gbhackers.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-06.
RCE 52
XSS 24
SSRF 20
Supply Chain 13
SQLi 11
API Sec 9
Python 4
AI 2
Bug Bounty 2
Burp 2
Mobile 2
GraphQL 1
| Date Added | Resource | Tags | Excerpt |
|---|---|---|---|
| 2026-06-06 | Critical UniFi OS Auth Bypass Flaws Lead to Unauthenticated Root RCE | RCE | Researchers discovered critical authentication bypass vulnerabilities in UniFi OS, allowing unauthenticated remote code execution (RCE) with root privileges. These flaws exploit weaknesses in how UniFi OS handles user authentication, enabling attackers to gain full control of vulnerable devices without needing valid credentials. This serious security issue could lead to widespread compromise of networks using UniFi equipment. |
| 2026-06-05 | Hugging Face Transformers Security Flaw Allows Remote Code Execution | RCE | A security vulnerability in Hugging Face Transformers, a popular library for natural language processing, has been discovered. This flaw allows for remote code execution, meaning attackers could potentially run malicious code on a user's system. The library's complex parsing logic is identified as the root cause. Users are advised to update to the latest version to patch this critical vulnerability. The content does not specify a bug bounty payout amount. |
| 2026-06-05 | Malicious Python Package Mimics Parsimonious Parser | Python | A malicious Python package has been discovered that masquerades as the legitimate "Parsimonious" parser library. Attackers are likely using this to compromise systems that depend on the original package. Users are advised to exercise extreme caution and verify the authenticity of any installed "Parsimonious" package. No bounty payout amount is mentioned in this content. |
| 2026-06-04 | PoC Exploit Released for Cisco Unified Communications Manager Security Vulnerability | SSRF | A Proof-of-Concept (PoC) exploit has been released for a security vulnerability affecting Cisco Unified Communications Manager (CUCM). This vulnerability, detailed in a Cisco security advisory, allows attackers to potentially gain unauthorized access or disrupt services. The release of the PoC means that exploits are now publicly available, increasing the risk for organizations using vulnerable CUCM versions. It is crucial for users to apply the necessary patches and updates provided by Cisco to mitigate this threat. |
| 2026-06-03 | 1-Click GitHub Vulnerability Enables OAuth Token Theft | API Sec | A critical vulnerability in GitHub's OAuth application flow allowed attackers to steal OAuth tokens with a single click. This exploit leveraged a misconfiguration that enabled the redirection of authenticated users to malicious websites. Once redirected, attackers could trick users into granting permissions, effectively gaining unauthorized access to their GitHub accounts and associated data. This significant security flaw highlights the importance of robust authentication and authorization mechanisms. |
| 2026-06-03 | Red Hat Confirms Supply Chain Breach Impacting @redhat-cloud-services npm Packages | Supply Chain | Red Hat Confirms Supply Chain Breach Impacting @redhat-cloud-services npm Packages https://ift.tt/YeO8mcy |
| 2026-06-02 | 34 Malicious Packages Steal Cloud Keys Wallets and SSH Credentials | Supply Chain | Thirty-four malicious npm packages have been discovered that steal sensitive information from developers. These packages, disguised as legitimate tools, are designed to exfiltrate cloud API keys, cryptocurrency wallet credentials, and SSH keys. The compromised packages were published on the npm registry, a popular repository for JavaScript. This incident highlights the ongoing threat of supply chain attacks and the importance of vigilant security practices when using third-party code. No specific bounty payout amount was mentioned in the provided content. |
| 2026-06-02 | TP-Link Router Security Bug Enables Remote Command Execution Attacks | RCE | A critical security vulnerability in TP-Link routers allows for remote command execution. This flaw enables attackers to compromise the devices without requiring user interaction or authentication, potentially leading to widespread network breaches. Further details on the exploit and affected models are available via the provided link. |
| 2026-06-01 | Critical Magento Cache Plugin Vulnerability Enables Remote Code Execution Attacks | RCE | A critical vulnerability has been discovered in a Magento cache plugin, allowing remote code execution (RCE) attacks. This flaw could enable attackers to compromise Magento websites. Further details and potential mitigation strategies are available via the provided link. No specific bounty payout amount is mentioned in the content. |
| 2026-05-29 | Typosquatted npm Packages Steal Cloud and CI/CD Secrets | Supply Chain | Library that details a coordinated npm supply chain attack leveraging typosquatted packages like "opensearch-setup" and "elastic-opensearch-helper" to steal cloud and CI/CD secrets. The malware uses npm lifecycle hooks for silent execution, with payloads designed to harvest AWS credentials, HashiCorp Vault tokens, GitHub Actions secrets, and npm publish tokens. Attackers exploit techniques like metadata spoofing, version number inflation, and embedded Bun runtimes to evade detection, with a unique "X-Supply: 1" header as a potential indicator of compromise. |
| 2026-05-29 | GitLab Patches Multiple Duo AI DoS and Authorisation Vulnerabilities | GraphQL | Patches for GitLab CE/EE address seven vulnerabilities, including Duo AI authorization flaws and Wiki denial-of-service. CVE-2026-4868, a critical flaw, allows authenticated users to impersonate others via Duo AI workflows. Medium-severity issues impact GraphQL, Operations, Pipelines, and authentication, potentially exposing private data or bypassing access controls. Self-managed installations require immediate upgrades to versions 19.0.1, 18.11.4, or 18.10.7. |
| 2026-05-29 | New Gogs 0-Day Flaw Enables Remote Code Execution on Servers | RCE | Library on a critical 0-day vulnerability in the "Rebase before merging" feature that allows authenticated users to run arbitrary commands on a Gogs server. The flaw, discovered by Rapid7 Labs and impacting versions 0.14.2 and 0.15.0+dev, stems from unsanitized branch names being passed to Git commands, enabling the injection of an "--exec" flag for remote code execution. This allows attackers to access sensitive data, steal credentials, and pivot to other systems, with a Metasploit module available for exploitation. |
| 2026-05-29 | Anthropic Launches Free Claude Code Terminal Plugin to Detect Security Vulnerabilities | API Sec | Plugin for Claude Code that continuously scans AI-generated code for vulnerabilities like injection flaws and insecure deserialization. It employs a three-layer review process: fast pattern matching on edits, an end-of-turn Claude security review for higher-level issues such as IDORs and SSRF, and an agentic review on commits. The plugin can be extended with custom rules and patterns. |
| 2026-05-28 | Roundcube Webmail Vulnerability Allows Hackers to Execute Malicious SQL Queries | SQLi | Library update addressing critical Roundcube Webmail vulnerabilities, including a pre-authentication SQL injection in the virtuser_query plugin via `preg_replace` backslash escape bypass, code injection via unsafe LDAP autovalues evaluation, stored XSS in draft restore, CSS injection bypass with SVG animate, SSRF and remote resource fetch bypasses, remote image blocking bypass, and pre-authentication arbitrary file deletion through Redis/Memcache session poisoning. Versions 1.6.16 and 1.7.1 contain the fixes. |
| 2026-05-28 | Critical Notepad Flaw Could Enable Remote Code Execution Attacks | RCE | Writeup on Notepad++ vulnerabilities CVE-2026-48770, CVE-2026-48778, and CVE-2026-48800, detailing how improper handling of config.xml, specifically the `commandLineInterpreter` parameter, can lead to arbitrary code execution via the "Open Containing Folder in cmd" feature. Attack vectors include direct file modification, malicious shortcuts using `-settingsDir`, cloud-synced configurations, and social engineering. Remediation requires upgrading to Notepad++ 8.9.6.1. |
| 2026-05-28 | Microsoft SharePoint Server Flaw Enables Remote Code Execution Attacks | RCE | Analysis of CVE-2026-45659, a critical remote code execution flaw in Microsoft SharePoint Server. This vulnerability, stemming from deserialization of untrusted data (CWE-502), carries a CVSS v3.1 score of 8.8 and can be exploited over a network with low attack complexity and no user interaction, requiring only authenticated access. Exploitation allows attackers to execute arbitrary code within the SharePoint server context, potentially leading to lateral movement, privilege escalation, and data breaches. Microsoft has released security updates to patch this high-priority vulnerability. |
| 2026-05-28 | Angular Language Service Extension Flaws Allow Remote Code Execution | RCE | Library on vulnerabilities in the Angular Language Service VS Code extension (Angular.ng-template) before version 21.2.4. Exploits include JSDoc Markdown command injection and unsafe handling of TypeScript SDK configurations, allowing attackers to achieve remote code execution through malicious project files. These flaws bypass VS Code's Workspace Trust model, enabling arbitrary command execution during workspace initialization or via user interaction with tooltips. Affected CWEs include CWE-79, CWE-94, CWE-427, and CWE-494. |
