proxy_ajp; CVE-2026-29168, resource exhaustion in mod_md; and CVE-2026-29169, NULL pointer dereference in mod_dav_lock. Recommended mitigations include upgrading to 2.4.67, temporarily disabling HTTP/2, removing unused modules like mod_dav_lock, and auditing .htaccess permissions. → cybersecuritynews.com |
| 2026-05-04 2026 | Weaver E-cology critical bug exploited in attacks since March news 2 min read | Writeup of CVE-2026-22679 in Weaver E-cology office automation software, a critical unauthenticated remote code execution flaw in builds released before March 12, 2026. Exploited since March, the vulnerability stems from an exposed debug API endpoint that lets attackers execute system commands via improperly validated user parameters. Attackers used it for discovery commands like `whoami`, `ipconfig`, and `tasklist`, and attempted PowerShell-based payload downloads. The vendor's fix removes the debug endpoint entirely, making upgrades essential. → bleepingcomputer.com |
| 2026-05-04 2026 | Weekly Recap: AI-Powered Phishing Android Spying Tool Linux Exploit GitHub RCE & More news 19 min read AI Mobile | Weekly recap covering active exploitation of a cPanel flaw (CVE-2026-41940) enabling authentication bypass and website wipes, a Linux kernel vulnerability (CVE-2026-31431) allowing trivial privilege escalation, cybercrime groups using vishing to infiltrate SaaS environments, TeamPCP's supply chain attacks across npm, PyPI, and Packagist, a Python backdoor (DEEP#DOOR) built for comprehensive data theft, a critical GitHub vulnerability (CVE-2026-3854) allowing remote code execution, and VECT 2.0 ransomware's destructive file wiping. → thehackernews.com |
| 2026-05-04 2026 | Critical Apache MINA Flaws Enable Remote Code Execution Attacks news 2 min read | Writeup detailing CVE-2026-42778 and CVE-2026-42779, critical vulnerabilities in Apache MINA versions prior to 2.2.7 and 2.1.12. These flaws enable remote code execution through insecure deserialization of untrusted data via the `AbstractIoBuffer.resolveClass()` and `AbstractIoBuffer.getObject()` methods, leading to potential system compromise and data breaches. The Apache MINA Project Management Committee noted these fixes were inadvertently omitted in prior releases. → cyberpress.org |
| 2026-05-04 2026 | Apache MINA Vulnerabilities Enable Remote Code Execution Attacks news 2 min read | Advisory for Apache MINA addressing critical vulnerabilities CVE-2026-42778 and CVE-2026-42779, which enable remote code execution through insecure deserialization of untrusted data when the `AbstractIoBuffer.getObject()` method is used. Developers must upgrade to MINA 2.2.7 or 2.1.12 to mitigate these risks. → cybersecuritynews.com |
| 2026-05-04 2026 | New Apache MINA Vulnerabilities Open Door to Remote Code Execution Attacks news 2 min read | Framework advisory detailing two critical vulnerabilities, CVE-2026-42778 and CVE-2026-42779, in Apache MINA. These flaws, related to untrusted data deserialization within the AbstractIoBuffer.resolveClass() method, allow for remote code execution when applications utilize AbstractIoBuffer.getObject() without proper validation. Affected users must upgrade to Apache MINA versions 2.1.12 or 2.2.7 to mitigate these risks. → gbhackers.com |
| 2026-05-04 2026 | FreeBSD DHCP Client Flaw Allows Remote Code Execution as Root news 2 min read | Advisory on CVE-2026-42511, a critical flaw in FreeBSD's default IPv4 DHCP client, dhclient(8). The vulnerability allows local network attackers to execute arbitrary code as root by crafting malicious DHCP server responses. Exploitation involves injecting directives into network configuration files via improperly handled double quotes in the BOOTP file field, which dhclient-script(8) then executes when the lease is reprocessed. The attack maps to MITRE ATT&CK T1557 (Adversary-in-the-Middle) and T1059 (Command and Scripting Interpreter). Patches are available, and DHCP snooping is recommended as a network-level mitigation. → cyberpress.org |
| 2026-05-04 2026 | FreeBSD DHCP Client Vulnerability Enables Remote Code Execution as Root news 2 min read | Writeup of CVE-2026-42511 in FreeBSD's default IPv4 DHCP client, a vulnerability discovered by Joshua Rogers allowing local network attackers to execute arbitrary code as root. The flaw stems from improper handling of double-quotes in DHCP server responses, leading to malicious commands being injected into the `dhclient.conf` file and subsequently executed with high privileges via `dhclient-script(8)`. This aligns with MITRE ATT&CK techniques T1557 and T1059. FreeBSD has released patches, and administrators should update immediately. Network-level mitigation includes enabling DHCP snooping. → cybersecuritynews.com |
| 2026-05-04 2026 | FreeBSD Systems at Risk From DHCP Client RCE Vulnerability news 2 min read | Advisory for CVE-2026-42511, a critical RCE vulnerability in FreeBSD's default IPv4 dhclient that allows local network attackers to execute arbitrary code as root by crafting malicious DHCP lease options. Discovered by Joshua Rogers, the flaw affects supported FreeBSD versions and can be exploited from a rogue DHCP server to inject code into the dhclient.conf file. The FreeBSD Project urges immediate patching via binary updates or package upgrades, followed by a system reboot or service restart. Network-level defenses such as DHCP snooping can also mitigate the attack vector. → gbhackers.com |
| 2026-05-02 2026 | Cursor AI Flaw Lets Hackers Steal API Keys and Run Code Silently news 4 min read API Sec Secrets | Writeup exposing critical security flaws in Cursor AI: credential theft by malicious extensions reading unencrypted SQLite databases, and silent code execution through Git hooks triggered by the AI agent. The issues, which carry a reported CVSS score of 8.2 and include CVE-2026-26268, stem from poor extension isolation, insecure credential storage, and AI-agent interaction with untrusted repositories, leaving developers exposed to financial loss and unauthorized access. → sqmagazine.co.uk |
| 2026-05-02 2026 | 88% of self-hosted GitHub servers exposed to RCE researchers warn (CVE-2026-3854) news 2 min read | Writeup detailing CVE-2026-3854, a critical remote code execution vulnerability found in self-hosted GitHub Enterprise Server instances by Wiz researchers. Exploitable via a single git push command by authenticated users, this flaw allows arbitrary command execution on backend servers, potentially granting access to all hosted repositories and internal secrets. GitHub has released patches for supported GitHub Enterprise Server versions and advises reviewing audit logs for signs of exploitation. → helpnetsecurity.com |
| 2026-05-02 2026 | Script Injection and Data Theft: Python Data Analysis Tool Compromised news 2 min read Python | Writeup of MAL-2026-3083, detailing the compromise of the Python data monitoring tool elementary-data. An attacker exploited script injection in a GitHub Actions workflow to upload a malicious version to PyPI, stealing SSH keys, AWS credentials, API tokens, and cryptocurrency wallet files. The compromised package was active for nearly half a day before being removed. |
| 2026-05-01 2026 | Remote building compromise likely with EnOcean SmartServer bugs news | Analysis of CVE-2026-22885 and CVE-2026-20761 in EnOcean SmartServer identifies critical vulnerabilities allowing remote code execution and security bypasses. Claroty researchers discovered these flaws, which enable attackers to circumvent memory defenses, gain root privileges, and achieve full control over building management and automation systems. Proof-of-concept exploits are available, and affected systems include internet-exposed SmartServer IoT platforms and outdated i.LON devices. → scworld.com |
| 2026-05-01 2026 | Hackers exploit Qinglong vulnerabilities to deploy cryptominers news | Writeup detailing the exploitation of Qinglong task scheduling tool via CVE-2026-3965 and CVE-2026-4047. Attackers are chaining these authentication bypass vulnerabilities in Qinglong versions 2.20.1 and older to achieve remote code execution, leading to the deployment of cryptominers. Exploitation began pre-disclosure, targeting exposed panels and modifying `config.sh` to download multi-architecture miners disguised as hidden processes. While patches were released, initial fixes were insufficient. → scworld.com |
| 2026-05-01 2026 | Critical Wireshark Vulnerabilities Let Attackers Execute Arbitrary Code Via Malformed Packets news 2 min read | Writeup on a Wireshark release addressing over 40 vulnerabilities, including critical remote code execution flaws (CVE-2026-5402, CVE-2026-5403, CVE-2026-5405, CVE-2026-5656) in the TLS, SBC and RDP dissectors and in profile imports. Numerous other vulnerabilities lead to denial-of-service conditions through dissector crashes (e.g., CVE-2026-5409, CVE-2026-5408, CVE-2026-5406) and infinite loops (CVE-2026-5407), alongside decompression engine issues (CVE-2026-6535, CVE-2026-6533). → cybersecuritynews.com |
| 2026-05-01 2026 | Multiple Wireshark Flaws Allow Remote Code Execution via Malformed Packets news 2 min read | Writeup on critical Wireshark vulnerabilities, including CVE-2026-5402 (TLS dissector heap overflow), CVE-2026-5403 (SBC audio codec crash), CVE-2026-5405 (RDP dissector crash), and CVE-2026-5656 (profile import code execution). These flaws allow remote code execution via malformed packets in network captures or through crafted PCAP files, posing a significant risk to security professionals analyzing untrusted data. Version 4.6.5 addresses over 40 vulnerabilities, including DoS issues impacting protocols like SMB2 and HTTP. → cyberpress.org |
| 2026-05-01 2026 | "Copy Fail": Linux root in all major distributions with 732 bytes of Python news 2 min read Python | Writeup of CVE-2026-31431, the "Copy Fail" vulnerability, detailing a logic error in the Linux kernel that allows local users to perform 4-byte writes to the page cache. A 732-byte Python exploit leverages this to gain root privileges on major distributions including Ubuntu, Amazon Linux, RHEL, and SUSE. The vulnerability, discovered with AI assistance and affecting systems since 2017, involves manipulating setuid binaries and can break container boundaries. Fixes are available, with temporary workarounds including blocking AF_ALG socket creation or blacklisting the algif_aead module. |
| 2026-05-01 2026 | PoC Released for Critical ASUSTOR ADM Root RCE Vulnerability news 2 min read | Writeup of CVE-2026-6644, a critical OS command injection vulnerability in ASUSTOR ADM’s PPTP VPN Client, allowing authenticated administrators to achieve root-level command execution. The flaw, present in ADM 4.1.0 through 5.1.2, stems from unsanitized input in the PPTP server address parameter of the `/portal/apis/settings/vpn.cgi` script, leading to pppd configuration file manipulation. Patched versions include ADM 5.1.3.RGO1, and mitigations involve updating firmware, blocking WAN exposure, changing default credentials, and disabling unused services like PPTP VPN. → cyberpress.org |
| 2026-04-30 2026 | Google Gemini CLI Flaw Enables Command Execution on Host Systems news 2 min read | Vulnerability in Google Gemini CLI allows unauthenticated remote code execution, enabling supply-chain attacks on CI/CD pipelines. Discovered by Novee Security, this CVSS 10.0 flaw affects the `@google/gemini-cli` package and the `google-github-actions/run-gemini-cli` GitHub Action. Attackers can exploit it by submitting crafted configuration files in pull requests, causing the CLI to execute arbitrary commands on the host system without any AI model interaction. Patches are available in `@google/gemini-cli` versions 0.39.1 and 0.40.0-preview.3, and in `google-github-actions/run-gemini-cli` version 0.1.22. → cyberpress.org |
| 2026-04-30 2026 | Google's fix for critical Gemini CLI bug might break your CI/CD pipelines news 3 min read Supply Chain | Article on securing AI development layers, covering vulnerabilities in agentic AI and supply chain risks. It discusses techniques for building secure development environments, managing trust in AI agent skills, and mitigating risks associated with AI models such as Claude and Gemini, and also touches on hardware supply chain turbulence and identity resilience strategies in the context of AI. → theregister.com |
| 2026-04-30 2026 | New Linux 'Copy Fail' Vulnerability Enables Root Access on Major Distributions news 2 min read Python | Writeup on CVE-2026-31431, "Copy Fail," detailing how an unprivileged local user can achieve root access on Linux distributions since 2017. The vulnerability stems from a logic flaw in the `algif_aead` module of the kernel's cryptographic subsystem, allowing controlled writes to the page cache of any readable file. Exploitation involves a Python script to corrupt the page cache of a setuid binary like `/usr/bin/su`, granting root privileges. This primitive shares similarities with Dirty Pipe (CVE-2022-0847) and offers portable, stealthy, and cross-container exploitation. → thehackernews.com |
| 2026-04-30 2026 | OpenWrt 23.05 Authenticated Remote Code Execution (RCE) Vulnerability: Risk Analysis, Impact and Mitigation (CVE-2025-62526) news 5 min read | Analysis of CVE-2025-62526, an authenticated RCE vulnerability in OpenWrt 23.05, details how attackers can compromise devices by exploiting flaws in inter-process communication and sandboxing mechanisms, particularly on Lantiq, Intel, and MaxLinear SoCs. Mitigation involves upgrading to OpenWrt 24.10.4, securing credentials, restricting management interface access, and monitoring for unauthorized changes, with historical exploitation of similar flaws by groups like APT41 and Lazarus serving as a precedent. → rescana.com |
| 2026-04-30 2026 | Critical Authenticated Remote Code Execution Vulnerability in JuzaWeb CMS 3.4.2 (CVE-2025-5425): Exploit in the Wild and Mitigation Guidance news 5 min read | Writeup detailing CVE-2025-5425, a critical authenticated RCE vulnerability in JuzaWeb CMS 3.4.2. This flaw, stemming from broken access control (CWE-266), allows low-privilege users to access the Theme Editor, inject PHP code, and achieve full server compromise. Exploits are publicly available, and exploitation in the wild has been observed. Mitigation involves restricting access to the Theme Editor endpoint and auditing user roles. The vulnerability maps to MITRE ATT&CK techniques T1190 and T1059. → rescana.com |
| 2026-04-30 2026 | Google Gemini CLI Vulnerabilities Allow Attackers to Execute Commands on Host Systems news 2 min read API Sec | Vulnerability in the Google Gemini CLI allows attackers to execute commands on host systems by exploiting workspace trust in non-interactive CI/CD environments. This infrastructure-level exploit, distinct from prompt injection, bypasses AI agent sandboxing because malicious agent configurations shipped in pull requests are trusted automatically, leading to host-level code execution, secret theft, and supply-chain attacks. Patched versions are @google/gemini-cli 0.39.1 or 0.40.0-preview.3, and google-github-actions/run-gemini-cli 0.1.22. → cybersecuritynews.com |
| 2026-04-30 2026 | GitHub rushed to fix a critical vulnerability in less than six hours news 2 min read | Writeup of a critical remote code execution vulnerability in GitHub's internal git infrastructure, discovered using AI models by Wiz Research. GitHub's security team validated the bug bounty report, reproduced the vulnerability, and deployed a fix to GitHub.com and GitHub Enterprise Server in under six hours. The vulnerability, described as "remarkably easy to exploit" despite its complexity, highlights the emerging role of AI in identifying flaws in closed-source binaries. |
| 2026-04-30 2026 | Qinglong Task Scheduler RCE Vulnerabilities Exploited in the Wild news 2 min read API Sec | Writeup of Qinglong task scheduler RCE vulnerabilities (CVE-2026-3965 and CVE-2026-4047) that were actively exploited in early 2026. Unauthenticated attackers leveraged authentication bypass flaws in Qinglong versions 2.20.1 and earlier to achieve remote code execution, enabling them to deploy a cryptominer named .fullgc. The vulnerabilities stem from mismatches between security middleware assumptions and the Express.js framework's routing behavior, specifically concerning URL rewrite rules and case-insensitive URL handling. Updates and auditing are crucial for securing deployments. → cybersecuritynews.com |
| 2026-04-30 2026 | Critical Gemini CLI Flaw Enabled Host Code Execution, Supply Chain Attacks news 1 min read Supply Chain | Writeup of the critical Gemini CLI vulnerability discovered by Novee Security (no CVE identifier had been assigned at the time of writing), which allowed host code execution through untrusted agent configurations loaded from workspaces. Attackers could exploit it to steal secrets, move laterally, and conduct supply chain attacks within CI/CD pipelines, without relying on prompt injection. This is distinct from prior research demonstrating hijacking of AI agents such as Claude Code Security Review and GitHub Copilot Agent via malicious GitHub comments. → securityweek.com |
| 2026-04-30 2026 | Max-severity RCE flaw found in Google Gemini CLI news 2 min read | Writeup on the Google Gemini CLI update that fixes a critical remote code execution (RCE) vulnerability. Disclosed by Novee Security, the flaw (related to CWE-77 and CWE-78) allowed attackers to inject malicious configurations and execute arbitrary commands on the host system, particularly in CI/CD environments processing untrusted input. Patched versions 0.39.1 and 0.40.0-preview.3, along with the run-gemini-cli GitHub Action fix (v0.1.22), address the vulnerability by removing implicit workspace trust and enforcing stricter tool allowlisting, aligning non-interactive execution with the interactive safeguards. → csoonline.com |
| 2026-04-30 2026 | CISA adds ConnectWise, Microsoft flaws to KEV catalog news 2 min read | Catalog of CVE-2024-1708, a ConnectWise ScreenConnect path traversal vulnerability, and CVE-2026-32202, a Microsoft Windows protection mechanism failure. CVE-2024-1708, patched in ScreenConnect version 23.9.8, could be chained with CVE-2024-1709 for remote code execution. CVE-2026-32202, an incomplete patch for CVE-2026-21510 exploited by APT28, allows NTLM relay attacks via SMB connections when rendering malicious LNK files. Both vulnerabilities are now on CISA's Known Exploited Vulnerabilities catalog, requiring patching by May 12, 2026, for federal agencies. → scworld.com |
| 2026-04-30 2026 | ProFTPD's SQL Injection Vulnerability Enables Remote Code Execution Attacks news 2 min read SQLi | Writeup on CVE-2026-42167, a critical SQL injection vulnerability in ProFTPD's mod_sql extension affecting thousands of deployments. Exploitation can lead to authentication bypass, remote code execution via PostgreSQL's COPY TO PROGRAM, or data theft through blind SQL injection. Patching to version 1.3.9a or disabling SQL logging are the recommended mitigations. → cybersecuritynews.com |
| 2026-04-30 2026 | ProFTPD SQL Injection Flaw Opens Door To Remote Code Execution Attacks news 2 min read SQLi | Writeup of CVE-2026-42167, a ProFTPD mod_sql SQL injection vulnerability that allows remote attackers to bypass authentication, escalate privileges, and potentially achieve remote code execution by injecting malicious commands into SQL queries. This flaw, affecting ProFTPD versions prior to 1.3.9a, poses a severe risk to internet-facing FTP servers utilizing SQL-backed logging or authentication, especially when connected to databases like PostgreSQL. Researchers ZeroPath discovered the issue, and it carries a CVSS v3 score of 8.1. → gbhackers.com |
| 2026-04-30 2026 | Qinglong Vulnerabilities Enable RCE Exploited in Attacks news 2 min read | Writeup of Qinglong RCE vulnerabilities, CVE-2026-3965 and CVE-2026-4047, detailing authentication bypasses via URL rewriting and case-sensitive path mismatches. Threat actors are actively exploiting these flaws in the open-source task scheduler to deploy cryptomining malware by resetting admin credentials or directly executing commands, leading to widespread infections on exposed servers. Exploitation began prior to official disclosure, with attackers camouflaging malicious binaries as legitimate processes. The writeup highlights the security anti-pattern of middleware and routing disagreement leading to trivial bypasses. → cyberpress.org |
| 2026-04-30 2026 | Google Fixes CVSS 10 Gemini CLI CI RCE, and Cursor Flaws Enable Code Execution news 5 min read | Roundup covering Google's CVSS 10 Gemini CLI CI RCE, which allowed attackers to execute arbitrary commands by manipulating configuration files in CI environments, and Cursor's CVE-2026-26268 RCE via malicious Git hooks, plus an unpatched CursorJacking vulnerability giving extensions access to API keys and credentials. → thehackernews.com |
| 2026-04-30 2026 | ProFTPD SQL Injection Flaw Enables Remote Code Execution news 2 min read SQLi | Writeup of CVE-2026-42167, a critical SQL injection vulnerability in ProFTPD's mod_sql extension, enabling remote code execution, authentication bypass, and privilege escalation. Exploitable pre-authentication via crafted usernames in the USER command, this flaw impacts widely deployed ProFTPD instances bundled with popular control panels like cPanel and Plesk. Mitigation involves upgrading to ProFTPD 1.3.9a, disabling mod_sql logging, or restricting SQL backend permissions. → cyberpress.org |
| 2026-04-30 2026 | GitHub Flaw Enables Remote Code Execution With a Single Git Push news 2 min read | Writeup detailing CVE-2026-3854, a vulnerability in GitHub's internal git protocol allowing authenticated users to achieve remote code execution. Exploitation leveraged an injection flaw in the X-Stat header, where semicolon-delimited options, unsanitized by GitHub, could override security controls via a "last-write-wins" parsing model. This flaw affected both GitHub.com and GitHub Enterprise Server, potentially leading to repository compromise and server takeover. Mitigation involves upgrading GHES, enforcing least privilege, monitoring git activity, and hardening configurations. → esecurityplanet.com |
| 2026-04-30 2026 | Critical GitHub RCE bug exposed millions of repositories news 2 min read | Writeup of CVE-2026-3854, a critical RCE vulnerability in GitHub affecting millions of repositories. Exploiting the handling of server-side "git push" operations, specifically the X-STAT component, an authenticated user could execute arbitrary commands via crafted input. This command injection flaw, rated CVSS 8.8, was discoverable using AI-augmented tooling like IDA MCP, and impacted GitHub.com and Enterprise Server, granting full server compromise in self-hosted environments. → infoworld.com |
| 2026-04-29 2026 | GitHub vulnerability CVE-2026-3854 allows code execution with a single git push news 1 min read | Analysis of CVE-2026-3854, a critical GitHub vulnerability allowing remote code execution. This command injection flaw, discovered by Wiz researchers, affects GitHub Enterprise Cloud and Server, enabling attackers with push access to execute arbitrary commands by exploiting unsanitized push option values. The vulnerability, patched by GitHub within two hours, could lead to system compromise and exposure of repositories on GitHub.com, with many instances remaining vulnerable. → scworld.com |
| 2026-04-29 2026 | Hackers exploit RCE flaws in Qinglong task scheduler for cryptomining news 2 min read | Writeup on in-the-wild exploitation of the Qinglong open-source task scheduler via CVE-2026-3965 and CVE-2026-4047. These vulnerabilities, stemming from authentication bypass and path traversal flaws in versions 2.20.1 and older, allow remote code execution. Attackers have been exploiting them to deploy cryptominers, disguised under the process name '.fullgc', on developer servers by injecting shell commands into `config.sh` and downloading binaries from `file.551911.xyz`. → bleepingcomputer.com |
| 2026-04-29 2026 | AI Finds 38 Security Flaws in OpenEMR news AI | An AI security tool, DeepScribe, has identified 38 vulnerabilities in OpenEMR, a popular open-source electronic health record system. The flaws range in severity, with DeepScribe flagging 10 as critical. The company plans to disclose the findings responsibly to OpenEMR's development team. The discovery highlights the potential of AI for uncovering security weaknesses in complex software. → darkreading.com |
| 2026-04-29 2026 | Hugging Face LeRobot Vulnerability Enables Unauthenticated RCE Attacks news 2 min read | Writeup of CVE-2026-25874, a critical RCE vulnerability in Hugging Face's LeRobot that lets unauthenticated attackers execute arbitrary commands by exploiting insecure Pickle deserialization over unauthenticated gRPC channels in the async inference module. The flaw, affecting versions up to 0.5.1, allows attackers to gain administrative control, exfiltrate sensitive data, and sabotage robot operations. Researchers noted the irony of using unsafe Pickle despite the development of the secure safetensors format, with `# nosec` tags present near the vulnerable `pickle.loads()` calls. A patch is planned; immediate mitigation involves restricting network access and binding the server to localhost. → cybersecuritynews.com |
| 2026-04-29 2026 | Critical Cursor Vulnerability Exposes Developer Workstations To Remote Code Execution news 2 min read | Vulnerability in Cursor (CVE-2026-26268) allows RCE on developer workstations. Attackers exploit Git Hooks and bare repositories, embedding malicious pre-commit scripts within untrusted repositories. Cursor's AI agent, triggered by repository rules or autonomous Git operations like checkouts, executes these hidden scripts, bypassing traditional human action requirements and expanding the attack surface to include AI-assisted workflows and untrusted code processing. → cyberpress.org |
| 2026-04-29 2026 | Critical Chrome Vulnerabilities Enable Remote Code Execution Attacks news 2 min read | Writeup on 30 Chrome vulnerabilities, including critical Use-After-Free flaws like CVE-2026-7363 in Canvas and CVE-2026-7333 in GPU, enabling Remote Code Execution. This update addresses memory mismanagement that can lead to arbitrary code execution via specially crafted webpages, potentially bypassing sandbox protections. Users are strongly advised to update to Chrome version 147.0.7727.137/138. → cybersecuritynews.com |
| 2026-04-29 2026 | LeRobot Vulnerability Enables Unauthenticated Remote Code Execution news Python | Brief on a critical vulnerability in LeRobot that allows unauthenticated remote code execution, meaning an attacker can compromise a system without any login credentials. The potential impact includes data breaches, system manipulation, and denial of service. → letsdatascience.com |
| 2026-04-29 2026 | GitHub fixes RCE flaw that gave access to millions of private repos news 2 min read Supply Chain | Writeup of CVE-2026-3854, a critical RCE vulnerability affecting GitHub.com and GitHub Enterprise Server, allowing attackers with push access to gain read/write access to millions of private repositories. The flaw stems from unsanitized user-supplied options during 'git push' operations, enabling arbitrary code execution and potential server compromise. Administrators of GitHub Enterprise Server instances are urged to upgrade immediately, as a significant percentage remain vulnerable. → bleepingcomputer.com |
| 2026-04-29 2026 | Cursor AI Vulnerability Enables Remote Code Execution news AI | Brief on a critical Cursor AI vulnerability, found by a security researcher, that allows remote code execution and could give attackers unauthorized access to and control over affected systems. The initial announcement did not detail the exploit mechanism or available mitigations. → letsdatascience.com |
| 2026-04-29 2026 | Critical GitHub RCE bug exposed millions of repositories news 2 min read Supply Chain | Writeup of CVE-2026-3854, a critical command injection vulnerability in GitHub's Git push processing, specifically within the X-STAT component. This flaw, found by Wiz researchers using AI-augmented tooling, allowed authenticated users to execute arbitrary commands server-side, leading to potential remote code execution and full compromise of GitHub Enterprise Server instances, exposing millions of repositories. Patches were released for GitHub.com and Enterprise Server. → csoonline.com |
| 2026-04-29 2026 | Cursor AI IDE vulnerability allows code execution via hidden Git hooks news 2 min read Supply Chain | Writeup of CVE-2026-26268, a high-severity vulnerability (CVSS 8.1) in the Cursor AI IDE that leverages hidden Git hooks within nested bare repositories. When the Cursor AI agent performs Git operations such as `git checkout` in an untrusted repository, it inadvertently triggers the planted hooks, allowing attackers to execute arbitrary code without user interaction. The exploit targets the autonomous nature of AI agents operating on untrusted code, posing a significant risk to developer machines holding sensitive data. → hackread.com |
| 2026-04-29 2026 | Critical GitHub Vulnerability Exposed Millions of Repositories news 2 min read Supply Chain | Writeup of CVE-2026-3854, a critical remote code execution flaw in GitHub's internal Git infrastructure. This injection vulnerability allowed authenticated users to execute arbitrary commands on backend servers via a simple `git push` command, potentially compromising millions of repositories on GitHub Enterprise Server and GitHub.com. Wiz researchers discovered the issue, which affected various GitHub Enterprise offerings, and a patch was subsequently released. → securityweek.com |
| 2026-04-29 2026 | GitHub.com and Enterprise Server Vulnerability Allows Remote Code Execution news 2 min read Supply Chain | Writeup on identifying and mitigating CVE-2026-3854, a critical RCE vulnerability in GitHub's git infrastructure. The flaw stemmed from improper neutralization of special elements during repository push operations, allowing authenticated users to execute arbitrary commands by injecting crafted metadata into the X-Stat header. Exploitation chained delimiter injection to bypass security sandboxes, redirect hook directories, and achieve path traversal for arbitrary binary execution, impacting both GitHub.com and Enterprise Server instances. Wiz Research used AI-augmented tools such as IDA MCP for the analysis. → gbhackers.com |
