cybersecuritynews.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-06.
RCE 69
XSS 25
SSRF 21
API Sec 18
Supply Chain 12
SQLi 9
AI 3
GraphQL 2
Mobile 2
AuthN 1
AuthZ 1
Deser 1
Python 1
Secrets 1
| Date Added | Resource | Excerpt |
|---|---|---|
| 2026-06-06 | Critical Vulnerability in Hugging Face Transformers Enables Remote Code Execution Attacks [RCE] | A critical vulnerability has been discovered in Hugging Face's Transformers library, potentially allowing remote code execution attacks. This flaw, detailed in a recent advisory, exposes users to significant security risks. The library is widely used for natural language processing tasks, making this a widespread concern for developers and organizations relying on it. Specific details regarding the nature of the vulnerability and its exploitability are available in the linked advisory. |
| 2026-06-05 | Microsoft Edge Vulnerability Allows Remote Attackers to Execute Arbitrary Code [RCE] | A critical vulnerability in Microsoft Edge enables remote attackers to execute arbitrary code on affected systems. This security flaw, detailed in a recent report, poses a significant risk as it allows malicious actors to gain control of a user's device without requiring any interaction. The exact payout for reporting this bug was not disclosed. Users are advised to ensure their Microsoft Edge browsers are updated to the latest version to mitigate this threat. |
| 2026-06-04 | IronWorm Supply Chain Attack Uses Malicious npm Packages to Steal Developer Secrets [Supply Chain] | A supply chain attack dubbed "IronWorm" is targeting developers through malicious npm packages. These compromised packages are designed to steal sensitive developer secrets. The attack highlights a growing threat vector where attackers inject malicious code into widely used software development tools and libraries, compromising the integrity of the software supply chain and potentially leading to widespread data breaches and unauthorized access. Further details on the specific methods and impact are available at the provided link. |
| 2026-06-04 | Hackers Actively Exploiting WordPress Plugin Vulnerability to Inject Malicious PHP Code [RCE] | Hackers are actively exploiting a vulnerability in a WordPress plugin to inject malicious PHP code. This allows them to compromise websites, steal sensitive data, and disrupt operations. The vulnerability has been detected in multiple sites, and its widespread exploitation poses a significant threat to WordPress users. It is crucial for users to update their plugins to the latest versions to patch this security flaw and protect their websites from further attacks. |
| 2026-06-04 | Cisco Unified Communications Manager Vulnerability Exposed Along With PoC Exploit Code [SSRF] | Cisco Unified Communications Manager (CUCM) has a critical vulnerability that has been publicly disclosed. Researchers have released Proof of Concept (PoC) exploit code for this vulnerability, meaning attackers can readily use it to compromise affected systems. This vulnerability poses a significant risk to organizations relying on CUCM for their communication infrastructure. Further details about the specific nature and impact of the exploit are expected to emerge. |
| 2026-06-03 | Critical StrongDM Vulnerability Allow Attackers to Steal and Reuse Authentication [API Sec] | A critical vulnerability in StrongDM has been discovered, allowing attackers to steal and reuse authentication credentials. This security flaw poses a significant risk by compromising user access. The full details and implications of this exploit are still being assessed, but it highlights a serious concern for organizations using StrongDM for access management. |
| 2026-06-03 | Critical WP Maps Pro Vulnerability Allow Attackers to Create Administrator Account [API Sec] | Critical WP Maps Pro Vulnerability Allow Attackers to Create Administrator Account https://ift.tt/6ykBmfY |
| 2026-06-03 | 1-Click GitHub Token Vulnerability Lets Attackers Steal Users' OAuth Tokens [API Sec] | A severe vulnerability in GitHub's web application allows attackers to steal users' OAuth tokens with a single click. This exploit targets how GitHub handles certain types of URLs, enabling malicious actors to trick users into clicking a specially crafted link. Upon clicking, the attacker can gain access to sensitive user data and potentially perform actions on their behalf. The vulnerability was disclosed and has since been patched by GitHub. |
| 2026-06-02 | Claude Code's Vulnerability in GitHub Actions Allows an Attacker to Compromise any Repository [API Sec] | A critical vulnerability has been discovered in Claude Code's integration with GitHub Actions. This flaw enables an attacker to compromise any repository utilizing the service. |
| 2026-06-02 | GitLab Patches Multiple Duo AI DoS and Authorization Flaws in Community and Enterprise Edition [GraphQL] | GitLab has released security updates to address critical vulnerabilities affecting its Duo AI, Denial-of-Service (DoS), and authorization features. These flaws, present in both Community and Enterprise Editions, could allow attackers to disrupt service or gain unauthorized access. Users are strongly advised to update to the latest versions to mitigate these risks. |
| 2026-06-02 | Web Application & API Attacks Are Rising: Are You Blind to Modern Web Attacks? Join WAAP Security... [API Sec] | Web application and API attacks are on the rise, leaving organizations vulnerable to modern threats. The item suggests that businesses may be unaware of these escalating dangers and promotes WAAP Security as a solution to address these blind spots and improve defenses against contemporary web attacks. |
| 2026-06-01 | IBM WebSphere Server Vulnerable to Remote Code Execution Attack Via Crafted Request [RCE] | IBM WebSphere Application Server has a critical remote code execution (RCE) vulnerability. Attackers can exploit this flaw by sending a specially crafted request, allowing them to execute arbitrary code on the server. This poses a significant security risk, potentially leading to unauthorized access and control of affected systems. Organizations using IBM WebSphere should prioritize patching and mitigating this vulnerability to protect their environments. |
| 2026-06-01 | Critical Magento Cache Plugin Vulnerability Enables Remote Code Execution Attacks [RCE] | A critical vulnerability has been discovered in a Magento cache plugin, allowing attackers to execute arbitrary code remotely. This flaw poses a significant security risk for e-commerce stores using the affected plugin, as it could lead to complete system compromise. Merchants are strongly advised to immediately update or remove the plugin to mitigate potential attacks. The exact bounty payout for this vulnerability was not disclosed. |
| 2026-06-01 | Windows Netlogon 0-Click RCE Vulnerability Now Actively Exploited In The Wild [RCE] | A critical 0-click Remote Code Execution (RCE) vulnerability in Windows Netlogon is now being actively exploited. This means attackers can compromise systems without any user interaction. The vulnerability, detailed in a linked article, poses a significant security threat to Windows environments. Details regarding specific exploit methods and potential mitigation strategies are likely available within the linked content, emphasizing the urgency for organizations to address this threat. |
| 2026-05-29 | Critical Notepad Vulnerabilities Allow Attackers to Execute Arbitrary Code [RCE] | Writeup on Notepad++ v8.9.6.1 patching CVE-2026-48778 and CVE-2026-48800, which enable arbitrary code execution by manipulating `config.xml` or `shortcuts.xml` respectively. Attackers can exploit these vulnerabilities through direct file writes, malicious shortcuts, cloud sync poisoning, or social engineering by crafting specific XML tags that are then passed unsafely to `ShellExecute()`, allowing for the execution of arbitrary executables. |
| 2026-05-29 | Critical Samba Vulnerability Enables Remote Code Execution Attacks [RCE] | Library patches address CVE-2026-4480, a critical Samba vulnerability enabling unauthenticated remote code execution via command injection through the `%J` substitution parameter in print commands. Exploitation occurs when Samba fails to sanitize shell meta characters, allowing attackers to inject malicious commands. Affected systems include those not using `printing = cups` or `printing = iprint`. Mitigations involve quoting `%J` or removing it from `smb.conf`. SafeBreach, ZeroPath, and Securin Labs reported the flaw, with fixed Samba versions 4.22.10, 4.23.8, and 4.24.3 released. |
| 2026-05-29 | VS Code Remote-SSH RCE Lets Attackers Pivot From Developer Machines to Cloud Servers [RCE] | Writeup on a Visual Studio Code Remote-SSH RCE vulnerability allowing attackers to pivot from compromised developer machines to cloud environments like AWS EC2 and Azure VMs. The flaw stems from a Time-of-Check to Time-of-Use race condition in how the extension handles bootstrap scripts, enabling attackers to inject malicious payloads executed on the target server after a successful, even MFA-protected, login. This bypasses authentication by exploiting trust in developer workflows, affecting millions of installations including Remote Explorer and cloud-specific toolkits. |
| 2026-05-28 | Critical Roundcube Webmail Vulnerability Let Attackers Inject SQL Queries [SQLi] | Writeup of critical Roundcube Webmail SQL injection vulnerability impacting versions 1.6.x and 1.7.x. The flaw, present in the virtuser_query plugin due to improper input sanitization in `preg_replace`, allows pre-authentication SQL injection, potentially exposing sensitive data. Additional fixes address stored XSS, HTML/CSS injection via SVG, SSRF bypasses, remote image blocking issues, arbitrary file deletion via session poisoning, and code-evaluation vulnerabilities in LDAP autovalues. Patched versions 1.6.16 and 1.7.1 are available. |
| 2026-05-28 | FortiClient Code Execution Vulnerability Exploited to Deploy EKZ Malware [RCE] | Writeup of CVE-2026-35616 in FortiClient EMS details how attackers exploit improper access control to deploy the EKZ Infostealer. The vulnerability allows unauthenticated API access, enabling threat actors to modify endpoint policies and weaponize the legitimate `on_connect` directive for script execution. This leads to managed endpoints downloading and running a PowerShell payload that installs EKZ, a credential stealer targeting Chromium and Gecko browsers, exfiltrating passwords, cookies, and autofill data. |
| 2026-05-27 | Attackers Can Exploit BadHost to Access Sensitive AI Agent Server Endpoints [API Sec] | Vulnerability, CVE-2026-48710, named BadHost, allows attackers to bypass authentication in AI agent servers by manipulating HTTP Host headers. This critical flaw affects Starlette versions before 1.0.1, a framework underpinning many FastAPI applications used for LLM inference, agent frameworks, and MCP gateways. Attackers can exploit this to access sensitive AI models, internal tools, and API keys by causing the application to misinterpret request paths. Upgrading Starlette, using more robust authentication mechanisms in FastAPI, or employing reverse proxies can mitigate this risk. |
| 2026-05-26 | Multiple Angular Language Service Extension Vulnerabilities Enable RCE Attacks [RCE] | Library exploits in the Angular Language Service Visual Studio Code extension, specifically GHSA-ccq4-xmxr-8hcq, enable RCE via JSDoc hover command injection and insecure TypeScript SDK configuration loading. Attackers can craft malicious JSDoc comments or workspace settings to execute arbitrary commands on developer systems, bypassing VS Code's Workspace Trust. Versions prior to 21.2.4 are affected, with patches available in release 21.2.4. |
