bleepingcomputer.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-05-14.
| Date Added | Resource | Excerpt |
|---|---|---|
| 2026-05-14 | OpenAI confirms security breach in TanStack supply chain attack [Supply Chain] | Library impacting hundreds of npm and PyPI packages, the TanStack supply chain attack, also known as Mini Shai-Hulud, led to OpenAI confirming a breach on two employee devices. While no customer data or production systems were compromised, attackers exfiltrated limited credentials from internal repositories, prompting OpenAI to rotate code-signing certificates for its applications. The campaign utilized compromised GitHub Actions workflows and CI/CD configurations to inject malicious code and publish trojanized package versions, targeting developer and cloud credentials, including GitHub tokens and AWS credentials, and establishing persistence via modified code hooks. |
| 2026-05-14 | 18-year-old NGINX vulnerability allows DoS, potential RCE [RCE] | Library for detecting CVE-2026-42945, an 18-year-old heap buffer overflow in NGINX's ngx_http_rewrite_module, which can lead to denial of service and, under specific conditions like disabled ASLR, remote code execution. This flaw, affecting versions 0.6.27 through 1.30.0, arises from inconsistent state handling during URI processing when 'rewrite' and 'set' directives are used together. The library would likely target this vulnerability and potentially the three other memory corruption issues (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934) discovered alongside it. |
| 2026-05-13 | New critical Exim mailer flaw allows remote code execution [RCE] | Writeup of CVE-2026-45185, a critical use-after-free vulnerability in Exim mail transfer agent versions 4.97 through 4.99.2 compiled with GnuTLS. This flaw allows unauthenticated remote code execution by exploiting a TLS shutdown issue during BDAT chunked SMTP traffic. XBOW's AI-assisted research aided in developing a proof-of-concept exploit, highlighting the evolving landscape of vulnerability discovery and exploitation. |
| 2026-05-12 | Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator [RCE] | Writeup detailing critical RCE vulnerabilities in Fortinet products. CVE-2026-44277, an Improper Access Control flaw in FortiAuthenticator, and CVE-2026-26083, a missing authorization weakness in FortiSandbox, allow unauthenticated attackers to execute unauthorized code via crafted requests. These flaws, while not reported as exploited in the wild, follow a pattern of actively exploited Fortinet vulnerabilities, including previous issues in FortiClient EMS. |
| 2026-05-12 | Instructure confirms hackers used Canvas flaw to deface portals [XSS] | Writeup on ShinyHunters exploiting cross-site scripting (XSS) vulnerabilities in Instructure's Canvas LMS. Attackers used these flaws to gain authenticated admin sessions, deface login portals with extortion messages, and exfiltrate over 3.6 terabytes of data. The attacks targeted the Free-for-Teacher environment, leading to temporary downtime and account closures. |
| 2026-05-08 | DAEMON Tools devs confirm breach, release malware-free version [Supply Chain] | Writeup of DAEMON Tools supply chain attack confirming trojanized installers for version 12.5.1 (free). Hackers used digitally signed installers to backdoor systems, deploying an information stealer and a lightweight backdoor, with QUIC RAT malware observed in at least one instance. Disc Soft Limited released a malware-free version, 12.6, addressing the vulnerability. |
| 2026-05-07 | Ivanti warns of new EPMM flaw exploited in zero-day attacks [RCE] | Writeup of CVE-2026-6973, a critical Improper Input Validation vulnerability in Ivanti Endpoint Manager Mobile (EPMM) exploited in zero-day attacks. This flaw allows remote attackers with administrative privileges to execute arbitrary code on EPMM versions 12.8.0.0 and earlier. Ivanti recommends patching to EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1, and rotating admin credentials. Four other high-severity EPMM vulnerabilities (CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821) were also patched. |
| 2026-05-06 | Palo Alto Networks warns of firewall RCE zero-day exploited in attacks [RCE] | Writeup of CVE-2026-0300, a critical PAN-OS zero-day exploited in attacks. This buffer overflow vulnerability affects the User-ID Authentication Portal on Internet-exposed PA-Series and VM-Series firewalls, allowing unauthenticated attackers to achieve root-level remote code execution. Palo Alto Networks recommends restricting access to trusted zones or disabling the portal until a patch is released, with initial fixes expected May 13, 2026. |