| 2026-04-29 2026 | Critical Google Chrome Flaws Allow Remote Code Execution Exploits news 2 min read | Writeup on critical Google Chrome flaws addressed in version 147.0.7727.137/138, detailing multiple use-after-free vulnerabilities like CVE-2026-7363 in Canvas and CVE-2026-7361 on iOS, alongside memory corruption issues such as heap buffer overflows in Skia (CVE-2026-7353) and type confusion in V8 (CVE-2026-7337). These flaws, discovered using tools like AddressSanitizer and libFuzzer, enable remote code execution through crafted web pages and can be chained for exploit scenarios. → cyberpress.org |
| 2026-04-29 2026 | Mozilla Firefox Multiple Vulnerabilities news | Advisory detailing multiple vulnerabilities in Mozilla Firefox. The issues, affecting versions prior to Firefox 150.0.1, Firefox ESR 115.35.1, and Firefox ESR 140.10.1, can lead to remote code execution, security restriction bypass, and information disclosure. Patches are available from the vendor. → hkcert.org |
| 2026-04-29 2026 | GitHub patches critical 'git push' remote code execution bug news 1 min read | Writeup on a critical vulnerability in GitHub's `git push` command, allowing authenticated users to achieve remote code execution on backend infrastructure. Discovered by Wiz researchers using IDA's MCP server, the flaw exploited GitHub's internal protocol by adding malicious options to the `git push` command. GitHub patched the issue on GitHub.com and released a fix for GitHub Enterprise Server. |
| 2026-04-28 2026 | Major Security Flaw In GitHub Enables Remote Code Execution Across Millions of Repositories news | Brief on a significant vulnerability in GitHub that could allow remote code execution across millions of repositories, with widespread implications for developers and organizations relying on GitHub for code hosting and collaboration. At the time of writing the exact impact and severity were still being assessed, with further details expected as mitigation proceeded. |
| 2026-04-28 2026 | CVE-2026-3854 GitHub flaw enables remote code execution news 3 min read | Writeup of CVE-2026-3854, a critical command injection vulnerability in GitHub Enterprise allowing remote code execution. Exploitable via a crafted git push, attackers can inject malicious metadata, bypass sandbox protections, and run arbitrary commands. Wiz researchers reported the flaw, which GitHub fixed with patches for Enterprise Server versions. The vulnerability underscores risks in inter-service communication and sanitization of user-controlled data in complex systems. → securityaffairs.com |
| 2026-04-28 2026 | GitHub RCE Vulnerability: CVE-2026-3854 Breakdown news 10 min read | Wiz's technical breakdown of CVE-2026-3854, a critical RCE vulnerability in GitHub's internal git infrastructure. This flaw, exploitable via a single git push from an authenticated user, allowed arbitrary command execution on GitHub.com's backend servers, potentially exposing millions of repositories. On GitHub Enterprise Server, it granted full server compromise. The analysis details the X-Stat header injection flaw and the exploitation chain involving the `rails_env`, `custom_hooks_dir`, and `repo_pre_receive_hooks` fields to bypass sandboxing and achieve remote code execution. → wiz.io |
| 2026-04-28 2026 | Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push news 3 min read Supply Chain | Writeup of CVE-2026-3854, a critical command injection vulnerability in GitHub.com and GitHub Enterprise Server. Exploitable via a single "git push" command, this flaw allows authenticated users with push access to achieve remote code execution by injecting malicious metadata into internal service headers. Researchers from Wiz demonstrated a technique chaining three injections to bypass sandboxing, redirect hooks, and execute arbitrary commands as the git user, potentially leading to cross-tenant repository exposure on GitHub.com. → thehackernews.com |
| 2026-04-28 2026 | Critical GitHub.com and Enterprise Server RCE Vulnerability Enables Full Server Compromise news 2 min read Supply Chain | Writeup of CVE-2026-3854, a critical RCE vulnerability in GitHub's internal git proxy, babeld. This flaw, stemming from improper neutralization of special elements (CWE-77) via semicolon injection in git push options, allows authenticated users to compromise backend servers, access private repositories, and achieve full server takeover on GitHub Enterprise Server (GHES). Exploitation involves chaining three injected fields: `rails_env` to bypass sandboxing, `custom_hooks_dir` to redirect hook scripts, and `repo_pre_receive_hooks` for path traversal. Wiz researchers discovered this vulnerability using AI-augmented reverse engineering with IDA MCP. → cybersecuritynews.com |
| 2026-04-28 2026 | Securing the git push pipeline: Responding to a critical remote code execution vulnerability intermediate 4 min read Supply Chain | Writeup of CVE-2026-3854, a critical remote code execution vulnerability in GitHub's `git push` pipeline. The vulnerability allowed arbitrary command execution on the server by crafting a `git push` command with unsanitized push options that manipulated internal metadata, bypassing sandboxing. GitHub deployed a fix within hours to github.com and released patches for GitHub Enterprise Server, recommending immediate upgrades. The investigation found no evidence of exploitation. → github.blog |
| 2026-04-28 2026 | Hugging Face LeRobot Vulnerability Enables Unauthenticated Remote Code Execution Attacks news 2 min read Supply Chain | Writeup of CVE-2026-25874, a critical RCE vulnerability in Hugging Face's LeRobot framework, enabling unauthenticated attackers to execute arbitrary system commands. The flaw stems from the use of Python's unsafe `pickle.loads()` for deserializing data across gRPC endpoints, compounded by insecure TLS and authentication configurations. Attackers can exploit this by crafting malicious payloads that execute code during deserialization, before validation. Mitigation involves replacing `pickle` with secure alternatives, enabling TLS, and enforcing authentication. → cyberpress.org |
| 2026-04-28 2026 | Hugging Face LeRobot Flaw Opens Door to Remote Code Execution Attacks news 2 min read Supply Chain | Writeup of a flaw in Hugging Face's LeRobot, CVE-2026-25874, that permits unauthenticated RCE. The vulnerability stems from using `pickle.loads()` to deserialize data received over an insecure gRPC channel, allowing attackers to send crafted payloads that execute arbitrary system commands. Exploitation is possible via RPC handlers such as `SendPolicyInstructions` and `SendObservations`, especially when the server binds to `0.0.0.0` in production environments. Remediation involves removing pickle serialization, enabling TLS, and enforcing authentication. → gbhackers.com |
| 2026-04-28 2026 | Critical Cursor bug could turn routine Git into RCE news 3 min read Supply Chain | Writeup of CVE-2026-26268 in Cursor IDE, which allowed arbitrary code execution via malicious Git repositories when the AI agent interacted with Git hooks and bare repositories; patched in Cursor 2.5. The exploit leverages documented Git features, which makes detection difficult because the activity blends into normal development workflows. → csoonline.com |
| 2026-04-28 2026 | Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE news 2 min read | Writeup on CVE-2026-25874, a critical unauthenticated RCE vulnerability in Hugging Face's LeRobot platform. The flaw, found in version 0.4.3, stems from unsafe data deserialization using Python's pickle format within the async inference pipeline, allowing attackers to execute arbitrary code via gRPC calls. This impacts the PolicyServer and robot client components, potentially leading to network compromise, data theft, and safety risks. A fix is planned for version 0.6.0. → thehackernews.com |
| 2026-04-28 2026 | Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 news 2 min read | Writeup on CVE-2026-32202, a Windows Shell spoofing vulnerability actively exploited in the wild. This zero-click flaw, with a CVSS score of 4.3, stems from an incomplete patch for CVE-2026-21510 and allows attackers to steal Net-NTLMv2 hashes via SMB connections (a credential-theft primitive rather than code execution in itself). Russian nation-state group APT28 reportedly used it in conjunction with CVE-2026-21513, leveraging malicious LNK files to bypass Microsoft Defender SmartScreen and achieve credential theft. → thehackernews.com |
| 2026-04-27 2026 | Critical Gemini CLI Vulnerability Enables Remote Code Execution Attacks news 2 min read | Advisory on a critical Gemini CLI RCE vulnerability affecting @google/gemini-cli and google-github-actions/run-gemini-cli, particularly in CI/CD pipelines. The flaw stems from unsafe workspace trust handling in headless mode and a bypass of tool allowlisting under `--yolo` mode, enabling remote code execution when processing untrusted content. Google recommends immediate upgrades and a review of automation pipeline configurations, especially those that process input from external contributors. → cybersecuritynews.com |
| 2026-04-27 2026 | Nessus Agent Vulnerability on Windows Allows Arbitrary Code Execution as SYSTEM news 2 min read | Writeup of CVE-2026-33694, a high-severity vulnerability in Nessus Agent for Windows that lets local attackers achieve arbitrary code execution as SYSTEM by exploiting improper link resolution (CWE-59, "Link Following"). Attackers can use Windows junctions to trick the agent into deleting critical system files, leading to privilege escalation. Tenable has released version 11.1.3 to address the flaw, which has low attack complexity and requires only low-level user privileges. → cyberpress.org |
| 2026-04-27 2026 | Critical Gemini CLI Vulnerability Enables Remote Code Execution Attacks news 2 min read | Advisory for GHSA-wpqr-6v78-jr5g in Gemini CLI and its GitHub Action. This flaw enables remote code execution by exploiting automatic workspace trust in headless mode, bypassed tool allowlists in "Yolo" mode, and improper input validation leading to command injection. Updated versions require explicit trust configuration and enforce strict allowlists to protect CI/CD pipelines and software supply chains from malicious code execution and credential theft. → cyberpress.org |
| 2026-04-27 2026 | PoC Exploit Released for Critical Metabase Enterprise RCE Vulnerability news 2 min read | Exploit for CVE-2026-33725, a critical Metabase Enterprise RCE vulnerability, is now public. This flaw stems from an H2 JDBC INIT injection during serialization imports, allowing attackers to execute arbitrary code and access files. Researchers at Hakai Security released a Python PoC on GitHub that automates the exploit chain, significantly increasing the risk for unpatched Metabase Enterprise versions 1.47.0 through 1.59.3. Immediate patching to versions 1.59.4, 1.58.10, or 1.57.16 is strongly advised. → cyberpress.org |
| 2026-04-27 2026 | Critical Gemini CLI Flaw Raises Supply Chain Security Concerns news 2 min read Supply Chain | Advisory on the patches for GHSA-wpqr-6v78-jr5g in Google's Gemini CLI and GitHub Action, mitigating remote code execution risks in CI/CD pipelines. The vulnerability exploited trust bypasses in headless and Yolo execution modes, allowing command injection via malicious environment variables and prompt injection without user interaction. Remediation requires upgrading the NPM package to 0.39.1 or 0.40.0-preview.3, updating the GitHub Action to 0.1.22, and configuring strict workspace trust and tool allowlists. → gbhackers.com |
| 2026-04-27 2026 | Metabase Enterprise RCE Flaw Now Has Public Proof-of-Concept Exploit news 2 min read | Writeup on CVE-2026-33725, a Metabase Enterprise RCE vulnerability, details a public Python exploit published to GitHub. This flaw, stemming from an H2 JDBC INIT injection during Enterprise Edition serialization imports, allows attackers to execute arbitrary database commands, leading to Remote Code Execution and sensitive file access. Affected versions range from 1.47.0 through 1.59.3. Researchers advise immediate patching to versions like 1.59.4 to mitigate this risk. → gbhackers.com |
| 2026-04-27 2026 | Nessus Agent Vulnerability on Windows Enables Arbitrary Code Execution with SYSTEM Privileges news 2 min read | Writeup of the Nessus Agent for Windows flaw (CVE-2026-33694, also covered above) that allows arbitrary code execution with SYSTEM privileges through a junction-based link-following attack. A low-privileged local user creates a Windows junction that redirects the agent's file deletion routine to an arbitrary path, and that privileged delete primitive is turned into payload execution at the highest privilege level. Tenable has released a patch in Nessus Agent version 11.1.3. → cybersecuritynews.com |
| 2026-04-26 2026 | Anthropic's model context protocol includes a critical remote code execution vulnerability news AI | Report of a critical remote code execution (RCE) vulnerability in Anthropic's Model Context Protocol (MCP) that allows attackers to execute arbitrary code on a system through the protocol. The linked article covers the specifics; the MCP entries dated 2026-04-20 to 2026-04-22 below carry the technical detail (STDIO transport defaults and the associated CVEs). → msn.com |
| 2026-04-24 2026 | Microsoft's April Security Update of High-Risk Vulnerability Notice for Multiple Products news | Notice on Microsoft's April security update, which addresses high-risk vulnerabilities across multiple products. The linked article lists the critical flaws and urges users of the affected Microsoft software to patch promptly. → securityboulevard.com |
| 2026-04-24 2026 | Hackers exploit file upload bug in Breeze Cache WordPress plugin news 2 min read | Writeup of CVE-2026-3844 in the Breeze Cache WordPress plugin, an arbitrary file upload flaw exploited in the wild. This critical vulnerability (CVSS 9.8) allows unauthenticated attackers to achieve remote code execution (RCE) through missing file-type validation in the `fetch_gravatar_from_remote` function when the "Host Files Locally - Gravatars" add-on is enabled. Versions up to 2.4.4 are affected. → bleepingcomputer.com |
| 2026-04-24 2026 | Tenable Research Uncovers Remote Code Execution Vulnerability in Microsoft GitHub Repository Exposing CI/CD Pipeline to Unauthorized Code Execution news 2 min read Supply Chain | Analysis of a critical Remote Code Execution vulnerability (CVSSv4 9.3) in a Microsoft GitHub repository, specifically within its CI/CD workflow using GitHub Actions. Attackers could inject malicious Python code into issue descriptions, triggering automatic execution on the GitHub runner and exfiltrating sensitive secrets like GITHUB_TOKEN, thereby compromising the software supply chain and potentially allowing unauthorized code execution. → cxodigitalpulse.com |
| 2026-04-24 2026 | 20th April Threat Intelligence Report news 3 min read | Weekly threat intelligence report for the week of April 20th, covering incidents at Booking.com, McGraw-Hill and Basic-Fit, and a supply chain compromise of EssentialPlugin. AI threats include weaponized Claude Code and GPT-4 used in government breaches, phishing campaigns impersonating Claude AI, and prompt injection against GitHub agents. Vulnerabilities addressed include Apache ActiveMQ CVE-2026-34197, Splunk CVE-2026-20204, Microsoft Defender CVE-2026-33825, and Windows Task Host CVE-2025-60710. Other intelligence covers brand impersonation phishing, ZionSiphon malware targeting industrial control systems, Russian C2 infrastructure, and a fake Ledger Live app. |
| 2026-04-23 2026 | Anthropic's model context protocol includes a critical remote code execution vulnerability news | Anthropic's model context protocol includes a critical remote code execution vulnerability https://ift.tt/uJoCxjU → msn.com |
| 2026-04-22 2026 | Mozilla Firefox 150 Released With Fixes for Multiple Code Execution Vulnerabilities news | Mozilla Firefox 150 Released With Fixes for Multiple Code Execution Vulnerabilities https://ift.tt/6dEs8aC → gbhackers.com |
| 2026-04-22 2026 | Terrarium Sandbox: Critical Vulnerability Allows Root Code news | Terrarium Sandbox: Critical Vulnerability Allows Root Code https://ift.tt/xt7SA8a → secnews.gr |
| 2026-04-22 2026 | Firefox 150 Released With Fixes for Multiple Code Execution Vulnerabilities news 1 min read | Release of Firefox 150, patching 41 vulnerabilities including high-severity flaws CVE-2026-6746 (DOM) and CVE-2026-6747 (WebRTC), which enable remote code execution through use-after-free and uninitialized memory bugs. This update also addresses memory corruption in Web Codecs, Canvas2D, WebRender, and privilege escalation flaws. AI tools assisted in identifying some of these vulnerabilities. → cyberpress.org |
| 2026-04-22 2026 | Critical SGLang Flaw (CVE-2026-5760) Enables RCE via Malicious AI Models news 1 min read | Writeup of CVE-2026-5760 in SGLang, a critical flaw enabling remote code execution via malicious AI models. Attackers can craft a GGUF model with a malicious tokenizer.chat_template to exploit an unsandboxed Jinja2 environment, triggering server-side template injection and executing arbitrary Python code. This high-severity vulnerability, requiring no authentication, impacts SGLang deployments serving LLMs. → cxodigitalpulse.com |
| 2026-04-22 2026 | CVE-2025-68454: Craft CMS Twig SSTI RCE Vulnerability news 5 min read | Writeup detailing CVE-2025-68454, an authenticated Remote Code Execution vulnerability in Craft CMS versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16. Exploitation occurs via Server-Side Template Injection (SSTI) using the Twig map filter in text fields within Settings or the System Messages utility. Attackers with administrative privileges or access to System Messages can achieve arbitrary code execution by crafting malicious Twig payloads. Mitigation involves updating to patched versions 5.8.21 or 4.16.17, disabling allowAdminChanges, and restricting access to sensitive utilities. → sentinelone.com |
| 2026-04-22 2026 | 15,000 Jenkins Servers at Risk from RCE Vulnerability (CVE-2025-53652) news 2 min read | Analysis of CVE-2025-53652, a critical command injection flaw in the Jenkins Git Parameter plugin that can lead to remote code execution (RCE), especially on servers exposed without authentication. VulnCheck's report counts roughly 15,000 internet-facing Jenkins instances with the plugin and details how attackers inject commands through the parameter value. A patch exists, but its validation can be manually disabled, so detection rules for exploitation attempts are still warranted. → hackread.com |
| 2026-04-22 2026 | React2Shell (CVE-2025-55182): RSC Flight Decoder Remote Code Execution news 2 min read | Writeup of CVE-2025-55182, a critical RCE in React Server Components (RSC) that affects frameworks like Next.js. Attackers exploit a flaw in the flight protocol decoding, where improperly handled prototype chain lookups allow arbitrary code execution on the server. The vulnerability stems from not checking for own properties during object deserialization. Mitigation involves upgrading React packages, restricting exposure of RSC routes, and deploying IPS/WAF rules to detect malicious multipart payloads. |
| 2026-04-22 2026 | Ivanti EPMM: Another Pre-Auth RCE (CVE-2026-1281 and CVE-2026-1340) news 2 min read | Writeup on CVE-2026-1281 and CVE-2026-1340, pre-authentication remote code execution vulnerabilities in Ivanti EPMM discovered by researchers at watchTowr. Attackers can exploit them by sending crafted requests to run arbitrary code on unpatched instances. Ivanti has released an RPM patch, but it is removed on version upgrades and must be reapplied. The vulnerabilities were actively exploited in the wild before disclosure, and public PoC code increases the immediate risk. |
| 2026-04-22 2026 | CVE-2025-57738: Apache Syncope Groovy Injection RCE news 4 min read | Writeup of CVE-2025-57738, an Apache Syncope Groovy injection vulnerability allowing RCE. Vulnerable versions compile administrator-uploaded Groovy implementations using a bare `GroovyClassLoader`, enabling static initializer blocks to execute arbitrary JVM API commands like `Runtime.exec()` or `ProcessBuilder` with full process privileges. The PoC script `CVE-2025-57738.py` demonstrates this by uploading a malicious class that executes a command and writes output to `/tmp/pwned`. Patched versions implement sandboxing using Jenkins’ Script Security infrastructure to block dangerous API calls. |
| 2026-04-22 2026 | Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain news 2 min read | Analysis of the Model Context Protocol (MCP) reveals a fundamental design flaw enabling Arbitrary Command Execution (RCE) across its SDK implementations in Python, TypeScript, Java, and Rust. This systemic vulnerability, affecting over 7,000 projects including LiteLLM, LangChain, and Flowise, stems from unsafe defaults in STDIO transport, leading to identified CVEs like CVE-2026-30623 and CVE-2025-49596. The flaw allows attackers to inject commands through various means, including prompt injection and network requests, potentially compromising sensitive data and impacting the AI supply chain, despite Anthropic classifying the behavior as "expected." → thehackernews.com |
| 2026-04-22 2026 | Critical RCE Vulnerability in Anthropic MCP Inspector (CVE-2025-49596) news 11 min read | Writeup of CVE-2025-49596, a critical RCE in Anthropic's MCP Inspector, details how attackers can exploit default insecure configurations and the 0.0.0.0-day browser vulnerability to execute arbitrary code on a developer's machine. This allows for data theft and network lateral movement, posing a significant risk to AI teams and enterprise adopters. The vulnerability stems from the MCP Inspector's lack of default authorization and its interaction with browser handling of the 0.0.0.0 IP address. |
| 2026-04-22 2026 | CVE-2025-24893: XWiki SSTI Unauthenticated RCE Exploit news | Tool for exploiting CVE-2025-24893 in XWiki, enabling unauthenticated RCE via Server-Side Template Injection. The vulnerability lies in the SolrSearch endpoint, which processes user input through the Groovy template engine without proper sanitization. Attackers can inject malicious Groovy expressions via the `text` query parameter to execute arbitrary commands on the server, with output reflected in the RSS response. The provided Python script facilitates single command execution or interactive shell access. |
| 2026-04-22 2026 | CVE-2026-34197: ActiveMQ RCE via Jolokia API news 6 min read | Writeup detailing CVE-2026-34197, a remote code execution vulnerability in Apache ActiveMQ Classic. Exploitation leverages the Jolokia API to invoke `addNetworkConnector` with a crafted `vm://` URI, forcing the broker to fetch and execute a remote Spring XML configuration file. This technique, similar to CVE-2023-46604, allows arbitrary OS command execution. The vulnerability is unauthenticated on ActiveMQ versions 6.0.0–6.1.1 due to CVE-2024-32114. |
| 2026-04-22 2026 | Google Antigravity in Crosshairs of Security Researchers Cybercriminals news 2 min read | Writeup on Google Antigravity vulnerabilities, detailing a sandbox escape flaw allowing arbitrary code execution through insufficient input sanitization during file search operations, which bypasses Secure Mode and can be triggered via indirect prompt injection. Additionally, researchers discovered a fake website distributing a trojanized installer that deploys stealer malware, targeting browser data, cryptocurrency wallets, and employing techniques like clipboard hijacking, keystroke logging, and hidden desktop tradecraft. → securityweek.com |
| 2026-04-22 2026 | Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution Container Escape news 2 min read | Writeup of CVE-2026-5752, a critical sandbox escape vulnerability in Cohere AI's Terrarium, allowing root code execution via JavaScript prototype chain traversal within the Pyodide WebAssembly environment. This flaw enables attackers with local access to execute arbitrary system commands, access sensitive files like "/etc/passwd," reach other network services, and potentially escape containers. Since the open-source project is unmaintained, mitigations focus on disabling code submission, network segmentation, Web Application Firewall deployment, and rigorous container monitoring. → thehackernews.com |
| 2026-04-22 2026 | Fake SVG puts 750000 websites at risk: hackers can seize the web server news | Fake SVG puts 750,000 websites at risk: hackers can seize the web server https://ift.tt/BwtOzhU → cybernews.com |
| 2026-04-22 2026 | Adobe Acrobat Reader: Prototype pollution vulnerability enables remote code execution news 3 min read | Writeup of CVE‑2026‑34621, a prototype pollution vulnerability in Adobe Acrobat Reader's JavaScript engine, enabling remote code execution through malicious PDFs. Exploitation involves manipulating object prototypes to inject arbitrary properties, overriding security-critical internal functions. This flaw, affecting Acrobat DC and Reader DC, has been observed in spear-phishing campaigns by financially motivated actors. Adobe has released patches, and interim mitigations include disabling JavaScript and strengthening email security controls. |
| 2026-04-21 2026 | 22 BRIDGE:BREAK Flaws Expose 20000 Lantronix and Silex Serial-to-IP Converters news 2 min read | Writeup of BRIDGE:BREAK vulnerabilities affecting Lantronix and Silex serial-to-IP converters. Forescout Research Vedere Labs identified 22 flaws, including remote code execution (CVE-2026-32955, CVE-2025-67041), DoS (CVE-2015-5621), authentication bypass (CVE-2026-32960), and device takeover (FSCT-2025-0021), in devices like Lantronix EDS3000PS Series and Silex SD330-AC, potentially allowing attackers to hijack devices and tamper with data. → thehackernews.com |
| 2026-04-21 2026 | Google Fixes Critical RCE Flaw in AI-Based Antigravity Tool news | Google Fixes Critical RCE Flaw in AI-Based Antigravity Tool https://ift.tt/1QOIZsB → darkreading.com |
| 2026-04-21 2026 | Apache Syncope RCE Vulnerability Detailed After Public Exploit Code Release news 2 min read | Writeup detailing CVE-2025-57738, a high-severity RCE vulnerability in Apache Syncope affecting 2.x, 3.x prior to 3.0.14, and 4.x before 4.0.2. The flaw stems from unchecked Groovy code compilation via a bare GroovyClassLoader, allowing authenticated administrators to execute arbitrary JVM commands using `Runtime.exec()` or `ProcessBuilder`. This is compounded by CWE-653 and a lack of sandboxing. Patches in Syncope 3.0.14 and 4.0.2 implement a multi-layered Groovy sandbox using Jenkins' Script Security, including a SecureASTCustomizer and runtime blacklists. Previous Syncope RCEs include CVE-2023-26360 and CVE-2024-27348. → gbhackers.com |
| 2026-04-21 2026 | Actively exploited Apache ActiveMQ flaw impacts 6400 servers news 2 min read | Writeup on CVE-2026-34197, a code injection vulnerability in Apache ActiveMQ Classic, impacting over 6,400 exposed servers. Discovered by Horizon3 researcher Naveen Sunkavally, the flaw allows authenticated actors to execute arbitrary code due to improper input validation. It is patched in versions 6.2.3 and 5.19.4 and is being actively exploited; ActiveMQ has been a repeated target, and CISA is urging federal agencies to secure their systems. Exploitation indicators include suspicious broker connections using the VM transport and the `brokerConfig=xbean:http://` parameter. Previously exploited ActiveMQ flaws include CVE-2016-3088 and CVE-2023-46604. → bleepingcomputer.com |
| 2026-04-21 2026 | Tenable Research Uncovers Remote Code Execution Vulnerability in Microsoft GitHub Repository news 2 min read | Writeup of a critical RCE vulnerability in a Microsoft GitHub repository, discovered by Tenable Research. The flaw, exploitable via Python string injection in issue creation, allows attackers to exfiltrate GITHUB_TOKEN secrets, potentially enabling unauthorized modification of repository content and compromising the software supply chain. This highlights the attack surface presented by CI/CD infrastructure and emphasizes the need for strict security controls, permission reviews, and pipeline monitoring. |
| 2026-04-21 2026 | Hackers Could Weaponize GGUF Models to Achieve RCE on SGLang Inference Servers news 2 min read | Writeup of CVE-2026-5760 in SGLang, detailing how attackers can achieve Remote Code Execution (RCE) by weaponizing malicious GGUF model files. The vulnerability stems from Server-Side Template Injection (SSTI) in SGLang's reranking functionality, exploiting an insecure Jinja2 configuration to execute arbitrary Python code within the inference server. This flaw, similar to "Llama Drama" (CVE-2024-34359) and vLLM vulnerabilities, highlights supply chain risks in AI and emphasizes treating model files as untrusted input. → cyberpress.org |
| 2026-04-21 2026 | Tenable Research Uncovers Remote Code Execution Vulnerability in Microsoft GitHub Repository Exposing CI/CD Pipeline to Unauthorized Code Execution news 2 min read | Writeup detailing a Remote Code Execution (RCE) vulnerability in a Microsoft GitHub repository affecting CI/CD pipelines. The flaw, a Python string injection within GitHub Actions workflows, allowed attackers to exfiltrate GITHUB_TOKEN secrets by creating a malicious GitHub issue, leading to potential unauthorized code execution and supply chain compromises. Recommendations include implementing strict security controls, reviewing token permissions, and monitoring automated workflows. |
| 2026-04-21 2026 | Critical Anthropics MCP Vulnerability Enables Remote Code Execution Attacks news 2 min read | Analysis of critical Anthropic MCP vulnerability, impacting over 150 million downloads and potentially 200,000 servers, reveals architectural flaws enabling Arbitrary Command Execution (RCE). OX Security identified exploitation vectors including Unauthenticated UI Injection, Hardening Bypasses in Flowise, Zero-Click Prompt Injection in AI IDEs like Windsurf and Cursor, and Malicious Marketplace Distribution. Exploits were confirmed on LiteLLM, LangChain, and IBM’s LangFlow, resulting in multiple CVEs, with patched vulnerabilities like CVE-2026-30623 and CVE-2026-33224, while others remain unpatched in GPT Researcher, Agent Zero, and DocsGPT. → cybersecuritynews.com |