| 2026-05-26 | Microsoft SharePoint Server Vulnerability Enables Remote Code Execution Attacks [RCE] | Library for securing Microsoft SharePoint Server, addressing CVE-2026-45659, a critical vulnerability enabling remote code execution via deserialization of untrusted data. The flaw, exploitable by authenticated users with Site Member permissions through a network attack with low complexity, requires immediate patching. Mitigations include applying security updates, auditing permissions, monitoring logs for suspicious activity, isolating internet-facing instances, and potentially enabling WAF rules against malicious deserialization payloads. |
| 2026-05-25 | CISA Warns of Drupal Core SQL Injection Vulnerability Exploited in Attacks [SQLi] | Alert regarding CVE-2026-9082, a critical SQL injection vulnerability in Drupal Core, actively exploited and listed on CISA's Known Exploited Vulnerabilities catalog. This CWE-89 flaw, impacting the database abstraction API, enables attackers to execute malicious SQL queries, leading to potential privilege escalation and remote code execution. CISA mandates remediation by May 27, 2026, for federal agencies under BOD 22-01, urging immediate patching, log monitoring, WAF implementation, and consideration of service shutdowns if patching isn't feasible. |
| 2026-05-23 | Nginx-poolslip Vulnerability Enables DoS and Code Execution Attacks [RCE] | Library detailing CVE-2026-9256, the nginx-poolslip vulnerability affecting NGINX Plus and Open Source. This flaw, residing in `ngx_http_rewrite_module`, allows remote, unauthenticated attackers to trigger a heap buffer overflow (CWE-122) via crafted requests using overlapping PCRE capture groups in rewrite directives. Exploitation can lead to denial-of-service or code execution by hijacking the memory pool's cleanup handler pointer, a distinct code path to corruption. |
| 2026-05-23 | CISA adds Langflow Origin Validation Flaw to Known Exploited Vulnerabilities Catalog [API Sec] | Vulnerability CVE-2025-34291 is an origin validation flaw in Langflow, a tool for AI workflows, caused by an overly permissive CORS configuration combined with SameSite=None cookies. This allows malicious websites to execute authenticated cross-origin requests, enabling attackers to steal refresh tokens, call backend authentication endpoints, potentially execute code, and achieve system compromise. CISA has added it to the Known Exploited Vulnerabilities catalog, urging immediate patching and review of CORS configurations. |
| 2026-05-22 | Hackers Use Hugging Face to Host Second-Stage Malware for npm Supply Chain Attack [Supply Chain] | Library for detecting sophisticated npm supply chain attacks where threat actors leverage Hugging Face for second-stage malware hosting and data exfiltration. This library helps identify malicious packages like "terminal-logger-utils" and its associated variants, which exhibit keylogger, infostealer, and RAT behaviors, stealing sensitive data including Telegram information, SSH keys, and cryptocurrency wallets. It can also detect the persistence mechanisms and self-update capabilities employed by this malware. |
| 2026-05-21 | Critical Chrome Vulnerabilities Enables Remote Code Execution Attacks [RCE] | Writeup detailing Chrome's 16 patched vulnerabilities, including two Critical severity flaws: CVE-2026-9111 (Use-After-Free in WebRTC) and CVE-2026-9110 (Inappropriate Implementation in UI), which enable remote code execution. Nine High-severity flaws, such as CVE-2026-9112 and CVE-2026-9113, and five Medium-severity issues, including out-of-bounds reads (CVE-2026-9121, CVE-2026-9122) and heap buffer overflows (CVE-2026-9123), were also addressed. |
| 2026-05-21 | Claude Code's Network Sandbox Vulnerability Exposes User Credentials and Source Code [API Sec] | Writeup of Claude Code's SOCKS5 hostname null-byte injection vulnerability, which affected releases v2.0.24 through v2.1.89. This critical bypass, stemming from a parser differential between JavaScript and libc, allowed attackers to exfiltrate credentials, source code, and environment variables by crafting hostnames that tricked the JavaScript `endsWith()` check while resolving to a different, blocked host via `getaddrinfo()`. The issue, silently patched in v2.1.90, is a second consistent implementation failure following CVE-2025-66479, and was not publicly disclosed by Anthropic with a specific CVE. |
| 2026-05-21 | Critical Cisco Secure Workload Vulnerability Enables Unauthorized API Access [API Sec] | Writeup of CVE-2026-20223, a critical Cisco Secure Workload vulnerability allowing unauthenticated API access. Exploiting CWE-306 (Missing Authentication for Critical Function) via crafted REST API requests can grant Site Admin privileges, impacting tenant data and configurations across SaaS and on-premises deployments. Cisco has released patches for versions 3.10 and 4.0, with earlier versions requiring migration. |
| 2026-05-21 | New NGINX 0-Day RCE "nginx-poolslip" Affects Millions of NGINX Servers [RCE] | Vulnerability concerning nginx-poolslip, a zero-day RCE affecting NGINX 1.31.0, allows attackers to bypass ASLR for system compromise. Discovered by NebSec, it exploits memory pool handling and targets the latest release, potentially impacting millions. This follows the CVE-2026-42945 heap buffer overflow. Interim mitigations include restricting admin interfaces, enabling ASLR, auditing configurations for specific directives, and considering alternatives like Cloudflare Pingora. |
| 2026-05-20 | Grafana GitHub Breach Linked to TanStack npm Supply Chain Ransomware [Supply Chain] | Analysis of the Grafana GitHub breach, linked to a TanStack npm supply chain compromise and the "Mini Shai-Hulud" campaign, details how attackers leveraged compromised npm dependencies to inject malicious code. A missed GitHub workflow token allowed continued access, leading to exfiltration of source code, internal documentation, and business contact information. Despite token rotation, an overlooked CI/CD workflow facilitated the data theft, prompting a ransom demand which Grafana refused, aligning with FBI guidance. The incident underscores the risks of compromised npm packages within automated CI/CD workflows. |
| 2026-05-20 | New NGINX Vulnerability Allow Remote Attackers to Trigger Malicious Code [RCE] | Writeup on CVE-2026-8711, a heap-based buffer overflow in NGINX JavaScript (njs) versions 0.9.4-0.9.8. Exploitable via the `js_fetch_proxy` directive when combined with `ngx.fetch()` and client-controlled variables. This vulnerability, classified as CWE-122, can lead to denial-of-service and, under certain conditions like disabled ASLR, remote code execution within the NGINX worker process. The fix is available in njs 0.9.9. |
| 2026-05-20 | PoC Exploit Released for 20-Year Old PostgreSQL RCE Vulnerability [RCE] | Writeup on CVE-2026-2005, a two-decade-old PostgreSQL remote code execution vulnerability in the pgcrypto extension. The flaw, a heap-based buffer overflow in PGP session key parsing, allows arbitrary memory read/write, leading to PostgreSQL superuser privilege escalation and OS command execution via features like "COPY FROM PROGRAM." Exploitation, demonstrated by a PoC from Varik Matevosyan on GitHub, requires specific PostgreSQL builds and utilizes Python tools like psycopg2 and pwntools. |
| 2026-05-19 | Critical PostgreSQL Vulnerabilities Enables Code Execution and SQL Injections [SQLi] | Reference detailing 11 critical PostgreSQL vulnerabilities, including CVE-2026-6637 enabling arbitrary code execution via the refint module, and SQL injection flaws in logical replication (CVE-2026-6476, CVE-2026-6638). Also addresses memory corruption (CVE-2026-6473), client-side risks with libpq (CVE-2026-6477), and file overwrite issues in backup utilities (CVE-2026-6475), affecting PostgreSQL 14 through 18. |
| 2026-05-19 | Critical SEPPmail Gateway Flaws Allow Remote Code Execution and Mail Traffic Theft [RCE] | Flaws in SEPPmail Secure Email Gateway, including CVE-2026-2743 (pre-authenticated RCE via arbitrary file write) and CVE-2026-44128 (unauthenticated RCE through Perl code injection), permit remote code execution and mail traffic interception. Other vulnerabilities like CVE-2026-44127 (LFI) and CVE-2026-7864 (debug exposure) enable access to sensitive files and environment variables. These issues affect versions prior to the 15.x patched releases, allowing attackers to gain control, read or modify traffic, and access credentials. |
| 2026-05-19 | Critical Marimo Security Vulnerability Enables Remote Code Execution Attacks [RCE] | Vulnerability CVE-2026-39987 is a pre-authentication remote code execution flaw in Marimo versions ≤ 0.22.x, specifically within the `/terminal/ws` WebSocket endpoint. An attacker can exploit this by connecting to the unauthenticated endpoint, which spawns a system-level shell, enabling arbitrary command execution and potential deployment of malware like NKAbuse, with payloads hosted on Hugging Face Spaces. This critical gap in authentication allows attackers to gain full control of exposed systems, often used for AI and data science prototyping. |
| 2026-05-19 | Critical n8n Vulnerabilities Expose Automation Nodes to Full RCE [RCE] | Writeup on critical n8n vulnerabilities CVE-2026-44789, CVE-2026-44790, and CVE-2026-44791, which allow attackers to achieve full remote code execution. These flaws impact the HTTP Request node via prototype pollution (CWE-1321), the Git node through argument injection (CWE-88) for arbitrary file reads, and the XML node with a patch bypass. Versions below 1.123.43, 2.20.7, and 2.22.1 are affected. |
| 2026-05-18 | Hackers Actively Exploiting Critical NGINX RCE Vulnerability in the Wild [RCE] | Writeup on CVE-2026-42945, a critical NGINX heap buffer overflow vulnerability actively exploited in the wild. Researchers have observed real-world attacks allowing unauthenticated attackers to crash NGINX worker processes via crafted HTTP requests. While full remote code execution is unlikely due to ASLR, denial-of-service conditions are readily achievable. Exploitation requires specific NGINX rewrite configurations, but the large number of potentially vulnerable internet-facing NGINX servers necessitates urgent patching and mitigation. |
| 2026-05-18 | Critical Microsoft Exchange Server Vulnerability Actively Exploited in Attacks [XSS] | Writeup detailing CVE-2026-42897, a critical spoofing vulnerability in Microsoft Exchange Server exploited in the wild, impacting on-premises Outlook Web Access. Threat actors leverage this network-based flaw, characterized by improper input neutralization, to execute arbitrary JavaScript by sending specially crafted emails. This affects Exchange Server 2016, 2019, and Subscription Edition, enabling network-level spoofing and session hijacking. Temporary mitigations, including the Exchange Emergency Mitigation Service or manual tool execution, are advised despite minor functional side effects like calendar printing issues and inline image display problems, pending a permanent patch. |
| 2026-05-18 | 1 Million WordPress Sites Affected by Avada Builder File Read and SQL Injection Flaws [SQLi] | Writeup detailing CVE-2026-4782 and CVE-2026-4798, impacting over one million WordPress sites via the Avada Builder plugin. The arbitrary file read vulnerability allows low-privileged users to access sensitive server files, including wp-config.php, while the SQL injection flaw enables unauthenticated attackers to extract user credentials and password hashes. Patches are available in Avada Builder versions 3.15.2 and 3.15.3. |
| 2026-05-18 | Claude Code RCE Flaw Lets Attackers Execute Commands via Malicious Deeplinks [RCE] | Library for understanding the Claude Code RCE vulnerability, which allows arbitrary command execution through malicious deeplinks by exploiting a naive command-line argument parser. The flaw, identified by Joernchen of 0day.click and now patched in version 2.1.118, weaponizes the `claude-cli://` handler and bypasses workspace trust dialogs by injecting malicious `SessionStart` hooks into the `--prefill` parameter. The vulnerability highlights risks associated with context-blind argument parsing, particularly within deeplink handlers. |