| 2026-05-25 | CISA Warns Drupal Core SQL Injection Vulnerability Is Being Exploited in Attacks | SQLi | Writeup of CVE-2026-9082, an actively exploited SQL injection vulnerability in Drupal Core. This CWE-89 flaw allows unauthenticated attackers to execute malicious SQL queries, potentially leading to privilege escalation, data exposure, and remote code execution. CISA has added it to its Known Exploited Vulnerabilities catalog, mandating remediation for federal agencies. Organizations should apply patches, harden database access, and update WAF rules to mitigate risks. |
| 2026-05-25 | Hackers Compromise 34 npm PyPI and Crates Packages in Major Supply Chain Attack | Supply Chain | Survey of the "TrapDoor" supply chain attack, which compromised 34 npm, PyPI, and Crates.io packages, including `eth-security-auditor` and `wallet-security-checker`. The attack uses ecosystem-specific techniques like post-install scripts and compile-time code execution to steal SSH keys, cloud credentials, and crypto wallet data, while employing persistence mechanisms and attempting AI prompt injection via hidden instructions in files like `.cursorrules`. |
| 2026-05-22 | Microsoft DurableTask Python Client Targeted in TeamPCP Cyberattack | Python | Writeup on the TeamPCP supply chain attack that compromised the Microsoft DurableTask Python client, specifically versions 1.4.1, 1.4.2, and 1.4.3. The attackers leveraged a compromised GitHub user to gain access to repository secrets, including a PyPI token, allowing them to publish trojanized versions. The payload, an evolution of previous malware, steals cloud credentials from AWS, Azure, GCP, Kubernetes, and Vault, and propagates via AWS SSM and Kubernetes, also attempting to unlock password managers like Bitwarden. |
| 2026-05-21 | Critical Vulnerability in Cisco Secure Workload Threatens Enterprise API Security | API Sec | Writeup of CVE-2026-20223, a critical vulnerability in Cisco Secure Workload allowing unauthenticated administrative access via internal REST API endpoints. This flaw, with a CVSS score of 10.0 and classified as CWE-306, enables attackers to gain Site Admin privileges, access sensitive cross-tenant data, modify configurations, and disrupt operations. Patches are available for on-premises deployments (versions 3.10.8.3 for 3.10, 4.0.3.17 for 4.0, and migration for earlier versions), while SaaS environments are already remediated. Immediate upgrades are strongly advised as there are no workarounds. |
| 2026-05-20 | New NGINX Vulnerability Exposes Servers to Malicious Code Execution | RCE | Writeup of CVE-2026-8711, a heap-based buffer overflow in NGINX's JavaScript module affecting versions 0.9.4 through 0.9.8. Exploitation via the `js_fetch_proxy` directive with client-controlled variables and `ngx.fetch()` calls can lead to denial-of-service or, in systems without ASLR, remote code execution. F5 advisory K000161307 details the vulnerability, recommending an upgrade to njs 0.9.9 or later or refactoring configurations. |
| 2026-05-19 | 20-Year-Old PostgreSQL Flaw Gets Public PoC Exploit for Remote Code Execution | RCE | Library for exploiting CVE-2026-2005, a two-decade-old PostgreSQL flaw in the pgcrypto extension leading to remote code execution. This vulnerability allows attackers to achieve arbitrary read/write memory access via a heap-based buffer overflow in PGP session key parsing, ultimately escalating privileges to PostgreSQL superuser. The public PoC, demonstrating a multi-stage exploit that bypasses ASLR, leverages crafted PGP messages and PostgreSQL's "COPY FROM PROGRAM" feature to execute arbitrary OS commands. |
| 2026-05-19 | PostgreSQL Flaws Expose Databases to Remote Code Execution and SQL Injection | SQLi | Analysis of critical PostgreSQL security updates addressing 11 vulnerabilities, including remote code execution (RCE) via stack buffer overflows in the refint module (CVE-2026-6637) and SQL injection flaws in replication features (CVE-2026-6472, CVE-2026-6476, CVE-2026-6638). Versions 14 through 18 are affected, with patched releases including 18.4, 17.10, 16.14, 15.18, and 14.23. Other identified issues encompass memory corruption, privilege escalation, symlink attacks (CVE-2026-6475), and timing attacks on authentication (CVE-2026-6478). |
| 2026-05-19 | SEPPmail Gateway Flaws Expose Organizations to RCE and Email Traffic Interception | RCE | Writeup of SEPPmail Gateway vulnerabilities including CVE-2026-2743, CVE-2026-7864, CVE-2026-44127, and CVE-2026-44128, allowing pre-authenticated RCE via arbitrary file write in the LFT module and Perl code injection in the GINA v2 interface. Attackers can chain these flaws to gain full control of email gateways, intercept sensitive email traffic, and access confidential communications and credentials, posing significant risks to organizations, particularly in the DACH region. |
| 2026-05-18 | Critical NGINX Vulnerability Lets Hackers Launch Remote Code Execution Attacks | RCE | Writeup on CVE-2026-42945, a critical NGINX vulnerability allowing unauthenticated attackers to crash servers or execute remote code via specially crafted HTTP requests triggering a heap buffer overflow. Exploitation is possible under specific conditions, such as ASLR being disabled, and requires a particular rewrite configuration. Millions of NGINX servers are exposed, and active exploitation has been observed, necessitating prompt patching and configuration audits. |
| 2026-05-18 | Critical Marimo RCE Flaw Could Let Attackers Execute Malicious Code Remotely | RCE | Library for mitigating CVE-2026-39987, a critical RCE flaw in the Marimo Python notebook framework. This vulnerability allows unauthenticated attackers to spawn a system-level shell via the `/terminal/ws` WebSocket endpoint, potentially leading to full infrastructure compromise. Exploitation has been observed with NKAbuse malware, leveraging simple WebSocket clients to execute commands. Affected Marimo versions prior to 0.23.0 require immediate upgrading, with interim mitigations including network access restrictions and non-root execution. |
| 2026-05-18 | 1 Million WordPress Websites Exposed by Avada Builder Security Vulnerabilities | SQLi | Library update addressing CVE-2026-4782 and CVE-2026-4798 in Avada Builder, a WordPress plugin used by over a million sites. The arbitrary file read vulnerability (CVSS 6.5) allows authenticated users to extract sensitive files like wp-config.php. The SQL injection vulnerability (CVSS 7.5) enables unauthenticated attackers to perform time-based blind SQL injection attacks. Updates to version 3.15.3 are recommended to mitigate these risks. |
| 2026-05-18 | n8n Security Flaws Could Let Attackers Achieve Remote Code Execution | RCE | Writeup of n8n security flaws (CVE-2026-44789, CVE-2026-44790, CVE-2026-44791) detailing how prototype pollution, argument injection in the Git node, and patch bypass in the XML node can be chained for remote code execution. These critical vulnerabilities, requiring only low-privilege authenticated access, enable attackers to perform arbitrary file reads and compromise the entire n8n instance by manipulating workflow logic. |
| 2026-05-18 | Claude Code Vulnerability Allows Attackers to Run Commands Through Crafted Deeplinks | RCE | Writeup of a Claude Code RCE vulnerability allowing arbitrary command execution via crafted deeplinks, exploiting a flaw in `eagerParseCliFlag` that mishandles `--settings=` within URL parameters. This technique, discovered by Joernchen, impacts Claude Code versions prior to 2.1.118 and demonstrates the risks of naive string parsing for CLI arguments, particularly when combined with deeplink handlers that inject user-controlled input into critical application logic. |
| 2026-05-14 | Windows DNS Client Security Flaw Exposes Systems to Remote Code Execution | RCE | Writeup on CVE-2026-41096, a critical heap-based buffer overflow in the Windows DNS Client (dnsapi.dll) that allows remote code execution. Exploitable over the network without user interaction or privileges, it has a CVSS score of 9.8. Attackers can trigger this vulnerability by sending a specially crafted DNS response, potentially leading to full system compromise. Microsoft released patches in May 2026. |
| 2026-05-14 | GitLab Security Flaw Allows Cross-Site Scripting and Unauthenticated DoS | XSS | Library update addressing 25 vulnerabilities in GitLab CE/EE, including four critical XSS flaws (CVSS 8.7) affecting Analytics, global search, and Duo Agent output, allowing authenticated attackers to hijack sessions. Three severe DoS vulnerabilities (CVSS 7.5) are also patched, enabling unauthenticated attacks via crafted requests to CI/CD, Duo Workflows, or internal APIs to crash servers. Additional fixes include CVE-2026-1322 (GraphQL authorization flaw), CSRF in JiraConnect, and bypasses for package protection rules. |
| 2026-05-14 | Critical Exim Mailer Flaw Enables Remote Code Execution Attacks | RCE | Writeup on CVE-2026-45185, nicknamed "Dead.Letter," detailing a critical use-after-free vulnerability in Exim mail transfer agents compiled with GnuTLS. This flaw allows unauthenticated attackers to achieve remote code execution by crafting SMTP commands that trigger memory corruption during TLS shutdown amidst BDAT chunk processing. The vulnerability's exploitability is amplified by Exim's custom pool allocator, enabling attackers to corrupt heap metadata and gain control via function pointer overwrites. Mitigation includes upgrading Exim, switching to OpenSSL, or disabling BDAT support. |
| 2026-05-14 | PoC Released for 18-Year-Old NGINX Flaw Allowing Remote Code Execution | RCE | Writeup of CVE-2026-42945 (NGINX Rift), a critical 18-year-old heap buffer overflow vulnerability in NGINX's `ngx_http_rewrite_module` discovered by depthfirst's AI. This unauthenticated RCE flaw affects NGINX versions from 0.6.27 to 1.30.0 and impacts various F5 and NGINX products. The article also details CVE-2026-42946 (excessive memory allocation), CVE-2026-40701 (use-after-free), and CVE-2026-42934 (out-of-bounds read). Immediate upgrades to NGINX 1.31.0 or 1.30.1 are recommended. |