| 2026-04-21 2026 | Malicious GGUF Models Could Trigger Remote Code Execution on SGLang Servers news 2 min read | Vulnerability CVE-2026-5760 in SGLang allows remote code execution via maliciously crafted GGUF models. Threat actors can compromise inference servers by uploading a weaponized model to platforms like HuggingFace, which, when loaded by a victim, triggers Server-Side Template Injection through an insecure Jinja2 configuration. This allows arbitrary Python commands to execute on the host machine, similar to the Llama Drama bug (CVE-2024-34359) and sharing an attack surface with vLLM's DoS flaw (CVE-2025-61620). → gbhackers.com |
| 2026-04-21 2026 | SGLang Enables Remote Code Execution via Malicious GGUF Models news | SGLang Enables Remote Code Execution via Malicious GGUF Models https://ift.tt/IRetcHV → letsdatascience.com |
| 2026-04-20 2026 | Critical RCE vulnerability in protobuf.js; Exploit code published news | Writeup of GHSA-xq3m-2v4x-88gg, a critical RCE in protobuf.js affecting versions up to 8.0.0 and up to 7.5.4. Exploitation uses malicious schemas to inject arbitrary code through the library's unsafe dynamic code generation. Endor Labs recommends upgrading protobuf.js to the patched versions (8.0.1, 7.5.5), auditing dependencies, treating schema loading as untrusted input, and considering precompiled schemas to reduce the risk. → scworld.com |
| 2026-04-20 2026 | Google Chrome Multiple Vulnerabilities news 1 min read | Writeup detailing multiple vulnerabilities in Google Chrome, including CVE-2026-6296 through CVE-2026-6364. Exploitation of these weaknesses can lead to remote code execution, denial of service, information disclosure, and security restriction bypass. Affected versions are prior to 147.0.7727.101 on Linux, and prior to 147.0.7727.101/102 on Mac and Windows. Mitigation involves updating to the latest vendor-released versions. → hkcert.org |
| 2026-04-20 2026 | iTerm2 Flaw Abuses SSH Integration Escape Sequences to Turn Text Into Code Execution news 2 min read | Writeup of a vulnerability in iTerm2 that enables arbitrary code execution by abusing its SSH integration and terminal escape sequences. Attackers can embed malicious sequences in text files or server responses, impersonating the SSH conductor. When iTerm2 blindly trusts this output, it attempts to send commands back via the local pseudoterminal, which the local shell interprets as direct commands, potentially executing malicious executables at crafted `sshargs` file paths. The flaw, fixed in commit `a9e74599`, exploits trust assumptions in terminal emulators. → cyberpress.org |
| 2026-04-20 2026 | SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files news 2 min read Python | Vulnerability CVE-2026-5760, a critical RCE flaw in SGLang with a CVSS score of 9.8, stems from Jinja2 server-side template injection in GGUF model files loaded via the "/v1/rerank" endpoint. Attackers craft malicious GGUF files with SSTI payloads in the tokenizer.chat_template parameter, leading to arbitrary Python code execution on the SGLang server when the endpoint is accessed. This vulnerability is similar to CVE-2024-34359 and CVE-2025-61620, and mitigation involves using ImmutableSandboxedEnvironment for template rendering. → thehackernews.com |
| 2026-04-20 2026 | Vulnerability exploitation surges often precede disclosure offering possible early warnings news | Vulnerability exploitation surges often precede disclosure, offering possible early warnings https://ift.tt/UAnQyhJ → cybersecuritydive.com |
| 2026-04-20 2026 | 52M-Download protobuf.js Library Hit by RCE in Schema Handling news 2 min read | Writeup of an RCE in protobuf.js, a widely used JavaScript package in Google Cloud and Firebase, that allows attackers to execute arbitrary code by manipulating schema type names. The vulnerability, GHSA-xq3m-2v4x-88gg, exploits the `Type.generateConstructor` function's dynamic JavaScript generation, which treats type names as code. Versions 8.0.0 and earlier, and 7.5.4 and earlier, are affected. A simple regex replacement on type names mitigates the issue, and users should update to protobuf.js 8.0.1 or 7.5.5 immediately. → hackread.com |
| 2026-04-20 2026 | Critical Vulnerability In Flowise Allows Remote Command Execution Via MCP Adapters news 2 min read | Analysis of a critical architectural flaw in Anthropic's Model Context Protocol (MCP) reveals remote command execution vulnerabilities across numerous AI frameworks. This vulnerability, present in official MCP SDKs for Python, TypeScript, Java, and Rust, has resulted in at least ten CVEs impacting platforms like Flowise, LiteLLM, and LangChain. Attack vectors include unauthenticated UI injection, hardening bypasses in protected environments, and zero-click prompt injection, with researchers confirming exploitation on six production platforms and poisoning of MCP registries. Immediate actions include blocking public internet exposure of AI services, treating MCP input as untrusted, sandboxing services, and monitoring for unexpected outbound activity. → cybersecuritynews.com |
| 2026-04-20 2026 | Cisco ISE Vulnerabilities Enable Remote Code Execution news 3 min read | Vulnerabilities in Cisco Identity Services Engine (ISE) and Webex Services enable remote code execution and user impersonation. CVE-2026-20147, CVE-2026-20180, and CVE-2026-20186 affect Cisco ISE, allowing authenticated attackers to execute arbitrary commands and escalate privileges. CVE-2026-20184 impacts Webex Services SSO integration, enabling user impersonation. Patching is essential as no workarounds exist for these critical flaws impacting authentication, collaboration, and network access control systems. → thecyberexpress.com |
| 2026-04-19 2026 | CISA tells feds to patch 13-year-old Apache ActiveMQ bug under active attack news 2 min read | Reference for CVE-2026-34197, a critical remote code execution vulnerability in Apache ActiveMQ Classic. This 13-year-old flaw, now on CISA's Known Exploited Vulnerabilities catalog, allows authenticated attackers to run arbitrary OS commands via the Jolokia management API. The vulnerability is exacerbated by common default credentials and can be chained with CVE-2024-32114 on certain versions to enable unauthenticated exploitation. Patches are available in ActiveMQ versions 5.19.5 and 6.2.3. → theregister.com |
| 2026-04-19 2026 | CVE-2025-22457: Ivanti Connect Secure VPN Zero-Day RCE news | Writeup of CVE-2025-22457, a zero-day stack-based buffer overflow in Ivanti Connect Secure VPN exploited by UNC5221. This vulnerability allows unauthenticated remote code execution and has been used for data exfiltration and backdoor installation. Urgent patching to the latest fixed version is recommended to mitigate exploitation. → arcticwolf.com |
| 2026-04-19 2026 | Advisory: Actively Exploited Unauthenticated RCE in Ivanti Connect Secure (CVE-2025-0282) news 2 min read | Advisory for CVE-2025-0282, an unauthenticated RCE vulnerability in Ivanti Connect Secure and other Ivanti products, disclosed January 8, 2025, and actively exploited since mid-December 2024. This stack overflow allows arbitrary code execution. Exploitation tactics include lateral movement and SPAWN malware deployment, with links to previous Ivanti vulnerability campaigns. Ivanti's Integrity Checker Tool and Mandiant IoCs can identify compromise. |
| 2026-04-19 2026 | Command Injection in Jenkins via Git Parameter (CVE-2025-53652) intermediate 4 min read | Writeup of CVE-2025-53652 in Jenkins, detailing command injection via the Git Parameter plugin. Attackers can exploit unvalidated Git parameters to achieve remote code execution, leveraging Git's GTFObin capabilities to execute arbitrary commands like `sleep` or establish reverse shells. The vulnerability requires a valid session cookie, build name, and Jenkins crumb for exploitation, even in unauthenticated instances. Detection is possible through Suricata rules and analysis of Jenkins job logs. |
| 2026-04-19 2026 | 0xMarcio/cve: Latest CVEs with PoC Exploits intermediate | 0xMarcio/cve: Latest CVEs with PoC Exploits |
| 2026-04-19 2026 | Microsoft WSUS RCE (CVE-2025-59287) Actively Exploited news 6 min read | Analysis of CVE-2025-59287, a critical unauthenticated RCE in Microsoft WSUS, details its exploitation via unsafe deserialization through the GetCookie() or ReportingWebService endpoints. Observed attack chains involve PowerShell execution, network reconnaissance, and exfiltration to attacker-controlled webhooks. Affected systems include various Windows Server versions with the WSUS role enabled. Temporary mitigations include disabling the WSUS role or blocking ports 8530 and 8531. → unit42.paloaltonetworks.com |
| 2026-04-18 2026 | ShowDoc Vulnerability Patched in 2020 Now Used in Active Server Takeovers news 3 min read | Writeup detailing CVE-2025-0520, an unrestricted file upload vulnerability in ShowDoc, allowing remote code execution. Exploitable via uploading PHP web shells to servers lacking patches from October 2020 (version 2.8.7), this N-day vulnerability poses a significant risk for systems that remain unupdated, with over 2,000 exposed instances observed globally, primarily in China. → hackread.com |
| 2026-04-18 2026 | Critical flaw in Protobuf library enables JavaScript code execution news 2 min read | Library vulnerability GHSA-xq3m-2v4x-88gg, a critical RCE flaw in protobuf.js, arises from unsafe dynamic code generation. Attackers can inject arbitrary JavaScript code by supplying malicious schemas, leading to code execution on servers or developer machines. Endor Labs identified the issue, impacting versions 8.0.0/7.5.4 and lower, with patches available in 8.0.1 and 7.5.5. Mitigation involves upgrading, auditing dependencies, and treating schema loading as untrusted input. → bleepingcomputer.com |
| 2026-04-18 2026 | ShowDoc Vulnerability Patched in 2020 Now Used in Active Server Takeovers news 3 min read | Library detailing CVE-2025-0520, an unrestricted file upload vulnerability in ShowDoc, allowing remote code execution. Patched in ShowDoc 2.8.7 in October 2020, this N-day vulnerability is actively exploited by threat actors targeting global servers, especially those running outdated versions. Defense requires updating to ShowDoc 3.8.1 to prevent compromised infrastructure and further attacks. → hackread.com |
| 2026-04-18 2026 | Critical Cisco ISE Vulnerabilities Let Remote Attackers Execute Malicious Code news 2 min read | Advisory detailing two critical Cisco Identity Services Engine (ISE) vulnerabilities: CVE-2026-20147, a CVSS 9.9 RCE flaw allowing arbitrary command execution via crafted HTTP requests with administrative credentials, and CVE-2026-20148, a CVSS 4.9 path traversal vulnerability enabling sensitive file access. Both require administrative access, and Cisco advises immediate upgrades to patched versions, as no workarounds exist. → cybersecuritynews.com |
| 2026-04-17 2026 | Multiple attacks weaponizing critical Marimo RCE identified news | Library of techniques weaponizing Marimo RCE (CVE-2026-39987) against deployed applications. Threat actors exploit this critical vulnerability to deploy NKAbuse malware via Hugging Face, execute reverse shells, steal database and .env credentials, and achieve PostgreSQL and Redis server compromise for data enumeration and exfiltration. → scworld.com |
| 2026-04-17 2026 | Apache ActiveMQ RCE bug to CISA list of exploited vulnerabilities news 2 min read | Writeup detailing CVE-2026-34197, a 13-year-old Apache ActiveMQ RCE vulnerability added to CISA's KEV catalog. Discovered using the Claude AI assistant, this high-severity bug highlights how AI accelerates vulnerability research and weaponization of legacy code. The ActiveMQ flaw, exploitable with default or no credentials in some versions, requires disabling the Jolokia interface or immediate patching to mitigate risks posed by adversaries leveraging AI for rapid code auditing. → scworld.com |
| 2026-04-17 2026 | Marimo Exploits Enable Blockchain Backdoor Spread news | Marimo Exploits Enable Blockchain Backdoor Spread https://ift.tt/vhVgxEe → letsdatascience.com |
| 2026-04-17 2026 | CVE-2026-34197: Apache ActiveMQ Jolokia RCE Vulnerability news 6 min read | CVE-2026-34197 is an authenticated RCE vulnerability in Apache ActiveMQ Classic stemming from how the Jolokia JMX-HTTP bridge handles management operations. Exploitation involves an attacker invoking operations like `addNetworkConnector` with a crafted `brokerConfig` parameter, forcing the broker to load and execute a remote Spring XML configuration file, leading to code execution within the broker JVM. This long-standing behavior, present for nearly 13 years, can be exacerbated by CVE-2024-32114, making it unauthenticated RCE. → securityboulevard.com |
| 2026-04-17 2026 | PoC Exploit Released for FortiSandbox Vulnerability that Allows attacker to execute commands news 2 min read | Writeup detailing CVE-2026-39808, a critical Fortinet FortiSandbox vulnerability. This flaw allows unauthenticated remote command execution with root privileges by manipulating the `jid` GET parameter on the `/fortisandbox/job-detail/tracer-behavior` endpoint. A publicly released PoC exploit leverages this input validation issue to inject commands, exfiltrate output to the web root, and execute arbitrary system commands. Exploitable versions include FortiSandbox 4.4.0 through 4.4.8, with active exploitation anticipated due to the readily available exploit code. → cyberpress.org |
| 2026-04-17 2026 | Hugging Face Abused To Spread Blockchain-Based Backdoor In CVE-2026-39987 Attacks news 2 min read | Library for detecting and analyzing CVE-2026-39987 exploits, which target the Marimo Python notebook platform for remote code execution. Attackers leverage this vulnerability to deploy a variant of the NKAbuse malware, hosted on Hugging Face Spaces, to perform credential harvesting, lateral movement through database enumeration and Redis scanning, and DNS exfiltration. The malware utilizes the NKN blockchain for resilient command-and-control. → cyberpress.org |
| 2026-04-17 2026 | U.S. CISA adds a flaw in Apache ActiveMQ to its Known Exploited Vulnerabilities catalog news 1 min read | Writeup of CVE-2026-34197, a critical flaw in Apache ActiveMQ Classic impacting versions prior to 5.19.4 and 6.2.3. This vulnerability, caused by improper input validation and unsafe code execution, allows authenticated attackers to achieve remote code execution by exploiting the Jolokia JMX-HTTP bridge. The flaw leverages a crafted discovery URI to force the broker to load a malicious remote Spring XML configuration, enabling arbitrary code execution through bean factory methods like `Runtime.exec()`. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, mandating remediation for federal agencies. → securityaffairs.com |
| 2026-04-17 2026 | Microsoft and Adobe Patch Tuesday April 2026 Security Update Review news 9 min read | Analysis of April 2026 Patch Tuesday updates from Microsoft and Adobe reveals 163 vulnerabilities addressed by Microsoft, including eight critical-severity issues and two zero-days: an access-control flaw in Windows Defender and an input validation flaw in Microsoft Office SharePoint, both actively exploited. Adobe patched 56 vulnerabilities across various products, with 38 critical. Notable Microsoft issues include use-after-free flaws in Remote Desktop Client and Microsoft Office, and race conditions in Windows Active Directory and TCP/IP, enabling remote code execution or privilege escalation. |
| 2026-04-17 2026 | Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation news 2 min read | Writeup detailing CVE-2026-34197, a critical Apache ActiveMQ Classic vulnerability allowing code injection via the Jolokia API. This flaw, actively exploited and added to CISA's KEV catalog, has been present for 13 years and is exacerbated by CVE-2024-32114 on certain versions, enabling unauthenticated RCE. Horizon3.ai and SAFE Security highlight its exploitation targeting exposed management endpoints, with Fortinet noting dozens of attempts. Upgrading to versions 5.19.4 or 6.2.3 is recommended. → thehackernews.com |
| 2026-04-16 2026 | Empirical Study on RCE in ML Model Hosting Ecosystems advanced 56 min read | Survey of Remote Code Execution risks in ML model hosting ecosystems, analyzing custom code execution on platforms like Hugging Face and ModelScope. The study employs static analysis tools Bandit, CodeQL, and Semgrep, alongside YARA for pattern detection, to identify vulnerabilities. It also examines platform security mechanisms and developer discussions to understand perceptions, revealing widespread unsafe defaults and developer confusion about executing remote code. → arxiv.org |
| 2026-04-16 2026 | Method Confusion in Go SSTIs Lead to File Read and RCE advanced 3 min read | Library for researching Go Server-Side Template Injection (SSTI) vulnerabilities, focusing on method confusion within the `html/template` module. This library demonstrates how to achieve arbitrary file reads and Remote Code Execution (RCE) by leveraging exported methods of rendered objects, such as the `Secret` method for command execution or the `File` method from the `echo` framework for local file disclosure. → onsecurity.io |
| 2026-04-16 2026 | SmarterTools SmarterMail Pre-Auth RCE (CVE-2025-52691) news 10 min read | Writeup of CVE-2025-52691, a pre-authentication remote code execution vulnerability in SmarterTools SmarterMail. This analysis details how an unauthenticated file upload endpoint, which accepts a JSON-deserializable `contextData` parameter, allows an attacker to control a `guid` property. The patched build 9413 introduces GUID validation, suggesting its exploitation was previously possible by manipulating this field during upload processing, as detailed by Mr Chua Meng Han from CSIT. → labs.watchtowr.com |
| 2026-04-16 2026 | Dissecting and Exploiting CVE-2025-62507: RCE in Redis intermediate 12 min read | Writeup of CVE-2025-62507, a stack buffer overflow in Redis's XACKDEL command, details how an attacker can trigger this vulnerability by providing an excessive number of stream IDs. This overflow allows for overwriting the return address on the stack, potentially leading to remote code execution, especially in unauthenticated Redis instances. The analysis demonstrates exploiting this flaw by crashing the server with carefully crafted commands, revealing the path to weaponized exploits. → jfrog.com |
| 2026-04-16 2026 | Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120) intermediate 12 min read | Writeup detailing CVE-2025-23120, a domain-level RCE in Veeam Backup & Replication. This vulnerability arises from a flawed blacklist-based deserialization mechanism, allowing domain users to achieve SYSTEM privileges on the Veeam server. The attack leverages the .NET Remoting Channel and a specific class, `Veeam.Backup.Model.CDbCryptoKeyInfo`, which ultimately leads to inner deserialization with a blacklist. This writeup follows previous research on CVE-2024-40711, also in Veeam, highlighting the persistent issues with blacklist-based security. → labs.watchtowr.com |
| 2026-04-16 2026 | Exploitation Walkthrough - Ivanti Connect Secure RCE (CVE-2025-0282) intermediate 12 min read | Walkthrough of CVE-2025-0282 in Ivanti Connect Secure, detailing a stack-based buffer overflow in the `ift_handle_1` function. Exploitation involves crafting a malicious `clientCapabilities` block exceeding 256 bytes to trigger an out-of-bounds write. While direct return address overwriting is complicated by a preceding `free()` call on `object_to_be_freed`, an alternative exploitation path leverages a virtual function call at offset 0x48 within `a1`. → labs.watchtowr.com |
| 2026-04-16 2026 | React2Shell Deep Dive: CVE-2025-55182 Exploit Mechanics advanced 10 min read | Library detailing CVE-2025-55182, dubbed "React2Shell," a critical RCE vulnerability in React Server Components. This library breaks down the exploit mechanics, including improper input deserialization and gadget chains, and analyzes in-the-wild attacks observed by Wiz. These attacks range from opportunistic cryptomining and credential harvesting to sophisticated cloud backdoors leveraging Node.js for fileless persistence and Sliver implants for long-term access. The vulnerability has broader implications beyond Next.js, affecting frameworks like Waku and Vite with RSC plugins. → wiz.io |
| 2026-04-16 2026 | Remote Code Execution in Ghost CMS (CVE-2026-29053) intermediate 8 min read | Writeup on CVE-2026-29053, a remote code execution vulnerability in Ghost CMS versions 0.7.2 through 6.19.0. The flaw arises from unsafe expression evaluation within the theming system, where specially crafted themes can exploit a dependency chain involving the `jsonpath` and `static-eval` libraries. Exploitation requires an administrator to upload and activate a malicious theme, leading to arbitrary JavaScript execution on the server during page rendering, potentially impacting supply-chain trust and admin-targeted deception. |
| 2026-04-16 2026 | Ni8mare: Unauthenticated Remote Code Execution in n8n (CVE-2026-21858) intermediate 22 min read | Writeup of CVE-2026-21858, an unauthenticated remote code execution vulnerability in n8n discovered due to a Content-Type confusion bug. Attackers can exploit this flaw by crafting a malicious request that manipulates the `req.body.files` object, allowing them to read arbitrary local files and achieve full takeover of n8n instances. This issue impacts over 100,000 servers globally and has a CVSS score of 10.0. Users should upgrade to n8n version 1.121.0 or later for remediation. |
| 2026-04-16 2026 | Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face news 2 min read | Writeup detailing the exploitation of Marimo CVE-2026-39987, which allows remote code execution and deployment of NKAbuse malware. Attackers leverage Hugging Face Spaces, posing as legitimate AI tools, to host dropper scripts and malware binaries. The payload, a variant of NKAbuse, functions as a remote access trojan with capabilities for shell command execution and data exfiltration, including credential theft from environment variables and Redis servers. Exploitation has increased in volume and tactics, with affected users urged to upgrade Marimo to version 0.23.0 or later, or block external access to the `/terminal/ws` endpoint. → bleepingcomputer.com |
| 2026-04-16 2026 | Windows Active Directory Vulnerability Allows Attackers to Execute Malicious Code news 2 min read | Vulnerability CVE-2026-33826 in Windows Active Directory allows remote code execution by attackers with adjacent network access. This critical flaw, stemming from improper input validation (CWE-20) in RPC processing, enables threat actors to compromise core identity servers with low complexity and no user interaction. Microsoft urges immediate application of cumulative updates and monthly rollups for affected Windows Server versions, including specific KB numbers for 2012 R2, 2016, 2019, 2022, and 2025. → cybersecuritynews.com |
| 2026-04-16 2026 | Windows IKE Service Extensions Vulnerability Enables Remote Code Execution (CVE-2026-33824) news 3 min read | Writeup of CVE-2026-33824, a critical remote code execution vulnerability in Windows IKE Service Extensions. This memory management error, a double free condition, allows unauthenticated network-based exploitation via UDP ports 500 and 4500. Affecting multiple Windows versions, it enables attackers to gain system control, particularly impacting VPN infrastructure and exposing internal networks. Microsoft released updates in April 2026 to address this issue. → securityboulevard.com |
| 2026-04-16 2026 | ThreatsDay Bulletin: 17-Year-Old Excel RCE, Defender 0-Day, SonicWall Brute-Force and 15 More Stories news 12 min read | Library of recent application security vulnerabilities, including a 17-year-old Microsoft Office Excel RCE (CVE-2009-0238), a new Microsoft Defender privilege escalation zero-day (RedSun) and DoS exploit (UnDefend), a targeted cryptocurrency wallet breach via AI social engineering against Zerion, and a fake Ledger app on the Apple App Store that stole $9.5 million. It also covers a new ransomware strain (JanaWare) targeting Turkey, the uncovering of stealthy C2 frameworks (ObsidianStrike, ArchangelC2), and updates to Raspberry Pi OS disabling passwordless sudo by default. → thehackernews.com |
| 2026-04-16 2026 | Splunk Enterprise Update Patches Code Execution Vulnerability news 1 min read | Update for Splunk Enterprise addresses CVE-2026-20204, a high-severity flaw allowing low-privileged users to achieve remote code execution via temporary file handling issues. It also patches medium-severity vulnerabilities in Splunk Enterprise and Cloud Platform related to username formatting and Data Model Acceleration control. Additionally, CVE-2026-20205 in MCP Server, a high-severity vulnerability allowing authenticated attackers to view clear-text user sessions and tokens, is fixed in MCP Server app version 1.0.3. Patches for third-party packages across various Splunk products are also included. → securityweek.com |
| 2026-04-16 2026 | Splunk Enterprise and Cloud Platform Vulnerability Enables Remote Code Execution Attacks news 2 min read | Vulnerability CVE-2026-20204 is a critical flaw in Splunk Enterprise and Cloud platforms, enabling Remote Code Execution (RCE) for attackers with low-privileged access. Exploitation involves uploading a malicious file to a specific temporary directory, triggering unauthorized code execution. The issue, categorized under CWE-377, affects various versions of Splunk Enterprise and Cloud Platform, with affected Splunk Enterprise versions including 10.2 before 10.2.1, 10.0 before 10.0.5, 9.4.0-9.4.9, and 9.3 up to 9.3.10. Mitigation strategies include upgrading to patched versions, disabling the Splunk Web component, or modifying web configurations. → cybersecuritynews.com |
| 2026-04-16 2026 | Weekly Vulnerability Report: Azure AI, Spring AI, Fortinet Bugs news 3 min read | Report detailing 1,431 vulnerabilities this week, including 270+ with public PoCs and 3 on underground forums. Highlights include CVE-2026-32213 in Azure AI Foundry, CVE-2026-35022 in Claude Code CLI, CVE-2026-22738 in Spring AI, CVE-2026-4631 in Cockpit, and CVE-2026-35616 in Fortinet FortiClient EMS. Also covers ICS vulnerabilities from Siemens, Hitachi Energy, and Yokogawa. |
| 2026-04-16 2026 | Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution news 2 min read | Writeup detailing Cisco's patching of four critical vulnerabilities in Identity Services and Webex Services. CVE-2026-20184, a critical improper certificate validation flaw in Webex SSO, allows unauthenticated user impersonation. CVE-2026-20147, CVE-2026-20180, and CVE-2026-20186 are insufficient input validation flaws in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), enabling authenticated remote code execution and arbitrary command execution with administrative or read-only credentials respectively. → thehackernews.com |
| 2026-04-16 2026 | Splunk Enterprise and Cloud Platform Exposed to Dangerous RCE Vulnerability news 2 min read | Library for patching Splunk Enterprise and Cloud Platform against CVE-2026-20204, a Remote Code Execution vulnerability stemming from improper temporary file handling (CWE-377). Discovered by Gabriel Nitu, this flaw allows low-privileged users to execute arbitrary code by uploading malicious files to the `SPLUNK_HOME/var/run/splunk/apptemp` directory, potentially leading to server takeover. Affected versions include Splunk Enterprise 10.2.0, 10.0.0-10.0.4, 9.4.0-9.4.9, and 9.3.0-9.3.10, and specific Splunk Cloud Platform builds. Immediate updates to patched versions or disabling the Splunk Web component are recommended mitigations. → gbhackers.com |
| 2026-04-16 2026 | Critical Cisco ISE Vulnerabilities Let Remote Attackers Execute Malicious Code news 2 min read | Advisory on CVE-2026-20147 and CVE-2026-20148, critical vulnerabilities in Cisco Identity Services Engine (ISE) and ISE-PIC. CVE-2026-20147, a critical RCE flaw with CVSS 9.9, allows authenticated attackers to execute arbitrary commands and gain root privileges via improper HTTP request input validation. CVE-2026-20148, a medium path traversal flaw (CVSS 4.9), permits authenticated attackers to read sensitive system files. Exploitation impacts network access policy enforcement and authentication. Cisco urges immediate software updates for affected versions. → cyberpress.org |
| 2026-04-16 2026 | Critical Chrome Vulnerabilities Let Attackers Execute Arbitrary Code news 2 min read | Advisory about 31 Chrome vulnerabilities, including five critical ones, patched in version 147.0.7727.101/102. These flaws, primarily memory safety bugs like use-after-free and heap buffer overflows in components such as ANGLE (CVE-2026-6296, $90,000 bounty) and Proxy (CVE-2026-6297, $10,000 bounty), allow arbitrary code execution via crafted HTML. Users should update immediately. → cyberpress.org |
| 2026-04-15 2026 | Windows Active Directory Flaw Opens Door to Malicious Code Execution news 2 min read | Vulnerability CVE-2026-33826, impacting Windows Active Directory and discovered by Aniq Fakhrul, allows authenticated attackers to execute remote code over an adjacent network. This critical flaw, stemming from improper input validation (CWE-20) and exploitable via crafted RPC calls with low complexity, affects numerous Windows Server versions. Microsoft has released security updates as of April 2026 to address this high-impact vulnerability, urging immediate deployment and traffic monitoring. → gbhackers.com |
| 2026-04-15 2026 | Adobe Acrobat Reader vulnerability, trapped PDFs and prepress workflow security news 1 min read | Writeup of CVE-2026-34621, a vulnerability in Adobe Acrobat Reader exploiting internal APIs like `util.readFileIntoStream` and `RSS.addFeed` to achieve remote code execution and sandbox bypass. This flaw allowed attackers to exfiltrate local files and gain elevated privileges on prepress workstations, posing a significant risk to production data and connected systems. The vulnerability remained unpatched for months, highlighting workflow security challenges in the graphic arts industry. |
| 2026-04-15 2026 | Microsoft fixes 167 security flaws in April, second biggest Patch Tuesday ever news 3 min read | Analysis of Microsoft's April Patch Tuesday, the second-largest security update ever, reveals fixes for 167 vulnerabilities across Windows, Office, and cloud services. Eight critical flaws include actively exploited zero-days in SharePoint Server (CVE-2026-32201) and Office, with some Office RCE vulnerabilities (e.g., CVE-2026-33114) exploitable via preview panes. Other critical issues affect the TCP/IP stack (CVE-2026-33827), Internet Key Exchange (CVE-2026-33824), Remote Desktop Client (CVE-2026-32157), Active Directory (CVE-2026-33826), and .NET Framework DoS (CVE-2026-23666). Additionally, an Elevation of Privilege vulnerability in Defender (CVE-2026-33825) was known pre-patch. |