| 2026-05-05 | DAEMON Tools trojanized in supply-chain attack to deploy backdoor [Supply Chain] | Writeup detailing a supply-chain attack that trojanized DAEMON Tools installers, versions 12.5.0.2421 through 12.5.0.2434, delivering a backdoor to thousands of systems globally since April 8. The attack compromised DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, leading to initial infections and targeted deployments of a lightweight backdoor and, in one instance, the QUIC RAT, to high-value targets in retail, scientific, government, and manufacturing sectors across Russia, Belarus, and Thailand. |
| 2026-05-04 | Weaver E-cology critical bug exploited in attacks since March [RCE] | Library for Weaver E-cology office automation addressing CVE-2026-22679, a critical unauthenticated remote code execution flaw in versions prior to March 12. Exploited since March, the vulnerability stems from an exposed debug API endpoint allowing attackers to execute system commands via improperly validated user parameters. Attackers leveraged this for discovery commands like `whoami`, `ipconfig`, and `tasklist`, and attempted PowerShell-based payload downloads. The vendor's fix removes the debug endpoint entirely, making upgrades essential. |
| 2026-04-29 | Hackers exploit RCE flaws in Qinglong task scheduler for cryptomining [RCE] | Library for securing the Qinglong open-source task scheduler, addressing CVE-2026-3965 and CVE-2026-4047. These vulnerabilities, stemming from authentication bypass and path traversal flaws in versions 2.20.1 and older, allow for remote code execution. Attackers have been exploiting these issues to deploy cryptominers, disguised by the process name '.fullgc,' on developer servers by injecting shell commands into `config.sh` and downloading binaries from `file.551911.xyz`. |
| 2026-04-29 | GitHub fixes RCE flaw that gave access to millions of private repos [RCE, Supply Chain] | Writeup of CVE-2026-3854, a critical RCE vulnerability affecting GitHub.com and GitHub Enterprise Server, allowing attackers with push access to gain read/write access to millions of private repositories. The flaw stems from unsanitized user-supplied options during 'git push' operations, enabling arbitrary code execution and potential server compromise. Administrators of GitHub Enterprise Server instances are urged to upgrade immediately, as a significant percentage remain vulnerable. |
| 2026-04-28 | Hackers are exploiting a critical LiteLLM pre-auth SQLi flaw [SQLi] | Library for securing LiteLLM, an open-source LLM gateway, against the CVE-2026-42208 pre-authentication SQL injection vulnerability. Attackers exploit this flaw in the API key verification step to access and modify sensitive data, including API keys, credentials, and environment secrets. The vulnerability allows unauthorized access to the proxy and managed credentials, with active exploitation observed targeting specific tables containing secrets from providers like OpenAI and Anthropic. A fix is available in LiteLLM version 1.83.7. |
| 2026-04-24 | Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks [XSS] | Writeup of CVE-2025-48700, an ongoing XSS vulnerability impacting over 10,000 Zimbra Collaboration Suite instances. Exploitable by unauthenticated attackers, this flaw allows arbitrary JavaScript execution, enabling sensitive information access. Patched in June 2025, it has been actively abused in the wild, leading to CISA's inclusion in its Known Exploited Vulnerabilities Catalog and an order for Federal Civilian Executive Branch agencies to secure affected servers. Previous Zimbra vulnerabilities have also been exploited by APT28 and Russian Winter Vivern. |
| 2026-04-24 | Hackers exploit file upload bug in Breeze Cache WordPress plugin [RCE] | Library for detecting and preventing arbitrary file uploads, specifically addressing CVE-2026-3844 in the Breeze Cache WordPress plugin. This critical vulnerability, with a severity score of 9.8, allows unauthenticated attackers to achieve remote code execution (RCE) by exploiting a missing file-type validation in the ‘fetch_gravatar_from_remote’ function when the “Host Files Locally - Gravatars” add-on is enabled. Versions up to 2.4.4 are affected. |