| 2026-05-16 | PraisonAI Vulnerability Exploited Within Hours of Public Disclosure [API Sec] | Writeup on CVE-2026-44338, a severe PraisonAI vulnerability in its legacy API server. This flaw, stemming from authentication being disabled by default in the Flask API, allows unauthenticated enumeration of agents via the `/agents` endpoint and task execution through `/chat` by targeting the `agents.yaml` workflow. Attackers can hijack agent operations, drain API quotas, and extract sensitive data. PraisonAI version 4.6.34 patches this issue, and users are advised to update or migrate to the secure "serve agents" command. |
| 2026-05-15 | Critical Next.js Vulnerability Exposes Cloud Credentials API keys and Admin Panels [SSRF] | Library update for Next.js versions 15.5.16 and 16.2.5 addresses CVE-2026-44578, a critical Server-Side Request Forgery (SSRF) vulnerability. This flaw, disclosed as GHSA-c4j6-fc7j-m34r, allows attackers to exploit WebSocket upgrade requests to exfiltrate cloud credentials, harvest API keys, and access internal admin panels by routing malicious requests through the vulnerable Node.js server. Security patches implement stricter checks on WebSocket handling, and organizations are advised to upgrade, implement network-level protections, or block unused WebSocket upgrade requests. |
| 2026-05-15 | Critical GitLab Vulnerabilities Enables XSS and Unauthenticated DoS Attacks [XSS] | Library of emergency security updates for GitLab addresses multiple high-severity flaws including Cross-Site Scripting (XSS) via CVE-2026-7481 and CVE-2026-5297, and unauthenticated Denial-of-Service (DoS) via CVE-2026-1659 and CVE-2025-14870. These vulnerabilities, impacting self-hosted Community Edition and Enterprise Edition servers, allow for session hijacking, code repository manipulation, and disruption of CI/CD pipelines. Administrators must upgrade to versions 18.11.3, 18.10.6, or 18.9.7 to mitigate these risks. |
| 2026-05-15 | OpenAI Confirms Security Breach Via TanStack npm Supply Chain Attack [Supply Chain] | Writeup of the Mini Shai-Hulud supply chain attack, which compromised TanStack npm packages and affected OpenAI, Mistral AI, UiPath, Guardrails AI, and OpenSearch. The campaign exploited CI/CD weaknesses to inject malicious code, leading to credential exfiltration from two OpenAI employee devices, though no user data or intellectual property was stolen. OpenAI rotated signing certificates and restricted code deployment as precautionary measures. |
| 2026-05-15 | node-ipc npm Package with 822K Weekly Downloads Compromised in Supply Chain Attack [Supply Chain] | Writeup on the node-ipc npm package supply chain attack, which compromised versions 9.1.6, 9.2.3, and 12.0.1 with obfuscated stealer and backdoor payloads. Attackers exploited a dormant maintainer account takeover by acquiring its expired recovery email domain. The malicious payload targets CommonJS consumers, fingerprinting hosts, harvesting credentials from over 100 patterns including AWS, Azure, GCP, and Kubernetes secrets, archiving data, and exfiltrating it via DNS TXT queries to a fake Azure domain. Forensic timestamps of October 26, 1985, are used to identify malicious artifacts. |
| 2026-05-15 | DarkMoon AI-Powered Autonomous Penetration Testing Platform With 50 Tools [GraphQL] | Platform for AI-powered autonomous penetration testing, DarkMoon integrates over 50 offensive security tools orchestrated by a multi-agent AI architecture. It autonomously assesses targets by discovering services, modeling attack surfaces, and deploying specialized agents for CMS (WordPress, Drupal), web stacks (PHP, Node.js), Active Directory (NetExec, BloodHound), Kubernetes (kubectl, Kubescape), and GraphQL. Tools like Naabu, Masscan, Nuclei, ffuf, sqlmap, WPScan, and Hydra are utilized within an isolated Docker environment, managed by a Model Context Protocol interface to ensure secure execution. |
| 2026-05-14 | Langflow CVE-2026-33017 Exploited to Steal AWS Keys and Deploy NATS Worker [API Sec] | Library for securing Langflow, addressing CVE-2026-33017, an unauthenticated remote code execution flaw that allows attackers to steal AWS keys and deploy NATS workers. This vulnerability, added to the CISA KEV catalog, enables attackers to run commands within the Langflow container, dump sensitive environment variables, and pivot into cloud accounts for reconnaissance and abuse, including LLM jacking. Recommendations include patching Langflow and rotating affected cloud credentials. |
| 2026-05-14 | Critical Canon MailSuite Vulnerability Enables Remote Code Execution Attacks [RCE] | Writeup of JVN#35567473, a stack-based buffer overflow vulnerability in Canon's GUARDIANWALL MailSuite. Exploiting the `pop3wallpasswd` command allows attackers to achieve Remote Code Execution (RCE) without authentication, affecting versions 1.4.00 through 2.4.26. Canon has released a patch, and a temporary workaround involves disabling the administration screen. |
| 2026-05-14 | Critical MongoDB Vulnerability Allow Attackers to Execute Arbitrary Code [RCE] | Library for securing MongoDB deployments against CVE-2026-8053, a critical vulnerability enabling arbitrary code execution. This flaw allows attackers full server control, data exfiltration, and ransomware deployment. While MongoDB Atlas users are automatically protected, self-hosted deployments require immediate patching to the latest community edition builds and log monitoring for suspicious activity. |
| 2026-05-14 | Windows DNS Client Vulnerability Enables Remote Code Execution Attacks [RCE] | Writeup of CVE-2026-41096, a critical heap-based buffer overflow in the Windows DNS Client's DNSAPI.dll component. This vulnerability, with a CVSS score of 9.8, allows remote code execution by sending a crafted DNS response, enabling attackers to compromise endpoints without user interaction or authentication. Microsoft addressed this flaw in their May 12, 2026 Patch Tuesday release with cumulative updates for Windows 11 and Server 2022/2025. |
| 2026-05-14 | Critical 18-Year-Old NGINX Vulnerability Enables Remote Code Execution Attacks [RCE] | Analysis of CVE-2026-42945, an 18-year-old heap buffer overflow in NGINX's `ngx_http_rewrite_module`, reveals a critical flaw exploitable for unauthenticated remote code execution. Introduced in 2008 and present up to version 1.30.0, the vulnerability arises from a state mismatch in the rewrite and set directives' two-pass processing when a question mark is present, leading to a heap overflow during the second pass. depthfirst autonomously discovered this, along with three other memory corruption bugs, and a public proof-of-concept demonstrates chaining heap manipulation and structure spraying for reliable RCE, particularly when ASLR is disabled. The flaw impacts numerous F5/NGINX products, prompting an urgent upgrade recommendation. |
| 2026-05-14 | Critical SandboxJS Escape Vulnerability Enables Host Takeover [RCE] | Library update addressing CVE-2026-43898 in SandboxJS, a critical JavaScript sandboxing library. This vulnerability, with a CVSS score of 10.0, allowed attackers to escape the sandbox via a leaked `LispType.Call` callback, enabling arbitrary code execution on the host system. The flaw was rooted in allowing sandboxed code to read properties like `caller` and `arguments` of functions. Version 0.9.6 patches this by blocking such access. |
| 2026-05-13 | Critical Fortinet FortiSandbox Vulnerability Enables Code Execution Attacks [RCE] | Writeup of CVE-2026-26083, a critical Fortinet FortiSandbox vulnerability enabling unauthenticated remote code execution. This missing authorization flaw in the Web UI affects on-premises, cloud, and PaaS variants, with a CVSSv3 score of 9.1. Exploiting this vulnerability allows attackers to compromise the entire threat detection pipeline by executing arbitrary commands on the underlying system, impacting confidentiality, integrity, and availability. Affected versions require immediate patching or migration to fixed releases. |
| 2026-05-12 | Microsoft Patch Tuesday May 2026 - 120 Vulnerabilities Fixed Including 29 Critical RCE Flaws [RCE] | Reference of Microsoft's May 2026 Patch Tuesday, addressing 120 vulnerabilities including 29 critical RCE flaws. Key fixes target Microsoft Dynamics 365 (CVE-2026-42898, CVE-2026-42833), Office and Word (CVE-2026-42831, CVE-2026-40363, CVE-2026-40358), Windows DNS Client (CVE-2026-41096), Netlogon (CVE-2026-41089), Windows Graphics/Win32k (CVE-2026-40403), Windows GDI (CVE-2026-35421), Native Wi-Fi Miniport (CVE-2026-32161), SharePoint Server (CVE-2026-40365), and Hyper-V (CVE-2026-40402). The bulletin also includes patches for AI assistants like M365 Copilot and developer tools such as Visual Studio Code. |
| 2026-05-12 | SAP Patches Critical SQL injection Vulnerability in SAP S/4HANA [SQLi] | Writeup on SAP S/4HANA vulnerabilities, detailing CVE-2026-34260, a critical SQL injection flaw with a CVSS of 9.6. This vulnerability, patched via SAP Security Note 3724838, allows attackers to manipulate sensitive corporate financial data. The entry also covers CVE-2026-34263 in SAP Commerce Cloud, CVE-2026-34259 in SAP Forecasting and Replenishment, and CVE-2026-40135 in SAP NetWeaver, highlighting the urgency of applying SAP's May 2026 security patches. |
| 2026-05-12 | Critical PHP SOAP Extension Vulnerabilities Enables Remote Code Execution Attacks [RCE] | Library of patches addresses critical vulnerabilities in PHP's ext-soap component, including CVE-2026-6722 enabling unauthenticated Remote Code Execution through XML graph deduplication and Use-After-Free flaws (CVE-2026-7261). Additional issues involve NULL pointer dereference (CVE-2026-7262) leading to Denial of Service and an out-of-bounds read in native urldecode() (CVE-2026-7258). A buffer overrun in the mbstring extension (CVE-2026-6104) is also patched. Updates are available for PHP versions before 8.2.31, 8.3.31, 8.4.21, and 8.5.6. |
| 2026-05-10 2026 | New cPanel and WHM Flaws Enable Code Execution DoS AttacksRCE | Writeup of CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203 in cPanel and WHM. These critical flaws allow arbitrary file reads via path traversal, Perl code injection for remote code execution, and unsafe symlink handling leading to denial-of-service or privilege escalation. A previous vulnerability, CVE-2026-41940, enabled login bypasses. Immediate patching is essential for all affected versions. |
| 2026-05-09 2026 | Critical Ollama Memory Leak Vulnerability Exposes 300000 Servers GloballyAPI Sec | Writeup of CVE-2026-7482, dubbed "Bleeding Llama," a critical vulnerability affecting Ollama deployments before version 0.17.1. This flaw allows unauthenticated attackers to trigger an out-of-bounds heap read via a crafted GGUF file, exfiltrating sensitive data like prompts, system instructions, and environment variables by preserving leaked memory during model conversion. Approximately 300,000 servers are at risk, with potential exposure of API keys and proprietary code. |
| 2026-05-09 2026 | Palo Alto Networks Firewall Zero-Day RCE Vulnerability Exploited in the Wild Since AprilRCE | Advisory on CVE-2026-0300, a critical zero-day buffer overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal. This flaw allows unauthenticated RCE with root privileges on PA-Series and VM-Series firewalls by specially crafted packets. Exploitation involves nginx shellcode injection, log destruction, Active Directory enumeration, and the use of public tools like EarthWorm and ReverseSocks5 for tunneling and post-exploitation. Mitigation includes restricting portal access and disabling Response Pages. |
| 2026-05-08 2026 | Multiple Critical Vulnerabilities Patched in Next.js and React Server ComponentsSSRF | Advisories detail multiple critical vulnerabilities in Next.js and React Server Components, including CVE-2026-23870 (Denial of Service via React Server Components deserialization), CVE-2026-44578 (Server-Side Request Forgery via WebSocket Upgrade Requests), and CVE-2026-44573 (Pages Router i18n Middleware Bypass). Other patched issues include middleware bypass (GHSA-267c-6grr-h53f), cross-site scripting (GHSA-ffhc-5mcf-pf4q), and denial-of-service in the Image Optimization API (GHSA-h64f-5h5j-jqjh). Organizations should upgrade immediately or implement specific mitigations like in-route authorization and network egress restrictions. |