| 2026-04-15 2026 | Microsoft Patch Tuesday for April 2026 fixed actively exploited SharePoint zero-day news 1 min read | Writeup of Microsoft's April 2026 Patch Tuesday, which fixed 165 vulnerabilities, including an actively exploited SharePoint zero-day, CVE-2026-32201. This critical spoofing vulnerability, likely an XSS flaw, allowed attackers to view or modify sensitive information. Security experts urge rapid patching, noting the release's large size and potential impact on organizations with internet-facing SharePoint servers. → securityaffairs.com |
| 2026-04-15 2026 | April Patch Tuesday Fixes Critical Flaws Across SAP, Adobe, Microsoft, Fortinet and More news 3 min read | Reference detailing critical vulnerabilities patched in April's Patch Tuesday, including an SQL injection in SAP Business Planning and Consolidation (CVE-2026-27681), a remotely exploitable code execution in Adobe Acrobat Reader (CVE-2026-34621), and path traversal flaws in FortiSandbox (CVE-2026-39813, CVE-2026-39808). It also mentions a spoofing vulnerability in Microsoft SharePoint Server (CVE-2026-32201) and numerous other patches from vendors like ABB, AWS, Apple, Cisco, and Linux distributions. → thehackernews.com |
| 2026-04-15 2026 | Critical nginx-ui Vulnerability CVE-2026-33032 Allows Unauthenticated Nginx Takeover news 3 min read | Writeup of CVE-2026-33032, an authentication bypass vulnerability in nginx-ui. This flaw, codenamed MCPwn, allows unauthenticated attackers to seize control of Nginx services by exploiting the /mcp_message endpoint, which bypasses authentication while only enforcing IP whitelisting. Attackers can gain session IDs by leveraging a separate vulnerability (CVE-2026-27944) to decrypt backups and extract sensitive data, including "node_secret" credentials. Exploitation can lead to restarting Nginx, modifying configuration files, and intercepting traffic. The vulnerability is patched in nginx-ui version 2.3.4. → thehackernews.com |
| 2026-04-15 2026 | Microsoft Patch Tuesday: April 2026 news | Microsoft Patch Tuesday: April 2026 https://ift.tt/qU7sl6p → arcticwolf.com |
| 2026-04-15 2026 | Zero Day Initiative The April 2026 Security Update Review news 9 min read | Reference detailing April 2026 security updates from Adobe and Microsoft, covering 61 CVEs in Adobe products like Acrobat Reader and ColdFusion, and 163 CVEs in Microsoft products including Windows, Office, and Azure. Highlights actively exploited vulnerabilities such as CVE-2026-32201 (SharePoint Server Spoofing), CVE-2026-33825 (Microsoft Defender Elevation of Privilege), CVE-2026-33827 (Windows TCP/IP RCE), and CVE-2026-33824 (Windows IKE Service RCE). Also notes critical vulnerabilities in Office, .NET, SQL Server, and Hyper-V, alongside numerous Elevation of Privilege and sandbox escape bugs. |
| 2026-04-15 2026 | Windows Active Directory Vulnerability Allows Attackers to Execute Malicious Code news 2 min read | Writeup detailing CVE-2026-33826, a critical Windows Active Directory vulnerability allowing authenticated attackers to remotely execute malicious code. This flaw, stemming from improper input validation (CWE-20), offers low complexity exploitation via crafted RPC calls within adjacent networks, granting system-level execution. Microsoft has released patches, including KB5082063 and KB50820142, and recommends monitoring RPC traffic and auditing access logs for remediation. → cyberpress.org |
| 2026-04-15 2026 | Microsoft April 2026 Patch Tuesday Fixes 167 Flaws, 2 Zero-Days news 6 min read | Library of Microsoft's April 2026 Patch Tuesday fixes details 167 vulnerabilities, including an actively exploited SharePoint zero-day (CVE-2026-32201) and a Defender privilege escalation zero-day (CVE-2026-33825) found using the Diffract fuzzing tool. This release also addresses remote code execution bugs in Office, particularly those exploitable via document preview, and high-severity flaws in products like Remote Desktop Client. |
| 2026-04-15 2026 | Fortinet Patches Critical FortiSandbox Vulnerabilities news 1 min read | Library advisories detail critical vulnerabilities patched by Fortinet, including CVE-2026-39813 for FortiSandbox JRPC API authentication bypass and CVE-2026-39808 for FortiSandbox OS command injection, both exploitable via HTTP requests without authentication. Additionally, CVE-2026-22828, a high-severity buffer overflow in FortiAnalyzer Cloud, was patched, alongside SQL injection bugs in FortiDDoS-F and FortiClientEMS, and various medium- and low-severity issues across other Fortinet products. → securityweek.com |
| 2026-04-15 2026 | Microsoft Issues Patches for SharePoint Zero-Day and 168 Other Vulnerabilities news 4 min read | Library of Microsoft patches addressing 169 vulnerabilities, including zero-day CVE-2026-32201 impacting SharePoint Server, a privilege escalation flaw in Microsoft Defender (CVE-2026-33825) known as BlueHammer, and a critical remote code execution vulnerability in Windows Internet Key Exchange (CVE-2026-33824). The release also included CVEs impacting AMD, Node.js, Windows Secure Boot, and Git for Windows. → thehackernews.com |
| 2026-04-15 2026 | Microsoft Patch Tuesday April 2026 Fixes 167 Bugs news 3 min read | Updates detail Microsoft's April 2026 Patch Tuesday, addressing 167 vulnerabilities. This includes two zero-days: an actively exploited SharePoint Server spoofing flaw and CVE-2026-33825 in Microsoft Defender, allowing SYSTEM-level privilege escalation. Critical fixes address RCE and DoS issues in .NET Framework (CVE-2026-23666), Remote Desktop Client (CVE-2026-32157), Microsoft Office (e.g., CVE-2026-32190), Windows IKE extension (CVE-2026-33824), Active Directory (CVE-2026-33826), and Windows TCP/IP (CVE-2026-33827). → thecyberexpress.com |
| 2026-04-15 2026 | Adobe Acrobat flaw enables remote execution via malicious PDFs news 1 min read | Writeup of CVE-2026-34621, a zero-day vulnerability in Adobe Acrobat and Acrobat Reader that enabled remote code execution through malicious PDFs. Actively exploited for months, the flaw allowed attackers to compromise systems, steal data, and prepare further attacks. Discovered by Haifei Li, the vulnerability affected the handling of internal program objects. Adobe released an emergency update, and users are urged to patch immediately and exercise caution with untrusted PDFs. |
| 2026-04-15 2026 | Adobe Acrobat Remote Code Execution Vulnerability news | Writeup detailing CVE-2026-34621, a high-risk Adobe Acrobat remote code execution vulnerability. Exploitation requires user interaction, typically by opening a malicious file, and leads to arbitrary code execution via Prototype Pollution. Affected versions include Acrobat DC, Acrobat Reader DC, and Acrobat 2024, with patches available for update. → hkcert.org |
| 2026-04-15 2026 | Critical ShowDoc RCE Vulnerability Actively Exploited in the Wild news 2 min read | Vulnerability CNVD-2020-26585 is a critical remote code execution flaw in ShowDoc versions prior to 2.8.7. Threat actors actively exploit this by uploading malicious PHP files via the image upload API endpoint (/index.php?s=/home/page/uploadImg). Exploitation involves crafting a POST request with a manipulated filename and embedding an execution command, granting attackers arbitrary code execution on vulnerable servers. Mitigation requires upgrading to ShowDoc 2.8.7+, reviewing logs for suspicious uploads, restricting server access, and configuring WAFs to block malformed requests. → cybersecuritynews.com |
| 2026-04-14 2026 | ShowDoc vulnerability actively exploited news | Library for detecting CVE-2025-0520, an unrestricted file upload vulnerability in ShowDoc versions prior to 2.8.7. This critical flaw, with a CVSS score of 9.4, allows attackers to achieve remote code execution by uploading web shells due to improper file extension validation. Active exploitation in the wild, targeting a U.S.-based honeypot, highlights the ongoing risk posed by this N-day vulnerability. → scworld.com |
| 2026-04-14 2026 | Microsoft Patch Tuesday April 2026 168 Vulnerabilities Fixed Including Actively Exploited 0-day news | Microsoft Patch Tuesday April 2026 – 168 Vulnerabilities Fixed, Including Actively Exploited 0-day https://ift.tt/TbdJPtY → cybersecuritynews.com |
| 2026-04-14 2026 | Microsoft Patch Tuesday for April 2026 - Snort Rule and Prominent Vulnerabilities news 4 min read | Snort rules detect exploitation attempts for Microsoft's April 2026 Patch Tuesday, which includes 165 vulnerabilities. Critical issues addressed by the rules include CVE-2026-23666 (.NET DoS), CVE-2026-33824 (Windows IKE RCE), CVE-2026-33826 (Active Directory RCE), and CVE-2026-33827 (Windows TCP/IP RCE). The update also covers several "more likely" to be exploited important vulnerabilities, such as CVE-2026-0390 (UEFI Secure Boot bypass) and CVE-2026-32201 (SharePoint spoofing). → blog.talosintelligence.com |
| 2026-04-14 2026 | Microsoft's April 2026 Patch Tuesday Addresses 163 CVEs (CVE-2026-32201) news 5 min read | Reference of Microsoft's April 2026 Patch Tuesday, addressing 163 CVEs including critical vulnerabilities like CVE-2026-33824 in Windows IKE Service Extensions and CVE-2026-33826 in Windows Active Directory. This release also features patches for zero-day exploits, such as CVE-2026-32201 affecting Microsoft SharePoint Server and the publicly disclosed BlueHammer exploit targeting Microsoft Defender (CVE-2026-33825). Elevation of privilege vulnerabilities constitute the largest portion of this update, followed by information disclosure and remote code execution flaws. → securityboulevard.com |
| 2026-04-14 2026 | Microsoft April 2026 Patch Tuesday Fixes 160 Vulnerabilities Including 2 Zero-Day Flaws news | Microsoft April 2026 Patch Tuesday Fixes 160+ Vulnerabilities, Including 2 Zero-Day Flaws https://ift.tt/YKfCdMi |
| 2026-04-14 2026 | Microsoft April 2026 Patch Tuesday fixes 167 flaws 2 zero-days news | Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days https://ift.tt/nLAl5mZ → bleepingcomputer.com |
| 2026-04-14 2026 | Critical FortiSandbox Vulnerabilities Allow Attackers to Execute Unauthorized Commands news 2 min read | Writeup on two critical FortiSandbox vulnerabilities, CVE-2026-39808 and CVE-2026-39813, both scoring 9.1 CVSSv3. CVE-2026-39808, an OS Command Injection flaw (CWE-78) in the API component, allows unauthenticated remote attackers to execute arbitrary commands. CVE-2026-39813, a Path Traversal vulnerability (CWE-24) in the JRPC API, enables unauthenticated attackers to bypass authentication and escalate privileges. Exploitation requires no prior authentication and has a low attack complexity. Affected FortiSandbox versions require immediate patching. → cybersecuritynews.com |
| 2026-04-14 2026 | Adobe patched zero day in Acrobat that allowed remote code execution news 2 min read | Writeup detailing CVE-2026-34621, an Adobe Acrobat zero-day vulnerability patched by Adobe. This flaw allowed for remote code execution, enabling malware installation on Windows and macOS through maliciously crafted PDF files. The vulnerability, exploited in the wild for at least four months, could grant attackers full control over a victim's system and facilitate data theft across Acrobat DC, Reader DC, and Acrobat 2024. |
| 2026-04-14 2026 | Critical ShowDoc RCE Vulnerability Actively Exploited in the Wild news 2 min read | Writeup of CNVD-2020-26585, a critical unauthenticated remote code execution vulnerability in ShowDoc versions prior to 2.8.7. Attackers can exploit an unrestricted file upload mechanism by sending crafted POST requests to the `/index.php?s=/home/page/uploadImg` path, uploading arbitrary files disguised as test.<>php to bypass filters. Successful exploitation allows arbitrary command execution, data exfiltration, lateral movement, and further malware deployment, with proof-of-concept exploits demonstrating successful code execution. → cyberpress.org |
| 2026-04-14 2026 | Hackers Exploit Critical ShowDoc RCE Flaw in Ongoing Attacks news 2 min read | Writeup on CNVD-2020-26585, a critical remote code execution vulnerability in ShowDoc versions prior to 2.8.7. Attackers exploit an unrestricted file upload mechanism, disguised as image uploads to the `/index.php?s=/home/page/uploadImg` endpoint, to upload webshells bypassing weak extension checks like `test.<>php`. This allows unauthenticated control, enabling data theft and lateral movement. Mitigation involves upgrading ShowDoc, restricting access, deploying WAFs, and monitoring logs. → gbhackers.com |
| 2026-04-14 2026 | Kali Forms Vulnerability Enables Remote Code Execution RCE news 3 min read | Writeup of Kali Forms RCE vulnerability in a popular WordPress plugin, allowing unauthenticated attackers to execute arbitrary PHP code via manipulated form submission data. Exploiting a flaw in the `prepare_post_data()` and `_save_data()` functions, attackers can overwrite internal placeholders used in `call_user_func()` to achieve remote code execution, with observed attacks including authentication bypass using `wp_set_auth_cookie`. The vulnerability, fixed in version 2.4.10, saw immediate exploitation following public disclosure. → thecyberexpress.com |
| 2026-04-14 2026 | ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers news 1 min read | Writeup of CVE-2025-0520, a critical ShowDoc RCE flaw with CVSS 9.4, actively exploited due to unrestricted file upload via improper extension validation. Attackers can upload PHP web shells to execute arbitrary code on unpatched servers running versions before 2.8.7, demonstrating the exploitation of N-day vulnerabilities. → thehackernews.com |
| 2026-04-14 2026 | CISA Adds 6 Known Exploited Flaws in Fortinet Microsoft and Adobe Software news 1 min read | Survey of CISA's Known Exploited Vulnerabilities (KEV) catalog, detailing six critical flaws actively exploited in the wild. This includes an SQL injection in Fortinet FortiClient EMS (CVE-2026-21643), use-after-free in Adobe Acrobat Reader (CVE-2020-9715), privilege escalation via Windows CLFS driver (CVE-2023-36424), deserialization vulnerability in Microsoft Exchange Server (CVE-2023-21529), local privilege elevation in Host Process for Windows Tasks (CVE-2025-60710), and insecure library loading in Microsoft VBA (CVE-2012-1854). → thehackernews.com |
| 2026-04-14 2026 | Cisco warns of critical IMC vulnerabilities ironically the server manager itself has become a point of entry news 2 min read | Advisories detail critical Cisco IMC vulnerabilities including CVE-2026-20093, an authentication bypass allowing remote admin access, and CVE-2026-20094 through CVE-2026-20097, enabling command injection and RCE with root privileges, even for read-only users. These issues highlight the risk of neglecting "internal" management interfaces like IMC, BMC, iLO, and iDRAC, which can serve as prime entry points into data center environments. |
| 2026-04-13 2026 | Seven IBM WebSphere Liberty flaws can be chained into full takeover news 2 min read | Writeup on seven IBM WebSphere Liberty flaws, including CVE-2026-1561 for pre-authentication RCE via SAML Web SSO, CVE-2025-14915 for privilege escalation via AdminCenter, and others related to hardcoded keys and insecure archive extraction, that can be chained for full server compromise and remote code execution. → csoonline.com |
| 2026-04-13 2026 | Marimo vulnerability exploited within hours of disclosure news | Library entry on CVE-2026-39987, a critical RCE in Marimo versions prior to 0.23.0, which was exploited within hours of its disclosure. Attackers gained a PTY shell and executed arbitrary commands by exploiting missing authentication on the terminal WebSocket endpoint, demonstrating rapid weaponization of internet-facing vulnerabilities. → scworld.com |
| 2026-04-13 2026 | Marimo RCE Vulnerability Exploited Within 10 Hours of Disclosure news 2 min read | Writeup of CVE-2026-39987, a pre-authentication RCE vulnerability in Marimo affecting versions up to 0.20.4, which was weaponized within 10 hours of disclosure. The flaw in the `/terminal/ws` WebSocket endpoint allows unauthenticated attackers to gain an interactive shell, leading to the exfiltration of cloud credentials like AWS access keys from `.env` files. Sysdig Threat Research Team observed exploitation originating from IP 49.207.56[.]74, highlighting the rapid targeting of niche software. → cybersecuritynews.com |
| 2026-04-13 2026 | Critical Axios Vulnerability Allows Remote Code Execution news 2 min read | Library entry on CVE-2026-40175, which allows remote code execution by exploiting prototype pollution in header processing. Versions before 1.15.0 are vulnerable, enabling attackers to smuggle requests, bypass AWS IMDSv2, steal IAM credentials, and achieve cloud account takeover through unsanitized header values and problematic third-party dependencies. → cybersecuritynews.com |
| 2026-04-13 2026 | Critical Axios Vulnerability Enables Remote Code Execution PoC Released news 2 min read | Library entry on CVE-2026-40175, a critical Axios vulnerability (CVSS 9.9) that allows RCE by bypassing AWS IMDSv2. This flaw stems from unrestricted cloud metadata exfiltration via header injection, involving a "Gadget" chain that exploits polluted `Object.prototype` and header sanitization weaknesses. Versions prior to 1.13.2 are affected; updating to 1.15.0 or later mitigates the risk of request smuggling and credential exfiltration. → gbhackers.com |
| 2026-04-13 2026 | Juniper Junos OS Multiple Vulnerabilities news 1 min read | Bulletin detailing multiple vulnerabilities in Juniper Junos OS and Junos OS Evolved. These issues, including CVE-2022-24805, CVE-2025-13914, CVE-2025-30650, and numerous others listed in the 2026-04 Security Bulletin, can lead to spoofing, data manipulation, remote code execution, denial of service, information disclosure, privilege elevation, and security restriction bypass. Remediation requires consulting Juniper's vendor website. → hkcert.org |
| 2026-04-13 2026 | Critical Axios Vulnerability Allows Remote Code Execution news 2 min read | Library entry on CVE-2026-40175 in Axios, versions prior to 1.13.2, which allows for Remote Code Execution and infrastructure compromise. This flaw stems from unrestricted header handling and lack of input sanitization (CWE-113) within `lib/adapters/http.js`. Exploitation requires JavaScript prototype pollution, often in conjunction with SSRF (CWE-918) and HTTP Request Smuggling (CWE-444), to bypass AWS IMDSv2 protections, exfiltrate credentials, and gain full cloud environment control. Upgrading to Axios 1.15.0 or later is essential. → cyberpress.org |
| 2026-04-13 2026 | Marimo RCE Vulnerability Exploited Within 10 Hours of Public Disclosure news 2 min read | Writeup detailing the rapid exploitation of Marimo's RCE vulnerability (CVE-2026-39987, CVSS 9.3) occurring less than 10 hours after public disclosure. This critical flaw in the Python notebook platform allows unauthenticated attackers to gain a full interactive shell via the /terminal/ws endpoint in versions prior to 0.20.4. Attackers were observed exfiltrating sensitive data like AWS credentials by simply establishing a WebSocket connection, demonstrating the increasing speed of weaponized exploits, potentially accelerated by AI automation, without needing public proof-of-concept code. → cyberpress.org |
| 2026-04-13 2026 | Marimo RCE Vulnerability Exploited Within 10 Hours of Public Disclosure news 2 min read | Writeup of Marimo RCE vulnerability (GHSA-2679-6mx9-h9xc, CVE-2026-39987), actively exploited within 10 hours of disclosure. The critical flaw in Marimo versions 0.20.4 and earlier, affecting the `/terminal/ws` endpoint, allows unauthenticated attackers to gain a full interactive shell with the Marimo process's privileges. Attackers quickly weaponized technical details to extract sensitive AWS credentials from exposed `.env` files. Administrators must upgrade Marimo to version 0.23.0 and review logs for unauthorized terminal connections. → gbhackers.com |
| 2026-04-13 2026 | Marimo RCE Flaw Exploited Within Hours of Disclosure news 3 min read | Tool for detecting and mitigating the Marimo RCE vulnerability (CVE-2026-39987), which allows pre-authentication remote code execution via an unauthenticated WebSocket endpoint. Exploitation observed within 10 hours of disclosure, targeting sensitive credentials and infrastructure. Mitigation strategies include patching, access control, credential rotation, least privilege, and enhanced monitoring. → esecurityplanet.com |
| 2026-04-13 2026 | Microsoft Edge Multiple Vulnerabilities news 2 min read | Bulletin detailing multiple vulnerabilities in Microsoft Edge, including CVE-2026-5281 which is actively exploited. Exploitation can lead to remote code execution, denial of service, security restriction bypass, data manipulation, sensitive information disclosure, and spoofing. Affected versions are prior to 147.0.3912.60. Updating to version 147.0.3912.60 or later is recommended. → hkcert.org |
| 2026-04-12 2026 | Google Chrome 147 Security Update: Patches 60 Vulnerabilities Including Critical WebML Remote Code Execution F news 5 min read | Analysis of Google Chrome 147, which patched 60 vulnerabilities including critical heap buffer overflow (CVE-2026-5858) and integer overflow (CVE-2026-5859) flaws in the WebML component. These vulnerabilities, awarded $86,000 in bug bounties, enable remote code execution via crafted web pages. The advisory details technical aspects, exploitation potential, affected versions, and mitigation strategies such as immediate patching. While no in-the-wild exploitation is reported, the significant risk necessitates vigilance, especially concerning APT groups. → rescana.com |
| 2026-04-12 2026 | Critical Marimo pre-auth RCE flaw now under active exploitation news 2 min read | Writeup detailing CVE-2026-39987, a critical pre-authentication RCE vulnerability in Marimo versions 0.20.4 and earlier. Exploitable via the unauthenticated WebSocket endpoint '/terminal/ws', attackers can gain an interactive shell with the Marimo process's privileges. Active exploitation observed within hours of disclosure, with attackers exfiltrating credentials and SSH keys. Sysdig researchers noted a methodical operator targeting high-value information. Mitigation includes upgrading to version 0.23.0, restricting external access, or disabling the '/terminal/ws' endpoint. → bleepingcomputer.com |
| 2026-04-12 2026 | Critical Marimo Python Notebook RCE Vulnerability (CVE-2026-39987) Exploited Within 10 Hours of Disclosure news 5 min read | Analysis of CVE-2026-39987 details a critical RCE vulnerability in Marimo, an open-source Python notebook platform, allowing unauthenticated attackers shell access via a misconfigured WebSocket endpoint. Exploitation occurred within 10 hours of disclosure, focusing on credential harvesting and reconnaissance using T1190, T1552, and T1083 MITRE ATT&CK techniques. Mitigation involves upgrading to Marimo 0.23.0+, auditing logs, and rotating compromised credentials. → rescana.com |
| 2026-04-12 2026 | Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621 news 1 min read | Writeup of CVE-2026-34621, an actively exploited Adobe Acrobat Reader flaw. This prototype pollution vulnerability, with a CVSS score of 8.6, allows arbitrary code execution when users open malicious PDF documents. Adobe has released emergency updates for Acrobat DC, Acrobat Reader DC, and Acrobat 2024. Security researcher Haifei Li disclosed the zero-day exploitation, and CISA has added it to their Known Exploited Vulnerabilities catalog. → thehackernews.com |
| 2026-04-11 2026 | Google Chrome Multiple Vulnerabilities news 1 min read | Vulnerability summary detailing multiple issues within Google Chrome versions prior to 147.0.7727.55 on Linux, and 147.0.7727.55/56 on Mac and Windows. Exploitation can lead to information disclosure, denial of service, remote code execution, security restriction bypass, and data manipulation. This bulletin lists CVE-2026-5858 through CVE-2026-5919 as affected vulnerabilities. → hkcert.org |
| 2026-04-11 2026 | CVE-2026-39987: Marimo RCE exploited in hours after disclosure news 2 min read | Writeup of CVE-2026-39987 in Marimo, a Python notebook tool, detailing its pre-authenticated RCE flaw. The vulnerability, actively exploited within 10 hours of disclosure by Sysdig Threat Research Team, allowed attackers to gain a full PTY shell by targeting the unauthenticated `/terminal/ws` WebSocket endpoint. This exploit highlights the rapid threat actor response to disclosures, even for niche software like Marimo, with credential theft occurring in under three minutes. → securityaffairs.com |
| 2026-04-10 2026 | AI Router Vulnerabilities Allow Attackers to Inject Malicious Code and Steal Sensitive Data news 3 min read | Library for securing AI agent LLM API routers, detailing how these intermediaries can be weaponized for malicious code injection and credential exfiltration. Research from UC Santa Barbara highlights vulnerabilities in routers purchased from platforms like Taobao and Shopify, demonstrating attacks including payload injection and autonomous session hijacking. Mitigations include fail-closed policy gates, response-side anomaly screening, and append-only transparency logging. → cybersecuritynews.com |
| 2026-04-10 2026 | GitLab Addresses Multiple Vulnerabilities Linked to DoS and Code Injection news 1 min read | Library addressing multiple GitLab vulnerabilities, including CVE-2026-5173 for exposed websocket methods, improper input validation in the Terraform state lock API, and unauthenticated denial-of-service via GraphQL API queries. Patches also resolve code injection in Code Quality reports, XSS in customizable analytics, and information disclosure risks in CSV exports, protecting self-managed instances. → gbhackers.com |
| 2026-04-10 2026 | Orthanc DICOM Vulnerabilities Lead to Crashes RCE news 2 min read | Library of nine vulnerabilities, CVE-2026-5437 to CVE-2026-5445, impacting the Orthanc DICOM server, allowing for server crashes, data leaks, and remote code execution. These defects stem from insufficient metadata validation, missing checks, and unsafe arithmetic, manifesting as out-of-bounds reads, GZIP and ZIP decompression bombs, HTTP server memory exhaustion, and heap buffer overflows in image parsing and decoding logic. Versions 1.12.10 and earlier are affected; update to 1.12.11 for remediation. → securityweek.com |
| 2026-04-10 2026 | Claude uncovers a 13-year-old ActiveMQ RCE bug within minutes news 2 min read | Writeup detailing CVE-2026-34197, a 13-year-old RCE vulnerability in Apache ActiveMQ Classic, uncovered by Anthropic's Claude. The flaw, exploitable via the Jolokia API and a malicious Spring XML file, allows arbitrary system command execution. Researchers used AI to build an exploit chain in minutes, highlighting the potential for AI in vulnerability discovery. This critical flaw affects ActiveMQ Classic versions prior to 5.19.4 and several 6.x releases, with an unauthenticated variant possible in some 6.x versions due to CVE-2024-32114. → csoonline.com |
| 2026-04-10 2026 | Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure news 3 min read Python | Writeup of CVE-2026-39987, a critical pre-authenticated RCE vulnerability in Marimo exploited within 10 hours of disclosure. The flaw, impacting versions prior to 0.20.4, allows unauthenticated attackers to gain a full PTY shell via the terminal WebSocket endpoint. Exploitation observed included credential theft and deployment of NKAbuse, a multi-platform threat leveraging NKN for C2. CISA added CVE-2026-39987 to its KEV catalog, mandating remediation for FCEB agencies. → thehackernews.com |
| 2026-04-10 2026 | Critical Marimo Flaw Exploited Hours After Public Disclosure news 2 min read | Writeup detailing the rapid exploitation of CVE-2026-39987, a critical unauthenticated RCE vulnerability in the Marimo reactive notebook. The flaw, discovered in the terminal WebSocket endpoint due to a lack of authentication validation, allowed attackers to gain an interactive shell and execute arbitrary commands. Exploitation began within nine hours of public disclosure, with attackers quickly moving to exfiltrate credentials and search for sensitive files like SSH keys. Releases up to Marimo 0.20.4 are affected, and users are urged to update to version 0.23.0 or newer. → securityweek.com |
| 2026-04-10 2026 | CISA Warns of Actively Exploited Ivanti EPMM Vulnerability news 1 min read | Reference for CVE-2026-1340, a critical code-injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM). This flaw allows unauthenticated remote code execution, granting attackers control over the mobile management server and connected devices. CISA has issued an urgent directive for federal agencies to remediate this actively exploited vulnerability, and private-sector organizations are strongly encouraged to apply patches immediately due to the significant risks it poses. |
| 2026-04-10 2026 | Critical Chrome Vulnerabilities Let Attackers Execute Arbitrary Code news 2 min read | Writeup of critical Chrome vulnerabilities, including CVE-2026-5858 and CVE-2026-5859, which are heap buffer overflow and integer overflow flaws in WebML, respectively. These, along with 14 high-severity issues like use-after-free in WebRTC and V8, and heap buffer overflows in WebAudio and ANGLE, could allow arbitrary code execution. Google's fuzzing infrastructure aided in their detection. → cybersecuritynews.com |
| 2026-04-10 2026 | Critical Vulnerability in Ninja Forms Exposes WordPress Sites news 1 min read | Library detailing an arbitrary file upload vulnerability (CVSS 9.8) in Ninja Forms – File Upload Plugin versions up to 3.3.26. This flaw allows unauthenticated attackers to upload malicious files, including PHP scripts, through insufficient file validation and filename manipulation, potentially leading to remote code execution and full website compromise. The vulnerability was discovered by Sélim Lanouar and patched in version 3.3.27. → infosecurity-magazine.com |