| 2026-04-23 | New Checkmarx supply-chain breach affects KICS analysis tool [Supply Chain] | Library compromise affects Checkmarx KICS, its Docker images, and VS Code extensions, with attackers injecting a hidden 'MCP addon' to steal credentials including GitHub tokens, AWS, Azure, and Google Cloud credentials, npm tokens, SSH keys, Claude configs, and environment variables, exfiltrating them to audit.checkmarx[.]cx. Affected users should block access to malicious domains, use pinned SHAs, revert to safe versions like DockerHub KICS v2.1.20, and rotate secrets. |
| 2026-04-22 | Microsoft releases emergency patches for critical ASP.NET flaw [API Sec] | Library updates address critical ASP.NET Core privilege escalation vulnerability (CVE-2026-40372) in Data Protection cryptographic APIs. This flaw allows unauthenticated attackers to forge authentication cookies, potentially gaining SYSTEM privileges, disclosing files, and modifying data. The regression impacts Microsoft.AspNetCore.DataProtection NuGet packages from 10.0.0-10.0.6. Updates to 10.0.7 are recommended, followed by key ring rotation for full remediation. Previously, Microsoft patched an HTTP request smuggling bug (CVE-2025-55315) in the Kestrel web server. |
| 2026-04-22 | New npm supply-chain attack self-spreads to steal auth tokens [Supply Chain] | Library for detecting and defending against npm supply-chain attacks. This worm-like malware self-propagates by injecting malicious code into packages, stealing developer credentials, API keys, cloud service secrets, cryptocurrency wallets (MetaMask, Exodus), and targeting AI agent tooling and database operations. It can also exfiltrate data from CI/CD systems, registries, and LLM platforms, and has been observed targeting PyPI packages with .pth-based payloads. Socket and StepSecurity offer indicators of compromise and remediation guidance, advising immediate removal of affected packages and rotation of all exposed secrets. |
| 2026-04-21 | Actively exploited Apache ActiveMQ flaw impacts 6,400 servers [RCE] | Writeup on CVE-2026-34197, a code injection vulnerability in Apache ActiveMQ Classic, impacting over 6,400 exposed servers. Discovered by Horizon3 researcher Naveen Sunkavally, the flaw allows authenticated actors to execute arbitrary code due to improper input validation. Patched in versions 6.2.3 and 5.19.4, this actively exploited vulnerability has been a repeated target, with CISA urging federal agencies to secure their systems. Exploitation indicators include suspicious broker connections with VM transport and the brokerConfig=xbean:http:// parameter. Previous exploited ActiveMQ flaws include CVE-2016-3088 and CVE-2023-46604. |
| 2026-04-19 | LiteLLM PyPI Package Compromised in TeamPCP Supply Chain Attack [Python] | Library compromised in a supply-chain attack, where malicious versions of the LiteLLM Python package (1.82.7 and 1.82.8) were uploaded to PyPI by the TeamPCP hacking group. These versions deployed an infostealer that harvested sensitive data including SSH keys, cloud credentials, Kubernetes secrets, and cryptocurrency wallet data. The payload also attempted lateral movement and installed a persistent systemd backdoor, exfiltrating data to attacker-controlled infrastructure. Organizations are advised to rotate credentials and inspect systems for persistence artifacts. |
| 2026-04-18 | Critical flaw in Protobuf library enables JavaScript code execution [RCE] | Library vulnerability GHSA-xq3m-2v4x-88gg, a critical RCE flaw in protobuf.js, arises from unsafe dynamic code generation. Attackers can inject arbitrary JavaScript code by supplying malicious schemas, leading to code execution on servers or developer machines. Endor Labs identified the issue, impacting versions 8.0.0/7.5.4 and lower, with patches available in 8.0.1 and 7.5.5. Mitigation involves upgrading, auditing dependencies, and treating schema loading as untrusted input. |
| 2026-04-16 | Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face [RCE] | Writeup detailing the exploitation of Marimo CVE-2026-39987, which allows remote code execution and deployment of NKAbuse malware. Attackers leverage Hugging Face Spaces, posing as legitimate AI tools, to host dropper scripts and malware binaries. The payload, a variant of NKAbuse, functions as a remote access trojan with capabilities for shell command execution and data exfiltration, including credential theft from environment variables and Redis servers. Exploitation has increased in volume and tactics, with affected users urged to upgrade Marimo to version 0.23.0 or later, or block external access to the `/terminal/ws` endpoint. |