| 2026-05-14 | Langflow CVE-2026-33017 Exploited to Steal AWS Keys Deploy NATS Worker | API Sec | Writeup detailing the exploitation of Langflow CVE-2026-33017, enabling attackers to steal AWS keys and deploy NATS workers. The vulnerability grants unauthenticated arbitrary Python execution, allowing access to environment variables and secrets. Attackers leverage this to compromise AWS environments, perform reconnaissance across various services like Bedrock and S3, and then deploy specialized Python and Go workers for credential harvesting. These workers communicate via a hardened NATS server, acting as covert command-and-control infrastructure for the "KeyHunter" project, which targets online code sandboxes and commercial LLM APIs. |
| 2026-05-13 | JDownloader Hack Spreads New Python RAT | Python | Writeup on the JDownloader supply-chain attack where attackers exploited a CMS vulnerability to distribute malicious installers containing a Python RAT. The attack affected Windows and Linux users who downloaded alternative installers between May 6-7, 2026, with the malware allowing remote code execution and using spoofed signatures. Analysis revealed a modular bot framework with identified C2 endpoints and injected code in the Linux variant disguised as `/usr/libexec/upowerd`. Users are advised to reinstall their operating systems if affected. |
| 2026-05-13 | New PoC Exploit Published for Microsoft Defender 0-Day Flaw | Bug Bounty | Writeup of the RedSun exploit, a proof-of-concept for CVE-2026-33825 in Microsoft Defender, released by researcher "Chaotic Eclipse" to GitHub. This uncoordinated disclosure bypasses vendor protocols and poses an immediate threat to organizations reliant on the software, highlighting ongoing friction between independent researchers and Microsoft's MSRC. The researcher also previously released a denial-of-service tool, BlueHammer, and threatens further critical RCE exploits. |
| 2026-05-13 | PHP SOAP Extension Flaw Could Let Attackers Execute Code Remotely | RCE | Library for detecting vulnerabilities in PHP's SOAP extension and core functions. This includes high-severity Remote Code Execution (RCE) via Use-After-Free in ext-soap (CVE-2026-6722), and moderate Use-After-Free (CVE-2026-7261), NULL pointer dereference (CVE-2026-7262), and out-of-bounds reads (CVE-2026-7258, CVE-2026-6104). Patches are available for PHP versions before 8.2.31, 8.3.31, 8.4.21, and 8.5.6. |
| 2026-05-12 | SAP Releases Patch for Critical SQL Injection Flaw in S/4HANA | SQLi | Reference on SAP's May 2026 security patches, which address a critical SQL injection (CVE-2026-34260) in S/4HANA ABAP enterprise search, a missing authentication check vulnerability (CVE-2026-34263) in Commerce Cloud, and an OS command injection flaw (CVE-2026-34259) in forecasting and replenishment software. These patches also mitigate medium-severity issues including XSS and DoS across Business Objects and NetWeaver. |
| 2026-05-12 | Open WebUI File Upload Vulnerability Enables 1-Click RCE Attack | RCE | Library for securing Open WebUI against a stored XSS flaw, allowing 1-click RCE and account hijacking via profile picture uploads. The vulnerability, discovered by Metin Yunus Kandemir, exploits the backend's failure to validate SVG files containing embedded JavaScript when uploaded with a base64-encoded `data:image/svg+xml` prefix. This allows attackers to craft reverse shell payloads, execute code within user contexts, and steal local storage tokens and chat logs. Administrators can mitigate by restricting media types in `users.py`. |
| 2026-05-12 | Cline AI Agent Flaw Allows Attackers to Launch RCE Attacks | RCE | Writeup of CVE-2026-44211, a critical RCE vulnerability in the Cline AI coding assistant's kanban package. Versions before v2.13.0 are affected, allowing attackers to exploit a missing Origin header validation on a WebSocket server to leak workspace information, hijack terminals for arbitrary command execution, and terminate agent sessions. The flaw, stemming from CWE-306 and CWE-1385, requires no user interaction beyond visiting a malicious website. |
| 2026-05-12 | Checkmarx Jenkins AST Plugin Compromised in KICS Supply Chain Attack | Supply Chain | Library for detecting and mitigating the Checkmarx Jenkins AST plugin compromise, a supply chain attack attributed to TeamPCP. This compromise involved a malicious version 2026.5.09 being pushed to the Jenkins Marketplace, affecting KICS/Trivy linked ecosystems. The attack leveraged CI/CD credential theft to pivot into downstream software publishers, with the primary objective of exfiltrating secrets from CI/CD runners. Users are advised to revert to version 2.0.13-829.vc72453fa_1c16 or earlier. |
| 2026-05-10 | Multiple Critical Flaws Fixed in Next.js and React Server Components | SSRF | Library patches address critical vulnerabilities in Next.js versions 13.x to 16.x. These include CVE-2026-44575 and CVE-2026-44574, which allow unauthenticated middleware and authentication bypasses through specially crafted URLs and query parameters. Denial of Service (DoS) vulnerabilities, CVE-2026-23870 and CVE-2026-44579, exploit server function deserialization and cache component deadlocks, respectively. Additionally, CVE-2026-44578 enables Server-Side Request Forgery (SSRF) via manipulated WebSocket upgrade requests in self-hosted deployments. Updates to versions 15.5.16 and 16.2.5 are urgently recommended. |
| 2026-05-07 | Redis Security Flaws Expose Servers to Remote Code Execution Risks | RCE | Writeup on Redis security flaws, including CVE-2026-23479 (use-after-free), CVE-2026-25243 (RESTORE command invalid memory access), CVE-2026-25588 (RedisTimeSeries module) and CVE-2026-25589 (RedisBloom module) which enable RCE for authenticated attackers, and CVE-2026-23631 (Lua use-after-free) affecting master-replica sync. These vulnerabilities, impacting Redis versions up to 8.0.6, were identified by researchers from Wiz ZeroDay.Cloud, Team Xint Code, and others, and have been patched in newer releases. |
| 2026-05-07 | Critical vm2 Node.js Library Flaws Enable Arbitrary Code Execution Attacks | RCE | Library flaws in vm2, a popular Node.js sandboxing package, allow for sandbox escapes and arbitrary code execution. Eleven critical vulnerabilities, including CVE-2026-26956, CVE-2026-43999, and CVE-2026-44007, exploit weaknesses in its internal bridge mechanism and allowlist configurations. Attackers can manipulate JavaScript primitives like `__lookupGetter__` and `Buffer.apply`, or exploit specific CVEs related to WebAssembly and module loading, to gain host system access. Organizations should upgrade to vm2 version 3.11.1 and consider alternatives like isolated-vm or Deno for untrusted code execution. |
| 2026-05-05 | Critical Weaver E-cology RCE Exploit Raises Alarm for Enterprise Systems | RCE | Writeup detailing CVE-2026-22679, a critical unauthenticated RCE in Weaver E-cology, impacting builds before 20260312. The vulnerability exploits a debug endpoint allowing OS command execution via Dubbo RPC parameters. Attackers leverage this for initial access, deploying payloads through PowerShell download cradles and fileless techniques. The writeup includes a structured, week-long intrusion campaign analysis, RCE verification via `ping.exe` to Goby infrastructure, and multiple payload delivery attempts using executables and MSI packages. Organizations are advised to patch, audit process trees for suspicious activity, and restrict internet exposure. |
| 2026-05-05 | Qualcomm Chipset Vulnerabilities Raise Alarm Over Remote Code Execution Risk | Mobile, RCE | Bulletin detailing critical Qualcomm chipset vulnerabilities, including CVE-2026-25254 (Remote Code Execution in Software Center), CVE-2026-25293 (RCE via PLC firmware buffer overflow), and CVE-2026-25262 (local privilege escalation via bootloader memory corruption). Flaws also affect automotive GPUs and wireless components, leading to memory corruption and denial-of-service conditions. |
| 2026-05-05 | Critical Android Zero-Click Vulnerability Enables Remote Shell Access | Mobile, RCE | Writeup on CVE-2026-0073, a critical Android zero-click vulnerability allowing remote shell access via the Android Debug Bridge Daemon (adbd). Exploitable from adjacent networks, this flaw grants shell user privileges and bypasses sandboxing. Affected Android versions include 14, 15, 16, and 16-qpr2. Remediation is available through Project Mainline updates and the May 2026 security patch. |
| 2026-05-05 | pnpm 11 Enables Default Release-Age Guard to Curb npm Supply Chain Attacks | Supply Chain | Library update: pnpm 11 introduces security-first defaults to mitigate supply chain attacks. It enforces a 24-hour minimum release age for new package versions, directly countering tactics used in campaigns like "Mini Shai-Hulud." The update also enables `blockExoticSubdeps` by default, preventing installations from non-standard sources like Git repositories. Furthermore, `allowBuilds` simplifies control over install-time script execution, a common vector for malicious code injection. These measures aim to disrupt common attack techniques by adding crucial delays and restrictions during dependency installation. |
| 2026-05-05 | Apache HTTP Server Vulnerability Exposes Millions to Remote Code Execution Threats | RCE | Library update for Apache HTTP Server version 2.4.66 addresses CVE-2026-23918, a critical "double free" vulnerability impacting the HTTP/2 protocol. This flaw allows remote code execution (RCE) and denial-of-service (DoS) attacks. Administrators must update to version 2.4.67 immediately, monitor logs for suspicious HTTP/2 traffic, or temporarily disable the protocol. |