| 2026-04-10 2026 | U-Office Force Critical RCE via Insecure Deserialization (CVE-2026-3422) news 1 min read Deser | Writeup of CVE-2026-3422 details an unauthenticated remote code execution vulnerability in U-Office Force, a product of e-Excellence. This critical flaw, rated CVSS 9.8, stems from insecure deserialization, where the application processes maliciously crafted serialized content without proper validation. Attackers can exploit this by crafting specific serialized payloads containing gadget chains, leading to arbitrary code execution on the server. Successful exploitation requires identifying input channels that deserialize data, such as API endpoints or file uploads. → thehackerwire.com |
| 2026-04-10 2026 | IBM Langflow Desktop RCE via Insecure Deserialization news 1 min read Deser | Writeup of CVE-2026-3357, detailing an RCE vulnerability in IBM Langflow Desktop (versions 1.6.0-1.8.2) with a CVSS score of 8.8. Exploitation requires authentication and leverages insecure deserialization within the FAISS component, allowing an attacker to execute arbitrary code by providing malicious serialized data. → thehackerwire.com |
| 2026-04-10 2026 | CVE-2026-21858: Ni8mare Enables Unauthenticated RCE in n8n Webhooks news 5 min read | Writeup detailing CVE-2026-21858 (Ni8mare), an unauthenticated RCE vulnerability in n8n workflow automation software. The flaw arises from content-type confusion, enabling attackers to read arbitrary files, forge admin sessions, and execute commands. This affects n8n versions prior to 1.121.0 and carries a CVSS score of 10.0. The writeup also briefly mentions CVE-2026-21877, N8scape (CVE-2025-68668), and CVE-2025-68613, which allow authenticated RCE. |
| 2026-04-10 2026 | Potentially Critical RCE in OpenSSL (CVE-2025-15467) news 3 min read | Writeup of CVE-2025-15467, a critical RCE vulnerability in OpenSSL affecting versions 3.0 through 3.6. An attacker can exploit this stack overflow by sending a crafted CMS AuthEnvelopedData message with an oversized IV, triggering a buffer overflow before authentication. This vulnerability impacts applications calling specific CMS decryption APIs or using tools like `openssl cms` and `openssl smime`, and can be leveraged for remote code execution. Users should upgrade to patched versions immediately. |
| 2026-04-10 2026 | Wazuh RCE via Deserialization of Untrusted Data (CVE-2026-25769) news 1 min read | Writeup of CVE-2026-25769, a critical RCE vulnerability in Wazuh versions 4.0.0 through 4.14.2. This Deserialization of Untrusted Data flaw, rated 9.1 CVSS, requires initial compromise of a worker node to enable an attacker to execute code with root privileges on the Wazuh master node. The fix is available in Wazuh version 4.14.3. → thehackerwire.com |
| 2026-04-10 2026 | CVE-2025-55182: React and Next.js Deserialization RCE Deep Dive intermediate | CVE-2025-55182: React and Next.js Deserialization RCE Deep Dive → akamai.com |
| 2026-04-10 2026 | Active Exploitation of 7-Zip RCE Vulnerability news 2 min read | Analysis of active exploitation of 7-Zip RCE vulnerability CVE-2025-11001, stemming from improper symbolic link handling in crafted ZIP files. Exploitation allows attackers to overwrite system files or execute arbitrary code. NHS England Digital confirmed active exploitation, urging updates to version 25.0.0 or later, which also addresses CVE-2025-11002. Unpatched systems face risks including ransomware and data theft. |
| 2026-04-10 2026 | Update on React Server Components RCE (CVE-2025-55182 / CVE-2025-66478) news 7 min read | Writeup detailing the evolving exploitation of React Server Components RCE (CVE-2025-55182, CVE-2025-66478), discussing the invalid early PoC, the emergence of scanning utilities from Assetnote, and the eventual discovery of real RCE exploit chains that leverage unsafe export resolution and prototype chain manipulation for arbitrary code execution via mechanisms like `process.mainModule.require('https')` and runtime memory shells, with observed data exfiltration via response body output, OAST/DNSLog callbacks, and Next.js redirect headers. → securityboulevard.com |
| 2026-04-10 2026 | CVE-2025-34291 Exploited in the Wild: LangFlow AI Under Fire news 3 min read | Writeup of CVE-2025-34291, a remote code execution vulnerability in LangFlow, reveals active exploitation in the wild. This cross-site request forgery flaw, stemming from improper CORS and SameSite cookie configurations, allows attackers to impersonate logged-in users and gain full control of AI infrastructure by exploiting Python code execution capabilities. Protection involves hardening LangFlow configurations by disabling authenticated cross-site requests or restricting allowed origins, upgrading to LangFlow 1.7, or utilizing a WAF like CrowdSec to block malicious IPs. |
| 2026-04-10 2026 | New runC Vulnerabilities Expose Docker and Kubernetes to Container Escape news 3 min read | Writeup on CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 in runC, detailing how these vulnerabilities allow container escape through manipulation of bind mounts and /proc filesystem writes. Exploitation requires the ability to start containers with custom mount configurations, enabling attackers to compromise host systems and bypass LSM relabel protections. Versions prior to runC 1.2.8, 1.3.3, or 1.4.0-rc.3 are affected. |
| 2026-04-10 2026 | CVE-2025-39601: WordPress Custom CSS, JS and PHP Plugin CSRF to RCE news 1 min read | Writeup of CVE-2025-39601, a Critical CSRF vulnerability in the WPFactory Custom CSS, JS & PHP plugin for WordPress. Versions up to and including 2.4.1 are affected, allowing unauthenticated attackers to achieve Remote Code Execution (RCE) by injecting malicious PHP code via unauthorized POST requests. Exploitation involves hosting a crafted HTML file that an authenticated administrator visits, triggering the injection of PHP code executed on page load. |
| 2026-04-10 2026 | CVE-2025-7384: Critical WordPress Plugin Unauthenticated RCE news 4 min read | Writeup of CVE-2025-7384, a critical PHP Object Injection vulnerability in the "Database for Contact Form 7, WPforms, Elementor Forms" WordPress plugin. This flaw, with a CVSS score of 9.8, allows unauthenticated attackers to inject arbitrary PHP objects, leading to denial of service and potential remote code execution through malicious deserialization. The exploit can result in the deletion of critical files like `wp-config.php`, affecting over 70,000 installations. While version 1.4.4 patches new exploits, old malicious data in the database remains a risk requiring database sanitization. |
| 2026-04-10 2026 | Sneeit WordPress RCE Exploited in the Wild news 3 min read | Writeup detailing active exploitation of CVE-2025-6389, a critical RCE vulnerability in the Sneeit Framework WordPress plugin, allowing unauthenticated attackers to execute arbitrary PHP functions like `wp_insert_user()` to create administrative backdoors. Exploitation involves crafting HTTP requests to `/wp-admin/admin-ajax.php` and uploading malicious PHP files such as "xL.php" and "up_sf.php." The report also notes concurrent attacks on ICTBroadcast, exploiting CVE-2025-2611 to deliver the "Frost" DDoS botnet, which employs spreader logic and targets specific response indicators before launching attacks. → thehackernews.com |
| 2026-04-10 2026 | Critical Pre-Auth RCE in ChurchCRM Setup Wizard news 2 min read | Writeup of CVE-2026-39337, a critical pre-authentication RCE in ChurchCRM versions prior to 7.1.0. Attackers can inject arbitrary PHP code into the `$dbPassword` variable during the setup wizard's installation process, leading to complete server compromise. This vulnerability is an incomplete fix for CVE-2025-62521, highlighting ongoing input validation issues. → thehackerwire.com |
| 2026-04-10 2026 | Critical Unauthenticated RCE in n8n (CVE-2026-21858, CVSS 10.0) news 2 min read | Writeup on CVE-2026-21858, a critical unauthenticated RCE in n8n versions prior to 1.121.0. Exploitation involves Content-Type confusion in webhook and file-handling logic, allowing attackers to override internal parsing, access sensitive files, forge sessions, and achieve arbitrary code execution. This leads to server takeover, credential theft, and lateral movement. Orca Security aids in identifying and prioritizing remediation for vulnerable n8n instances. |
| 2026-04-10 2026 | TryHackMe Spring AI: CVE-2026-22738 RCE Writeup news | TryHackMe Spring AI: CVE-2026-22738 RCE Writeup |
| 2026-04-10 2026 | Dangerous runC Flaws Allow Hackers to Escape Docker Containers news 2 min read | Vulnerabilities in runC, CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, allow attackers with custom mount configurations to escape Docker and Kubernetes containers by exploiting bind-mounts and symlink race conditions to gain root privileges on the host system. Fixes are available in later runC versions, and mitigations include user namespaces and rootless containers. → bleepingcomputer.com |
| 2026-04-10 2026 | runC Container Escape Vulnerabilities: A Technical Overview intermediate 3 min read | Writeup of runc container escape vulnerabilities, including CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, which allow arbitrary writes to procfs files. Exploitation involves custom mount configurations, potentially leading to host compromise in environments like Kubernetes. Mitigations include updating runc to v1.4.0-rc.3, v1.3.3, or v1.2.8, and employing user namespaces, non-root users, and security modules. |
| 2026-04-10 2026 | New runC Vulnerabilities Allow Container Escape in Docker and Kubernetes news 3 min read | Analysis of three runc vulnerabilities, CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, details how attackers can achieve container escape in Docker and Kubernetes. These exploits leverage race conditions and mount manipulations, specifically involving maskedPaths abuse and /dev/console mount races, to gain root access to host systems by writing to critical procfs files. Mitigation strategies include updating runc, enabling user namespaces, and using rootless containers. |
| 2026-04-10 2026 | Attackers Exploit Critical Langflow RCE as CISA Sounds Alarm news 2 min read | Library for detecting and mitigating remote code execution in Langflow, particularly CVE-2026-33017. This vulnerability allows unauthenticated attackers to execute arbitrary Python code by submitting malicious workflow data via the `build_public_tmp` endpoint. Attackers have weaponized this flaw within hours of disclosure, leading to credential exfiltration and potential software supply chain compromise. Runtime detection is crucial, focusing on exploit behavior like shell command execution and data exfiltration over HTTP, rather than specific CVE signatures. → csoonline.com |
| 2026-04-10 2026 | CVE-2026-33017: How Attackers Compromised Langflow AI Pipelines in 20 Hours intermediate 8 min read | Writeup detailing CVE-2026-33017, an unauthenticated RCE in Langflow, exploited within 20 hours of its advisory. Attackers leveraged the vulnerability's public flow build endpoint to execute arbitrary Python code, exfiltrating credentials and potentially compromising supply chains. Exploitation attempts observed included automated scanning via nuclei templates and custom Python scripts for deeper reconnaissance and data harvesting, highlighting the rapid weaponization trend of newly disclosed vulnerabilities. |
| 2026-04-10 2026 | CVE-2025-3248: RCE Vulnerability in Langflow news 3 min read | Writeup detailing CVE-2025-3248, a critical remote code execution (RCE) vulnerability in Langflow. Exploitation of the `/api/v1/validate/code` endpoint allows unauthenticated arbitrary command execution by embedding malicious Python code within decorators or default function arguments, which are evaluated during AST processing prior to version 1.3.0. Recommendations include immediate upgrades, access restriction via ZTNA, input sandboxing, and monitoring. |
| 2026-04-10 2026 | React2Shell Explained: From Vulnerability Discovery to Exploitation intermediate 13 min read | Library for understanding CVE-2025-55182, the React2Shell vulnerability. This exploit targets React Server Components' React Flight protocol by abusing unsafe deserialization of client-controlled payloads. Successful exploitation allows unauthenticated attackers to achieve remote code execution (RCE) on vulnerable servers, impacting applications built with React 19.0.0-19.2.0 and Next.js App Router versions 16.0.0-16.0.6. The analysis details how attackers manipulate prototype chains and the Function constructor to inject malicious code. → resecurity.com |
| 2026-04-10 2026 | Protecting Against the Critical React2Shell RCE Exposure intermediate 5 min read | Library for identifying and mitigating the critical 'React2Shell' RCE vulnerability (CVE-2025-55182) affecting React Server Components and Next.js. This vulnerability allows unauthenticated attackers to perform server-side code execution via insecure deserialization in the RSC 'Flight' protocol. The library helps secure environments by detailing immediate actions, providing detection rules, and showcasing how SentinelOne's Offensive Security Engine can verify exploitability of affected workloads. → sentinelone.com |
| 2026-04-10 2026 | React2Shell: Node.js RCE Against a Production Next.js App advanced 52 min read | Analysis of CVE-2025-55182, "React2Shell," details a Node.js Remote Code Execution vulnerability in Next.js applications utilizing React Server Components. The exploit leverages the Flight protocol's unsafe deserialization to trigger `child_process.spawnSync()`, allowing arbitrary shell commands with server process privileges. The report reconstructs a six-stage attack campaign, including C2 communication across multiple servers and the use of Lachlan Davidson's "02-meow-rce-poc" for RCE confirmation, despite defensive measures like container restrictions limiting further attacker progression. |
| 2026-04-10 2026 | CVE-2025-68613: RCE via Expression Injection in n8n news 14 min read | Writeup of CVE-2025-68613, a critical RCE vulnerability in n8n's expression evaluation engine. This flaw allows authenticated users to inject malicious JavaScript expressions, escaping the sandbox to execute arbitrary code on the server with n8n process privileges. Exploitation enables attackers to run OS commands, steal secrets, modify files, and gain full server control, impacting over 100,000 instances globally. The vulnerability affects versions from 0.211.0 up to 1.120.3 and early 1.122.x releases, with fixes available in versions 1.120.4, 1.121.1, and 1.122.0+. → resecurity.com |
| 2026-04-10 2026 | Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025 news 2 min read | Writeup of CVE-2026-34621, a zero-day vulnerability in Adobe Reader exploited since December 2025 via malicious PDFs. This sophisticated exploit, first observed in "Invoice540.pdf," uses obfuscated JavaScript to harvest sensitive data and potentially deliver subsequent payloads for remote code execution and sandbox escape. The exploit targets privileged Acrobat APIs and has been confirmed to work on the latest Adobe Reader version, necessitating user vigilance and prompt application of the provided security update. → thehackernews.com |
| 2026-04-10 2026 | WWBN AVideo RCE via Persistent PHP File Upload (CVE-2026-33717) news 2 min read | Writeup of CVE-2026-33717, a remote code execution vulnerability in WWBN AVideo. This flaw allows unauthenticated attackers to persistently upload and execute arbitrary PHP files by exploiting improper handling of remote content in the `downloadVideoFromDownloadURL()` function and bypassing cleanup via an invalid `resolution` parameter. Affected versions include WWBN AVideo up to 26.0, and a fix is available in commit `6da79b43484099a0b660d1544a63c07b633ed3a2`. → thehackerwire.com |
| 2026-04-10 2026 | Explorance Blue RCE via Unrestricted File Upload intermediate 2 min read | Writeup of CVE-2025-57794 impacting Explorance Blue, detailing an authenticated unrestricted file upload vulnerability allowing remote code execution. Exploitation requires administrative credentials and is possible on versions prior to 8.14.9 by uploading web shells (e.g., PHP, ASPX, JSP, CFML) to accessible directories. The flaw lies in the application's failure to validate file types, enabling attackers to execute arbitrary code on the server. Explorance has released version 8.14.9 to address this critical issue. → thehackerwire.com |
| 2026-04-10 2026 | From Pre-Auth SSRF to RCE in TruFusion Enterprise intermediate 2 min read | Writeup detailing pre-authentication SSRF (CVE-2025-32355) and path traversal (CVE-2025-59793) vulnerabilities in TRUfusion Enterprise. The SSRF allows an attacker to abuse a misconfigured reverse proxy to access internal services, including an Axis2 interface. This Axis2 service, vulnerable to path traversal, can be exploited with the default 'trubiquity' password to achieve remote code execution by writing arbitrary files to the filesystem. |
| 2026-04-10 2026 | Serverless Security Risks 2026: Mitigating SSRF and RCE Threats intermediate 17 min read SSRF | Library for serverless security, detailing risks like SSRF and RCE by focusing on identity, permissions, and configuration. It explains how short-lived cloud credentials for AWS Lambda, Azure Functions, and Google Cloud Functions become primary targets when exposed, enabling privilege escalation and lateral movement. The library emphasizes that interconnected services, shared dependencies, and insufficient visibility into invocation paths and configurations compound these risks, advocating for continuous monitoring and least-privilege enforcement. |
| 2026-04-10 2026 | Intigriti Challenge: SSRF to RCE via File Upload Bypass intermediate | Intigriti Challenge: SSRF to RCE via File Upload Bypass |
| 2026-04-10 2026 | Precurio Intranet Portal: CSRF to RCE via File Upload intermediate 2 min read | Writeup detailing CVE-2026-32989, a CSRF to RCE vulnerability in Precurio Intranet Portal 4.4. This high-severity flaw (CVSS 8.8) allows an attacker to trick an authenticated user into uploading a malicious file. If the portal stores this file in a web-accessible, executable format, it can lead to arbitrary code execution on the web server. Exploitation requires an authenticated victim and network access to the target portal. → thehackerwire.com |
| 2026-04-10 2026 | Tiandy Easy7 RCE via OS Command Injection (CVE-2026-4585) intermediate 1 min read | Writeup of CVE-2026-4585, a critical OS command injection vulnerability in Tiandy Easy7 Integrated Management Platform (versions prior to 7.17.0). This remote, unauthenticated flaw allows attackers to execute arbitrary commands via the `ImportSystemConfiguration.jsp` endpoint by manipulating the `File` argument. The exploit is publicly disclosed and requires no user interaction, presenting a severe risk of system compromise. → thehackerwire.com |
| 2026-04-10 2026 | OpenMetadata RCE via SSTI in FreeMarker Email Templates intermediate 4 min read SSTI | Writeup of GHSA-5f29-2333-h9c7, detailing a critical Remote Code Execution vulnerability in OpenMetadata version 1.11.2. The vulnerability stems from Server-Side Template Injection (SSTI) within FreeMarker email templates, allowing an administrator to inject malicious code that is then executed by the server. Attack vectors include privilege escalation, data exfiltration, and establishing reverse shells, with significant impacts on confidentiality, integrity, and availability. |
| 2026-04-10 2026 | RCE in Airbyte via Server-Side Template Injection (SSTI) intermediate | Library for securing Airbyte connections, preventing Remote Code Execution (RCE) via Server-Side Template Injection (SSTI) in the connection builder Docker image. This vulnerability, discovered by Mike Cole of Mantel Group, could allow authenticated attackers to execute arbitrary code and expose sensitive information like credentials if a new connector is tested on a compromised instance. |
| 2026-04-10 2026 | File Upload Vulnerability Testing: Bypassing Filters and Getting RCE intermediate 4 min read | Guide detailing techniques for bypassing file upload filters to achieve Remote Code Execution (RCE). It covers extension filter bypasses, including alternative extensions like `.php5`, `.phtml`, `.phar`, and double extensions, as well as Content-Type and magic byte manipulation. The guide also explores filename manipulation for path traversal, `.htaccess` uploads to enable PHP execution for any extension, and exploitation of image processing vulnerabilities like ImageMagick's CVE-2016-3714. It provides web shell payloads and discusses chaining file uploads with other vulnerabilities such as LFI, SSRF, XSS, and XXE. |
| 2026-04-10 2026 | Critical LFI to RCE in WP Ghost Plugin Affecting 200k+ Sites intermediate 3 min read | Writeup of CVE-2025-26909, a critical unauthenticated Local File Inclusion (LFI) to Remote Code Execution (RCE) vulnerability in the WP Ghost WordPress plugin, affecting over 200,000 sites. The vulnerability arises from insufficient sanitization of user input in the `showFile` function, allowing path traversal and arbitrary file inclusion, potentially leading to RCE via techniques like `php://filter` chains or `PHP_SESSION_UPLOAD_PROGRESS`. The issue is fixed in version 5.4.02. |
| 2026-04-10 2026 | AI Workflows Under Fire: Critical RCE Flaws in Langflow news 2 min read | Writeup on critical RCE and file write vulnerabilities in Langflow, a visual framework for AI agents. CVE-2026-33017, rated "Critical," allows unauthenticated RCE by exploiting a flaw in the build public flow endpoint's `exec()` function. CVE-2026-33309 permits authenticated arbitrary file writes through path traversal in the v2 API's file upload handling. Both affect version 1.8.1 and earlier, with recommendations for manual intervention including removing the data parameter from the public flow route and sanitizing multipart filenames. |
| 2026-04-10 2026 | CVE-2026-22812: RCE on a 71k-Star AI Coding Tool With Zero Auth news | CVE-2026-22812: RCE on a 71k-Star AI Coding Tool With Zero Auth |
| 2026-04-10 2026 | Root in One Request: Marimo's Critical Pre-Auth RCE (CVE-2026-39987) news 8 min read | Writeup of CVE-2026-39987, a critical pre-authentication remote code execution vulnerability in the Marimo Python reactive notebook framework. This issue, with a CVSS v4.0 score of 9.3, stems from an unauthenticated WebSocket endpoint for the integrated terminal, allowing attackers to gain an interactive shell as the Marimo process user. The vulnerability has been exploited in the wild, and vulnerable instances are believed to be widespread. Marimo versions prior to 0.23.0 are affected. |
| 2026-04-10 2026 | Lessons From 2025: Zero-Day Exploitation Shaping 2026 news 6 min read | Analysis of 2025 zero-day exploitation reveals critical vulnerabilities in enterprise software like Oracle EBS (CVE-2025-61882), Meta React Server Components (CVE-2025-55182), SAP NetWeaver (CVE-2025-31324), Microsoft SharePoint (CVE-2025-53770), and Citrix NetScaler (CVE-2025-5777). Financially motivated groups and China-aligned actors were prominent exploiters, demonstrating rapid weaponization of public disclosures and the lingering risk even after patches are released. Enterprise software's central role made it a prime target, with exploitation leading to widespread compromise and extortion. |
| 2026-04-10 2026 | Critical Zero-Day RCE in Networking Devices Exposes 70,000+ Hosts news 1 min read | Writeup of CVE-2025-54322, a zero-day RCE in XSpeeder SXZOS networking devices, enabling unauthenticated root-level access. The flaw leverages an unsafe eval() function processing base64-decoded user input from query parameters, bypassing superficial middleware protections. Exploitation chains a time-synchronized nonce header, session cookie validation, and a naive payload scan. The vendor's unresponsiveness to disclosures exacerbates the risk to over 70,000 potentially exposed hosts, particularly in industrial and branch office environments. → gbhackers.com |
| 2026-04-10 2026 | Cisco Patches Zero-Day RCE Exploited by China-Linked APT news 2 min read | Reference detailing CVE-2025-20393, a critical remote command execution flaw in Cisco AsyncOS Software for Secure Email Gateway and Web Manager. Exploited by China-linked APT UAT-9686, this vulnerability, with a CVSS score of 10.0, allows arbitrary root command execution via insufficient validation of HTTP requests to the Spam Quarantine feature. Attackers deployed tools like ReverseSSH, Chisel, AquaPurge, and AquaShell. Cisco has released patches and recommends hardening guidelines, including firewalling, disabling unnecessary services, and enforcing strong authentication. → thehackernews.com |
| 2026-04-10 2026 | Critical Redis RCE Vulnerability: CVE-2025-49844 news 5 min read | Writeup on CVE-2025-49844, dubbed #RediShell, detailing a critical Use-After-Free (UAF) vulnerability in Redis. This flaw allows authenticated attackers to execute arbitrary native code on the Redis host by escaping the Lua sandbox with a crafted Lua script. Given Redis's prevalence in cloud environments, this vulnerability poses a significant risk, potentially leading to data exfiltration, lateral movement, and system compromise. The writeup also highlights affected forks like Valkey and managed services such as Amazon ElastiCache, Google Cloud Memorystore, and Azure Cache for Redis. → wiz.io |
| 2026-04-10 2026 | CVE-2025-59287: WSUS Unauthenticated RCE Vulnerability news 5 min read | Writeup detailing CVE-2025-59287, a critical (CVSS 9.8) unauthenticated RCE vulnerability in Windows Server Update Services (WSUS). The flaw stems from unsafe deserialization via .NET BinaryFormatter in WSUS reporting web services, allowing attackers to execute arbitrary code with SYSTEM privileges. Exploitation involves crafted SOAP requests to the GetCookie endpoint containing an encrypted gadget chain payload. Microsoft has released an out-of-band update, and active exploitation has been observed in the wild. → picussecurity.com |
| 2026-04-10 2026 | Ivanti EPMM RCE Vulnerability Chain Exploited in the Wild news 6 min read | Writeup detailing the exploitation of Ivanti EPMM by CVE-2025-4427 and CVE-2025-4428, a chain enabling unauthenticated RCE. The attack bypasses authentication via misconfigured Spring Security and leverages Java Expression Language injection for code execution. Observed in-the-wild activity includes Sliver beacon C2 communication, MySQL database dumping, deployment of JSP web shells, and direct reverse shells. Affected versions include 11.12.0.4 and prior, 12.3.0.1 and prior, 12.4.0.1 and prior, and 12.5.0.0 and prior. → wiz.io |
| 2026-04-10 2026 | CVE-2025-34291: Critical Account Takeover and RCE in Langflow news 7 min read AuthN | Library detailing CVE-2025-34291, a critical vulnerability in Langflow enabling account takeover and RCE through a chain involving permissive CORS settings, SameSite=None for the refresh token cookie, and the unauthenticated `/api/v1/refresh` endpoint, allowing attackers to steal valid access tokens and subsequently exploit the `/api/v1/validate/code` endpoint for code execution. |
| 2026-04-10 2026 | 50,000+ WordPress Sites at Risk from Critical Ninja Forms RCE news 2 min read | Writeup of CVE-2026-0740, a critical RCE vulnerability in the Ninja Forms File Upload plugin affecting over 50,000 WordPress sites. The flaw allows unauthenticated attackers to upload and execute malicious PHP scripts by bypassing file type validation and exploiting path traversal techniques. A partial fix was released in version 3.3.25, with a full patch in 3.3.27. → cyberpress.org |
| 2026-04-10 2026 | Critical Langflow RCE Flaw Exploited in the Wild Within Hours news 3 min read | Writeup of CVE-2026-33017, a critical unauthenticated RCE in Langflow, detailing its exploitation within hours of disclosure. The vulnerability allows attackers to execute arbitrary Python code on exposed instances via the public flow build endpoint. Exploitation attempts involved mass scanning, reconnaissance, and data exfiltration of API keys for OpenAI, Anthropic, and AWS, leading to potential downstream compromises of AI pipelines and connected data stores. |
| 2026-04-10 2026 | CVE-2026-20131: Analysis of Cisco FMC RCE news 4 min read | Analysis of CVE-2026-20131, a critical RCE vulnerability affecting Cisco Secure Firewall Management Center (FMC) Software, details how unauthenticated attackers can execute arbitrary Java code via a specially crafted serialized Java object. This vulnerability, actively exploited in the wild and added to CISA's KEV catalog, allows root privilege escalation and poses a significant risk to network security by potentially compromising entire infrastructures managed by FMC. Exploitation involves sending malicious HTTP requests triggering insecure deserialization, enabling post-exploitation activities like data exfiltration and backdoor installation. |
| 2026-04-10 2026 | n8n Critical Vulnerability (CVE-2026-21858): Unauthenticated RCE news 7 min read | Writeup of CVE-2026-21858, an unauthenticated RCE in n8n, allowing full compromise of locally deployed instances through arbitrary file access, authentication bypass, and command execution. Discovered by Cyera Research Labs and nicknamed 'Ni8mare', this vulnerability highlights automation platforms as high-impact attack surfaces. Remediation involves upgrading n8n, restricting exposure of Forms and Webhooks, and reviewing workflow configurations. → aikido.dev |
| 2026-04-10 2026 | Critical Telnetd Flaw (CVE-2026-32746) Enables Root RCE news 3 min read | Writeup of CVE-2026-32746, a critical out-of-bounds write vulnerability in GNU InetUtils telnetd's LINEMODE Set Local Characters suboption handler. This flaw allows unauthenticated remote attackers to execute arbitrary code as root by sending crafted messages during the initial connection handshake. Discovered by Dream, it affects versions through 2.7 and impacts various systems including FreeBSD, NetBSD, and TrueNAS Core. → thehackernews.com |
| 2026-04-10 2026 | Critical vLLM RCE Allows Server Takeover via Malicious Video URL (CVE-2026-22778) news 5 min read | Library addressing CVE-2026-22778, a critical remote code execution flaw in vLLM. This vulnerability, triggered by a malicious video URL, chains a PIL error information leak for ASLR bypass with a JPEG2000 heap overflow in OpenCV's FFmpeg dependency. Exploitation leads to arbitrary command execution by overwriting function pointers, allowing server takeover. Organizations running vLLM with multimodal video support must upgrade to version 0.14.1 or later immediately. |