| 2026-05-07 2026 | Critical Redis Vulnerabilities Enables Remote Code Execution AttacksRCE | Library of advisories detailing critical Redis vulnerabilities, including CVE-2026-23479 (use-after-free), CVE-2026-25243 (RESTORE invalid memory access), CVE-2026-25588 and CVE-2026-25589 (module-specific RESTORE flaws), and CVE-2026-23631 (Lua use-after-free). These flaws, discovered by researchers like Emil Lerner and Joseph Surin, allow authenticated attackers to achieve remote code execution and system compromise across various Redis editions. |
| 2026-05-07 2026 | Critical vm2 Node.js Library Vulnerabilities Enables Arbitrary Code Execution AttacksRCE | Library vulnerabilities affecting vm2, a Node.js package for executing untrusted JavaScript, enable arbitrary code execution by allowing attackers to escape the sandbox. Eleven critical flaws, including CVE-2026-24118, CVE-2026-24120, CVE-2026-24781, CVE-2026-26332, CVE-2026-26956, CVE-2026-43997, CVE-2026-44006, CVE-2026-43999, and CVE-2026-44005, exploit various JavaScript and Node.js features like __lookupGetter__, Promise species, util.inspect, DisposableStack, WebAssembly try_table, prototype chains, and Module._load. Two unpatched vulnerabilities, CVE-2026-44008 and CVE-2026-44009, continue to pose a risk. |
| 2026-05-06 2026 | New MajorDoMo RCE Vulnerability Exposes Servers to Code Execution AttacksRCE | Vulnerability CVE-2026-27174 allows unauthenticated remote code execution in MajorDoMo by exploiting a broken authentication flow and unsafe PHP evaluation via its /admin.php endpoint. Attackers can trigger this through a crafted HTTP GET request, bypassing access controls and leading to arbitrary PHP code execution, potentially compromising IoT services and internal networks. Resecurity has noted a detection template is available in ProjectDiscovery Nuclei. Administrators should restrict administrative access, use VPNs or reverse proxies, and apply vendor patches. |
| 2026-05-06 2026 | Argo CD's ServerSideDiff Vulnerability Enables Kubernetes Secret ExtractionAPI Sec | Library with CVE-2026-43824 allows low-privileged users to extract plaintext Kubernetes Secrets from Argo CD environments. This critical flaw, discovered by Alexmt and Hoang-Prod, bypasses data-masking in the ServerSideDiff endpoint when `IncludeMutationWebhook=true` is set. Attackers with read-only access can exploit this to steal sensitive operational data like passwords and tokens. Users are urged to upgrade to patched versions 3.3.9 or 3.2.11, or apply mitigations such as removing the annotation and tightening RBAC. |
| 2026-05-06 2026 | Zero-Auth Flaw Exposes DoD Contractor to Cross-Tenant Data AccessAPI SecAuthZ | Library of techniques to bypass API authorization, exemplified by the zero-authorization flaw in Schemata’s API that exposed DoD contractor data. This vulnerability, discovered by the Strix AI agent, allowed unprivileged users to access cross-tenant data, including service member records and sensitive military training materials, by failing to enforce organizational scoping and tenant isolation on its API. |
| 2026-05-05 2026 | New ScarCruft Supply Chain Attack Hits Gaming Platform With Windows and Android BackdoorsSupply Chain | Writeup detailing ScarCruft's supply chain attack on the sqgame platform, compromising Windows and Android versions with BirdCall and RokRAT backdoors. The attack, active since late 2024, targeted ethnic Koreans in China's Yanbian region, exploiting trojanized game packages and malicious update packages to exfiltrate personal data, contacts, and files via Zoho WorkDrive accounts. The analysis highlights the Android BirdCall backdoor's functionality, including silent operation, data collection, and microphone/screenshot capabilities, alongside the Windows RokRAT downloader. |
| 2026-05-05 2026 | Critical Weaver E-cology RCE Vulnerability Actively Exploited in AttacksRCE | Writeup detailing CVE-2026-22679, a critical unauthenticated RCE vulnerability in Weaver E-cology 10.0, actively exploited before vendor patches. Attackers leverage an exposed debug endpoint to execute arbitrary commands via POST requests, observed using ping callbacks with the Goby framework and attempting payload delivery. Evasion techniques included renaming PowerShell executables. The vulnerability allows direct command output reflection in HTTP responses, bypassing the need for persistent shells. Organizations must update to build 20260312 or later. |
| 2026-05-05 2026 | Critical Qualcomm Chipset Vulnerabilities Enables Remote Code ExecutionMobileRCE | Bulletin detailing critical Qualcomm chipset vulnerabilities enabling remote code execution. Highlights include CVE-2026-25254 (CVSS 9.8) in the Software Center, CVE-2026-25293 (CVSS 9.6) in PLC firmware, and CVE-2026-25262 in the Primary Bootloader. These flaws, affecting hundreds of chipsets including Snapdragon processors and FastConnect platforms, allow unauthenticated attackers to execute arbitrary code, escalate privileges, or cause denial-of-service conditions, necessitating urgent patching by OEMs. |
| 2026-05-05 2026 | DAEMON Tools Software Hacked to Deliver Malware in a Supply Chain AttackSupply Chain | Writeup of the DAEMON Tools supply chain attack, where trojanized installers (versions 12.5.0.2421-12.5.0.2434) signed with valid certificates delivered malware. The attack chain involves compromised binaries like DTHelper.exe, leading to a backdoor that uses PowerShell to download an information collector. Targeted secondary payloads, including the QUIC RAT backdoor, were deployed to high-value targets in government, scientific, manufacturing, and retail sectors. Indicators of compromise include SHA1 hash 2d4eb55b01f59c62c6de9aacba9b47267d398fe4 and the malicious domain env-check.daemontools[.]cc. |
| 2026-05-05 2026 | Critical Android Zero-Click Vulnerability Grants Remote Shell AccessMobileRCE | Writeup of CVE-2026-0073, a critical Android zero-click remote code execution vulnerability within the adbd component. This flaw grants proximal attackers remote shell access, bypassing sandboxes without user interaction, and affects Android 14, 15, and 16. Google resolved this in the May 2026 security patch, distributed via system updates and AOSP. Users should install updates and verify the May 1, 2026 security patch level. |
| 2026-05-05 2026 | Apache HTTP Server Exposes Millions of Servers to Remote Code Execution AttacksRCE | Library detailing vulnerabilities in Apache HTTP Server 2.4.66 and earlier, including CVE-2026-23918, a critical double-free RCE flaw in HTTP/2; CVE-2026-24072, local privilege escalation via mod_rewrite and ap_expr; CVE-2026-28780, heap overflow in mod_proxy_ajp; CVE-2026-29168, resource exhaustion in mod_md; and CVE-2026-29169, NULL pointer dereference in mod_dav_lock. Recommended mitigations include upgrading to 2.4.67, temporarily disabling HTTP/2, removing unused modules like mod_dav_lock, and auditing .htaccess permissions. |
| 2026-05-04 2026 | Apache MINA Vulnerabilities Enables Remote Code Execution AttacksRCE | Library for Apache MINA addressing critical vulnerabilities CVE-2026-42778 and CVE-2026-42779, which enable remote code execution through insecure deserialization of untrusted data when using the `AbstractIoBuffer.getObject()` method. Developers must upgrade to MINA versions 2.2.7 or 2.1.12 to mitigate these risks. |
| 2026-05-04 2026 | FreeBSD DHCP Client Vulnerability Enables Remote Code Execution as RootRCE | Writeup of CVE-2026-42511 in FreeBSD's default IPv4 DHCP client, a vulnerability discovered by Joshua Rogers allowing local network attackers to execute arbitrary code as root. The flaw stems from improper handling of double-quotes in DHCP server responses, leading to malicious commands being injected into the `dhclient.conf` file and subsequently executed with high privileges via `dhclient-script(8)`. This aligns with MITRE ATT&CK techniques T1557 and T1059. FreeBSD has released patches, and administrators should update immediately. Network-level mitigation includes enabling DHCP snooping. |
| 2026-05-03 2026 | Jenkins Patches High-Severity Plugin Flaws Including Path Traversal and Stored XSSXSS | Library updates address seven Jenkins plugin vulnerabilities, including critical path traversal (CVE-2026-42520 in Credentials Binding Plugin) enabling arbitrary file writes and remote code execution, and two stored XSS flaws (CVE-2026-42523 in GitHub Plugin, CVE-2026-42524 in HTML Publisher Plugin) allowing JavaScript injection. Medium-severity issues in Script Security, Matrix Authorization Strategy, GitHub Branch Source, and Microsoft Entra ID plugins are also patched. |
| 2026-05-01 2026 | Critical Wireshark Vulnerabilities Let Attackers Execute Arbitrary Code Via Malformed PacketsRCE | Library update addressing over 40 Wireshark vulnerabilities, including critical remote code execution flaws (CVE-2026-5402, CVE-2026-5403, CVE-2026-5405, CVE-2026-5656) within dissectors for TLS, SBC, RDP, and profile imports. Numerous other vulnerabilities lead to denial-of-service conditions through dissector crashes (e.g., CVE-2026-5409, CVE-2026-5408, CVE-2026-5406) and infinite loops (CVE-2026-5407), alongside decompression engine issues (CVE-2026-6535, CVE-2026-6533). |
| 2026-04-30 2026 | Google Gemini CLI Vulnerabilities Allow Attackers to Execute Commands on Host SystemsAPI SecRCE | Library vulnerability in the Google Gemini CLI allows attackers to execute commands on host systems by exploiting workspace trust in non-interactive CI/CD environments. This infrastructure-level exploit, distinct from prompt injection, bypasses AI agent sandboxing by automatically trusting malicious agent configurations in pull requests, leading to host-level code execution, secret theft, and supply-chain attacks. Patched versions include @google/gemini-cli 0.39.1 or 0.40.0-preview.3, and google-github-actions/run-gemini-cli 0.1.22. |
| 2026-04-30 2026 | Qinglong Task Scheduler RCE Vulnerabilities Exploited in the WildAPI SecRCE | Writeup of Qinglong task scheduler RCE vulnerabilities (CVE-2026-3965 and CVE-2026-4047) that were actively exploited in early 2026. Unauthenticated attackers leveraged authentication bypass flaws in Qinglong versions 2.20.1 and earlier to achieve remote code execution, enabling them to deploy a cryptominer named .fullgc. The vulnerabilities stem from mismatches between security middleware assumptions and the Express.js framework's routing behavior, specifically concerning URL rewrite rules and case-insensitive URL handling. Updates and auditing are crucial for securing deployments. |
| 2026-04-30 2026 | CVE MCP Server Turns Claude Into a Full-Spectrum Security Analyst With 27 Tools Across 21 APIsAIAPI Sec | Tool for turning Claude AI into a full-spectrum security analyst, the CVE MCP Server integrates with 27 intelligence tools across 21 APIs. It automates CVE triage by correlating data from NVD, EPSS, CISA KEV, GitHub, VirusTotal, Shodan, and more, providing a weighted risk score for prioritization. Key features include API-free tool access, DevSecOps integrations for dependency scanning, and support for Claude Desktop and Claude Code. |
| 2026-04-30 2026 | ProFTPDs SQL Injection Vulnerability Enables Remote Code Execution AttacksRCESQLi | Writeup of CVE-2026-42167, a critical SQL injection vulnerability in ProFTPD's mod_sql extension. This flaw, with a CVSS score of 8.1, can lead to authentication bypass, data theft via blind SQL injection, or remote code execution by leveraging PostgreSQL's COPY TO PROGRAM feature. Exploitation occurs when crafted usernames bypass sanitization in the is_escaped_text() function, allowing attackers to execute unauthorized SQL commands. Immediate patching to ProFTPD 1.3.9a or disabling SQL logging via mod_sql is recommended. |