| 2026-05-04 | New Apache MINA Vulnerabilities Open Door to Remote Code Execution Attacks | RCE | Framework advisory detailing two critical vulnerabilities, CVE-2026-42778 and CVE-2026-42779, in Apache MINA. These flaws, related to untrusted data deserialization within the AbstractIoBuffer.resolveClass() method, allow for remote code execution when applications utilize AbstractIoBuffer.getObject() without proper validation. Affected users must upgrade to Apache MINA versions 2.1.12 or 2.2.7 to mitigate these risks. |
| 2026-05-04 | FreeBSD Systems at Risk From DHCP Client RCE Vulnerability | RCE | Advisory for CVE-2026-42511, a critical RCE vulnerability in FreeBSD's default IPv4 dhclient, which allows local network attackers to execute arbitrary code as root by crafting malicious DHCP lease options. Discovered by Joshua Rogers, this flaw impacts supported FreeBSD versions and can be exploited via a rogue DHCP server to inject code into the dhclient.conf file. The FreeBSD Project urges immediate patching via binary updates or package upgrades, followed by a system reboot or service restart. Network-level defenses like DHCP snooping can also mitigate the attack vector. |
| 2026-05-01 | Jenkins Plugin Updates Fix Path Traversal and Stored XSS Bugs | XSS | Library updates for Jenkins address seven vulnerabilities, including critical path traversal (CVE-2026-42520) in the Credentials Binding Plugin, enabling arbitrary file writes and potential RCE. Stored XSS flaws are patched in the GitHub Plugin (CVE-2026-42523) and HTML Publisher Plugin (CVE-2026-42524), allowing script injection. Medium-severity issues like information disclosure via Script Security Plugin (CVE-2026-42519) and unsafe deserialization in Matrix Authorization Strategy Plugin (CVE-2026-42521) are also resolved, alongside unauthorized connection tests in GitHub Branch Source Plugin (CVE-2026-42522) and open redirects in Microsoft Entra ID Plugin (CVE-2026-42525). |
| 2026-05-01 | Ruby Gems and Go Modules Used in Campaign Targeting GitHub Actions | Supply Chain | Library detailing a sophisticated supply chain attack utilizing malicious Ruby gems and Go modules that target GitHub Actions. The attack exploits native extension builds for credential theft, scanning for secrets like SSH keys and AWS credentials, and exfiltrating data via hidden endpoints. Malicious Go modules subvert CI environments by tampering with dependency resolution, poisoning proxy settings, and disabling checksum verification. Some payloads attempt to establish persistent access by adding SSH public keys to authorized keys files. |
| 2026-04-30 | ProFTPD SQL Injection Flaw Opens Door To Remote Code Execution Attacks | RCE, SQLi | Writeup of CVE-2026-42167, a critical SQL injection flaw in ProFTPD's mod_sql extension. This vulnerability, with a CVSS score of 8.1, allows remote attackers to bypass authentication, escalate privileges, and potentially achieve remote code execution by injecting malicious SQL commands into usernames or other input fields. The impact ranges from data theft and credential compromise to full system control when ProFTPD is configured with PostgreSQL and elevated privileges. Versions prior to ProFTPD 1.3.9a are affected. |
| 2026-04-29 | SLOTAGENT Malware Hides API Calls and Strings to Thwart Analysis | API Sec | Library providing an IDA Python script to decrypt strings obfuscated with a TEA-like algorithm within the SLOTAGENT RAT. This malware, discovered in early 2026, employs advanced evasion techniques including dynamic API resolution via XOR and ROR11 hashing, RC4 decryption of its `db.config` file, and reflective loading of XOR-encoded payloads. SLOTAGENT communicates with its C2 server at 43.156.59[.]110:699 using a proprietary HTTP-like protocol and offers extensive post-exploitation capabilities like screenshotting, file operations, remote shell, BOF execution, and time stomping. |
| 2026-04-29 | GitHub.com and Enterprise Server Vulnerability Allows Remote Code Execution | RCE, Supply Chain | Library for identifying and mitigating a critical RCE vulnerability, CVE-2026-3854, in GitHub's git infrastructure. The flaw stemmed from improper neutralization of special elements during repository push operations, allowing authenticated users to execute arbitrary commands by injecting crafted metadata into the X-Stat header. Exploitation involved chaining delimiter injection to bypass security sandboxes, redirect hook directories, and achieve path traversal for arbitrary binary execution, impacting both GitHub.com and Enterprise Server instances. Wiz Research utilized AI-augmented tools like IDA MCP for analysis. |
| 2026-04-28 2026 | Hugging Face LeRobot Flaw Opens Door to Remote Code Execution AttacksRCESupply Chain | Library flaw in Hugging Face's LeRobot, CVE-2026-25874, permits unauthenticated RCE. The vulnerability stems from using `pickle.loads()` for deserializing data over an insecure gRPC channel, allowing attackers to send crafted payloads to execute arbitrary system commands. Exploitation is possible via RPC handlers like `SendPolicyInstructions` and `SendObservations`, especially when the server binds to `0.0.0.0` in production environments. Remediation involves removing pickle serialization, implementing TLS encryption, and enforcing authentication. |
| 2026-04-28 2026 | Critical LiteLLM Flaw Enables Database Attacks Through SQL InjectionSQLi | Writeup on CVE-2026-42208, a critical pre-authentication SQL injection vulnerability in LiteLLM. This flaw allows unauthenticated attackers to execute arbitrary SQL queries against the database due to improper header parameterization. Attackers have been observed exploiting this to steal API keys and provider credentials, demonstrating targeted extraction techniques like column-count enumeration. Updating to LiteLLM version 1.83.7 is crucial, and internet-facing instances should be considered compromised, necessitating immediate secret rotation. |
| 2026-04-28 2026 | ClickUp Security Flaw Exposes 959 Emails Linked to Major Fortune 500 FirmsAPI Sec | Writeup on a ClickUp security flaw that exposed 959 emails from Fortune 500 firms and government agencies due to a hardcoded Split.io SDK token. The vulnerability, unaddressed for over 15 months, allowed attackers to extract sensitive backend data and government worker emails. A separate Server-Side Request Forgery (SSRF) vulnerability in the webhook API also enabled attackers to retrieve internal AWS IAM credentials. Despite ClickUp's multiple security certifications like SOC 2 and ISO 27001, these critical flaws went unnoticed by automated checks and audits. |
| 2026-04-27 2026 | Critical Gemini CLI Flaw Raises Supply Chain Security ConcernsRCESupply Chain | Library patches address critical GHSA-wpqr-6v78-jr5g in Google's Gemini CLI and GitHub Action, mitigating Remote Code Execution risks in CI/CD pipelines. The vulnerability exploited trust bypasses in headless and Yolo execution modes, allowing command injection via malicious environment variables and prompt injection without user interaction. Patches require upgrading the NPM package to 0.39.1 or 0.40.0-preview.3, updating the GitHub Action to 0.1.22, and implementing strict workspace trust configurations and tool allowlists. |
| 2026-04-27 2026 | Metabase Enterprise RCE Flaw Now Has Public Proof-of-Concept ExploitRCE | Writeup on CVE-2026-33725, a Metabase Enterprise RCE vulnerability, details a public Python exploit published to GitHub. This flaw, stemming from an H2 JDBC INIT injection during Enterprise Edition serialization imports, allows attackers to execute arbitrary database commands, leading to Remote Code Execution and sensitive file access. Affected versions range from 1.47.0 through 1.59.3. Researchers advise immediate patching to versions like 1.59.4 to mitigate this risk. |
| 2026-04-24 2026 | GPT-5.5 Bio Bug Bounty Program Aims to Improve AI Safety and PerformanceAIBug Bounty | Program for OpenAI's GPT-5.5 Bio Bug Bounty targets biological risks by inviting cybersecurity researchers and AI red teamers to find vulnerabilities. The main challenge involves crafting a "universal jailbreak" prompt to bypass safety filters and answer a five-question biosafety challenge on GPT-5.5 within Codex Desktop. A top prize of $25,000 is offered for the first successful universal jailbreak. Applications were accepted from April 23, 2026, to June 22, 2026, with testing from April 28, 2026, to July 27, 2026, requiring participants to sign an NDA. |
| 2026-04-24 2026 | Python Vulnerability Enables Out-of-Bounds Write on WindowsPython | Writeup on CVE-2026-3298, a high-severity out-of-bounds write vulnerability affecting Python's `asyncio.ProactorEventLoop` on Windows. This flaw in the `sock_recvfrom_into()` method allows attackers to overwrite adjacent memory regions if incoming network data exceeds a pre-allocated buffer. Affecting Windows-hosted servers, API backends, and UDP socket applications, the vulnerability can lead to memory corruption or code execution. A fix has been submitted via GitHub Pull Request #148809, and users should monitor for patched Python releases. |
| 2026-04-23 2026 | Attackers Exploit LMDeploy Flaw in the Wild Within 12 Hours of AdvisorySSRF | Writeup on CVE-2026-33626, a critical SSRF vulnerability in LMDeploy's vision-language module, exploited in the wild within 12 hours of its April 21, 2026 advisory. The flaw, stemming from an unvalidated `load_image()` function, allows attackers to fetch arbitrary internal URLs, including cloud metadata services and local databases, without requiring proof-of-concept code. Exploitation attempts targeted AWS IMDS for credentials and confirmed open Redis ports, demonstrating the risks to AI inference servers with broad cloud permissions. |