| 2026-04-10 2026 | CVE-2026-27825: Critical Unauthenticated RCE and SSRF in mcp-atlassian news 1 min read SSRF | Writeup on CVE-2026-27825, detailing critical unauthenticated RCE and SSRF vulnerabilities in mcp-atlassian. The flaws stem from missing directory confinement and inadequate path traversal validation in attachment download tools, allowing arbitrary file writes for persistence or RCE. A related SSRF issue in header-controlled Atlassian base URLs is also covered. Patched versions 0.17.0 introduce `validate_safe_path()` and `validate_url_for_ssrf()` to mitigate these risks. → arcticwolf.com |
| 2026-04-10 2026 | Unrestricted File Upload Leads to SSRF and RCE intermediate 1 min read | Writeup detailing an unrestricted file upload vulnerability, leveraging ImageMagick and its associated CVEs like CVE-2016-3714 and CVE-2016-3718. This post demonstrates how an attacker can achieve Server-Side Request Forgery (SSRF) and ultimately Remote Code Execution (RCE) through various ImageMagick exploits, including Ghostscript vulnerabilities. The author utilized Burp Suite for initial detection. |
| 2026-04-10 2026 | Complete Defense Against Node.js RCE: Real-World Exploit Analysis advanced 10 min read | Analysis of Node.js RCE vulnerabilities, including CVE-2022-24329, details how attackers exploit `child_process.exec` misuse and improper input validation to achieve command injection. The article contrasts vulnerable code patterns, such as direct passing of user input to `exec`, with secure alternatives like `spawn` or `execFile` and emphasizes strict input validation and sanitization to prevent shell meta-character interpretation. It also discusses the need for an integrated security approach, combining SAST/DAST, cloud workload security with SeekersLab's FRIIM CNAPP, and real-time threat detection via Seekurity SIEM/SOAR, augmented by KYRA AI Sandbox for analyzing suspicious code. |
| 2026-04-10 2026 | Command Injection and RCE in MetaSpore (GHSL-2025-035 to 037) news 5 min read | Writeup detailing command injection (GHSL-2025-035) and RCE (GHSL-2025-037) vulnerabilities in MetaSpore's recommendation service. The command injection allows overwriting arbitrary files and leaking AWS tokens via the `aws s3 sync` command. The RCE is achieved by exploiting an unprotected Consul instance and a Spring Expression Language injection in `spring.application.name`, leading to arbitrary code execution. An additional vulnerability (GHSL-2025-036) involves sensitive Spring Boot Actuator endpoints being exposed without authentication. → securitylab.github.com |
| 2026-04-10 2026 | Microsoft Bing Images OS Command Injection RCE intermediate 2 min read | Writeup of CVE-2026-32191, a critical OS command injection vulnerability in Microsoft Bing Images that allows unauthenticated attackers to achieve remote code execution (RCE) over the network. The flaw stems from improper neutralization of special elements in OS commands, where unsanitized user input is incorporated into system calls, enabling the execution of arbitrary shell commands. Exploitation requires identifying an injection point and crafting payloads to bypass sanitization. → thehackerwire.com |
| 2026-04-10 2026 | AWS RES Root RCE via Crafted Session Name (CVE-2026-5707) intermediate 2 min read | Writeup of CVE-2026-5707, an OS command injection flaw in AWS Research and Engineering Studio (RES) versions 2025.03 through 2025.12.01. A remote authenticated actor can exploit this vulnerability by providing a crafted virtual desktop session name, leading to arbitrary command execution with root privileges on the virtual desktop host. Exploitation requires valid credentials for the RES environment. Users should upgrade to RES version 2026.03 or apply a mitigation patch. → thehackerwire.com |
| 2026-04-10 2026 | Command Injection RCE in Kubernetes Log Query on Windows intermediate | Command Injection RCE in Kubernetes Log Query on Windows → akamai.com |
| 2026-04-10 2026 | Prompt Injection to RCE in AI Agents intermediate 10 min read | Writeup on prompt injection leading to RCE in AI agents, detailing design antipatterns that enable argument injection attacks against pre-approved commands. The article demonstrates one-shot RCE exploits across three AI agent platforms, bypassing human approval through techniques like `go test -exec` and `git show --format`/`ripgrep --pre`. Recommendations focus on limiting impact via sandboxing and argument separation for developers, users, and security engineers. → blog.trailofbits.com |
| 2026-04-10 2026 | Group-Office Critical RCE via Insecure Deserialization (CVE-2026-34838) intermediate 1 min read | Writeup of CVE-2026-34838 in Group-Office, detailing an insecure deserialization flaw in the `AbstractSettingsCollection` model. This critical vulnerability, requiring only authenticated low-privilege access, allows attackers to achieve Arbitrary File Write by injecting a serialized `FileCookieJar` object into setting strings. This file write directly enables Remote Code Execution on affected Group-Office versions prior to 6.8.156, 25.0.90, and 26.0.12. → thehackerwire.com |
| 2026-04-10 2026 | NVIDIA APEX Deserialization RCE (CVE-2025-33244) intermediate 2 min read | Writeup of CVE-2025-33244 in NVIDIA APEX for Linux, detailing a critical deserialization of untrusted data vulnerability. This flaw, impacting PyTorch versions prior to 2.6, allows unauthenticated attackers to achieve arbitrary code execution, denial of service, privilege escalation, data tampering, and information disclosure by crafting malicious serialized data. Exploitation requires identifying the specific deserialization sink within APEX and understanding gadget chains in affected PyTorch versions, with upgrading PyTorch to 2.6 or later recommended as a mitigation. → thehackerwire.com |
| 2026-04-10 2026 | React2Shell and RSC Vulnerabilities: Exploitation Threat Brief intermediate 8 min read | Library of detection rules protecting React Server Components against React2Shell (CVE-2025-55182), CVE-2025-55183, and CVE-2025-55184. Exploitation attempts, including those by Asian-nexus threat groups, were observed shortly after public disclosure, utilizing vulnerability scanners like Nuclei and Burp Suite. Threat actors employed Internet-wide scanning, asset discovery platforms, and metadata analysis, including SSL certificate details, to identify vulnerable deployments, with targeted efforts observed against geopolitical intelligence priorities, government entities, and critical infrastructure. |
| 2026-04-10 2026 | CVE-2025-55182: React Server Components RCE via Flight Payload Deserialization intermediate 4 min read | Writeup of CVE-2025-55182, a critical RCE in React Server Components. This vulnerability allows unauthenticated attackers to achieve arbitrary JavaScript execution on the server by crafting malicious Flight payloads that exploit unsafe deserialization of Chunks. The attack leverages Promise resolution and nested deserialization to control server-side functions, enabling actions like file reading or command execution. Public exploit code exists, and affected versions include 19.0, 19.1.0, 19.1.1, and 19.2.0. |
| 2026-04-10 2026 | n8n CVE-2025-68613 RCE Exploitation: A Detailed Guide intermediate 11 min read | Guide to CVE-2025-68613, a critical remote code execution vulnerability in n8n. This flaw, with a CVSS score of 9.9, allows authenticated users to compromise the entire system by injecting JavaScript expressions. Exploitation can lead to arbitrary command execution, file access, secret theft, and lateral movement within connected systems. The guide details the vulnerability's technical underpinnings, impact, and provides exploitation and testing examples across various n8n interfaces and API endpoints. |
| 2026-04-10 2026 | 2025 Zero-Days in Review: Lessons Learned news 22 min read | Survey of 2025 zero-day exploits reveals a continued shift towards enterprise targets, with 48% of tracked vulnerabilities impacting enterprise software and edge devices. State-sponsored espionage groups, particularly those linked to the People's Republic of China (PRC) such as UNC5221 and UNC3886, heavily favored these technologies for initial network access, while commercial surveillance vendors also expanded their exploit chain development. Malware campaigns like BRICKSTORM highlighted a new paradigm of using stolen IP for long-term zero-day development. → cloud.google.com |
| 2026-04-10 2026 | Multiple Threat Actors Exploit React2Shell (CVE-2025-55182) news 8 min read | Writeup detailing exploitation of CVE-2025-55182 ("React2Shell"), a critical RCE in React Server Components, by multiple threat actors including China-nexus espionage groups. Observed payloads include MINOCAT, SNOWLIGHT, HISONIC, COMPOOD backdoors, and XMRIG miners. The writeup highlights exploitation chains and post-compromise behaviors, with specific mention of UNC6600, UNC6586, UNC6588, and UNC6603 actors, and their deployment of these tools. It also addresses misinformation surrounding initial exploit disclosures, noting a GitHub repository that initially contained non-functional AI-generated exploit code before updating with legitimate, obfuscated samples. → cloud.google.com |
| 2026-04-10 2026 | React2Shell: Critical Unauthenticated RCE in React Server Components intermediate 4 min read | Writeup of CVE-2025-55182, a critical unauthenticated RCE vulnerability affecting React Server Components and frameworks like Next.js, dubbed React2Shell. Exploitation in the wild has begun, with a working proof-of-concept and Metasploit module available. The vulnerability, with a CVSS of 10.0, allows attackers to execute arbitrary code via malicious HTTP requests. Remediation involves updating affected React packages to versions 19.0.1, 19.1.2, or 19.2.1. Rapid7 customers have detection capabilities via Exposure Command, InsightVM, and Nexpose. → rapid7.com |
| 2026-04-10 2026 | Defending Against React2Shell in React Server Components intermediate 12 min read | Reference detailing CVE-2025-55182 (React2Shell), a critical pre-authentication RCE vulnerability in React Server Components, affecting frameworks like Next.js. The vulnerability, stemming from insecure payload validation and prototype pollution, allows attackers to execute arbitrary code via a single HTTP request. Observed exploits target Windows and Linux environments, deploying coin miners and RATs, and attempting to steal cloud credentials using tools like TruffleHog and Gitleaks. Mitigation includes immediate patching to updated React and Next.js versions, prioritizing internet-facing assets, and potentially using WAF protections. → microsoft.com |
| 2026-04-10 2026 | Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited news 6 min read | Writeup detailing CVE-2025-8110, an actively exploited RCE in Gogs, a self-hosted Git service. This vulnerability is a symlink bypass of a previous RCE (CVE-2024-55947), allowing authenticated users to overwrite files outside the repository via the PutContents API. The exploit chain involves committing a symlink and then using the API to overwrite sensitive files like `.git/config`. Wiz Research discovered this zero-day during an investigation and found over 700 compromised public-facing instances. A fix is available in Gogs version v0.13.4. → wiz.io |
| 2026-04-10 2026 | SharePoint RCE: Exploitation, Detection, and Mitigation intermediate | SharePoint RCE: Exploitation, Detection, and Mitigation → akamai.com |
| 2026-04-10 2026 | Apache ActiveMQ RCE via Jolokia API (CVE-2026-34197) intermediate 2 min read | Writeup of CVE-2026-34197, an Apache ActiveMQ Classic RCE vulnerability leveraging the Jolokia JMX-HTTP bridge to trigger Remote Code Execution via a crafted discovery URI. Attackers can exploit this by invoking operations like BrokerService.addNetworkConnector, loading a remote Spring XML application context that leads to arbitrary code execution through Runtime.exec(). This flaw, with a CVSS score of 8.8, is particularly critical on versions 6.0.0-6.1.1 due to CVE-2024-32114, which makes exploitation unauthenticated. Patches are available in ActiveMQ Classic 5.19.4 and 6.2.3. |
| 2026-04-10 2026 | CVE-2026-34841: Bruno IDE RCE via Supply Chain Attack news | Analysis of CVE-2026-34841 reveals a critical supply chain attack impacting Bruno IDE versions prior to 3.2.1. This vulnerability stems from a compromised axios npm package dependency, which allowed attackers to deploy a cross-platform Remote Access Trojan. Exploitation necessitates users running `npm install` during the attack window, leading to full system compromise and unauthorized remote control. The recommended mitigation is to upgrade to Bruno version 3.2.1 or later. |
| 2026-04-10 2026 | Telnet Vulnerability Opens Door to Remote Code Execution as Root intermediate 2 min read | Writeup on CVE-2026-32746, a critical vulnerability in GNU inetutils telnetd allowing pre-authentication remote code execution as root. Triggered by a buffer overflow in the LINEMODE Set Local Characters (SLC) handler, exploitation can lead to full system compromise on affected legacy infrastructure, networking equipment, and embedded systems. The flaw enables arbitrary memory writes via a corrupted pointer after exceeding a fixed buffer. Migrating to SSH, disabling telnetd, or blocking port 23 are recommended workarounds. → csoonline.com |
| 2026-04-10 2026 | CVE-2026-23744: Remote Code Execution in MCPJam Inspector PoC news | CVE-2026-23744: Remote Code Execution in MCPJam Inspector PoC |
| 2026-04-10 2026 | Remote Code Execution (RCE) 101 beginner | Remote Code Execution (RCE) 101 → bugcrowd.com |
| 2026-04-10 2026 | How I Got RCE in One of Bugcrowd's Public Programs intermediate | How I Got RCE in One of Bugcrowd's Public Programs |
| 2026-04-10 2026 | From Recon to RCE: Hunting React2Shell (CVE-2025-55182) intermediate | From Recon to RCE: Hunting React2Shell (CVE-2025-55182) → infosecwriteups.com |
| 2026-04-10 2026 | RCE via Unclaimed Node Package: $2,500 Bug Bounty Writeup intermediate | RCE via Unclaimed Node Package: $2,500 Bug Bounty Writeup |
| 2026-04-10 2026 | Max Severity Flowise RCE Vulnerability Now Exploited in Attacks news 2 min read | Report on CVE-2025-59528, a critical RCE vulnerability in Flowise, an open-source platform for LLM apps, that allows arbitrary JavaScript code injection via the CustomMCP node. Developers should upgrade to version 3.0.6 or later to mitigate this threat, which has already been observed in active exploitation. Other Flowise vulnerabilities, CVE-2025-8943 and CVE-2025-26319, have also seen in-the-wild exploitation. → bleepingcomputer.com |
| 2026-04-10 2026 | CVE-2026-35056: XenForo RCE Vulnerability for Admin Accounts news 1 min read | Writeup of CVE-2026-35056, a High severity (CVSS 4.0: 8.6) Code Injection vulnerability in XenForo versions prior to 2.3.9 and 2.2.18. This RCE vulnerability allows authenticated admin users to execute arbitrary code remotely. While no public proof-of-concept or active exploitation has been confirmed, users should promptly apply vendor patches and review the official advisory for affected systems. |
| 2026-04-10 2026 | CVE-2026-1731: Critical Unauthenticated RCE in BeyondTrust Remote Support news 2 min read | Writeup of CVE-2026-1731, a critical unauthenticated RCE in BeyondTrust Remote Support and Privileged Remote Access products, which allows attackers to execute arbitrary OS commands. This vulnerability, with a CVSSv4 score of 9.9, affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. While SaaS instances were patched, self-hosted deployments require manual updates. Discovered by Hacktron AI, the flaw was added to CISA's KEV list on February 13, 2026. Rapid7 customers using Exposure Command, InsightVM, and Nexpose can assess their exposure with authenticated checks released February 9, 2026. → rapid7.com |
| 2026-04-10 2026 | PraisonAI Critical RCE via Malicious YAML Parsing (CVE-2026-39890) news 2 min read | Writeup of CVE-2026-39890, a critical RCE vulnerability in PraisonAI, allowing arbitrary JavaScript execution via insecure YAML parsing. The flaw exists in `AgentService.loadAgentFromFile`, which improperly handles dangerous `js-yaml` tags like `!!js/function` and `!!js/undefined` when processing agent definition files. Exploitation involves crafting a malicious YAML file with embedded JavaScript and uploading it to the server, leading to server-side code execution. The vulnerability affects versions prior to 4.5.115 and is mitigated by upgrading. → thehackerwire.com |
| 2026-04-10 2026 | Critical n8n Flaws Allow Remote Code Execution and Credential Exposure news 3 min read | Writeup detailing critical n8n vulnerabilities including CVE-2026-27577 (expression sandbox escape for RCE) and CVE-2026-27493 (unauthenticated expression evaluation via Form nodes). These flaws, along with CVE-2026-27495 (JavaScript Task Runner code injection) and CVE-2026-27497 (Merge node SQL query mode RCE), allow for arbitrary code execution and credential exposure. Patched versions are 2.10.1, 2.9.3, and 1.123.22. → thehackernews.com |
| 2026-04-09 2026 | CISA adds second critical flaw in Ivanti EPMM to exploited vulnerabilities catalog news | CISA adds second critical flaw in Ivanti EPMM to exploited vulnerabilities catalog https://ift.tt/vfeE3wl → cybersecuritydive.com |
| 2026-04-09 2026 | 13-year-old Apache ActiveMQ RCE vulnerability discovered AI assisted in finding exploit news 1 min read | Report on CVE-2026-34197, an Apache ActiveMQ Classic RCE vulnerability allowing arbitrary command execution. This 13-year-old flaw, exacerbated by CVE-2024-32114's unauthenticated API access in versions 6.0.0-6.1.1, leverages the Jolokia management API to load external Spring XML configurations. AI assistance, including Claude, aided in identifying the exploit path. Prompt patching to 5.19.4 or 6.2.3+ is critical due to widespread enterprise use and prior attack history. → scworld.com |
| 2026-04-09 2026 | CISA Warns of Critical Ivanti EPMM Code Injection Vulnerability Exploited in Attacks news 2 min read | Advisory on CVE-2026-1340, a critical Ivanti EPMM code injection vulnerability, highlights its active exploitation and addition to CISA's Known Exploited Vulnerabilities catalog. This unauthenticated remote code execution flaw allows attackers to gain administrative control, steal data, deploy malware, and pivot within networks. CISA mandates immediate patching and mitigation for federal agencies and strongly urges private sector adoption of the same rapid response, advising disconnection if a fix is not immediately feasible. → cybersecuritynews.com |
| 2026-04-09 2026 | Claude helps researcher dig up decade-old Apache ActiveMQ RCE vulnerability (CVE-2026-34197) news 2 min read | Writeup detailing CVE-2026-34197, a decade-old RCE vulnerability in Apache ActiveMQ Classic stemming from improper input validation and code injection. This vulnerability, exploitable with default credentials or unauthenticated in certain versions due to CVE-2024-32114, was discovered with AI assistance. Mitigation involves upgrading to ActiveMQ versions 6.2.3 or 5.19.4 and monitoring logs for specific indicators of compromise. CISA has since added CVE-2026-34197 to its Known Exploited Vulnerabilities catalog. → helpnetsecurity.com |
| 2026-04-09 2026 | ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year Apache RCE, ClickFix, Node.js RAT & 18 More Stories news 13 min read | Bulletin covering hybrid Phorpiex botnet variants, chained Apache ActiveMQ Classic RCE vulnerabilities (CVE-2026-34197, CVE-2024-32114, CVE-2022-41678), AI-driven DDoS tactics amplified by IoT botnets like TurboMirai, Magecart skimmers hidden in SVG elements affecting Magento stores, and malicious MSI installers delivering Node.js RATs. → thehackernews.com |
| 2026-04-08 2026 | 13-year-old bug in ActiveMQ lets hackers remotely execute commands news 2 min read | Writeup detailing CVE-2026-34197, a 13-year-old remote code execution vulnerability in Apache ActiveMQ Classic affecting versions before 5.19.4 and 6.2.3. Discovered using Claude AI, the flaw allows attackers to execute arbitrary commands by exploiting the Jolokia management API to load external configurations, often chaining with CVE-2024-32114 for unauthenticated access. This issue underscores ActiveMQ's history as a target for attackers, with previous RCEs like CVE-2016-3088 and CVE-2023-46604 appearing on CISA's KEV list. → bleepingcomputer.com |
| 2026-04-08 2026 | Critical Ninja Forms vulnerability allows remote code execution news | Writeup of CVE-2026-0740, a critical vulnerability in Ninja Forms File Uploads affecting WordPress. This flaw allows unauthenticated arbitrary file uploads due to missing file type and extension validation, enabling path traversal to execute code via web shells. Over 3,600 exploitation attempts were blocked by Wordfence recently. Versions up to 3.3.26 are impacted, with a patch available in 3.3.27. → scworld.com |
| 2026-04-08 2026 | RCE Bug Lurked in Apache ActiveMQ Classic for 13 Years news 2 min read | Writeup of CVE-2026-34197, a critical RCE vulnerability in Apache ActiveMQ Classic discovered by Horizon3.ai. This flaw, present for 13 years, can be chained with CVE-2022-41678, allowing attackers to exploit the Jolokia API and VM transport to execute OS commands. In some deployments, it can be combined with CVE-2024-32114 for unauthenticated RCE. Updates to ActiveMQ Classic 5.19.4 and 6.2.3 are recommended. → securityweek.com |
| 2026-04-08 2026 | Claude Discovers 13-Year-Old RCE Vulnerability in Apache ActiveMQ Within Minutes news 2 min read | Writeup detailing CVE-2026-34197, a 13-year-old remote code execution vulnerability in Apache ActiveMQ Classic. The flaw leverages the Jolokia REST API interface to expose JMX operations, allowing attackers to abuse the `addNetworkConnector` function with a crafted `vm://` URI to load and execute malicious remote configuration files. Exploitation typically requires administrative access, but CVE-2024-32114 in specific versions removes this authentication requirement, enabling unauthenticated RCE. Recommendations include upgrading to fixed versions, changing default credentials, and monitoring logs for suspicious patterns. → cyberpress.org |
| 2026-04-08 2026 | Fortinet FortiClientEMS Remote Code Execution Vulnerability news | Writeup of CVE-2026-35616 in FortiClientEMS, an Improper Access Control vulnerability allowing unauthenticated attackers to execute unauthorized code or commands via crafted requests. Exploited in the wild, this vulnerability can lead to remote code execution and elevation of privilege on affected systems. Users should update to FortiClientEMS 7.4.7 or later. → hkcert.org |
| 2026-04-08 2026 | Hackers Targeting Ninja Forms Bug That Exposes WordPress Sites to Takeover news 1 min read | Writeup on CVE-2026-0740, a critical unauthenticated arbitrary file upload vulnerability in Ninja Forms' File Uploads addon. This flaw, with a CVSS score of 9.8, allows attackers to bypass file type validation and use path traversal to upload malicious PHP code to the webroot, enabling remote code execution and complete site takeover. Defiant reports thousands of exploitation attempts against the ~50,000 affected websites. Users should update to version 3.3.27. → securityweek.com |
| 2026-04-08 2026 | Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations news 11 min read | Report detailing Storm-1175's high-tempo Medusa ransomware operations, exploiting N-days like CVE-2023-21529 (Microsoft Exchange), CVE-2023-27351 (Papercut), and CVE-2024-21887 (Ivanti), alongside zero-days. The actor rapidly chains exploits, establishes persistence via new users, uses tools like PsExec and RMMs (Atera, N-able), PDQ Deployer, and Impacket for lateral movement and credential theft before deploying ransomware. → microsoft.com |
| 2026-04-08 2026 | Claude Uncovers 13-Year-Old RCE Flaw in Apache ActiveMQ in Just 10 Minutes news 2 min read | Writeup of CVE-2026-34197, a 13-year-old RCE vulnerability in Apache ActiveMQ Classic's Jolokia JMX-HTTP bridge, discovered by Anthropic's Claude AI. The flaw allows authenticated attackers to inject crafted VM transport URIs via the `addNetworkConnector` operation, leading to arbitrary OS command execution through Spring's `MethodInvokingFactoryBean`. A separate flaw, CVE-2024-32114, makes this RCE unauthenticated in ActiveMQ versions 6.0.0 through 6.1.1. The vulnerability is patched in ActiveMQ Classic versions 5.19.4 and 6.2.3. → cybersecuritynews.com |
| 2026-04-08 2026 | CUPS Vulnerability Chain Enables Remote Attacker to Execute Malicious Code as Root User news 2 min read | Writeup on CVE-2026-34980 and CVE-2026-34990, two zero-day vulnerabilities in CUPS versions 2.4.16 and older. Attackers can exploit a parsing bug in shared PostScript queues to bypass authentication and execute code as the "lp" user, then leverage a privilege escalation flaw to gain root access. Mitigation involves disabling shared legacy queues, limiting network exposure, enforcing authentication, or using mandatory access control systems like AppArmor. → cybersecuritynews.com |
| 2026-04-08 2026 | Claude Identifies Critical 13-Year-Old RCE Vulnerability in Apache ActiveMQ news 2 min read | Writeup detailing CVE-2026-34197, a 13-year-old RCE vulnerability in Apache ActiveMQ Classic, exploitable via Jolokia to inject a crafted `vm://` URI. This forces the broker to fetch and execute a remote Spring XML configuration file, granting system control. Versions 6.0.0 through 6.1.1 are particularly vulnerable due to CVE-2024-32114, allowing unauthenticated exploitation. Updates to versions 5.19.4 or 6.2.3 are recommended, along with securing default credentials and monitoring for suspicious activity. → gbhackers.com |
| 2026-04-07 2026 | Attackers exploit critical Flowise flaw CVE-2025-59528 for remote code execution news 2 min read | Writeup of CVE-2025-59528 in Flowise, detailing how attackers exploit improper JavaScript validation in the CustomMCP node for remote code execution and file system access. The vulnerability, fixed in version 3.0.6, allows arbitrary JavaScript execution with full Node.js privileges, enabling command execution and data theft, and has seen active exploitation in the wild, targeting thousands of exposed instances. → securityaffairs.com |
| 2026-04-07 2026 | Hackers exploit critical flaw in Ninja Forms WordPress plugin news 2 min read | Writeup detailing CVE-2026-0740, a critical 9.8 severity vulnerability in Ninja Forms File Uploads for WordPress versions up to 3.3.26. The flaw allows unauthenticated arbitrary file uploads, including PHP scripts, through a lack of destination filename validation and supports path traversal, enabling remote code execution. The vulnerability was discovered by Sélim Lanouar and reported to Wordfence, who provided temporary firewall mitigations before the vendor released a full fix in version 3.3.27. → bleepingcomputer.com |
| 2026-04-07 2026 | Active exploitation of max severity Flowise bug threatens broad compromise news | Report on CVE-2025-59528, a critical code injection vulnerability in Flowise. Exploitation of this flaw allows for remote code execution, compromise of sensitive modules like `child_process` and `fs`, system compromise, file system infiltration, and data theft. → scworld.com |
| 2026-04-07 2026 | New CUPS vulnerabilities threaten RCE network breaches news | Analysis of CVE-2026-34980 and CVE-2026-34990, two critical vulnerabilities in the Common Unix Printing System (CUPS), reveals their potential to enable unauthenticated remote code execution and root file overwrite on Linux and Unix-like systems. Exploitation involves chaining a print job submission to a PostScript queue with an authorization flaw, allowing low-privileged accounts to gain root access. These findings, discovered by SpaceX security engineer Asim Viladi Oglu Manizada, highlight the increasing role of AI in vulnerability detection. → scworld.com |
| 2026-04-07 2026 | Critical CUPS Vulnerability Chain Allows Remote Code Execution as Root news 2 min read | Writeup on CVE-2026-34980 and CVE-2026-34990, a critical vulnerability chain in the Common Unix Printing System (CUPS) that allows unauthenticated remote code execution and subsequent local privilege escalation to root. The first flaw enables RCE via improper input sanitization on PostScript print queues, while the second leverages a race condition to overwrite system files with root privileges. Mitigations include disabling network access, enforcing authentication, and deploying AppArmor or SELinux. → cyberpress.org |
| 2026-04-07 2026 | Critical Flaw in Windmill Developer Platform Allows Remote Code Execution news 2 min read | Writeup of Windmill RCE vulnerabilities CVE-2026-29059 and an authenticated SQL injection flaw, alongside a misconfiguration in Nextcloud Flow, enabling unauthenticated attackers to achieve RCE and full system control. The "Windfall" exploit framework, developed by Chocapikk, automates these attacks and features a "Ghost Mode" to evade detection. Related vulnerabilities CVE-2026-23695, CVE-2026-23696, CVE-2026-23697, and CVE-2026-23698 are also mentioned. → cyberpress.org |
| 2026-04-07 2026 | Critical Flowise Vulnerability in Attacker Crosshairs news 2 min read | Report on CVE-2025-59528, a critical remote code execution vulnerability in Flowise affecting versions up to 3.0.5. This flaw allows attackers to exploit unvalidated user-supplied JavaScript in MCP server configuration, granting full Node.js runtime privileges and access to the file system. Threat actors are actively exploiting this bug, posing an extreme risk to business continuity and sensitive data for thousands of exposed Flowise instances. Version 3.0.6 includes the patch. → securityweek.com |
| 2026-04-07 2026 | CUPS Vulnerabilities Could Allow Remote Attackers to Achieve Root-Level Code Execution news 2 min read | Writeup on two critical CUPS vulnerabilities: CVE-2026-34980, which allows unauthenticated remote code execution via PostScript queues through newline character injection in print options, and CVE-2026-34990, a local privilege escalation to root via interception of administrator tokens and a race condition to overwrite sensitive system files. → gbhackers.com |
| 2026-04-07 2026 | Windmill Developer Platform Flaws Expose Users to RCE Attacks Proof-of-Concept Published news 2 min read | Report on critical vulnerabilities in the Windmill developer platform and Nextcloud Flow that enable unauthenticated path traversal (CVE-2026-29059) and authenticated SQL injection, leading to RCE. The "Windfall" exploit framework, developed with AI assistance, automates these attacks, including a stealthy "Ghost Mode" for erasing traces. Administrators must patch to Windmill 1.603.3 and Nextcloud Flow 1.3.0 to mitigate these risks. → gbhackers.com |