| 2026-04-29 2026 | Hugging Face LeRobot Vulnerability Enables Unauthenticated RCE AttacksRCE | Writeup of CVE-2026-25874, a critical RCE vulnerability in Hugging Face's LeRobot that enables unauthenticated attackers to execute arbitrary commands by exploiting insecure Pickle deserialization over unauthenticated gRPC channels in the async inference module. This flaw, affecting versions up to 0.5.1, allows attackers to gain administrative control, exfiltrate sensitive data, and sabotage robot operations. Researchers noted the irony of using unsafe Pickle despite the development of the secure safetensors format, with `# nosec` tags present near vulnerable `pickle.loads()` calls. A patch is planned, but immediate mitigation involves restricting network access and binding the server to localhost. |
| 2026-04-29 2026 | Critical Chrome Vulnerabilities Enables Remote Code Execution AttacksRCE | Writeup on 30 Chrome vulnerabilities, including critical Use-After-Free flaws like CVE-2026-7363 in Canvas and CVE-2026-7333 in GPU, enabling Remote Code Execution. This update addresses memory mismanagement that can lead to arbitrary code execution via specially crafted webpages, potentially bypassing sandbox protections. Users are strongly advised to update to Chrome version 147.0.7727.137/138. |
| 2026-04-28 2026 | Critical GitHub.com and Enterprise Server RCE Vulnerability Enables Full Server CompromiseRCESupply Chain | Writeup of CVE-2026-3854, a critical RCE vulnerability in GitHub's internal git proxy, babeld. This flaw, stemming from improper neutralization of special elements (CWE-77) via semicolon injection in git push options, allows authenticated users to compromise backend servers, access private repositories, and achieve full server takeover on GitHub Enterprise Server (GHES). Exploitation involves chaining three injected fields: `rails_env` to bypass sandboxing, `custom_hooks_dir` to redirect hook scripts, and `repo_pre_receive_hooks` for path traversal. Wiz researchers discovered this vulnerability using AI-augmented reverse engineering with IDA MCP. |
| 2026-04-28 2026 | Critical LiteLLM SQL Injection Vulnerability Exploited in the WildSQLi | Writeup detailing CVE-2026-42208, a critical pre-authentication SQL injection vulnerability in the LiteLLM AI gateway. This flaw, actively exploited in the wild, allows attackers to extract sensitive cloud and AI provider credentials from the PostgreSQL database by targeting tables like `litellm_credentials`. The exploit targets the unprotected Authorization Bearer header and has been observed in coordinated, data-extraction efforts. Immediate patching to version 1.83.7 and credential rotation are strongly advised, along with auditing logs for suspicious activity. |
| 2026-04-28 2026 | Popular PyPI Package With 1 Million Monthly Downloads Hacked to Inject Malicious ScriptsSupply Chain | Writeup detailing a supply chain attack on the PyPI package elementary-data, version 0.23.3. Threat actors exploited a GitHub Actions pipeline vulnerability to inject a malicious script, bypassing standard security checks and publishing a compromised version. This information stealer payload targets cloud access tokens, SSH keys, Kubernetes tokens, cryptocurrency wallets, and environment variables. Affected users must rotate credentials and update to version 0.23.4. |
| 2026-04-27 2026 | Critical Gemini CLI Vulnerability Enables Remote Code Execution AttacksRCE | Tool for patching a critical Gemini CLI RCE vulnerability, affecting @google/gemini-cli and google-github-actions/run-gemini-cli, particularly in CI/CD pipelines. The flaw stems from unsafe workspace trust handling in headless mode and a bypass of tool allowlisting under `--yolo` mode, enabling remote code execution when processing untrusted content. Google recommends immediate upgrades and review of automation pipeline configurations, especially concerning external contributors. |
| 2026-04-27 2026 | Nessus Agent Vulnerability on Windows Enables Arbitrary Code Execution with SYSTEM PrivilegesRCE | Vulnerability in Nessus Agent on Windows allows arbitrary code execution with SYSTEM privileges by exploiting a symlink attack. Attackers can create a Windows junction to redirect the agent's file deletion routine, corrupting the system and enabling payload execution at the highest privilege level. Tenable has released a patch in Nessus Agent version 11.1.3. |
| 2026-04-24 2026 | Python Vulnerability Allows Out-of-Bounds Write on Windows SystemsPython | Writeup of CVE-2026-3298, an out-of-bounds write vulnerability in Python's Windows asyncio implementation. The flaw, discovered in the `sock_recvfrom_into()` method of `asyncio.ProactorEventLoop`, occurs due to a missing boundary check when the `nbytes` parameter is used, potentially allowing attackers to corrupt memory, leading to crashes or code execution. Only Windows users running Python with affected asyncio network applications are at risk. A fix is available via a pull request to the CPython repository. |
| 2026-04-21 2026 | CISA Warns Axios npm Package Was Compromised in Major Supply Chain AttackSupply Chain | Alert regarding a supply chain attack targeting the Axios npm package, specifically versions 1.14.1 and 0.30.4, which were compromised by injecting a malicious dependency, plain-crypto-js@4.2.1. The attack deploys a remote access trojan (RAT) on developer machines. Recommendations include reverting to safe Axios versions (axios@1.14.0 or axios@0.30.3), deleting the malicious dependency, rotating credentials, blocking C2 domains, and implementing long-term prevention strategies like `.npmrc` configurations (`ignore-scripts=true`, `min-release-age=7`) and requiring phishing-resistant MFA. |
| 2026-04-21 2026 | Claude Code Gemini CLI and GitHub Copilot Vulnerable to Prompt Injection via GitHub CommentsAI | Library of techniques demonstrating "Comment and Control" prompt injection, a cross-vendor vulnerability class affecting AI coding agents like Anthropic's Claude Code Security Review, Google's Gemini CLI Action, and GitHub Copilot Agent. These attacks weaponize GitHub comments, PR titles, and issue bodies to hijack AI agents, exfiltrating API keys and access tokens from CI/CD environments by bypassing security mitigations such as environment variable filtering, secret scanning, and firewalls. Vulnerabilities detailed include RCE via PR title and API key leaks through issue comments. |
| 2026-04-21 2026 | Critical Anthropics MCP Vulnerability Enables Remote Code Execution AttacksRCE | Analysis of critical Anthropic MCP vulnerability, impacting over 150 million downloads and potentially 200,000 servers, reveals architectural flaws enabling Arbitrary Command Execution (RCE). OX Security identified exploitation vectors including Unauthenticated UI Injection, Hardening Bypasses in Flowise, Zero-Click Prompt Injection in AI IDEs like Windsurf and Cursor, and Malicious Marketplace Distribution. Exploits were confirmed on LiteLLM, LangChain, and IBM’s LangFlow, resulting in multiple CVEs, with patched vulnerabilities like CVE-2026-30623 and CVE-2026-33224, while others remain unpatched in GPT Researcher, Agent Zero, and DocsGPT. |
| 2026-04-20 2026 | Lovable AI App Builder Reportedly Exposes Customer Data From Projects via Unpatched API FlawAPI Sec | Writeup on a Broken Object Level Authorization (BOLA) vulnerability in Lovable, an AI app builder, allowing unauthorized access to project data including source code, database credentials, and customer information. The flaw, unpatched for projects created before November 2025, enables free-tier users to make unauthenticated API calls to retrieve sensitive data via endpoints like `api.lovable.dev/GetProjectMessagesOutputBody`. Researchers found exposed Supabase credentials and data from individuals at Accenture Denmark and Copenhagen Business School, along with potential risks for employees at Nvidia, Microsoft, Uber, and Spotify. This issue was previously reported on HackerOne as duplicate report #3583821. |
| 2026-04-20 2026 | Critical Vulnerability In Flowise Allows Remote Command Execution Via MCP AdaptersRCE | Analysis of a critical architectural flaw in Anthropic's Model Context Protocol (MCP) reveals remote command execution vulnerabilities across numerous AI frameworks. This vulnerability, present in official MCP SDKs for Python, TypeScript, Java, and Rust, has resulted in at least ten CVEs impacting platforms like Flowise, LiteLLM, and LangChain. Attack vectors include unauthenticated UI injection, hardening bypasses in protected environments, and zero-click prompt injection, with researchers confirming exploitation on six production platforms and poisoning of MCP registries. Immediate actions include blocking public internet exposure of AI services, treating MCP input as untrusted, sandboxing services, and monitoring for unexpected outbound activity. |
| 2026-04-18 2026 | Critical Cisco ISE Vulnerabilities Let Remote Attackers Execute Malicious CodeRCE | Advisory detailing two critical Cisco Identity Services Engine (ISE) vulnerabilities: CVE-2026-20147, a CVSS 9.9 RCE flaw allowing arbitrary command execution via crafted HTTP requests with administrative credentials, and CVE-2026-20148, a CVSS 4.9 path traversal vulnerability enabling sensitive file access. Both require administrative access, and Cisco advises immediate upgrades to patched versions, as no workarounds exist. |
| 2026-04-16 2026 | Windows Active Directory Vulnerability Allow Attackers to Execute Malicious CodeRCE | Vulnerability CVE-2026-33826 in Windows Active Directory allows remote code execution by attackers with adjacent network access. This critical flaw, stemming from improper input validation (CWE-20) in RPC processing, enables threat actors to compromise core identity servers with low complexity and no user interaction. Microsoft urges immediate application of cumulative updates and monthly rollups for affected Windows Server versions, including specific KB numbers for 2012 R2, 2016, 2019, 2022, and 2025. |
| 2026-04-16 2026 | Splunk Enterprise and Cloud Platform Vulnerability Enables Remote Code Execution AttacksRCE | Vulnerability CVE-2026-20204 is a critical flaw in Splunk Enterprise and Cloud platforms, enabling Remote Code Execution (RCE) for attackers with low-privileged access. Exploitation involves uploading a malicious file to a specific temporary directory, triggering unauthorized code execution. The issue, categorized under CWE-377, affects various versions of Splunk Enterprise and Cloud Platform, with affected Splunk Enterprise versions including 10.2 before 10.2.1, 10.0 before 10.0.5, 9.4.0-9.4.9, and 9.3 up to 9.3.10. Mitigation strategies include upgrading to patched versions, disabling the Splunk Web component, or modifying web configurations. |
| 2026-04-15 2026 | Agentic LLM Browsers Expose New Attack Surface for Prompt Injection and Data TheftAI | Analysis of agentic LLM browsers, including Comet, Atlas, Microsoft Edge Copilot, and Brave Leo AI, reveals a new attack surface for prompt injection and data theft. Researchers identified architectural vulnerabilities where Cross-Site Scripting (XSS) on trusted domains can grant attackers control over browsing sessions, enabling indirect prompt injection. This allows malicious commands to be executed, leading to unauthorized file access, email exfiltration, and malware deployment, with attacks being difficult to detect as they leverage user credentials and mimic normal behavior. |
| 2026-04-15 2026 | 25000 Endpoints Exposed by Dragon Boss Solutions Update Domain Supply Chain AttackSupply Chain | Analysis of a Dragon Boss Solutions LLC domain supply chain attack exposing 25,000 endpoints, detailing how signed software used Advanced Installer and MSI/PowerShell payloads, including the `ClockRemoval.ps1` script to disable antivirus and prevent reinstallation by modifying hosts files and Windows Defender exclusions. The attack's scale was revealed when the unregistered update domain, `chromsterabrowser[.]com`, allowed attackers to control infected systems, impacting universities, critical infrastructure, and Fortune 500 companies. |