| 2026-04-23 2026 | Checkmarx KICS Docker Repo Hijacked in Malicious Code Injection AttackSupply Chain | Library compromise: The official Checkmarx KICS Docker Hub repository and VS Code extensions were targeted in a supply chain attack. Threat actors injected trojanized Docker images (affecting tags v2.1.20, v2.1.20-debian, alpine, debian, and latest) and tampered VS Code extensions (versions 1.17.0 and 1.19.0) to exfiltrate developer credentials and cloud secrets, including GitHub tokens, AWS, Azure, and GCP credentials, and SSH keys. The attack, claimed by TeamPCP, involved malicious Golang binaries and JavaScript payloads, utilizing Git history manipulation and abusing GitHub Actions for secret theft and NPM package republishing. |
| 2026-04-23 2026 | Xinference PyPI Breach Exposes Developers to Cloud Credential TheftSupply Chain | Library compromise via supply chain attack; malicious versions of the Xinference Python package (2.6.0, 2.6.1, 2.6.2) uploaded to PyPI by threat actors via a compromised bot account (XprobeBot) embedded an infostealer. The malware targets cloud credentials (AWS, Google Cloud, Kubernetes), environment variables, SSH keys, API keys, cryptocurrency wallets (Bitcoin, Ethereum, Dogecoin, Monero), and service credentials for platforms like Discord and Slack. Developers are advised to downgrade to version 2.5.0, rotate all sensitive credentials, enable 2FA, and audit their environments. |
| 2026-04-22 2026 | Mozilla Firefox 150 Released With Fixes for Multiple Code Execution VulnerabilitiesRCE | Mozilla Firefox 150 Released With Fixes for Multiple Code Execution Vulnerabilities https://ift.tt/6dEs8aC |
| 2026-04-22 2026 | Critical Spring Authorization Server Issue Exposes Systems to XSS and SSRF AttacksSSRF | Writeup of CVE-2026-22752 in Spring Security Authorization Server, detailing how insufficient validation of client metadata in Dynamic Client Registration endpoints allows Stored XSS and SSRF attacks. The vulnerability, exploitable with low privileges, affects specific versions of Spring Security and Spring Authorization Server. Administrators are urged to upgrade to patched versions or disable Dynamic Client Registration as a temporary mitigation. |
| 2026-04-21 2026 | Apache Syncope RCE Vulnerability Detailed After Public Exploit Code ReleaseRCE | Writeup detailing CVE-2025-57738, a high-severity RCE vulnerability in Apache Syncope affecting 2.x, 3.x prior to 3.0.14, and 4.x before 4.0.2. The flaw stems from unchecked Groovy code compilation via a bare GroovyClassLoader, allowing authenticated administrators to execute arbitrary JVM commands using `Runtime.exec()` or `ProcessBuilder`. This is compounded by CWE-653 and a lack of sandboxing. Patches in Syncope 3.0.14 and 4.0.2 implement a multi-layered Groovy sandbox using Jenkins' Script Security, including a SecureASTCustomizer and runtime blacklists. Previous Syncope RCEs include CVE-2023-26360 and CVE-2024-27348. |
| 2026-04-21 2026 | Malicious GGUF Models Could Trigger Remote Code Execution on SGLang ServersRCE | Vulnerability CVE-2026-5760 in SGLang allows remote code execution via maliciously crafted GGUF models. Threat actors can compromise inference servers by uploading a weaponized model to platforms like HuggingFace, which, when loaded by a victim, triggers Server-Side Template Injection through an insecure Jinja2 configuration. This allows arbitrary Python commands to execute on the host machine, similar to the Llama Drama bug (CVE-2024-34359) and sharing an attack surface with vLLM's DoS flaw (CVE-2025-61620). |
| 2026-04-21 2026 | CISA Warns Compromised Axios npm Package Fueled Major Supply Chain AttackSupply Chain | Alert from CISA details a significant supply chain attack involving the compromised Axios npm package, versions 1.14.1 and 0.30.4, which installed a malicious dependency, plain-crypto-js v4.2.1. This backdoor payload deployed a Remote Access Trojan (RAT) capable of stealing source code, environment variables, and pivoting into CI/CD pipelines. Recommended mitigations include downgrading Axios to safe versions (1.14.0 or 0.30.3), removing the malicious dependency, rotating credentials, monitoring for connections to Sfrclak[.]com, and implementing npm configuration changes like `ignore-scripts=true` and `min-release-age=7`. |
| 2026-04-21 2026 | Lovable AI App Builder Hit by Reported API Flaw Exposing Thousands of ProjectsAPI Sec | Writeup on an API flaw in the Lovable AI app builder, allowing unauthorized access to thousands of older projects. Disclosed 48 days ago by @weezerOSINT on X, the vulnerability grants free account holders access to source code, database credentials, customer information, and AI chat histories, potentially exposing data from users at companies like Nvidia, Microsoft, Uber, and Spotify. The bug stems from inconsistent patching, where projects created before November 2025 return a 200 OK status, while newer ones are protected. |
| 2026-04-20 2026 | Anthropic MCP Hit by Critical Vulnerability Enabling Remote Code ExecutionAI | Writeup of critical RCE vulnerability in Anthropic's Model Context Protocol (MCP), impacting over 150 million downloads and 200,000 servers. This systemic flaw, an architectural design decision across SDKs for Python, TypeScript, Java, and Rust, enables unauthenticated UI injection (CVE-2026-30617), authenticated RCE (CVE-2026-30623), and zero-click prompt injection. Exploitation families were found in tools like Flowise, Windsurf (CVE-2026-30615), Cursor, LiteLLM, LangChain, and IBM's LangFlow. Despite multiple disclosures and critical CVEs, the protocol-level issue remains unaddressed by Anthropic. |
| 2026-04-16 2026 | Splunk Enterprise and Cloud Platform Exposed to Dangerous RCE VulnerabilityRCE | Library for patching Splunk Enterprise and Cloud Platform against CVE-2026-20204, a Remote Code Execution vulnerability stemming from improper temporary file handling (CWE-377). Discovered by Gabriel Nitu, this flaw allows low-privileged users to execute arbitrary code by uploading malicious files to the `SPLUNK_HOME/var/run/splunk/apptemp` directory, potentially leading to server takeover. Affected versions include Splunk Enterprise 10.2.0, 10.0.0-10.0.4, 9.4.0-9.4.9, and 9.3.0-9.3.10, and specific Splunk Cloud Platform builds. Immediate updates to patched versions or disabling the Splunk Web component are recommended mitigations. |
| 2026-04-15 2026 | Top 10 Best API Security Providers Protecting Web Apps in 2026API Sec | Tool for API security, evaluating providers for 2026, highlighting Salt Security for its AI-driven business logic protection and automated discovery, and Akamai for its comprehensive lifecycle coverage and global threat intelligence. The entry emphasizes the critical need for API security in modern web applications due to evolving threats like Broken Object Level Authorization (BOLA), shadow APIs, and business logic abuse, recommending solutions that offer API discovery, runtime protection, and DevSecOps integration. |
| 2026-04-15 2026 | Windows Active Directory Flaw Opens Door to Malicious Code ExecutionRCE | Vulnerability CVE-2026-33826, impacting Windows Active Directory and discovered by Aniq Fakhrul, allows authenticated attackers to execute remote code over an adjacent network. This critical flaw, stemming from improper input validation (CWE-20) and exploitable via crafted RPC calls with low complexity, affects numerous Windows Server versions. Microsoft has released security updates as of April 2026 to address this high-impact vulnerability, urging immediate deployment and traffic monitoring. |
| 2026-04-15 2026 | FortiClient Hit by Severe SQL Injection Vulnerability Enabling Database IntrusionSQLi | Writeup of CVE-2026-21643, a critical SQL injection vulnerability in FortiClient Enterprise Management Server (EMS) version 7.4.4. This pre-authentication flaw allows unauthenticated attackers to execute arbitrary SQL commands via crafted HTTP requests to the `/api/v1/init_consts` endpoint. Exploitation enables total database control, including stealing credentials, certificates, and potentially achieving full network takeover. Fortinet patched the issue in version 7.4.5 by properly sanitizing HTTP header input. |
| 2026-04-14 2026 | Critical etcd Vulnerability Allows Unauthorized Access to Sensitive Cluster APIsAPI Sec | Writeup of CVE-2026-33413, an authentication bypass in etcd allowing unauthorized access to sensitive cluster APIs like Maintenance.Alarm, KV.Compact, and Lease.LeaseGrant. Discovered autonomously by Strix, this critical vulnerability (CVSS 8.8) exploits a flaw in the applier chain, where specific methods are not checked by the authApplierV3 wrapper, enabling unauthenticated or under-privileged users to perform disruptive operations. A patch was released in March 2026. |
| 2026-04-14 2026 | SAP Patch Day Fixes Critical SQL Injection DoS and Code Injection FlawsSQLi | Analysis of SAP's monthly patch day, addressing 19 new security notes and one update, details critical vulnerabilities including SQL injection (CVE-2026-27681) in Business Planning and Consolidation and Business Warehouse, a Denial of Service in BusinessObjects (CVE-2025-64775), and code injection in NetWeaver (CVE-2026-27674). It also highlights a missing authorization check in ERP and S/4 HANA (CVE-2026-34256) and a cross-site scripting flaw in Supplier Relationship Management (CVE-2026-0512), emphasizing the need for immediate remediation. |
| 2026-04-14 2026 | Hackers Exploit Critical ShowDoc RCE Flaw in Ongoing AttacksRCE | Writeup on CNVD-2020-26585, a critical remote code execution vulnerability in ShowDoc versions prior to 2.8.7. Attackers exploit an unrestricted file upload mechanism, disguised as image uploads to the `/index.php?s=/home/page/uploadImg` endpoint, to upload webshells bypassing weak extension checks like `test.<>php`. This allows unauthenticated control, enabling data theft and lateral movement. Mitigation involves upgrading ShowDoc, restricting access, deploying WAFs, and monitoring logs. |