| 2026-04-14 | Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days [RCE] | Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days https://ift.tt/nLAl5mZ |
| 2026-04-13 | OpenAI rotates macOS certs after Axios attack hit code-signing workflow [Supply Chain] | Library for securing applications against supply chain attacks, exemplified by OpenAI's response to a malicious Axios package compromising its GitHub Actions workflow. This incident, linked to UNC1069, led to the rotation of macOS code-signing certificates used for ChatGPT Desktop, Codex, and Atlas to prevent potential misuse of the signing key for distributing malware. OpenAI's investigation found no evidence of compromised certificates or user data, but users must update macOS applications to versions signed with new certificates before May 8, 2026, to avoid functionality loss. |
| 2026-04-12 | Critical Marimo pre-auth RCE flaw now under active exploitation [RCE] | Writeup detailing CVE-2026-39987, a critical pre-authentication RCE vulnerability in Marimo versions 0.20.4 and earlier. Exploitable via the unauthenticated WebSocket endpoint '/terminal/ws', attackers can gain an interactive shell with the Marimo process's privileges. Active exploitation observed within hours of disclosure, with attackers exfiltrating credentials and SSH keys. Sysdig researchers noted a methodical operator targeting high-value information. Mitigation includes upgrading to version 0.23.0, restricting external access, or disabling the '/terminal/ws' endpoint. |
| 2026-04-11 | 10,000+ Docker Hub Images Leaking Credentials [Secrets] | Analysis of 10,000+ Docker Hub images reveals widespread credential and authentication key leaks affecting over 100 organizations, including a Fortune 500 company and a national bank. Researchers at Flare identified exposed secrets like OpenAI, HuggingFace, and Gemini API keys, GitHub tokens, and database credentials within container images and manifests. Common vulnerabilities stem from `.env` files and hardcoded secrets in application files, impacting cloud environments, CI/CD systems, and Git repositories. While some developers revoked keys within 48 hours, 75% of exposed secrets remained unrevoked, posing ongoing risks. |
| 2026-04-10 | Supply chain attack at CPUID pushes malware with CPU-Z/HWMonitor [Supply Chain] | Library for analyzing supply chain attacks, specifically detailing a compromise at CPUID that distributed malware via trojanized versions of CPU-Z and HWMonitor. The attack involved DLL sideloading using a malicious CRYPTBASE.dll and delivered the STX RAT infostealer. This incident highlights a pattern targeting widely used utilities, similar to a prior FileZilla compromise. |
| 2026-04-10 | Dangerous runC Flaws Allow Hackers to Escape Docker Containers [RCE] | Vulnerabilities in runC, CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, allow attackers with custom mount configurations to escape Docker and Kubernetes containers by exploiting bind-mounts and symlink race conditions to gain root privileges on the host system. Fixes are available in later runC versions, and mitigations include user namespaces and rootless containers. |
| 2026-04-10 | Max Severity Flowise RCE Vulnerability Now Exploited in Attacks [RCE] | Library for securing Flowise, an open-source platform for LLM apps. It addresses CVE-2025-59528, a critical RCE vulnerability allowing arbitrary JavaScript code injection via the CustomMCP node. Developers should upgrade to version 3.0.6 or later to mitigate this threat, which has already been observed in active exploitation. Other Flowise vulnerabilities, CVE-2025-8943 and CVE-2025-26319, have also seen in-the-wild exploitation. |
| 2026-04-08 | 13-year-old bug in ActiveMQ lets hackers remotely execute commands [RCE] | Writeup detailing CVE-2026-34197, a 13-year-old remote code execution vulnerability in Apache ActiveMQ Classic affecting versions before 5.19.4 and 6.2.3. Discovered using Claude AI, the flaw allows attackers to execute arbitrary commands by exploiting the Jolokia management API to load external configurations, often chaining with CVE-2024-32114 for unauthenticated access. This issue underscores ActiveMQ's history as a target for attackers, with previous RCEs like CVE-2016-3088 and CVE-2023-46604 appearing on CISA's KEV list. |