| 2026-04-15 2026 | Critical ShowDoc RCE Vulnerability Active Exploited in the WildRCE | Vulnerability CNVD-2020-26585 is a critical remote code execution flaw in ShowDoc versions prior to 2.8.7. Threat actors actively exploit this by uploading malicious PHP files via the image upload API endpoint (/index.php?s=/home/page/uploadImg). Exploitation involves crafting a POST request with a manipulated filename and embedding an execution command, granting attackers arbitrary code execution on vulnerable servers. Mitigation requires upgrading to ShowDoc 2.8.7+, reviewing logs for suspicious uploads, restricting server access, and configuring WAFs to block malformed requests. |
| 2026-04-14 2026 | Microsoft Patch Tuesday April 2026 168 Vulnerabilities Fixed Including Actively Exploited 0-dayRCE | Microsoft Patch Tuesday April 2026 – 168 Vulnerabilities Fixed, Including Actively Exploited 0-day https://ift.tt/TbdJPtY |
| 2026-04-14 2026 | Critical FortiSandbox Vulnerabilities Allow Attackers to Execute Unauthorized CommandsRCE | Writeup on two critical FortiSandbox vulnerabilities, CVE-2026-39808 and CVE-2026-39813, both scoring 9.1 CVSSv3. CVE-2026-39808, an OS Command Injection flaw (CWE-78) in the API component, allows unauthenticated remote attackers to execute arbitrary commands. CVE-2026-39813, a Path Traversal vulnerability (CWE-24) in the JRPC API, enables unauthenticated attackers to bypass authentication and escalate privileges. Exploitation requires no prior authentication and has a low attack complexity. Affected FortiSandbox versions require immediate patching. |
| 2026-04-14 2026 | CISA Warns of Fortinet SQL Injection Vulnerability Actively Exploited in AttacksSQLi | Vulnerability writeup detailing CVE-2026-21643, an unauthenticated SQL injection in Fortinet FortiClient Enterprise Management Server (EMS). This CWE-89 flaw allows remote attackers to execute unauthorized code by sending crafted HTTP requests, posing a significant risk to corporate networks. CISA has added this to its Known Exploited Vulnerabilities catalog, mandating a rapid patching timeline for federal agencies and recommending similar urgency for private sector organizations. Immediate application of Fortinet patches, monitoring for unusual traffic, and securing cloud deployments are crucial mitigation steps. |
| 2026-04-13 2026 | Marimo RCE Vulnerability Exploited in the Within 10 Hours of DisclosureRCE | Writeup of CVE-2026-39987, a pre-authentication RCE vulnerability in Marimo affecting versions up to 0.20.4 that was weaponized within 10 hours of disclosure. The flaw in the `/terminal/ws` WebSocket endpoint allows unauthenticated attackers to gain an interactive shell, leading to the exfiltration of cloud credentials like AWS access keys from `.env` files. Sysdig Threat Research Team observed exploitation originating from IP 49.207.56[.]74, highlighting the rapid targeting of niche software. |
| 2026-04-13 2026 | Critical Axios Vulnerability Allows Remote Code ExecutionRCE | Library with CVE-2026-40175 allows remote code execution by exploiting prototype pollution in header processing. Versions before 1.15.0 are vulnerable, enabling attackers to smuggle requests, bypass AWS IMDSv2, steal IAM credentials, and achieve cloud account takeover through unsanitized header values and problematic third-party dependencies. |
| 2026-04-12 2026 | Hackers Exploit GitHub Copilot Flaw to Exfiltrate Sensitive DataSupply Chain | Writeup of CVE-2025-59145, the "CamoLeak" vulnerability impacting GitHub Copilot Chat, which allowed attackers to exfiltrate sensitive data like API keys and source code. The exploit weaponized hidden markdown comments within pull requests, manipulating Copilot into searching the codebase and encoding findings in base16. This encoded data was then embedded into pre-signed image addresses, bypassing Content Security Policy and network egress controls by routing outbound traffic through GitHub's trusted infrastructure. The attack chain highlights the risks of AI assistants with deep system access. |
| 2026-04-11 2026 | 0-Click Zendesk Account Takeover VulnerabilityAuthN | Vulnerability writeup detailing a zero-click account takeover in Zendesk's Android SDK. The flaw stems from predictable JWT tokens generated by combining hardcoded secrets with sequential account IDs, allowing attackers to mass-generate valid authentication tokens. Exploitation grants access to all support tickets and sensitive customer data without user interaction or rate limiting. The ZendeskHelper.g() method is identified as the vulnerable component, with recommendations including high-entropy secrets, rate limits, and mobile auth audits. |
| 2026-04-10 2026 | AI Router Vulnerabilities Allow Attackers to Inject Malicious Code and Steal Sensitive DataRCE | Library for securing AI agent LLM API routers, detailing how these intermediaries can be weaponized for malicious code injection and credential exfiltration. Research from UC Santa Barbara highlights vulnerabilities in routers purchased from platforms like Taobao and Shopify, demonstrating attacks including payload injection and autonomous session hijacking. Mitigations include fail-closed policy gates, response-side anomaly screening, and append-only transparency logging. |
| 2026-04-10 2026 | Critical Chrome Vulnerabilities Let Attackers to Execute Arbitrary CodeRCE | Writeup of critical Chrome vulnerabilities, including CVE-2026-5858 and CVE-2026-5859, which are heap buffer overflow and integer overflow flaws in WebML, respectively. These, along with 14 high-severity issues like use-after-free in WebRTC and V8, and heap buffer overflows in WebAudio and ANGLE, could allow arbitrary code execution. Google's fuzzing infrastructure aided in their detection. |
| 2026-04-10 2026 | SolarWinds Web Help Desk Deserialization VulnerabilityDeser | Writeup of CVE-2025-26399 in SolarWinds Web Help Desk, a deserialization vulnerability (CWE-502) in the AjaxProxy component. This flaw allows remote command execution on affected hosts, leading to potential data theft and network pivoting. CISA has added this to its Known Exploited Vulnerabilities catalog, mandating immediate patching or disconnection for federal agencies by March 12, 2026, with strong recommendations for private sector urgency. |
| 2026-04-09 2026 | CISA Warns of Critical Ivanti EPMM Code Injection Vulnerability Exploited in AttacksRCE | Advisory on CVE-2026-1340, a critical Ivanti EPMM code injection vulnerability, highlights its active exploitation and addition to CISA's Known Exploited Vulnerabilities catalog. This unauthenticated remote code execution flaw allows attackers to gain administrative control, steal data, deploy malware, and pivot within networks. CISA mandates immediate patching and mitigation for federal agencies and strongly urges private sector adoption of the same rapid response, advising disconnection if a fix is not immediately feasible. |
| 2026-04-09 2026 | Multiple SonicWall Vulnerabilities Enable SQL Injection and Privilege Escalation AttacksSQLi | Advisory on multiple SonicWall vulnerabilities affecting SMA 1000 series appliances, including CVE-2026-4112 enabling SQL injection and privilege escalation, CVE-2026-4113 for user credential enumeration, and CVE-2026-4114 and CVE-2026-4116 allowing TOTP bypass. Immediate hotfix application is required due to the severity of these flaws and lack of workarounds. |
| 2026-04-08 2026 | Claude Uncovers 13-Year-Old RCE Flaw in Apache ActiveMQ in Just 10 MinutesRCE | Writeup of CVE-2026-34197, a 13-year-old RCE vulnerability in Apache ActiveMQ Classic's Jolokia JMX-HTTP bridge, discovered by Anthropic's Claude AI. The flaw allows authenticated attackers to inject crafted VM transport URIs via the `addNetworkConnector` operation, leading to arbitrary OS command execution through Spring's `MethodInvokingFactoryBean`. A separate flaw, CVE-2024-32114, makes this RCE unauthenticated in ActiveMQ versions 6.0.0 through 6.1.1. The vulnerability is patched in ActiveMQ Classic versions 5.19.4 and 6.2.3. |
| 2026-04-08 2026 | CUPS Vulnerability Chain Enables Remote Attacker to Execute Malicious Code as Root UserRCE | Writeup on CVE-2026-34980 and CVE-2026-34990, two zero-day vulnerabilities in CUPS versions 2.4.16 and older. Attackers can exploit a parsing bug in shared PostScript queues to bypass authentication and execute code as the "lp" user, then leverage a privilege escalation flaw to gain root access. Mitigation involves disabling shared legacy queues, limiting network exposure, enforcing authentication, or using mandatory access control systems like AppArmor. |
| 2026-04-07 2026 | 50000 WordPress Sites Exposed to Critical Ninja Forms File Upload RCE VulnerabilityRCE | Writeup of CVE-2026-0740, a critical unauthenticated arbitrary file upload vulnerability in the Ninja Forms plugin for WordPress, exposing an estimated 50,000 sites to Remote Code Execution. The flaw, discovered by Sélim Lanouar, stems from inadequate filename sanitization and a failure to validate destination filenames before saving, allowing attackers to leverage path traversal to upload malicious PHP files. Exploitation can lead to complete server takeover, data theft, malware injection, and further attacks. Versions up to 3.3.26 are affected; updates to 3.3.27 or higher are urgently recommended. |
| 2026-04-06 2026 | 2000 FortiClient EMS Instances Exposed Online Amid Active RCE Vulnerability Exploits in the WildRCE | Analysis of FortiClient EMS vulnerabilities reveals over 2,000 exposed instances, with CVE-2026-35616 and CVE-2026-21643 actively exploited for unauthenticated remote code execution. These critical flaws allow attackers to gain full control of affected systems and managed endpoints, posing a significant risk to enterprise networks. Immediate patching and restricted internet access are crucial mitigations against this widespread threat. |
| 2026-04-06 2026 | CERT-EU Confirms Trivy Supply Chain Attack Led to Credential ExposureSecrets | Library provides specific MITRE ATT&CK techniques, including Supply Chain Compromise (T1195.002), Cloud Account Compromise (T1586.003), Valid Cloud Accounts (T1078.004), and Data from Local System (T1005), illustrating a supply chain attack on the European Commission via a compromised Trivy version. This incident, detailed by CERT-EU and involving threat actors TeamPCP and extortion group ShinyHunters, led to the exfiltration of over 340 GB of data by exploiting AWS API keys and utilizing tools like TruffleHog. Recommendations include updating Trivy, rotating secrets, restricting CI/CD access, and enabling CloudTrail logs. |
| 2026-04-04 2026 | 14000 F5 BIG-IP APM Devices Exposed Online Amid Active RCE Vulnerability ExploitsRCE | Writeup of CVE-2025-53521, an actively exploited RCE flaw impacting F5 BIG-IP APM devices, with over 14,000 instances still exposed online. Initially disclosed as a DoS, its upgrade to RCE by F5 necessitates immediate patching and post-compromise hunting. Successful exploitation allows attackers to bypass corporate perimeters, leading to data theft or network infiltration. Organizations must apply vendor updates (K000156741), assume breach, and audit external assets. |
| 2026-04-02 2026 | Critical Grafana Vulnerabilities Let Attackers Achieve Remote Code ExecutionRCE | Writeup on critical Grafana vulnerabilities, CVE-2026-27876 and CVE-2026-27880, detailing a SQL expressions RCE flaw requiring Viewer permissions and an unauthenticated DoS vulnerability affecting OpenFeature validation endpoints. The RCE allows arbitrary file writes and SSH acquisition, while the DoS exploits unbounded input to crash instances. Administrators must upgrade to patched versions (12.4.2, 12.3.6, etc.) or disable SQL expressions to mitigate the RCE, and use reverse proxies or highly available environments against the DoS. |
| 2026-03-30 2026 | Stored XSS Bug in Jira Work Management Could Lead to Full Organization TakeoverXSS | Writeup of a Stored XSS vulnerability in Jira Work Management, CVE-2024-XXXX, uncovered by Snapsec. A low-privileged Product Admin can exploit the "icon URL" property of custom issue priorities, which lacks input validation and output encoding, to inject a malicious script. This payload executes when a Super Admin views the priorities page, leading to an automated invitation of an attacker-controlled account with full organizational access, enabling complete takeover of Atlassian products. |