| 2026-04-14 2026 | CISA Warns Fortinet SQL Injection Flaw Is Being Actively ExploitedSQLi | Alert regarding CVE-2026-21643, an unauthenticated SQL injection vulnerability in Fortinet FortiClient Enterprise Management Server (EMS). This critical flaw (CWE-89) allows remote code execution via crafted HTTP requests, is actively exploited, and requires immediate patching or mitigation by April 16, 2026, according to CISA. |
| 2026-04-13 2026 | Critical Axios Vulnerability Enables Remote Code Execution PoC ReleasedRCE | Library with CVE-2026-40175, a critical Axios vulnerability (CVSS 9.9), allows RCE by bypassing AWS IMDSv2. This flaw stems from unrestricted cloud metadata exfiltration via header injection, involving a "Gadget" chain that exploits polluted `Object.prototype` and header sanitization weaknesses. Versions prior to 1.13.2 are affected; updating to 1.15.0 or later mitigates the risk of request smuggling and credential exfiltration. |
| 2026-04-13 2026 | Marimo RCE Vulnerability Exploited Within 10 Hours of Public DisclosureRCE | Writeup of Marimo RCE vulnerability (GHSA-2679-6mx9-h9xc, CVE-2026-39987), actively exploited within 10 hours of disclosure. The critical flaw in Marimo versions 0.20.4 and earlier, affecting the `/terminal/ws` endpoint, allows unauthenticated attackers to gain a full interactive shell with the Marimo process's privileges. Attackers quickly weaponized technical details to extract sensitive AWS credentials from exposed `.env` files. Administrators must upgrade Marimo to version 0.23.0 and review logs for unauthorized terminal connections. |
| 2026-04-10 2026 | GitLab Addresses Multiple Vulnerabilities Linked to DoS and Code InjectionRCE | Library addressing multiple GitLab vulnerabilities, including CVE-2026-5173 for exposed websocket methods, improper input validation in the Terraform state lock API, and unauthenticated denial-of-service via GraphQL API queries. Patches also resolve code injection in Code Quality reports, XSS in customizable analytics, and information disclosure risks in CSV exports, protecting self-managed instances. |
| 2026-04-10 2026 | Burp Suite Professional 2025.2: Built-in AI IntegrationBurp | Library for Burp Suite Professional and Community Edition 2025.2 introduces AI integration via the Montoya API, allowing extensions to interact with PortSwigger’s AI platform for tasks like generating transformations and code. Bug fixes address Collaborator IP address display and update the browser to Chromium 133. A new Bambda library centralizes reusable Bambdas, and a starter project simplifies extension development. Quality of life improvements include persistent Intruder settings and enhanced session handling actions. |
| 2026-04-10 2026 | Critical Zero-Day RCE in Networking Devices Exposes 70,000+ HostsRCE | Writeup of CVE-2025-54322, a zero-day RCE in XSpeeder SXZOS networking devices, enabling unauthenticated root-level access. The flaw leverages an unsafe eval() function processing base64-decoded user input from query parameters, bypassing superficial middleware protections. Exploitation chains a time-synchronized nonce header, session cookie validation, and naive payload scan. The vendor's unresponsiveness to disclosures exacerbates the risk to over 70,000 potentially exposed hosts, particularly in industrial and branch office environments. |
| 2026-04-09 2026 | Multiple SonicWall Flaws Enable SQL Injection and Privilege Escalation AttacksSQLi | Advisory detailing four SonicWall SMA1000 series vulnerabilities: CVE-2026-4112, a SQL injection allowing privilege escalation from read-only to primary administrator; CVE-2026-4113, an observable response discrepancy enabling credential enumeration; CVE-2026-4114 and CVE-2026-4116, both stemming from improper Unicode handling that bypasses Time-based One-Time Password (TOTP) authentication. |
| 2026-04-08 2026 | Claude Identifies Critical 13-Year-Old RCE Vulnerability in Apache ActiveMQRCE | Writeup detailing CVE-2026-34197, a 13-year-old RCE vulnerability in Apache ActiveMQ Classic, exploitable via Jolokia to inject a crafted `vm://` URI. This forces the broker to fetch and execute a remote Spring XML configuration file, granting system control. Versions 6.0.0 through 6.1.1 are particularly vulnerable due to CVE-2024-32114, allowing unauthenticated exploitation. Updates to versions 5.19.4 or 6.2.3 are recommended, along with securing default credentials and monitoring for suspicious activity. |
| 2026-04-07 2026 | CUPS Vulnerabilities Could Allow Remote Attackers to Achieve Root-Level Code ExecutionRCE | Library components enabling the discovery and exploitation of two critical CUPS vulnerabilities: CVE-2026-34980, allowing unauthenticated remote code execution via PostScript queues through newline character injection in print options, and CVE-2026-34990, a local privilege escalation to root via interception of administrator tokens and a race condition to overwrite sensitive system files. |
| 2026-04-07 2026 | Windmill Developer Platform Flaws Expose Users to RCE Attacks Proof-of-Concept PublishedRCE | Library for detecting critical vulnerabilities in the Windmill developer platform and Nextcloud Flow, enabling unauthenticated path traversal (CVE-2026-29059) and authenticated SQL injection, leading to RCE. The "Windfall" exploit framework, with AI assistance, automates these attacks, including a stealthy "Ghost Mode" for erasing traces. Administrators must patch to Windmill 1.603.3 and Nextcloud Flow 1.3.0 to mitigate these risks. |
| 2026-04-07 2026 | Attackers Exploit Flowise Injection Vulnerability as 15000 Instances Remain ExposedRCE | Library for securing Flowise, an open-source AI development platform, addressing CVE-2025-59528, a critical code injection vulnerability in the CustomMCP node. This flaw allows remote attackers to execute arbitrary JavaScript code via crafted network requests, leading to full server compromise and data exfiltration. Versions 3.0.5 and earlier are affected; upgrading to 3.0.6 is mandatory as over 15,000 instances remain exposed and actively exploited. |
| 2026-04-07 2026 | 50000 WordPress Sites Running Ninja Forms Vulnerable to Critical File Upload RCERCE | Library for WordPress sites, specifically the Ninja Forms File Upload plugin, vulnerable to CVE-2026-0740. This unauthenticated arbitrary file upload flaw, with a CVSS score of 9.8, allows attackers to bypass file type validation and path sanitization, enabling the upload of malicious PHP scripts to the website's root directory. Successful exploitation grants Remote Code Execution, allowing for webshells, data theft, or ransomware deployment. Versions prior to 3.3.27 are affected, with immediate upgrades recommended. |
| 2026-04-06 2026 | 2000 FortiClient EMS Instances Exposed Online as Attackers Exploit Active RCE FlawRCE | Writeup on FortiClient EMS vulnerabilities, specifically CVE-2026-35616 and CVE-2026-21643, which are unauthenticated Remote Code Execution flaws actively exploited in the wild. Over 2,000 exposed FortiClient EMS instances are vulnerable, allowing attackers to gain full control and potentially deploy malware or ransomware across corporate networks by exploiting the central management capabilities of the tool. |
| 2026-04-03 2026 | CISA Warns of Craft CMS Code Injection Flaw Exploited in Active AttacksRCE | Analysis of CVE-2025-32432, a critical code injection flaw in Craft CMS versions 3.x, 4.x, and 5.x. Exploited through insecure deserialization within asset transform generation, this pre-authentication vulnerability allows arbitrary code execution by chaining object injection with the Yii framework's PhpManager component. CISA has added it to the KEV catalog due to active exploitation. Recommended mitigations include upgrading to patched versions 3.9.15, 4.14.15, or 5.6.17. |
| 2026-04-03 2026 | New Progress ShareFile Flaws Expose Servers to Unauthorized Remote TakeoverRCE | Library of exploit techniques for Progress ShareFile Storage Zone Controller vulnerabilities CVE-2026-2699 and CVE-2026-2701, allowing unauthenticated attackers to bypass authentication via Execution After Redirect and achieve Remote Code Execution by reconfiguring upload paths to a webroot for malicious ASPX shell deployment. |
| 2026-04-02 2026 | Top 10 Best Dynamic Application Security Testing (DAST) Platforms in 2026Burp | Platforms Acunetix, Burp Suite, and Rapid7 InsightAppSec are leading Dynamic Application Security Testing (DAST) solutions. Acunetix offers a hybrid approach with AcuSensor technology for high accuracy and reduced false positives, ideal for ease of use. Burp Suite provides unparalleled depth and customization, favored by professional penetration testers for in-depth analysis and complex attack simulation. Rapid7 InsightAppSec, a cloud-based option, utilizes a "Universal Translator" for modern web technologies and integrates seamlessly into DevOps workflows, prioritizing automation and user experience. These platforms help identify runtime vulnerabilities like SQL injection and XSS by simulating real-world attacks. |
| 2026-03-30 2026 | Stored XSS Vulnerability in Jira Work Management Could Enable Full Organization TakeoverXSS | Writeup detailing a stored XSS vulnerability in Jira Work Management, allowing an attacker with Product Admin privileges to execute a full organization takeover. The flaw lies in the failure to validate inputs within the custom "Icon URL" property of issue priorities, enabling malicious JavaScript to be saved and executed when a Super Admin views the priorities configuration page. This leads to an automated system invitation for an attacker-controlled user with full Atlassian product access. |