| 2026-04-07 2026 | 50000 WordPress Sites Exposed to Critical Ninja Forms File Upload RCE Vulnerability news 2 min read | Writeup of CVE-2026-0740, a critical unauthenticated arbitrary file upload vulnerability in the Ninja Forms plugin for WordPress, exposing an estimated 50,000 sites to Remote Code Execution. The flaw, discovered by Sélim Lanouar, stems from inadequate filename sanitization and a failure to validate destination filenames before saving, allowing attackers to leverage path traversal to upload malicious PHP files. Exploitation can lead to complete server takeover, data theft, malware injection, and further attacks. Versions up to 3.3.26 are affected; updates to 3.3.27 or higher are urgently recommended. → cybersecuritynews.com |
| 2026-04-07 2026 | Over 1000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign news 7 min read | Report on a campaign targeting over 1,000 exposed ComfyUI instances, in which attackers exploit custom node vulnerabilities for remote code execution. This enables enrollment into a cryptomining botnet for Monero and Conflux using XMRig and lolMiner, and deployment into a Hysteria V2 proxy botnet. The attack leverages tools that scan for vulnerable ComfyUI instances, install malicious nodes like "ComfyUI-Shell-Executor," and establish persistence via shell scripts that disable history, kill competing miners, and use `LD_PRELOAD` hooks and `chattr +i` for resilience. → thehackernews.com |
| 2026-04-07 2026 | Fortinet Releases Emergency Patch After FortiClient EMS Bug Is Exploited news 1 min read | Writeup of CVE-2026-35616, a critical improper access control vulnerability affecting FortiClient EMS, which has been exploited in the wild, allowing unauthenticated attackers to execute unauthorized code via crafted requests. This follows the discovery and exploitation of another critical flaw, CVE-2026-21643, an SQL injection vulnerability in the same platform, highlighting the significant risks associated with compromised endpoint management infrastructure. → infosecurity-magazine.com |
| 2026-04-07 2026 | Attackers Exploit Flowise Injection Vulnerability as 15000 Instances Remain Exposed news 2 min read | Report on CVE-2025-59528, a critical code injection vulnerability in the CustomMCP node of Flowise, an open-source AI development platform. This flaw allows remote attackers to execute arbitrary JavaScript code via crafted network requests, leading to full server compromise and data exfiltration. Versions 3.0.5 and earlier are affected; upgrading to 3.0.6 is mandatory as over 15,000 instances remain exposed and actively exploited. → gbhackers.com |
| 2026-04-07 2026 | 50000 WordPress Sites Running Ninja Forms Vulnerable to Critical File Upload RCE news 2 min read | Report on CVE-2026-0740 in the Ninja Forms File Upload plugin for WordPress. This unauthenticated arbitrary file upload flaw, with a CVSS score of 9.8, allows attackers to bypass file type validation and path sanitization, enabling the upload of malicious PHP scripts to the website's root directory. Successful exploitation grants Remote Code Execution, allowing for webshells, data theft, or ransomware deployment. Versions prior to 3.3.27 are affected, with immediate upgrades recommended. → gbhackers.com |
| 2026-04-07 2026 | Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12000 Instances Exposed news 1 min read | Writeup on CVE-2025-59528, a CVSS 10.0 code injection vulnerability in Flowise AI Agent Builder, allowing remote code execution via JavaScript code injection, similar to prior Flowise flaws like CVE-2025-8943 and CVE-2025-26319. Exploitation can grant access to Node.js modules like `child_process` and `fs`, enabling system compromise, file access, and data exfiltration. Over 12,000 instances remain exposed, facing active exploitation. → thehackernews.com |
| 2026-04-07 2026 | AI agents found vulns in this popular Linux and Unix print server news 4 min read | Writeup of CVE-2026-34980 and CVE-2026-34990 in CUPS, a popular Linux and Unix print server, detailing how two chained vulnerabilities allow unauthenticated remote attackers to execute code and achieve root file overwrite. The flaws, discovered by AI agents and a security researcher, exploit CUPS' handling of anonymous print-job requests and option parsing to enable code injection. CVE-2026-34980 provides remote code execution as the `lp` user, which can then be chained with CVE-2026-34990, an authorization flaw, to gain root privileges. → theregister.com |
| 2026-04-06 2026 | CVE-2026-2699 and CVE-2026-2701 news 1 min read | Writeup detailing CVE-2026-2699 and CVE-2026-2701, two critical severity vulnerabilities in Progress ShareFile Storage Zones Controller (SZC) 5.x. CVE-2026-2699, an authentication bypass via improper redirect/session handling, allows unauthenticated access to administrative functions. When combined with CVE-2026-2701, an arbitrary file upload to the webroot flaw, these vulnerabilities enable pre-authentication remote code execution. Affected versions include SZC 5.x up to 5.12.3, with fixes available in 5.12.4. → arcticwolf.com |
| 2026-04-06 2026 | 2000 FortiClient EMS Instances Exposed Online Amid Active RCE Vulnerability Exploits in the Wild news 2 min read | Analysis of FortiClient EMS vulnerabilities reveals over 2,000 exposed instances, with CVE-2026-35616 and CVE-2026-21643 actively exploited for unauthenticated remote code execution. These critical flaws allow attackers to gain full control of affected systems and managed endpoints, posing a significant risk to enterprise networks. Immediate patching and restricted internet access are crucial mitigations against this widespread threat. → cybersecuritynews.com |
| 2026-04-06 2026 | Attackers Exploit RCE Flaw as 14000 F5 BIG-IP APM Instances Remain Exposed news 1 min read | Writeup detailing CVE-2025-53521, a critical RCE vulnerability affecting F5 BIG-IP APM instances. Attackers are actively exploiting this flaw, which allows specially crafted traffic to trigger remote code execution when access policies are enabled. Shadowserver reports over 14,000 exposed instances, with CISA adding the vulnerability to its Known Exploited Vulnerabilities catalog and requiring federal agencies to patch by March 30, 2026. → securityaffairs.com |
| 2026-04-06 2026 | Oracle issues emergency fix for pre-auth RCE in Identity Manager (CVE-2026-21992) news 1 min read | Patch for CVE-2026-21992, a critical pre-authentication RCE vulnerability in Oracle Identity Manager and Oracle Web Services Manager, is available. This unauthenticated flaw, affecting versions 12.2.1.4.0 and 14.1.2.1.0, mirrors the exploited CVE-2025-61757, also a missing authentication issue in Identity Manager reported by Assetnote / Searchlight Cyber. Urgent application of this emergency fix is recommended to prevent system takeover. → helpnetsecurity.com |
| 2026-04-06 2026 | Critical Flaws Identified in Progress Software ShareFile Service news | Critical Flaws Identified in Progress Software ShareFile Service https://ift.tt/ERZfLV6 |
| 2026-04-06 2026 | 2000 FortiClient EMS Instances Exposed Online as Attackers Exploit Active RCE Flaw news 2 min read | Writeup on FortiClient EMS vulnerabilities, specifically CVE-2026-35616 and CVE-2026-21643, which are unauthenticated Remote Code Execution flaws actively exploited in the wild. Over 2,000 exposed FortiClient EMS instances are vulnerable, allowing attackers to gain full control and potentially deploy malware or ransomware across corporate networks by exploiting the central management capabilities of the tool. → gbhackers.com |
| 2026-04-06 2026 | Metasploit Wrap-Up 04/03/2026 news 4 min read | Library updates for Metasploit Framework introduce new HTTP/HTTPS CMD payloads for Windows, enabling RCE against FreeScout (CVE-2026-27636, CVE-2026-28289) and Grav CMS (CVE-2025-50286). It also adds a generic HTTP command execution exploit, a Windows persistence technique via `UserInitMprLogonScript`, and various enhancements, bug fixes, and documentation updates. → rapid7.com |
| 2026-04-06 2026 | Multiple Vulnerabilities in Progress ShareFile Could Allow for Remote Code Execution news 4 min read | Advisory detailing multiple vulnerabilities in Progress ShareFile versions prior to 5.12.4. Chained exploitation of an authentication bypass (CVE-2026-2699) and a remote code execution flaw (CVE-2026-2701) allows attackers to upload malicious ASPX webshells via abuse of file upload and extraction functionality. Public proof-of-concept code is available for the mentioned CVEs. |
| 2026-04-06 2026 | Critical RCE Vulnerability in F5 BIG-IP Under Exploitation news | Critical RCE Vulnerability in F5 BIG-IP Under Exploitation |
| 2026-04-06 2026 | CVE-2026-20131 Cisco FMC RCE Vulnerability news 3 min read | Writeup of CVE-2026-20131, a critical RCE vulnerability in Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control Firewall Management. This insecure deserialization flaw in the web interface allows unauthenticated remote attackers to execute arbitrary code as root, and has been observed in ransomware campaigns. The vulnerability affects specific Cisco FMC and Security Cloud Control Firewall Management versions, with Cisco issuing software updates as the sole remediation. |
| 2026-04-06 2026 | Emerging Threat: CVE-2026-27876 Grafana Remote Code Execution via SQL Expressions news 3 min read | Writeup of CVE-2026-27876, a critical RCE vulnerability in Grafana's sqlExpressions feature, allowing arbitrary file writes to achieve remote code execution. Exploitable with viewer access, it affects specific versions of Grafana 11 and 12 when the feature is enabled, particularly impacting Information Technology and Communication Services sectors. Patches are available, with workarounds including disabling the feature toggle and network restriction. |
| 2026-04-05 2026 | Critical Remote Code Execution Vulnerability in Cisco Secure Firewall Management Center (CVE-2026-20131) news 4 min read | Writeup on CVE-2026-20131, a critical RCE vulnerability in Cisco Secure Firewall Management Center, exploitable via insecure deserialization of Java objects. This unauthenticated attack allows arbitrary code execution and privilege escalation to root. Active exploitation was observed, leading to inclusion in CISA's KEV catalog and a mandate for remediation in federal agencies. Exploitation leverages YSoSerial, with techniques including command-and-control communication. → securityboulevard.com |
| 2026-04-05 2026 | New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation news 1 min read | Writeup on CVE-2026-5281, a critical use-after-free vulnerability in Chrome's Dawn component. This zero-day flaw, actively exploited in the wild, allows remote attackers to execute arbitrary code via crafted HTML pages. The advisory highlights recent exploitation trends, including CVE-2026-3909, CVE-2026-3910, and CVE-2026-2441, urging users to update to the latest Chrome versions. → thehackernews.com |
| 2026-04-04 2026 | Critical Grafana Vulnerabilities Enable Remote Code Execution and DoS Attacks news 2 min read | Writeup of critical Grafana vulnerabilities, CVE-2026-27876 and CVE-2026-27880, enabling remote code execution and denial-of-service attacks. CVE-2026-27876, a CVSS 9.1 flaw in SQL expressions, allows arbitrary file writes leading to RCE and SSH access. CVE-2026-27880 affects OpenFeature validation endpoints, permitting instance crashes via large requests. Recommendations include immediate upgrades, disabling SQL expressions, and edge-level DoS mitigation using reverse proxies like Nginx or Cloudflare. → securityboulevard.com |
| 2026-04-04 2026 | 14000 F5 BIG-IP APM Devices Exposed Online Amid Active RCE Vulnerability Exploits news 2 min read | Writeup of CVE-2025-53521, an actively exploited RCE flaw impacting F5 BIG-IP APM devices, with over 14,000 instances still exposed online. Initially disclosed as a DoS, its upgrade to RCE by F5 necessitates immediate patching and post-compromise hunting. Successful exploitation allows attackers to bypass corporate perimeters, leading to data theft or network infiltration. Organizations must apply vendor updates (K000156741), assume breach, and audit external assets. → cybersecuritynews.com |
| 2026-04-03 2026 | CISA Warns of Craft CMS Code Injection Flaw Exploited in Active Attacks news 2 min read | Analysis of CVE-2025-32432, a critical code injection flaw in Craft CMS versions 3.x, 4.x, and 5.x. Exploited through insecure deserialization within asset transform generation, this pre-authentication vulnerability allows arbitrary code execution by chaining object injection with the Yii framework's PhpManager component. CISA has added it to the KEV catalog due to active exploitation. Recommended mitigations include upgrading to patched versions 3.9.15, 4.14.15, or 5.6.17. → gbhackers.com |
| 2026-04-03 2026 | New Progress ShareFile Flaws Expose Servers to Unauthorized Remote Takeover news 2 min read | Library of exploit techniques for Progress ShareFile Storage Zone Controller vulnerabilities CVE-2026-2699 and CVE-2026-2701, allowing unauthenticated attackers to bypass authentication via Execution After Redirect and achieve Remote Code Execution by reconfiguring upload paths to a webroot for malicious ASPX shell deployment. → gbhackers.com |
| 2026-04-03 2026 | Researchers warn of critical flaws in Progress ShareFile news | Researchers warn of critical flaws in Progress ShareFile → cybersecuritydive.com |
| 2026-04-03 2026 | SSTI (Server-Side Template Injection) to RCE Walkthrough intermediate | SSTI (Server-Side Template Injection) to RCE Walkthrough |
| 2026-04-03 2026 | SSTI Leading to Remote Code Execution (RCE) intermediate | SSTI Leading to Remote Code Execution (RCE) |
| 2026-04-03 2026 | OpenOlat Velocity Template Injection Leads to RCE intermediate 2 min read | Writeup of CVE-2026-28228 in OpenOlat details a high-severity server-side template injection vulnerability. Exploitable by authenticated users with the Author role, it allows Velocity directives to be injected into reminder email templates, leading to remote code execution (RCE) via Java reflection and `ProcessBuilder`. Affected versions include those prior to OpenOlat 19.1.31, 20.1.18, and 20.2.5. → thehackerwire.com |
| 2026-04-03 2026 | A Pentester's Guide to SSTI | Cobalt beginner 3 min read SSTI | Guide to Server-Side Template Injection (SSTI) detailing how attackers exploit template engines like Smarty, Twig, Velocity, Jinja, and Liquid to achieve remote code execution (RCE). It describes using polyglot payloads to detect vulnerabilities, identify template engines through error messages, and leverage available objects like `settings.SECRET_KEY` for exploitation. The guide also mentions Tplmap as an automated tool for SSTI exploitation and suggests input sanitization and sandboxing as remediation techniques. → cobalt.io |
| 2026-04-03 2026 | RCE with Server-Side Template Injection intermediate | RCE with Server-Side Template Injection |
| 2026-04-03 2026 | Rejetto HTTP File Server SSTI RCE (CVE-2024-23692) | Invicti news | Writeup of CVE-2024-23692, a Server-Side Template Injection (SSTI) vulnerability in Rejetto HTTP File Server (HFS) versions 2.3m and earlier. This flaw allows unauthenticated remote code execution via a malicious HTTP request. Remediation involves migrating to HFS 3.x, as version 2.x is end-of-life and unsupported. Compensating controls include network access restrictions, reverse proxy filtering, or temporary service shutdown. → invicti.com |
| 2026-04-03 2026 | WPML Plugin RCE via Twig SSTI (CVE-2024-6386) news 5 min read | Writeup detailing CVE-2024-6386, an authenticated Remote Code Execution vulnerability in the WPML Multilingual CMS Plugin for WordPress. The vulnerability stems from a Twig Server-Side Template Injection (SSTI) flaw due to inadequate input sanitization within shortcode processing. Exploitation involves constructing payloads using the `dump()` function to dynamically gather necessary characters, bypassing quote restrictions and enabling arbitrary command execution. Affected versions are `<= 4.6.11`. |
| 2026-04-03 2026 | PayloadsAllTheThings - Server Side Template Injection beginner 4 min read SSTI | Library of Server-Side Template Injection (SSTI) techniques and tools, including scanners like Hackmanit/TInjA and epinna/tplmap, along with research on Rendered, Error-Based, Boolean-Based, and Time-Based exploitation. It details methods for identifying template engines such as Jinja2, Twig, and FreeMarker, and provides example payloads and research papers like James Kettle's "Server-Side Template Injection: RCE For The Modern Web App." |
| 2026-04-03 2026 | SSTI: Advanced Exploitation Guide | Intigriti advanced 9 min read SSTI | Library that details advanced exploitation techniques for Server-Side Template Injection (SSTI) vulnerabilities. It covers identification methods for template engines like Jinja2, Twig, and ERB, and demonstrates how to escalate basic injections to remote code execution by exploiting sandboxed environments and chained objects, offering practical examples for Python, PHP, Ruby, JavaScript, Java, and C# template engines. → intigriti.com |
| 2026-04-03 2026 | SSTI Exploitation with RCE Everywhere | YesWeHack intermediate 7 min read SSTI | Writeup detailing advanced Server-Side Template Injection (SSTI) exploitation techniques for achieving Remote Code Execution (RCE) without quotes or external plugins. It covers payloads for Jinja2, Mako, Twig, Smarty, Blade, Groovy, and FreeMarker, demonstrating how to bypass auto-escaping and exploit built-in functions like `chr`, `popen`, `passthru`, and `execute` across various languages and frameworks. → yeswehack.com |
| 2026-04-03 2026 | Progress ShareFile vulnerabilities allow unauthenticated file exfiltration news 1 min read | Writeup detailing Progress ShareFile vulnerabilities CVE-2026-2699 and CVE-2026-2701, which allow unauthenticated file exfiltration. Exploitation involves chaining an authentication bypass with remote code execution within the Storage Zones Controller (SZC). Researchers at watchTowr discovered these flaws, affecting Progress ShareFile versions 5.x. Progress has released version 5.12.4 to patch these critical issues. → scworld.com |
| 2026-04-03 2026 | Critical ShareFile Flaws Lead to Unauthenticated RCE news 2 min read | Writeup detailing chained vulnerabilities CVE-2026-2699 (Execution After Redirect) and CVE-2026-2701 (arbitrary file upload) in Citrix ShareFile. WatchTowr discovered these flaws allowed unauthenticated attackers to gain administrative access, exfiltrate sensitive files to attacker-controlled S3 buckets, and achieve remote code execution by uploading a web shell. The vulnerabilities were patched in ShareFile version 5.12.4. → securityweek.com |
| 2026-04-03 2026 | Under Fire: Attackers Target Flaws in F5 and Citrix Gear news 4 min read | Library: Actively exploited vulnerabilities in F5 BIG-IP APM (CVE-2025-53521, a critical remote code execution flaw) and NetScaler ADC/Gateway (CVE-2026-3055, a critical memory overread, and CVE-2026-4368, a session mix-up) are detailed. Attackers, including nation-state actors, are targeting these application delivery and security platforms, with F5 revising its BIG-IP APM flaw severity from denial-of-service to remote code execution, and CISA mandating patching for federal agencies. Memory leak vulnerabilities in Citrix products, like the previously disclosed CitrixBleed, continue to be a significant concern. → bankinfosecurity.com |
| 2026-04-03 2026 | AI discovers RCE vulnerabilities in Vim and Emacs text editors news | Library for identifying remote code execution (RCE) vulnerabilities in text editors. Leverages AI assistance to find flaws, such as a modeline-related RCE in Vim (versions 9.2.0271 and earlier) and a Git integration vulnerability in GNU Emacs that allows arbitrary command execution via a core.fsmonitor program. The AI also aids in exploit development and suggests fixes. → scworld.com |
| 2026-04-02 2026 | Critical Fortinet FortiClient EMS flaw exploited for Remote Code Execution news 1 min read | Writeup of CVE-2026-21643, a critical SQL Injection vulnerability in Fortinet FortiClient EMS, now actively exploited. Threat actors smuggle SQL statements via the "Site"-header in HTTP requests to achieve remote code execution, potentially gaining an initial network foothold for lateral movement or malware deployment. Nearly 1000 instances of FortiClient EMS are publicly exposed. This follows the earlier CVE-2023-48788, also an SQL Injection flaw, added to CISA's KEV catalog. → securityaffairs.com |
| 2026-04-02 2026 | Critical Cisco Smart Software Manager Vulnerability Enables Arbitrary Command Execution news 2 min read | Writeup on CVE-2026-20160, a critical unauthenticated remote code execution vulnerability in Cisco Smart Software Manager On-Prem. This flaw, with a CVSS score of 9.8, allows attackers to gain root privileges on enterprise license management infrastructure by sending specially crafted HTTP requests to an exposed internal service. Exploitation requires no authentication and enables arbitrary command execution, posing an extreme risk for lateral movement, data exfiltration, and network takeover. Administrators must immediately upgrade to SSM On-Prem version 9-202601, as no workarounds are available. → cyberpress.org |
| 2026-04-02 2026 | ImageMagick vulnerability allows remote code execution news 1 min read | Library for ImageMagick vulnerability analysis, detailing a critical flaw allowing remote code execution via crafted image files. Researchers identified a "magic byte shift" that bypasses restrictive policies, enabling attackers to leverage secondary tools like GhostScript and Magick Scripting Language (MSL) for RCE, data theft, and backdoor installation. Affecting major Linux distributions and WordPress sites, the vulnerability remains a pervasive threat due to the lack of automated patches and the unlabelled nature of early fixes. → scworld.com |
| 2026-04-02 2026 | GIGABYTE Control Center vulnerability allows remote code execution news | Analysis of CVE-2026-4415, a critical arbitrary file-write vulnerability in GIGABYTE Control Center (GCC) versions 25.07.21.01 and earlier. Unauthenticated remote attackers can exploit the "pairing" feature to write arbitrary files, leading to remote code execution, privilege escalation, or denial-of-service. GIGABYTE has released version 25.12.10.01 to patch this flaw, with immediate upgrades recommended. → scworld.com |
| 2026-04-02 2026 | Fortinet hit by another exploited cybersecurity flaw news 4 min read | Analysis of CVE-2026-21643, a critical SQL injection vulnerability in FortiClient EMS, detailing its exploitation for remote code execution and data exfiltration. This flaw, present in version 7.4.4 with multi-tenant mode enabled, allows unauthenticated attackers to craft HTTP requests to access admin credentials, endpoint data, and certificates. The vulnerability remains a top application security risk, underscoring the need for organizations to patch immediately and consider zero-trust architectures to mitigate such threats. → csoonline.com |
| 2026-04-02 2026 | Critical Grafana Vulnerabilities Let Attackers Achieve Remote Code Execution news 2 min read | Writeup on critical Grafana vulnerabilities, CVE-2026-27876 and CVE-2026-27880, detailing a SQL expressions RCE flaw requiring Viewer permissions and an unauthenticated DoS vulnerability affecting OpenFeature validation endpoints. The RCE allows arbitrary file writes and SSH acquisition, while the DoS exploits unbounded input to crash instances. Administrators must upgrade to patched versions (12.4.2, 12.3.6, etc.) or disable SQL expressions to mitigate the RCE, and use reverse proxies or highly available environments against the DoS. → cybersecuritynews.com |
| 2026-04-02 2026 | Hackers exploiting critical F5 BIG-IP flaw in attacks patch now news 2 min read | Advisory regarding CVE-2025-53521, a critical remote code execution flaw in F5 BIG-IP APM systems that attackers are actively exploiting to deploy webshells. This vulnerability, previously classified as denial-of-service, allows unprivileged attackers to achieve RCE when access policies are configured on a virtual server. F5 strongly recommends patching and reviewing systems for signs of compromise. CISA has added it to its list of actively exploited flaws, urging federal agencies to secure their BIG-IP APM deployments. → bleepingcomputer.com |
| 2026-02-02 2026 | depthfirst | 1-Click RCE To Steal Your Moltbot Data and Keys advanced 5 min read AI Secrets | Library analysis by depthfirst identified a critical vulnerability (CVE-2026-25253) in OpenClaw, an AI assistant. This flaw allows for a one-click RCE exploit by chaining a logic gap in gateway URL ingestion with Cross-Site WebSocket Hijacking. The exploit bypasses Same Origin Policy and allows disabling security features like user confirmation and sandboxing via API calls, leading to arbitrary command execution and access to sensitive data like iMessage and Stripe API keys. |
| 2025-12-07 2025 | 🚨 New article: SSRF exploitation advanced SSRF | What's inside: → 20+ bypass techniques → Cloud metadata attacks (AWS/Azure/GCP) → Gopher protocol exploitation → Docker & Redis RCE chains → Blind SSRF detection → Real automation scripts From ping t... |
| 2025-08-14 2025 | https://weekly.infosecwriteups.com/iw-weekly-39-10-000-bounty-zero-click-account-takeover-stored-xss-open-redirection-vulnerability-sql-injection-rce-reconnaissance-techniques-and-much-more/ intermediate 3 min read SQLi XSS | Collection of Infosec writeups featuring a $10,000 bounty for a Facebook Reels vulnerability, Zoom stored XSS, Facebook zero-click account takeover, io_uring UAF (CVE-2022-2602), Apple subdomain open redirection, GraphQL pentesting, social engineering guides, insecure CORS, bug bounty automation, smart contract vulnerabilities, mental health tips for hackers, HTTP Basic Auth, SQL Injection to RCE (CVE-2022-44015), RFC analysis for bounties, MMORPG CTF challenges, CodeQL for GraphQL, reconnaissance techniques, SSRF deep dives, Foundry EVM chain tests, and online security learning resources. |
| 2025-08-14 2025 | Chaining an Blind SSRF bug to Get an RCE | by Santosh Kumar Sha (@killmonga intermediate SSRF | The content discusses chaining a Blind Server-Side Request Forgery (SSRF) bug to achieve Remote Code Execution (RCE), presented by Santosh Kumar Sha. This technique involves exploiting a vulnerability in which an attacker can make a server perform unauthorized requests, leading to gaining control over the server and executing malicious code remotely. The focus is on demonstrating how an SSRF bug can be leveraged to escalate to a more severe RCE attack, highlighting the importance of understanding and securing against such vulnerabilities in web applications. |
| 2025-08-14 2025 | Just Gopher It: Escalating a Blind SSRF to RCE for $15k — Yahoo Mail | by S intermediate SSRF | The content discusses escalating a blind Server-Side Request Forgery (SSRF) vulnerability to Remote Code Execution (RCE) in Yahoo Mail, earning a reward of $15,000. The process involves utilizing the Gopher protocol to exploit the SSRF vulnerability and achieve RCE. The article likely details the steps taken to identify, exploit, and report the vulnerability to Yahoo Mail's security team, resulting in a significant bounty payout. |
| 2025-08-14 2025 | https://github.com/smgorelik/Windows-RCE-exploits/tree/master/Web/VBScript advanced | The provided link leads to a GitHub repository containing Windows Remote Code Execution (RCE) exploits written in VBScript. The repository offers a collection of scripts that can be used to exploit vulnerabilities in Windows systems. It focuses on utilizing VBScript for web-based attacks. The content provides a resource for security researchers and professionals interested in studying or testing RCE vulnerabilities in Windows environments using VBScript. |
| 2025-08-14 2025 | https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-bypass-firewall-to-get-rce-and-then-went-from-server-shell-to-get-783f71131b94?source=userActivityShare-90814179aa21-1525127127 intermediate | The content discusses a bug bounty experience where the author bypassed a firewall to achieve Remote Code Execution (RCE) and gained access to a server shell. The author describes the steps taken to exploit vulnerabilities, including identifying the firewall, exploiting it to gain RCE, and escalating privileges to access the server shell. The article provides insights into the process of identifying and exploiting security weaknesses, showcasing the author's skills in penetration testing and bug hunting. |
| 2025-08-14 2025 | https://medium.com/@kedrisec/how-i-found-2-9-rce-at-yahoo-bug-bounty-program-20ab50dbfac7 intermediate | The content discusses a security researcher's experience finding a critical Remote Code Execution (RCE) vulnerability in Yahoo's Bug Bounty Program. The researcher details the steps taken to discover and exploit the vulnerability, which allowed unauthorized code execution on Yahoo's servers. The post highlights the importance of responsible disclosure and the collaboration between security researchers and companies to address such vulnerabilities. The discovery earned the researcher a significant bounty reward. |
| 2025-08-14 2025 | https://medium.com/@p4c3n0g3/lfi-to-rce-via-access-log-injection-88684351e7c0?source=userActivityShare-90814179aa21-1524411790 intermediate | The content discusses a security vulnerability called Local File Inclusion (LFI) that can be exploited to achieve Remote Code Execution (RCE) through access log injection. By manipulating log files, an attacker can inject malicious code that gets executed on the server, leading to potential compromise. The article provides a detailed explanation of how this attack works and offers insights into the impact and mitigation strategies. It emphasizes the importance of understanding and securing against such vulnerabilities to protect systems from unauthorized access and data breaches. |