| 2026-03-20 2026 | Russian APT Exploits Zimbra XSS to Target Ukrainian Government in Operation GhostMailXSS | Writeup detailing Operation GhostMail, a Russian APT campaign targeting a Ukrainian government agency through a Zimbra XSS vulnerability (CVE-2025-66376). This attack, attributed to APT28, bypassed traditional indicators by embedding a base64-encoded JavaScript payload within an HTML email body, silently exfiltrating credentials, email archives, and enabling persistent access via app-specific passwords. The campaign exploited insufficient HTML sanitization in Zimbra Collaboration Suite versions prior to 10.0.18 and 10.1.13, using both HTTPS and DNS exfiltration channels. |
| 2026-03-17 2026 | Angular XSS Vulnerability Exposes Thousands of web Applications to XSS AttacksXSS | Library concerning CVE-2026-32635, a critical XSS vulnerability in Angular's i18n handling within `@angular/compiler` and `@angular/core` packages. This flaw allows attackers to inject malicious scripts by binding unsanitized user input to localized sensitive attributes like `href`, `src`, and `data`, potentially leading to session hijacking and data exfiltration. Patches are available for specific versions, with updates recommended or manual sanitization using `DomSanitizer` for unpatched releases. |
| 2026-03-12 2026 | GitLab Security Update - Patch for XSS and API DoS VulnerabilitiesXSS | Library patch notes detail urgent updates for GitLab CE/EE addressing critical Cross-Site Scripting (XSS) and Denial-of-Service (DoS) vulnerabilities. The update, covering versions 18.9.2, 18.8.6, and 18.7.6, resolves issues including CVE-2026-1090 (XSS in Markdown), CVE-2026-1069 (DoS in GraphQL API), CVE-2025-13929 (DoS in repository archives), and CVE-2025-14513 (DoS in protected branches API). Administrators of self-managed instances should apply these patches immediately to mitigate risks. |
| 2026-03-04 2026 | Critical XSS Vulnerability in Angular i18n Enables Malicious Code ExecutionXSS | Writeup of CVE-2026-27970, a critical XSS vulnerability in Angular's i18n pipeline, enabling malicious JavaScript execution. Attackers can exploit this by compromising an application's translation files, particularly when embedded HTML within ICU messages isn't properly sanitized. Exploitation requires access to translation files and a lack of strong defenses like CSP or Trusted Types. Developers are urged to update to patched @angular/core versions to mitigate risks. |
| 2026-03-02 2026 | Angular SSR Request Vulnerability Allows Attackers to Trick Applications into Sending Unauthorized RequestsSSRF | Library patches address CVE-2026-27739, a critical Server-Side Request Forgery (SSRF) vulnerability in Angular SSR. Attackers can exploit this flaw by manipulating Host and X-Forwarded-* headers, tricking applications into sending unauthorized requests to external domains. This enables credential exfiltration and internal network probing. Patched versions include 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21. Workarounds involve avoiding header-based URL construction and implementing strict header validation. |
| 2026-02-26 2026 | Firefox 148 Released With Sanitizer API to Disable XSS AttackXSS | Library introducing the Sanitizer API for Firefox 148, offering a standardized, effective method to prevent Cross-Site Scripting (XSS) attacks by converting potentially harmful HTML into safe alternatives. This API, implemented via the `setHTML()` method, provides an easier alternative to complex Content-Security-Policy (CSP) configurations and works synergistically with Trusted Types for enhanced protection against common web vulnerabilities. |
| 2026-02-20 2026 | Critical Jenkins Vulnerability Exposes Build Environments to XSS AttacksXSS | Advisory detailing CVE-2026-27099, a high-severity stored XSS vulnerability in Jenkins Core affecting versions 2.550 and earlier, where unescaped HTML in offline cause descriptions allows malicious JavaScript injection. This critical flaw can compromise user sessions and build environments. A second medium-severity vulnerability, CVE-2026-27100, is also discussed, which allowed unauthorized access to build and job information via Run Parameter values. Updates to Jenkins 2.551 and LTS 2.541.2 are recommended to address these risks. |
| 2026-02-18 2026 | Microsoft VS Code Extension with 11M Downloads Expose Developers to One-Click XSS AttacksXSS | Writeup of a critical vulnerability in the VS Code Live Preview extension (versions < 0.4.16) that allows one-click XSS and local file exfiltration. Discovered by OX Security, the flaw enables malicious websites to enumerate local files and extract sensitive data like API keys by exploiting improper input handling in the extension's local development server. Microsoft patched the vulnerability, now addressed by an `escapeHTML` function in version 0.4.16. |
| 2026-02-17 2026 | Langchain Community SSRF Bypass Vulnerability Enables Access to Internal ServicesSSRF | Library fix addressing CVE-2026-26019 in langchain/community versions up to 1.1.13. This Server-Side Request Forgery (SSRF) vulnerability stemmed from an inadequate URL validation in RecursiveUrlLoader, allowing crafted subdomains and direct access to cloud metadata endpoints (169.254.169.254) or internal networks. The patch in 1.1.14 implements strict origin validation via the URL API and introduces new SSRF filters in @langchain/core/utils/ssrf to block private, loopback, and non-HTTP(S) schemes. |
| 2026-02-13 2026 | Zimbra Security Update - Patch for XSS XXE & LDAP Injection VulnerabilitiesXSS | Library update patches Zimbra Collaboration 10.1.16 for critical XSS, XXE, and LDAP injection vulnerabilities. The fixes include enhanced input validation for XSS, tightened XML parsing for XXE in EWS, and robust sanitization against LDAP injection. Additionally, this release restores PDF previews in Classic UI and strengthens CSRF protection, while also improving backup performance and adding new web application features. |
| 2026-02-11 2026 | GitLab Patches Multiple Vulnerabilities That Enables DoS and Cross-site Scripting AttacksXSS | Library patches address multiple GitLab vulnerabilities, including CVE-2025-7659 (CVSS 8.0) in the Web IDE allowing unauthenticated token theft and private repository access, DoS flaws CVE-2025-8099 and CVE-2026-0958 targeting GraphQL and JSON middleware respectively, and CVE-2025-14560 (CVSS 7.3) a Cross-Site Scripting vulnerability in the "Code Flow" feature. Updates for Community and Enterprise Editions are available in versions 18.8.4, 18.7.4, and 18.6.6. |
| 2026-02-10 2026 | FortiSandbox XSS Vulnerability Let Attackers Run Arbitrary CommandsXSS | Analysis of CVE-2025-52436, a critical XSS vulnerability in FortiSandbox's GUI that allows unauthenticated attackers to achieve arbitrary command execution via crafted web requests. This improper neutralization of input during web page generation (CWE-79) escalates to RCE when a victim interacts with malicious content, enabling data exfiltration and lateral movement. Patches are available in FortiSandbox PaaS versions 4.4.8 and 5.0.5. |
| 2026-02-04 2026 | CISA Warns of GitLab Community and Enterprise Editions SSRF Vulnerability Exploited in AttacksSSRF | Writeup on CVE-2021-39935, a critical GitLab SSRF vulnerability actively exploited by threat actors. This flaw allows attackers to leverage the CI Lint API to send requests from the GitLab server to internal or external systems, bypassing network controls. Exploitation can lead to internal network scanning, access to cloud metadata, or interaction with internal APIs. CISA added it to the KEV catalog, prompting immediate patching or workarounds, such as disabling the CI Lint API. |
| 2026-02-03 2026 | Foxit PDF Editor Vulnerabilities Let Attackers Execute Arbitrary JavaScriptXSS | Writeup detailing CVE-2026-1591 and CVE-2026-1592, cross-site scripting vulnerabilities in Foxit PDF Editor Cloud's File Attachments list and Layers panel. These CWE-79 flaws, with a CVSS 3.0 score of 6.3, allow arbitrary JavaScript execution due to inadequate input sanitization and output encoding. Exploitation could lead to high confidentiality risks by accessing sensitive document and session data. Foxit has released patches, automatically deployed for Cloud users. |
| 2026-01-22 2026 | Critical Chainlit AI Vulnerabilities Let Hackers Gain Control Over Cloud EnvironmentsSSRF | Vulnerabilities in Chainlit, CVE-2026-22218 and CVE-2026-22219, allow attackers to steal cloud credentials and control AI environments. The arbitrary file read vulnerability permits access to sensitive data like AWS secret keys and database credentials, while the server-side request forgery flaw enables attackers to target internal services and AWS metadata endpoints for IAM role credentials. These can be chained to compromise cloud infrastructure, steal source code, and achieve account takeover. Chainlit version 2.9.4 addresses these issues. |
| 2026-01-13 2026 | FortiSandbox SSRF Vulnerability Allow Attacker to proxy Internal Traffic via Crafted HTTP RequestsSSRF | Writeup of CVE-2025-67685 in FortiSandbox, a Server-Side Request Forgery vulnerability due to improper input validation in the GUI component. This flaw, with a CVSSv3 score of 3.4, allows authenticated attackers to craft HTTP requests, proxying traffic to internal plaintext endpoints, potentially exposing sensitive services. Fortinet recommends immediate upgrades to mitigate the risk. |
| 2026-01-13 2026 | New Angular Vulnerability Enables an Attacker to Execute Malicious PayloadXSS | Library for Angular development, addressing CVE-2026-22610, a critical XSS vulnerability in the Template Compiler. This flaw allows attackers to execute arbitrary JavaScript by exploiting the sanitization schema's failure to properly validate `href` and `xlink:href` attributes in SVG `<script>` elements when used with dynamic property bindings. Exploitation can lead to session hijacking, data exfiltration, and unauthorized actions. Developers should update to patched Angular versions or, as a mitigation, avoid dynamic bindings with SVG script elements and implement strict server-side input validation. |
| 2025-12-19 2025 | Roundcube Vulnerabilities Allow Attackers to Execute Malicious ScriptsXSS | Library for patching Roundcube Webmail to address critical Cross-Site Scripting (XSS) vulnerabilities in SVG handling and Information Disclosure flaws in HTML sanitization. These vulnerabilities, reported by researchers from CrowdStrike and somerandomdev, allow attackers to execute arbitrary JavaScript and bypass sanitization filters to steal sensitive data and session tokens, impacting versions 1.6 and 1.5 LTS. Patched versions 1.6.12 and 1.5.12 are available on GitHub. |
| 2025-12-11 2025 | GitLab Patches Multiple Vulnerabilities that Allows Attackers to Trigger XSS and DoS AttackXSS | Patches for GitLab address ten vulnerabilities, including four high-severity flaws like cross-site scripting (XSS) in Wiki functionality (CVSS 8.7), improper encoding in vulnerability reports (CVSS 8.7), XSS in Swagger UI (CVSS 8.0), and a GraphQL denial-of-service (DoS) issue (CVSS 7.5). Other identified risks involve authentication bypass and DoS vulnerabilities targeting ExifTool, the Commit API, and GraphQL endpoints. Affected versions are those before 18.4.6, 18.5.x before 18.5.4, and 18.6.x before 18.6.2. |
| 2025-12-10 2025 | Critical Ivanti EPM Vulnerability Allows Admin Session Hijacking via Stored XSSXSS | Writeup of CVE-2025-10573, a critical stored XSS vulnerability in Ivanti Endpoint Manager allowing unauthenticated administrator session hijacking. Exploitable via the `/incomingdata/postcgi.exe` endpoint, attackers can inject JavaScript payloads into device scan fields, which are then executed when administrators view device information on dashboards like `frameset.aspx`. The vulnerability stems from insufficient input validation in the `incomingdata` web API. Ivanti has released version 2024 SU4 SR1 to patch this high-severity flaw. |