| 2026-03-17 2026 | Angular XSS Vulnerability Threatens Thousands of Web ApplicationsXSS | Writeup of CVE-2026-32635, an XSS vulnerability in Angular affecting i18n attribute bindings, enabling script injection by bypassing sanitization when untrusted input is combined with i18n tags on sensitive attributes like `href` and `src`. Exploitation can lead to session hijacking and data exfiltration. Versions 17.0.0 through 22.0.0-next.2 are impacted; developers should update to patched versions or implement workarounds like blocking untrusted input and using `DomSanitizer`. |
| 2026-03-03 2026 | Angular i18n Flaw Lets Hackers Execute Malicious Code via Critical XSS VulnerabilityXSS | Library advisory for CVE-2026-27970, a critical XSS vulnerability in Angular's i18n pipeline. Attackers can inject malicious JavaScript into compromised translation files (.xliff, .xtb), leading to credential exfiltration or page vandalism when rendered. Mitigation strategies include updating Angular, verifying translation content, implementing strict Content-Security Policy (CSP), and enabling Trusted Types. |
| 2026-03-02 2026 | Angular SSR Flaw Enables Unauthorized Server-Side Requests in Web AppsSSRF | Vulnerability CVE-2026-27739 in Angular SSR enables SSRF and Header Injection by trusting unvalidated Host and X-Forwarded-* headers. This allows attackers to redirect internal requests via HttpClient or manual URL construction, leading to credential theft, internal network probing, and data exposure. Mitigation involves updating @angular/ssr packages, using absolute URLs, or implementing strict header validation in server.ts. |
| 2026-02-27 2026 | Stored XSS Vulnerability in RustFS Console Puts S3 Admin Credentials at RiskXSS | Writeup of CVE-2026-27822, a critical Stored XSS vulnerability in RustFS Console, allowing attackers to steal S3 admin credentials from browser localStorage. Exploitation involves uploading a malicious HTML file disguised as a PDF, which executes JavaScript when previewed by an administrator. The flaw arises from improper response content type validation and the lack of origin separation between the console and S3 object delivery. Mitigation requires updating to version 1.0.0-alpha.83 or implementing origin separation and security headers like CSP and X-Content-Type-Options: nosniff. |
| 2026-02-26 2026 | Firefox 148 Unveils New Sanitizer API to Mitigate XSS Attacks in Web ApplicationsXSS | Library introducing Firefox's new Sanitizer API, a built-in tool for mitigating XSS attacks by cleaning untrusted code before it enters web pages. This standardized API simplifies the process for developers by replacing the risky `innerHTML` method with `setHTML()`, offering configurable protection against malicious HTML injection, and can be combined with Trusted Types for enhanced security. |
| 2026-02-20 | Critical Jenkins Flaw Exposes Build Environments to XSS Attacks (XSS) | Library entry detailing CVEs in the Jenkins automation server, including a stored XSS vulnerability exploiting improperly escaped HTML descriptions for node offline causes. Attackers with low-level permissions can inject malicious scripts to steal data or hijack sessions. A secondary flaw allows build information leaks through Run Parameters. Updates to Jenkins 2.539+ and the application of Content Security Policy (CSP) mitigate the XSS, with immediate patching recommended. |
| 2026-02-17 | Langchain Community SSRF Bypass Vulnerability Exposes Internal Services to Unauthorized Access (SSRF) | Writeup on CVE-2026-26019, a critical Server-Side Request Forgery (SSRF) vulnerability in the Langchain community package's RecursiveUrlLoader. This flaw, stemming from a simple string prefix check and lack of private IP validation, allowed attackers to bypass domain restrictions and access internal network resources or cloud metadata, potentially leading to credential theft. Langchain has since patched this in version 1.1.14 with strict origin checks and a new validation module blocking private IPs and metadata endpoints. |
| 2026-02-13 | Zimbra Issues Security Update to Address XSS, XXE and LDAP Injection Flaws (XSS) | Library update addressing XSS, XXE, and LDAP injection in Zimbra collaboration suite. Version 10.1.16 resolves Cross-Site Scripting in Webmail and Briefcase, authenticated LDAP injection by improving input sanitization, and XML External Entity flaws in the EWS SOAP endpoint. It also enforces proper token validation for CSRF protection. |
| 2026-02-11 | GitLab Patches Multiple Vulnerabilities Enabling DoS and Cross-Site Scripting Attacks (XSS) | Patches address critical GitLab vulnerabilities including CVE-2025-7659, an "Incomplete Validation" issue in Web IDE allowing unauthenticated token theft and repository access. Two Denial of Service flaws, CVE-2025-8099 impacting GraphQL introspection and CVE-2026-0958 related to middleware bypassing JSON validation, also receive fixes. Further patches resolve Cross-Site Scripting in Code Flow (CVE-2025-14560) and HTML Injection in test case titles (CVE-2026-0595), necessitating immediate upgrades for self-managed installations. |
| 2026-02-04 | CISA Warns of Exploited GitLab Community and Enterprise SSRF Vulnerability (SSRF) | Analysis of CVE-2021-39935, a critical SSRF vulnerability in GitLab Community and Enterprise Editions, actively exploited by threat actors to perform unauthenticated server-side requests. This flaw allows attackers to access internal resources, bypass perimeter defenses, and potentially facilitate lateral movement. CISA has added this to its KEV catalog, mandating remediation for federal agencies by February 24, 2026, with immediate patching recommended for all affected organizations. |
| 2026-01-17 | Critical XSS Vulnerabilities in Meta Conversion API Enable Zero-Click Account Takeover (XSS) | Writeup detailing critical XSS vulnerabilities in Meta's Conversions API Gateway that enable zero-click account takeovers. Researchers discovered flaws in the client-side `capig-events.js` script, exploiting improper origin validation and CSP bypass techniques on Meta domains like facebook.com and meta.com. A second, more severe vulnerability in the backend code allows attackers to inject arbitrary JavaScript into the served `capig-events.js` file through unsafe string concatenation, affecting millions of third-party deployments of the open-source gateway and enabling widespread, silent compromise. |
| 2026-01-13 | New Angular Vulnerability Allows Attackers to Execute Malicious Payloads (XSS) | Library for patching CVE-2026-22610, a high-severity XSS vulnerability in Angular’s Template Compiler that allows malicious JavaScript execution via improper sanitization of href attributes in SVG script elements. The flaw affects multiple Angular versions, with exploitation requiring specific preconditions. Patches are available, and alternative mitigation includes avoiding dynamic bindings on SVG script elements and implementing server-side input validation. |
| 2026-01-12 | Critical Apache Struts 2 Flaw Could Let Attackers Steal Sensitive Data (SSRF) | Library for securing Apache Struts 2 applications against CVE-2025-68493, an XML External Entity (XXE) injection vulnerability in the XWork component. This flaw allows attackers to steal sensitive data, perform server-side request forgery (SSRF), and cause denial-of-service by exploiting improper XML configuration parsing. The recommended remediation is upgrading to Struts 6.1.1 or later, with temporary mitigations including custom SAXParserFactory configurations to disable external entities. |
| 2026-01-09 | OWASP CRS Vulnerability Enables Charset Validation Bypass (XSS) | Library update addresses CVE-2026-21876 in OWASP CRS, a critical vulnerability allowing charset validation bypass in WAFs. The flaw, affecting CRS 3.3.x and 4.0.0-4.21.0 across ModSecurity, Coraza, and libmodsecurity, enabled XSS and other encoding-based attacks by only validating the last multipart section's charset. The fix, implemented in CRS 4.22.0 and 3.3.8, now validates every detected charset to prevent bypass. |
| 2025-12-19 | New Kibana Vulnerabilities Allow Attackers to Embed Malicious Scripts (XSS) | Writeup of CVE-2025-68385 in Kibana, a critical XSS vulnerability impacting numerous 7.x, 8.x, and 9.x versions. This flaw, leveraging improper input neutralization within the Vega visualization component (CWE-79), allows authenticated attackers to inject and execute malicious scripts in users' browsers, potentially compromising sensitive data. Elastic has released patched versions to address this high-severity issue. |
| 2025-11-27 | Apache SkyWalking Flaw Allows Attackers to Launch XSS Attacks (XSS) | Writeup of CVE-2025-54057, a Stored XSS vulnerability in Apache SkyWalking versions up to 10.2.0. This flaw allows attackers to inject and store malicious scripts due to improper neutralization of script-related HTML tags, potentially leading to credential theft and unauthorized access. The Apache Software Foundation has released version 10.3.0 with a patch to mitigate this "important" severity issue. |
| 2025-11-13 | Kibana Vulnerabilities Expose Systems to SSRF and XSS Attacks (XSS) | Library update addressing Kibana's CVE-2025-37734, an origin validation error within the Observability AI Assistant. This flaw enables Server-Side Request Forgery (SSRF) by allowing attackers to craft forged Origin HTTP headers, potentially leading to unauthorized access to internal systems. Affected Kibana versions include 8.12.0 through 8.19.6, 9.1.0 through 9.1.6, and 9.2.0. Elastic recommends upgrading to versions 8.19.7, 9.1.7, or 9.2.1, or disabling the feature as a temporary mitigation. |