| 2025-08-14 2025 | https://engineering.salesforce.com/meraki-rce-when-red-team-and-vulnerability-research-fell-in-love-3a119ce2cf56?source=userActivityShare-90814179aa21-1515163858 intermediate | The content discusses a case study where a red team and vulnerability researchers collaborated to discover a critical Remote Code Execution (RCE) vulnerability in Meraki devices. The article highlights the importance of teamwork, communication, and collaboration between different security roles to identify and address security flaws effectively. The process involved reverse engineering, code analysis, and exploitation techniques to uncover the vulnerability. The findings were responsibly disclosed to the vendor for remediation. This case emphasizes the significance of cross-functional cooperation in cybersecurity to enhance overall security posture and protect against potential threats. |
| 2025-08-14 2025 | Leading the Blind to Light! - A Chain to RCE intermediate 5 min read | Writeup detailing a Remote Code Execution (RCE) chain achieved by exploiting an Oracle E-Business Suite instance. The chain begins with an authentication bypass leading to blind XXE, which then facilitates information disclosure. This information is combined with an SQL injection vulnerability on an internal database host, enabling the re-enabling of `xp_cmdshell`. Successful execution of `xp_cmdshell` ultimately grants command execution with Administrator privileges. → blog.zsec.uk |
| 2025-08-14 2025 | opsxcq/exploit-CVE-2016-10033: PHPMailer 5.2.18 Remote Code Execution intermediate 6 min read | Tool for exploiting CVE-2016-10033 in PHPMailer versions prior to 5.2.18, enabling remote code execution. This vulnerability allows attackers to inject arbitrary code by crafting a `From` address that bypasses filters, leading to the execution of commands via the `mail()` function's `additional_parameters`. The provided exploit leverages this by writing a backdoor file to a web-accessible directory, allowing for shell access and further exploitation. |
| 2025-08-14 2025 | Artificial truth · From LFI to RCE in php intermediate 2 min read | Technique for achieving RCE via LFI in PHP, improving on earlier /proc/self/environ and /var/log methods. This technique leverages PHP's temporary file handling during uploads. By repeatedly triggering an infinite recursive inclusion with a SIGSEGV, the temporary file is prevented from deletion, allowing an attacker to bruteforce its randomly generated name and achieve remote code execution, as demonstrated with a Python script and a shell.php payload. |
| 2025-08-14 2025 | The Tale Of SSRF To RCE on .GOV Domain | by Tobydavenn | Sep, 2022 | Medium intermediate SSRF | The content titled "The Tale Of SSRF To RCE on .GOV Domain" by Tobydavenn on Medium discusses a scenario involving Server-Side Request Forgery (SSRF) leading to Remote Code Execution (RCE) on a .GOV domain. The article likely delves into the technical details of how this vulnerability was exploited, highlighting the significance of such security flaws on government domains. It may provide insights into the exploitation process, potential impacts, and the importance of addressing SSRF vulnerabilities promptly to prevent RCE attacks. |
| 2025-08-14 2025 | https://www.reddit.com/r/Hacking_Tutorials/comments/gtpkug/remote_code_execution_explained_with_real_life/?utm_source=share&utm_medium=ios_app&utm_name=iossmf beginner Bug Bounty | The content discusses remote code execution, explaining how it works with real-life examples. It delves into the concept of exploiting vulnerabilities to execute code on a remote system, potentially leading to unauthorized access. The post likely provides insights into the dangers of remote code execution and how hackers can leverage it for malicious purposes. It serves as a tutorial or informational resource for individuals interested in understanding cybersecurity threats and how to protect against them. |
| 2025-08-14 2025 | https://medium.com/@smilehackerofficial/how-i-found-rce-but-got-duplicated-ea7b8b010990 intermediate | The content discusses a security researcher's experience finding a Remote Code Execution (RCE) vulnerability in a web application. The researcher details the steps taken to identify and exploit the vulnerability, leading to a successful demonstration of the RCE. However, the researcher later discovered that the same vulnerability had been previously reported by another researcher, resulting in a duplicate submission. The article highlights the importance of thorough research before reporting vulnerabilities to avoid duplication and emphasizes the need for collaboration within the security research community. |
| 2025-08-14 2025 | https://omespino.com/write-up-private-bug-bounty-usd-rce-as-root-on-marathon-instance/ intermediate 2 min read | Writeup detailing RCE as root on Marathon instances, found by exploiting unauthenticated Marathon UIs discovered via Shodan. The technique involves using `curl` to create a Marathon application with a command like `wget` to exfiltrate host data to an attacker-controlled listener, leveraging the `cmd` parameter for arbitrary command execution. This vulnerability allows for root-level command execution on vulnerable Marathon deployments. |
| 2025-08-14 2025 | Zoom Zero Day: 4 Million Webcams & maybe an RCE? Just get them to visit yo intermediate | The content mentions a Zoom zero-day vulnerability affecting 4 million webcams that could potentially lead to remote code execution (RCE). The vulnerability can be exploited by tricking users into visiting a malicious website. This poses a significant security risk as attackers could gain unauthorized access to users' webcams and potentially execute malicious code on their devices. It highlights the importance of staying vigilant and updating software to protect against such vulnerabilities. |
| 2025-08-14 2025 | elttam - Ruby 2.x Universal RCE Deserialization Gadget Chain advanced 11 min read | Library releasing a universal Ruby 2.x RCE deserialization gadget chain, bypassing prerequisites of earlier techniques like the ActiveSupport gem. This chain leverages code reuse attacks by chaining "gadgets" from the Ruby standard library, including techniques to indirectly load further libraries via `require` calls, ultimately enabling arbitrary command execution. |
| 2025-08-14 2025 | http://blog.orange.tw/2018/08/how-i-chained-4-bugs-features-into-rce-on-amazon.html advanced | The content discusses how a security researcher chained together four bugs and features to achieve Remote Code Execution (RCE) on Amazon. The researcher details the vulnerabilities found in Amazon's services and how they were exploited to gain unauthorized access and execute code remotely. The blog post provides a technical breakdown of the process, highlighting the importance of identifying and addressing security flaws to prevent such exploits. |
| 2025-08-14 2025 | RCE by uploading a web.config ↳... intermediate | The content discusses a Remote Code Execution (RCE) vulnerability that can be exploited by uploading a malicious web.config file. This type of vulnerability allows attackers to execute arbitrary code on a target system, potentially leading to unauthorized access or data breaches. It highlights the importance of securing file upload functionality and ensuring that user inputs are properly validated to prevent such security risks. |
| 2025-07-29 2025 | GitHub - jeanlucdupont/EXEfromCER: PoC that downloads an executable from a public SSL certificate intermediate Supply Chain | Proof-of-concept that demonstrates downloading and executing a Windows executable embedded within a public SSL certificate. This technique leverages custom X.509 certificate extensions and HTTPS to deliver the payload. The process involves generating a certificate with the executable in a custom OID extension using OpenSSL, serving it via TLS, and a Python client that connects, extracts the binary from the certificate, saves it, and then runs it. |
| 2025-05-17 2025 | New Process Injection Class: The CONTEXT-Only Attack Surface advanced 16 min read | Library for exploring the "context-only" attack surface in process injection. This research demonstrates techniques to inject code by focusing solely on execution primitives, bypassing traditional detection methods that rely on memory allocation and writing. Methods include using `CreateRemoteThread` with `LoadLibraryA` on existing in-process strings, calling arbitrary WinAPI functions via `SetThreadContext`, and leveraging `NtCreateThread` for remote shellcode execution, expanding to APC functions like `QueueUserAPC`. The accompanying `RedirectThread` tool aids in these investigations. |
| 2025-03-30 2025 | Stored XSS in My Flow To RCE in Opera Browser #2 - Renwa - Medium intermediate Bug Bounty XSS | Hey Opera team, your great response and bounties with previous reports motivated me to look more into the program and find more bugs; luckily I found a critical bug in My Flow that allows an… |
| 2024-12-22 2024 | 0x03 - Approaching the Modern Windows Kernel Heap advanced 13 min read | Writeup detailing exploitation of a Use-After-Free (UaF) vulnerability on Windows 11 (x64) using techniques derived from Alex Ionescu's "Kernel Heap Fengshui." The process involves reverse engineering with Ghidra to identify object sizes and IOCTL codes, and then employing Named Pipes (NPFS.SYS) to trigger nonpaged pool allocations for kernel heap manipulation, overcoming initial challenges with object sizing and allocation control. |
| 2024-12-19 2024 | GitHub - WafflesExploits/hide-payload-in-images: A project that demonstrates embedding shellcode payloads into image files (like PNGs) using Python and extracting them using C/C++. Payloads can be retrieved directly from the file on disk or from the image stored in a binary's resources section (.rsrc) intermediate 1 min read Python | Library demonstrating shellcode payload embedding into PNG images using Python, with C/C++ extractors. The project includes `payload-extractor-from-file.cpp` for disk-based extraction, `payload-extractor-from-resource.cpp` utilizing WinAPI functions like `FindResource` and `LockResource`, and `payload-extractor-from-resource-via-peb.cpp` for stealthier extraction via manual PEB and PE header parsing, avoiding WinAPI calls and improving reliability with direct PEB access. |
| 2024-11-20 2024 | Win32 shellcode beginner | Win32 shellcode |
| 2024-11-10 2024 | GitHub - AnonKryptiQuz/Xploitra: Xploitra is a powerful reverse shell payload generator for educational and security testing. It offers customizable payloads with advanced obfuscation and session management, making it ideal for simulating real-world attack scenarios and assessing system security. intermediate 1 min read | Tool for generating customizable reverse shell payloads for Windows, Xploitra offers advanced obfuscation and session management for simulating attack scenarios. It supports payload customization of IP, port, and execution commands, with randomized encoding and string manipulation to bypass basic detection. The tool can generate payloads on any OS and handle multiple sessions concurrently, encoding them in Base64 for secure delivery and saving them as `.bat` files. |
| 2024-11-10 2024 | GitHub - AnonKryptiQuz/I-Espresso: I-Espresso is a tool that enables users to generate Portable Executable (PE) files from batch scripts. Leveraging IExpress, it demonstrates how file extension spoofing can be used to evade detection. intermediate 1 min read | Tool for generating Portable Executable (PE) files from batch scripts using IExpress. I-Espresso demonstrates file extension spoofing techniques to evade detection, offering a user-friendly, fast, and efficient method for creating disguised payloads without external dependencies on Windows. It guides users through prompts to specify batch scripts, executable names, and custom extensions for generated PE files, intended purely for educational and security testing purposes. |
| 2024-11-04 2024 | Microsoft SharePoint RCE bug exploited to breach corporate network news 2 min read | Writeup detailing the exploitation of CVE-2024-38094, a Microsoft SharePoint RCE vulnerability, for initial network access. Attackers deployed a webshell, leveraged Horoung Antivirus to disable defenses, and used tools like Impacket, Mimikatz, FRP, everything.exe, Certify.exe, and kerbrute for lateral movement, credential harvesting, persistence, and network scanning. The exploit involved a batch script for antivirus installation and manipulation of system logging. → bleepingcomputer.com |
| 2024-10-17 2024 | Vimeo SSRF with code execution potential. intermediate SSRF | The content discusses the discovery of a semi-responded SSRF vulnerability on Vimeo that potentially allows for code execution. The author shares their process of finding and exploiting this vulnerability in a blog post. → infosecwriteups.com |
| 2024-10-17 2024 | How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! advanced 6 min read Bug Bounty SSRF | Writeup detailing a four-vulnerability exploit chain leading to Remote Code Execution (RCE) on GitHub Enterprise. The chain begins with a Server-Side Request Forgery (SSRF) discovered in the WebHook feature, which is then chained with a second SSRF in the Graphite service. This execution chain enables CR-LF injection, allowing protocol smuggling. Finally, a malicious Ruby Object is smuggled as a Memcached protocol, exploiting unsafe `Marshal` deserialization to achieve RCE. The article also mentions potential bypasses for Faraday IP restrictions and the use of Linux Glibc features. |
| 2024-10-01 2024 | GitHub - Offensive-Panda/ProcessInjectionTechniques: This comprehensive process injection series is crafted for cybersecurity enthusiasts, researchers, and professionals who aim to stay at the forefront of the field. It serves as a central repository of knowledge, offering in-depth exploration of various process injection techniques used by adversaries. advanced 2 min read | Library detailing numerous process injection techniques, including Classic Code Injection, Reflective DLL Injection, Process Hollowing, and PE Injection. It offers step-by-step explanations, implementation code, and demonstration videos, utilizing custom shellcode for illustrative purposes. References to MITRE ATT&CK T1055, Dirty Vanity, and resources from ired.team and RedTeamOperations are included. |
| 2024-08-22 2024 | BChecks/vulnerability-classes/injection at main · PortSwigger/BChecks · GitHub intermediate Burp SQLi XSS | BChecks collection for Burp Suite Professional and Burp Suite Enterprise Edition - PortSwigger/BChecks |
| 2023-11-06 2023 | The toddler's introduction to Heap exploitation (Part 1) beginner | The toddler's introduction to Heap exploitation (Part 1) https://ift.tt/OhuPqgT |
| 2023-11-05 2023 | Offensive C# beginner Bug Bounty | Course on Offensive C# covering malware development, C2 creation, Active Directory enumeration and attacks, .NET loaders, persistence, WinAPI interaction, token enumeration, shellcode and DLL injection, PE backdooring, PE parsing, PE64 loading, process hollowing, and API hooking and hashing. |
| 2023-10-27 2023 | Perfect DLL Hijacking intermediate 42 min read | Library that details a novel technique for DLL hijacking that circumvents the limitations of Windows' Loader Lock by reverse-engineering the Windows library loader. This research builds upon prior work like Nick Landers' "Adaptive DLL Hijacking" and presents a data-only approach that avoids problematic actions such as changing memory protection with VirtualProtect or modifying pointers, which are often flagged by anti-malware or incompatible with exploit mitigations like Intel CET. The library also offers stable mitigation and detection mechanisms for defenders. |
| 2023-10-18 2023 | Empire beginner | Empire https://ift.tt/Qmfzot3 |
| 2023-10-13 2023 | Understanding File Upload Vulnerabilities in Web App Penetration Testing \| 2023 beginner | Understanding File Upload Vulnerabilities in Web App Penetration Testing \| 2023 https://ift.tt/8aVoHYJ → cyberw1ng.medium.com |
| 2023-09-22 2023 | How to turn SQL injection into an RCE or a file read? Case study of 128 bug bounty reports intermediate Bug Bounty SQLi Talks | How to turn SQL injection into an RCE or a file read? Case study of 128 bug bounty reports https://www.youtube.com/watch?v=ClnVdYf4PK0 |
| 2023-08-21 2023 | Journey into Windows Kernel Exploitation: The Basics beginner | Journey into Windows Kernel Exploitation: The Basics https://ift.tt/IyEYMN5 |
| 2023-07-22 2023 | Attacking MS Exchange Web Interfaces intermediate | Attacking MS Exchange Web Interfaces https://ift.tt/Hxci19I |
| 2023-07-22 2023 | ProcessInjection intermediate 1 min read | Tool implementing five process injection techniques: Vanilla, DLL, Process Hollowing, APC Queue, and KernelCallbackTable. It accepts shellcode in base64, hex, C, or raw formats, and supports P/Invoke, D/Invoke, Direct Syscalls, and Indirect Syscalls for injection. The tool also includes detection evasion through XOR or AES encryption, and Parent PID Spoofing, with the option to load via reflection from disk or a remote server. |
| 2023-04-03 2023 | Basic and Low-level Python Network Attacks beginner Python | https://ift.tt/SxGhvBQ |
| 2023-04-02 2023 | $10.000 bounty for exposed .git to RCE intermediate Bug Bounty | $10.000 bounty for exposed .git to RCE https://ift.tt/1AxW3QH |
| 2022-04-06 2022 | Favorite tweet by @hakluke beginner Bug Bounty | Favorite tweet: I see people confuse these terms all the time, so I wrote a reference-style blog about it! The difference between code injection, command injection, RCE, remote code execution and rem... |
| 2022-02-28 2022 | Favorite tweet by @NandanLohitaksh intermediate Bug Bounty | Favorite tweet: Top 25 Remote Code Execution (RCE) Parameters 1. ?cmd={payload} 2. ?exec={payload} 3. ?command={payload} 4. ?execute={payload} 5. ?ping={payload} 6. ?query={payload} 7. ?jump={payload... |
| 2022-01-18 2022 | Making Sense of the Constantly Changing Log4Shell Landscape beginner 13 min read Supply Chain | Making Sense of the Constantly Changing Log4Shell Landscape |
| 2022-01-17 2022 | Log4Pot beginner 1 min read | Honeypot for Log4Shell (CVE-2021-44228) that listens for exploitation attempts on various ports, detects malicious requests in lines and headers, and recursively downloads exploit payloads. It supports logging to files and Azure blob storage, with an included analyzer script to extract and decode payloads, and build timelines. Installation involves fetching the repository and using Poetry for dependency management. |
| 2022-01-03 2022 | Malicious PDF Generator intermediate | Tool for generating ten distinct malicious PDF files, each with phone-home functionality, designed for penetration testing and red-teaming. This application facilitates testing web pages and services that accept PDF uploads, security products, PDF readers, and PDF converters by creating sample files with embedded links that can be configured to point to a Burp Collaborator URL. |
| 2022-01-02 2022 | a c program containing vulnerable code for common types of vulnerabilities can be used to show fuzzing concepts. beginner 3 min read Fuzzing | Program containing vulnerable C code to demonstrate fuzzing concepts. This resource includes code for common vulnerabilities such as integer overflow/underflow, out-of-bounds read/write, double free, use-after-free, memory leaks, and stack/heap exhaustion. It is designed to be fuzzed using tools like AFL, libafl, libfuzzer, and honggfuzz, with instructions and video tutorials provided for setup and execution. |
| 2021-12-31 2021 | InfosecMindmaps/Log4shell at main DickReverse/InfosecMindmaps beginner | InfosecMindmaps/Log4shell at main DickReverse/InfosecMindmaps |
| 2021-12-31 2021 | Log4Shell Visualization beginner | Log4Shell Visualization |
| 2021-12-30 2021 | Golang Offensive Tools with C-Sto and capnspacehook intermediate Python | Library of offensive security tools built with Golang, showcasing work from developers like C-Sto (goWMIexec, BananaPhone, gosecretsdump) and capnspacehook (pandorasbox, garble). The resource covers challenges and future directions of Go malware, listing numerous tools for command and control, obfuscation, reverse engineering, and more, including notable projects like sliver and DeimosC2. |
| 2021-12-16 2021 | Mitigate Log4j2 / Log4Shell in Elasticsearch intermediate 16 min read Supply Chain | Analysis of Log4Shell (CVE-2021-44228) vulnerabilities in Elasticsearch versions 5.0 to 7.16.0. Discusses mitigation strategies including updating Log4j to 2.17.1, setting `log4j2.formatMsgNoLookups=true`, removing the `JndiLookup` class, and leveraging the Java Security Manager's protections. Explains why subsequent Log4j issues (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832) have limited impact on Elasticsearch due to its configuration and security measures. Recommends upgrading Elasticsearch to versions ≥ 7.16.3 or ≥ 6.8.23 for full patching. |
| 2021-12-13 2021 | Semgrep beginner Supply Chain | Semgrep |
| 2021-12-13 2021 | Log4Shell The Worst Java Vulnerability in Years beginner | Log4Shell The Worst Java Vulnerability in Years |
| 2021-12-13 2021 | Java log4j security: Added Lookup injection rule. #1650 intermediate | Semgrep rule for detecting and preventing Log4j Lookup injection vulnerabilities in Java applications. The linked pull request (#1650) adds the lookup injection rule to the Semgrep rule set, enhancing static analysis for securing Java codebases against common Log4j exploits. |
| 2021-12-12 2021 | Log4j: It's worse than you think beginner 6 min read | Library of vulnerability scanner rules for detecting CVE-2021-44228 (Log4j), a critical Java package vulnerability. This tool leverages a partial trigger of the exploit to identify vulnerable instances, with a focus on providing remote scanning services to customers. Mitigation advice includes upgrading Log4j, disabling lookups, removing dangerous class files, and blocking JNDI lookup prefixes at the WAF. |
| 2021-12-12 2021 | Digging deeper into Log4Shell - 0Day RCE exploit found in Log4j intermediate 6 min read Supply Chain | Writeup detailing CVE-2021-44228, a remote code execution vulnerability in Apache Log4j. This widespread flaw enables attackers to execute arbitrary code by controlling log messages, leveraging JNDI lookups that can trigger LDAP or DNS calls to load malicious Java classes. The writeup describes the attack mechanism, observed exploitation tactics including targeting User-Agent headers, and mitigation strategies such as patching or disabling lookups. |
| 2021-12-12 2021 | PSA: Log4Shell and the current state of JNDI injection beginner 2 min read Supply Chain | Analysis of CVE-2021-44228 (Log4Shell), detailing how JNDI injection vulnerabilities in Log4j allow remote code execution. It highlights that even recent Java runtimes are susceptible, particularly through RMI and LDAP lookups. The analysis covers historical Java patches like CVE-2009-1094 and CVE-2018-3149, and discusses exploitation vectors using Apache XBean BeanFactory and Java deserialization, affecting environments like Apache Tomcat and WebSphere. |
| 2021-12-06 2021 | How to Brute-Force SSH Servers in Python intermediate 3 min read Python | Library for brute-forcing SSH servers in Python using the `paramiko` library. The tutorial details how to create a script that attempts password combinations from a provided wordlist against a target SSH host. It covers handling connection timeouts, authentication failures, and rate limiting, and includes argument parsing for host, username, and password list input. |
| 2021-11-26 2021 | Phantom - A multi-platform HTTP(S) Reverse Shell Server and Client intermediate 3 min read API Sec | Library for building multi-platform HTTP(S) reverse shells. Phantom allows creation of standalone Linux and Windows binaries using PyInstaller, supporting both auto-generated and user-supplied certificates for encrypted HTTPS communication. It includes a helper script for certificate generation and a straightforward build process via `build.py`, which can use Poetry or Virtualenv for dependency management. Client binaries can connect to specified server URLs, facilitating stealthy connections. |
| 2021-11-11 2021 | Game Hacking with Python and cheat engine intermediate Python | Game Hacking with Python and cheat engine |
| 2021-09-24 2021 | Buffer Overflow using ShellCraft - TryHackMe Intro to Pwntools beginner | Buffer Overflow using ShellCraft - TryHackMe Intro to Pwntools |
| 2021-09-14 2021 | Shellshock In-Depth: Why This Old Vulnerability Won't Go Away intermediate 2 min read | Shellshock In-Depth: Why This Old Vulnerability Won't Go Away |
| 2021-09-05 2021 | Writing an iOS Kernel Exploit from Scratch advanced 43 min read Mobile | Library for creating an iOS kernel exploit from scratch, specifically focusing on chain #3 against a double-free vulnerability present in iOS 11 and mitigated in 11.4.1. This resource details setting up a test environment, analyzing the IOKit driver vulnerability and its trigger, and developing a full exploit using common techniques, including a sandbox escape method revealed by Siguza. It serves as a reference for beginners by filling potential gaps in exploit development knowledge. |
| 2021-08-18 2021 | remote-method-guesser: A Java RMI Vulnerability Scanner intermediate | remote-method-guesser: A Java RMI Vulnerability Scanner |
| 2021-05-31 2021 | Finding writable folders and hijackable DLLs intermediate | Covers identifying writable folders and DLL hijacking opportunities on a Windows system, which an attacker can use to gain elevated privileges or execute malicious code. The approach involves scanning the file system for improperly configured permissions and analyzing DLL search paths to find instances where a malicious DLL could be substituted for a legitimate one. No specific bug bounty payout amount is mentioned. |
| 2021-01-20 2021 | Learn About Command Injection Attacks beginner | Introduction to command injection attacks, in which attacker-controlled input reaches a system shell and lets the attacker execute arbitrary commands on the victim's machine, potentially leading to unauthorized access, data theft, or full system compromise. It explains why understanding and preventing command injection is essential to avoiding security breaches. |
| 2020-05-31 2020 | r/Hacking_Tutorials - Remote Code Execution explained with real life bug bounty reports beginner Bug Bounty | Reddit post explaining remote code execution vulnerabilities through real-life bug bounty reports, aimed at readers learning how these vulnerabilities are found and exploited. |
| 2019-10-05 2019 | SQL injection to RCE intermediate SQLi | Case study of a SQL injection leading to Remote Code Execution (RCE), discovered during a customer penetration test, covering the vulnerability and its impact on the system. |
| 2019-08-28 2019 | WRITE UP – Private bug bounty $$,$$$ USD: “RCE as root on Marathon-Mesos instance” – @omespino intermediate 2 min read | Writeup detailing a private bug bounty win of $30,000 USD for a Remote Code Execution (RCE) as root vulnerability found on a Marathon-Mesos instance. The exploit involved using Shodan to locate unauthenticated Marathon UIs, then crafting a `curl` command to create a Marathon application that executed `/usr/bin/wget --post-data='id'` to a listener, demonstrating root-level command execution via this container orchestration platform. Tools used included netcat, curl, and a web browser. |
| 2019-04-20 2019 | PDFReacter SSRF to ROOT Level Local File Read which led to RCE intermediate SSRF | PDFReacter is a parser that converts HTML content to PDF. |
| 2018-11-09 2018 | elttam - Ruby 2.x Universal RCE Deserialization Gadget Chain advanced 11 min read | Library for Ruby 2.x universal RCE deserialization gadget chains, detailing exploitation of arbitrary deserialization and releasing a public gadget chain for command execution. It discusses serialization, deserialization pitfalls, and code reuse attacks via gadget chains, noting limitations of previous payloads requiring specific gems and libraries. This resource explores hunting for gadgets within the standard library, focusing on techniques that implicitly load additional libraries or allow partial control over arguments to `require`. |
| 2018-07-06 2018 | Latex to RCE, Private Bug Bounty Program intermediate | Writeup of the author's participation in a private bug bounty program for a CMS journal site roughly a year earlier, sharing what they learned from exploiting a LaTeX processing vulnerability to achieve Remote Code Execution (RCE). |
| 2018-06-07 2018 | How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! intermediate SSRF | Original post on chaining four vulnerabilities on GitHub Enterprise, from SSRF execution chain to RCE. The author is identified as 🍊. |
| 2018-04-29 2018 | #BugBounty — How I was able to bypass firewall to get RCE and then went from server shell to get… intermediate | Bug bounty writeup in which the author bypassed a firewall to achieve Remote Code Execution (RCE) and obtained a server shell, describing the process and techniques used. |
| 2017-11-19 2017 | Leading the Blind to Light! - A Chain to RCE advanced 5 min read | Writeup detailing a Remote Code Execution chain on Oracle E-Business Suite. The exploit begins with an authentication bypass, leading to blind XXE and information disclosure. This disclosure helps identify an internal endpoint, which through further fuzzing, reveals an SQL injection vulnerability. By re-enabling `xp_cmdshell` via SQL injection, the attacker achieves command execution with administrator privileges. → blog.zsec.uk |
Frequently Asked Questions
- What is remote code execution?
- Remote Code Execution (RCE) is a vulnerability that allows an attacker to run arbitrary commands or code on a target system. It is the most critical class of security vulnerability because it gives the attacker the same level of access as the application or server process, often leading to complete system compromise.
- What are common RCE attack vectors?
- Common vectors include command injection (unsanitized input passed to shell commands), unsafe deserialization (Java, PHP, Python, .NET), Server-Side Template Injection (Jinja2, Twig, Freemarker), file upload bypasses that execute uploaded code, expression language injection in Java frameworks, and prototype pollution in Node.js leading to code execution.
- Why does RCE pay the highest bug bounties?
- RCE represents total system compromise — an attacker can read all data, modify the application, pivot to internal networks, and potentially access cloud infrastructure. The impact is maximum, so bounty programs consistently pay their highest rewards for RCE findings, often ranging from $10,000 to $100,000+ depending on the target.