| 2025-12-03 2025 | Angular Platform Vulnerability Allows Malicious Code Execution Via Weaponized SVG Animation FilesXSS | Library for Angular that addresses CVE-2025-66412, a Stored XSS vulnerability in the template compiler allowing arbitrary code execution via weaponized SVG animation files. This flaw stems from the compiler’s incomplete security schema, failing to sanitize URL-holding attributes and SVG animation elements. Attackers exploit this by binding untrusted data to attributes like `xlink:href` or through dynamic manipulation of SVG animation properties, leading to potential session hijacking and data exfiltration. Upgrading to patched Angular versions or implementing strict Content Security Policy (CSP) headers are recommended mitigations. |
| 2025-11-29 2025 | CISA Warns of OpenPLC ScadaBR cross-site scripting vulnerability Exploited in AttacksXSS | Vulnerability writeup detailing CVE-2021-26829, a critical Cross-Site Scripting (XSS) flaw affecting OpenPLC ScadaBR. This CWE-79 vulnerability, actively exploited in the wild and added to CISA's KEV catalog, allows remote attackers to inject malicious scripts via the system settings interface, potentially hijacking sessions, stealing credentials, or altering configurations in Operational Technology (OT) networks. Mitigations include applying vendor patches, reviewing third-party usage, or discontinuing use if patches are unavailable. |
| 2025-11-13 2025 | Multiple GitLab Vulnerabilities Let Attackers Inject Malicious Prompts to Steal Sensitive DataXSS | Library updates address prompt injection in GitLab Duo's review feature, allowing attackers to steal sensitive data by injecting hidden prompts into merge request comments. Nine other vulnerabilities were patched, including XSS in the Kubernetes proxy, authorization bypass in workflows, information disclosure via GraphQL subscriptions, branch names, and the packages API, as well as path traversal, improper access control in GitLab Pages, and denial-of-service via Markdown. |
| 2025-11-13 2025 | Multiple Kibana Vulnerabilities Enables SSRF and XSS AttacksSSRF | Writeup of Kibana vulnerabilities CVE-2025-37734 enabling SSRF and XSS attacks. Inadequate origin validation in the Observability AI Assistant component allows forging Origin HTTP headers, bypassing security controls. Exploitation can lead to unauthorized internal network access, information disclosure, and lateral movement. Affecting Kibana versions 8.12.0-8.19.6, 9.1.0-9.1.6, and 9.2.0, patching is critical. |
| 2025-11-12 2025 | Citrix NetScaler ADC and Gateway Vulnerability Enables Cross-Site Scripting AttacksXSS | Analysis of CVE-2025-12101, a cross-site scripting (XSS) vulnerability affecting NetScaler ADC and Gateway products. This flaw, categorized under CWE-79, allows attackers to inject malicious scripts, potentially leading to session hijacking. Exploitation requires specific configurations, such as operating as a Gateway or AAA virtual server. Affected versions include various releases of 14.1, 13.1, and 12.1, with end-of-life versions being permanently vulnerable. Immediate upgrades to patched releases or migration from EOL versions are recommended. |
| 2025-11-12 2025 | ChatGPT Hacked Using Custom GPTs Exploiting SSRF Vulnerability to Expose SecretsSSRF | Writeup of CVE-XXXXX, an SSRF vulnerability in ChatGPT's Custom GPT "Actions" feature. Attackers could exploit this by using 302 redirects to bypass HTTPS enforcement and inject a "Metadata: true" header to access Azure's Instance Metadata Service. This exposed sensitive Azure credentials, including OAuth2 tokens for Azure's management API, potentially allowing for resource enumeration or escalation within OpenAI's cloud environment. The vulnerability, similar to those on OWASP's Top 10 list, was reported to OpenAI and subsequently patched. |
| 2025-10-29 2025 | Wordpress Plugin Vulnerability Exposes 7 Million Sites to XSS AttackXSS | Library: LiteSpeed Cache Plugin, version 7.5.0.1 and earlier, suffers from CVE-2025-12450, a reflected cross-site scripting (XSS) vulnerability due to insufficient input sanitization and output escaping in URL handling. Exploitable via crafted links requiring user interaction, this flaw allows attackers to execute arbitrary JavaScript, potentially leading to session cookie theft or unauthorized actions. Nicholas Giemsa discovered the vulnerability, and version 7.6 of the plugin has been released with a patch. Administrators should update immediately and consider Web Application Firewalls for additional protection. |
| 2025-10-25 2025 | CISA Warns of Zimbra Collaboration Suite (ZCS) XSS Zero-Day Vulnerability Actively Exploited in AttacksXSS | Writeup of CVE-2025-27915, a critical zero-day XSS vulnerability in Synacor's Zimbra Collaboration Suite (ZCS) Classic Web Client. Exploiting improper HTML sanitization in ICS files, attackers can execute arbitrary JavaScript via an `ontoggle` event handler within a `<details>` tag, leading to compromised user sessions and malicious email filter creation for data exfiltration. CISA mandates remediation by October 28, 2025, for federal agencies, urging immediate application of vendor mitigations and enhanced email security controls. |
| 2025-10-21 2025 | CISA Warns Of Oracle E-Business Suite SSRF Vulnerability Actively Exploited In AttacksSSRF | Library for securing Oracle E-Business Suite against CVE-2025-61884, a critical SSRF vulnerability actively exploited for unauthorized access and data exfiltration. This flaw, rated high severity (CVSS 3.1) and aligned with CWE-918, allows attackers to forge requests by manipulating server input validation. Exploitation tactics include scanning internal networks, bypassing firewalls, and interacting with cloud metadata services. Immediate patching via Oracle's Critical Patch Update is recommended, with mitigations like network segmentation and WAFs as alternatives. |
| 2025-10-18 2025 | Critical Zimbra SSRF Vulnerability Let Attackers Access Sensitive DataSSRF | Library update 10.1.12 for Zimbra Collaboration Suite resolves a critical Server-Side Request Forgery (SSRF) vulnerability in the chat proxy configuration. This flaw, affecting versions 10.1.5 through 10.1.11, allowed attackers to craft requests to access internal resources and sensitive user data. The vulnerability exploited improper URL validation, enabling unauthorized access to configuration files, tokens, and connected services. Administrators are urged to apply the latest update to prevent exploitation and enhance overall system resilience. |
| 2025-09-10 2025 | GitLab Patches Multiple Vulnerabilities That Enables Denial Of Service and SSRF AttacksSSRF | Patches for GitLab CE/EE address six vulnerabilities, including high-severity SSRF (CVE-2025-6454) allowing authenticated users to trigger unintended internal requests via Webhook custom headers, and DoS (CVE-2025-2256) exploitable by unauthenticated attackers sending SAML responses. Medium-severity flaws also patched include DoS vulnerabilities CVE-2025-1250, CVE-2025-7337, CVE-2025-10094, and information disclosure CVE-2025-6769. |
| 2025-08-11 2025 | Xerox FreeFlow Vulnerabilities leads to SSRF and RCE AttacksSSRF | Writeup detailing CVE-2025-8355 and CVE-2025-8356, critical vulnerabilities found in Xerox FreeFlow Core version 8.0.4. Discovered by Horizon3.ai researchers, CVE-2025-8355 is an XXE flaw enabling SSRF attacks, allowing attackers to bypass firewalls and access internal resources. CVE-2025-8356 is a path traversal vulnerability that can lead to RCE, permitting arbitrary command execution and system compromise. Xerox has released version 8.0.5 with patches for both issues, and immediate upgrading is crucial for mitigation. |
| 2025-06-19 2025 | Open Next for Cloudflare SSRF Vulnerability Let Attackers Load Remote Resources from Arbitrary HostsSSRF | Library vulnerability CVE-2025-6087, a high-severity SSRF in `@opennextjs/cloudflare` prior to 1.3.0, allows unauthenticated attackers to load remote resources from arbitrary hosts via the `/_next/image` endpoint. Exploiting this CWE-918 flaw, attackers can proxy malicious content through victim domains, enabling phishing and internal service exposure. Cloudflare has implemented server-side mitigations, and users are advised to upgrade to `@opennextjs/cloudflare@1.3.0` and configure `remotePatterns` in Next.js. |
| 2025-05-16 2025 | SonicWall SMA1000 Vulnerability Let Attackers to Exploit Encoded URLs To Gain Internal Systems Access RemotelySSRF | Advisory SNWLID-2025-0010 details CVE-2025-40595, a critical SSRF vulnerability in SonicWall SMA1000 Work Place interface affecting firmware 12.4.3-02925 and earlier. This flaw, with a CVSS v3 score of 7.2, allows unauthenticated attackers to exploit encoded URLs to force the appliance into making unauthorized requests, potentially gaining access to internal systems. A hotfix, version 12.4.3-02963 and higher, is available on MySonicWall and is crucial as no workaround exists. |
| 2025-05-05 2025 | Hackers Leveraging Email Input Fields to Exploit Vulnerabilities Ranging from XSS to SSRFSSRF | Analysis of email input field vulnerabilities reveals exploitation techniques for Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), and email header injection. Attackers leverage crafted email addresses containing XSS payloads, exploit outbound requests made during email validation to target internal endpoints or cloud metadata, and inject CRLF characters into headers for malicious email manipulation. Mitigations include strict RFC822-compliant validation, context-aware sanitization, CRLF filtering, and restricting outbound requests. |
| 2025-04-15 2025 | Hackers Exploiting EC2 Instance Metadata Vulnerability to Attacks Websites HostedSSRF | Library for detecting and preventing exploitation of EC2 Instance Metadata Service (IMDSv1) and Server-Side Request Forgery (SSRF) vulnerabilities. This campaign, observed by F5 Labs, leverages SSRF to query the IMDSv1 endpoint (169.254.169.254) for temporary AWS security credentials, enabling attackers to gain unauthorized access to cloud resources like S3 buckets and databases. Recommended mitigations include transitioning to IMDSv2 and employing Web Application Firewalls (WAFs). |
| 2025-03-12 2025 | 400 IPs Actively Exploiting Multiple SSRF Vulnerabilities In The WildSSRF | Analysis of active exploitation targeting multiple SSRF vulnerabilities, including CVE-2020-7796 (Zimbra), CVE-2021-22214 (GitLab), CVE-2021-21973 (VMware vCenter), and CVE-2024-21893 (Ivanti Connect Secure). This coordinated campaign involves approximately 400 IPs systematically attempting to abuse server functionality for unauthorized requests, with a significant focus on cloud metadata APIs and credential theft, reminiscent of the 2019 Capital One breach. |
| 2025-02-10 2025 | Microsoft SharePoint Connector Vulnerability Let Attackers Steal Users CredentialsSSRF | Writeup detailing CVE-2024-49070, a critical server-side request forgery (SSRF) vulnerability in Microsoft Power Platform's SharePoint connector. This flaw, exploitable by attackers with basic user roles, allowed for credential harvesting and user impersonation across Power Apps, Power Automate, Copilot Studio, and Copilot 365 by manipulating crafted URLs and leaking SharePoint JWTs. Zenity Labs demonstrated the bypass of authentication mechanisms through stolen tokens, enabling unauthorized actions and data exfiltration. Microsoft patched this "Important" severity issue in December 2024 for SharePoint Server and Power Platform services. |
| 2024-08-14 2024 | Critical SSRF Vulnerability in Microsoft Azure Let Hackers Compromise Health Bot ServicesSSRF | Analysis of a critical SSRF vulnerability in Microsoft Azure Health Bot Service, discovered by Tenable Research. This vulnerability allowed attackers to bypass security filters and access internal endpoints like Azure's Internal Metadata Service (IMDS). By redirecting requests to an attacker-controlled host, they could obtain access tokens for management.azure.com, leading to unauthorized access to cross-tenant resources and potential lateral movement. Microsoft has since patched the vulnerabilities. |