| 2026-04-07 | Hackers exploit critical flaw in Ninja Forms WordPress plugin [RCE] | Writeup detailing CVE-2026-0740, a critical 9.8 severity vulnerability in Ninja Forms File Uploads for WordPress versions up to 3.3.26. The flaw allows unauthenticated arbitrary file uploads, including PHP scripts, through a lack of destination filename validation and supports path traversal, enabling remote code execution. The vulnerability was discovered by Sélim Lanouar and reported to Wordfence, who provided temporary firewall mitigations before the vendor released a full fix in version 3.3.27. |
| 2026-04-02 | Hackers exploiting critical F5 BIG-IP flaw in attacks, patch now [RCE] | Advisory regarding CVE-2025-53521, a critical remote code execution flaw in F5 BIG-IP APM systems that attackers are actively exploiting to deploy webshells. This vulnerability, previously classified as denial-of-service, allows unprivileged attackers to achieve RCE when access policies are configured on a virtual server. F5 strongly recommends patching and reviewing systems for signs of compromise. CISA has added it to its list of actively exploited flaws, urging federal agencies to secure their BIG-IP APM deployments. |
| 2026-03-18 | CISA orders feds to patch Zimbra XSS flaw exploited in attacks [XSS] | Writeup of CVE-2025-66376, a stored cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite's Classic UI. Exploitable via malicious HTML emails, this flaw allows remote unauthenticated attackers to execute arbitrary JavaScript, potentially hijacking sessions and stealing data. CISA mandated federal agencies patch this actively exploited flaw, which has seen prior exploitation of Zimbra vulnerabilities by groups like Winter Vivern. |
| 2026-02-20 | Microsoft says bug causes Copilot to summarize confidential emails [AI] | Advisory regarding a Microsoft 365 Copilot bug where confidential emails were summarized, bypassing data loss prevention policies. This issue, tracked under CW1226324 and detected January 21, affected the Copilot "work tab" chat feature, incorrectly processing emails in Sent Items and Drafts, even those with confidentiality labels. Microsoft confirmed a code error as the root cause and began rolling out a fix in early February, with remediation continuing for complex service environments. |
| 2026-02-04 | CISA warns of five-year-old GitLab flaw exploited in attacks [SSRF] | Writeup on CVE-2021-39935, a GitLab SSRF vulnerability actively exploited by threat actors. CISA has ordered U.S. federal agencies to patch this five-year-old flaw, which allows unauthenticated external users to access the CI Lint API and perform server-side requests. This vulnerability impacts multiple GitLab versions prior to December 2021 updates and affects organizations using GitLab's DevSecOps platform. |
| 2025-10-21 | CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw [SSRF] | Writeup of CVE-2025-61884, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in Oracle E-Business Suite, now confirmed by CISA as actively exploited. This flaw in the Oracle Configurator runtime component was leveraged in July attacks, with exploits leaked by ShinyHunters and potentially used by the Clop ransomware gang. Oracle has released patches and recommended federal agencies apply them by November 10, 2025, to mitigate unauthorized data access risks. |
| 2025-04-09 | Hackers target SSRF bugs in EC2-hosted sites to steal AWS credentials [SSRF] | Library for detecting and mitigating Server-Side Request Forgery (SSRF) vulnerabilities that target EC2 Metadata. This resource highlights a campaign exploiting IMDSv1 to steal AWS IAM credentials, enabling privilege escalation and access to services like S3. It details attacker techniques, including rotating query parameters and subpaths, and emphasizes the importance of migrating to IMDSv2. The article also notes the broader trend of older CVEs, such as CVE-2017-9841 and CVE-2023-1389, remaining highly exploited. |
| 2024-11-04 | Microsoft SharePoint RCE bug exploited to breach corporate network [RCE] | Writeup detailing the exploitation of CVE-2024-38094, a Microsoft SharePoint RCE vulnerability, for initial network access. Attackers deployed a webshell, leveraged Horoung Antivirus to disable defenses, and used tools like Impacket, Mimikatz, FRP, everything.exe, Certify.exe, and kerbrute for lateral movement, credential harvesting, persistence, and network scanning. The exploit involved a batch script for antivirus installation and manipulation of system logging. |