| 2025-11-13 | Citrix NetScaler ADC and Gateway Flaw Allows Cross-Site Scripting (XSS) Attacks (XSS) | Writeup of CVE-2025-12101, a cross-site scripting (XSS) vulnerability affecting NetScaler ADC and Gateway platforms. This medium-severity flaw, CWE-79, allows attackers to inject malicious scripts, potentially leading to session hijacking or credential theft. It impacts various NetScaler versions, including FIPS and end-of-life releases, when configured as a Gateway with specific virtual server types. Cloud Software Group recommends immediate patching to mitigate the risk. |
| 2025-11-12 | Hackers Exploit SSRF Flaw in Custom GPTs to Steal ChatGPT Secrets (SSRF) | Writeup on an SSRF vulnerability in ChatGPT's Custom GPTs feature, demonstrating how attackers could steal cloud infrastructure secrets like Azure management API tokens by exploiting the "Actions" section to perform redirects to instance metadata services. The technique involved a 302 redirect combined with a custom API key header to bypass security controls and retrieve sensitive credentials, a flaw subsequently patched by OpenAI. |
| 2025-10-30 | Reflected XSS Flaw Enables Attackers to Evade Amazon CloudFront Protection Using Safari (XSS) | Writeup detailing a reflected Cross-Site Scripting (XSS) vulnerability on help-ads.target.com that bypasses Amazon CloudFront’s Web Application Firewall (WAF) when exploited using the Safari browser. The flaw leverages Safari's specific handling of URL parsing and reflected script blocks, allowing attackers to execute JavaScript and potentially steal sensitive information like cookies. This underscores the critical need for security testing across diverse browsers and robust output encoding, rather than solely relying on WAF protections. |
| 2025-10-21 | CISA Warns of Oracle E-Business Suite SSRF Vulnerability Actively Exploited in Attacks (SSRF) | Writeup on CVE-2025-61884, a critical Oracle E-Business Suite SSRF vulnerability actively exploited in the wild. This CWE-918 flaw, affecting the Runtime component of Oracle Configurator, allows unauthenticated remote attackers to forge server-side requests to internal or external resources. CISA has added it to the Known Exploited Vulnerabilities catalog, mandating immediate patching or mitigation for federal agencies. Security teams should apply vendor patches, implement network segmentation, and monitor for suspicious outbound requests to prevent data exfiltration and deeper network penetration. |
| 2025-10-18 | Critical Zimbra SSRF Flaw Exposes Sensitive Data (SSRF) | Library update 10.1.12 addresses a critical Server-Side Request Forgery (SSRF) vulnerability in Zimbra versions 10.1.5 through 10.1.11, allowing attackers to access sensitive data and perform network reconnaissance by manipulating the chat proxy configuration. This flaw poses risks of data exposure, credential theft, and unauthorized access to internal resources, necessitating immediate patching to prevent exploitation. |
| 2025-09-10 | Multiple Vulnerabilities in GitLab Patched Blocking DoS and SSRF Attack Vectors (SSRF) | Library update patching six GitLab vulnerabilities, including CVE-2025-6454 (SSRF via webhook headers) and CVE-2025-2256 (DoS via SAML response manipulation), along with other DoS vectors (CVE-2025-1250, CVE-2025-7337), token-related issues (CVE-2025-10094), and information disclosure (CVE-2025-6769). Immediate upgrades are crucial for self-managed installations. |
| 2025-08-14 | Top 500 Most Important XSS Cheat Sheet for Web Application Pentesting (XSS) | Cheatsheet enumerating 500+ XSS payloads for web application pentesting. It categorizes vulnerabilities into Reflected, Stored, and DOM-Based XSS, providing concrete examples of payloads leveraging various HTML tags, attributes, and encoding techniques, including SVG, CSS expressions, and modified UTF-7 encoding. |
| 2025-08-14 | XSSer automated framework to detect, exploit and report XSS vulnerabilities (XSS) | Framework for automating detection, exploitation, and reporting of Cross-Site Scripting (XSS) vulnerabilities. XSSer supports GET and POST injection methods, includes filters and bypassing techniques, and offers both command-line and GUI interfaces. It can inject code, leverage search engine dorks, perform multiple injections with automatic payloads, and utilize TOR proxies. Key defenses against XSS include validating input, adhering to patterns, avoiding direct reflection of untrusted data, and context-aware encoding. |
| 2025-08-14 | XSSight - Automated XSS Scanner And Payload Injector - GBHackers On Security (XSS) | Library for automated XSS scanning and payload injection. XSSight, powered by Team Ultimate, identifies vulnerabilities by injecting characters like `/\"<>` and analyzing page source code. It supports injecting XSS payloads to test for conflicts and offers defense recommendations such as validating input, avoiding direct reflection of untrusted data, and using context-aware encoding. |
| 2025-08-11 | Xerox FreeFlow Flaws Enable SSRF and Remote Code Execution (SSRF) | Analysis of CVE-2025-8355 and CVE-2025-8356 in Xerox FreeFlow Core v8.0.4 reveals critical SSRF and path traversal vulnerabilities. The XXE flaw (CVE-2025-8355) enables attackers to forge server-side requests to internal or external resources, while the path traversal vulnerability (CVE-2025-8356) can lead to remote code execution. Discovered by Jimi Sebree of Horizon3.ai, these "IMPORTANT" severity issues necessitate immediate upgrade to v8.0.5, as per Xerox Security Bulletin XRX25-013. |
| 2025-06-19 | Open Next SSRF Flaw in Cloudflare Lets Hackers Fetch Data from Any Host (SSRF) | Writeup of CVE-2025-6087, an SSRF flaw in the @opennextjs/cloudflare package. This vulnerability allows unauthenticated attackers to proxy arbitrary remote content through a victim's website domain by exploiting an unimplemented safeguard in the `/_next/image` endpoint. Versions prior to 1.3.0 of the Open Next Cloudflare adapter were affected. Cloudflare has deployed platform-level updates, and operators should upgrade the adapter and consider using the `remotePatterns` filter. |
| 2025-05-05 | Hackers Exploit Email Fields to Launch XSS and SSRF Attacks (SSRF) | Library for securing applications against XSS and SSRF attacks originating from email input fields. It details how attackers exploit improperly validated email addresses, including payloads like `user@example.com?callback=<img src=x onerror=stealCookies()>` for DOM-based XSS and `user@https://internal-server.local` for SSRF. The library emphasizes the need for RFC822-compliant validation using tools such as `email-validator` for Python, output encoding, SSRF protection via network call restrictions and allowlists, and Content Security Policy (CSP) to prevent these vulnerabilities. |
| 2025-03-18 | Hackers Exploit SSRF Vulnerability to Attack OpenAI's ChatGPT Infrastructure (SSRF) | Writeup of CVE-2024-27564, an SSRF vulnerability actively exploited against OpenAI's ChatGPT infrastructure, leading to over 10,000 attack attempts primarily targeting government organizations and financial institutions. The report highlights how attackers leverage medium-severity vulnerabilities and misconfigured security systems like IPS and WAFs, emphasizing the need for comprehensive vulnerability management beyond just critical and high-severity flaws. |
| 2025-03-12 | Java Axios Package Vulnerability Threatens Millions of Servers with SSRF Exploit (SSRF) | Writeup of CVE-2025-27152 in Axios, a widely used JavaScript package, details a critical Server-Side Request Forgery (SSRF) vulnerability. This flaw allows attackers to cause unintended requests, potentially leaking sensitive credentials like API keys by supplying absolute URLs to Axios requests even when a base URL is configured. Versions prior to 1.8.2 are affected. Mitigation involves updating to the patched version or implementing strict URL validation. |
| 2025-03-12 | Over 400 IPs Actively Exploiting Multiple SSRF Vulnerabilities in the Wild (SSRF) | Library detecting over 400 IPs actively exploiting multiple SSRF vulnerabilities, including those in Zimbra, GitLab, VMware Workspace ONE UEM, and VMware vCenter. This coordinated exploitation mirrors historical breaches like Capital One, enabling cloud exploitation, network reconnaissance, and credential theft. Defenders should patch affected CVEs, restrict outbound access, set up alerts for unusual requests, and block identified malicious IPs. |
| 2025-01-16 | Veeam Azure Backup Vulnerability Allows Attackers to Utilize SSRF & Send Unauthorized Requests (SSRF) | Writeup of CVE-2025-23082, a critical Server-Side Request Forgery (SSRF) vulnerability in Veeam Backup for Microsoft Azure affecting versions up to 7.1.0.22. This flaw allows attackers to send unauthorized requests from the system, potentially leading to network enumeration and further attacks. Veeam has released an updated build, version 7.1.0.59 or later, to address this high-severity issue. |
| 2024-12-05 | ChatGPT Next Web Vulnerability Lets Attackers Exploit Endpoint to Perform SSRF (SSRF) | Writeup of CVE-2023-49785 impacting ChatGPT Next Web (NextChat) versions 2.11.2 and earlier. This critical Server-Side Request Forgery (SSRF) vulnerability exists in the client settings synchronization API endpoint, which is improperly secured and accessible to unauthenticated users. Attackers can exploit this to send malicious requests to internal services, potentially leading to unauthorized access, data theft, and compromise of cloud environments. Updating to version 2.12.2 or later is recommended. |
| 2020-06-06 | Top 500 Most Important XSS Cheat Sheet for Web Application Pentesting (XSS) | Library of JavaScript payloads and techniques for identifying and exploiting XSS vulnerabilities. This comprehensive cheat sheet details methods for Reflected XSS, Stored XSS, and DOM-Based XSS, including examples targeting various HTML elements, CSS properties, and encoding schemes like x-imap4-modified-utf7 and mac-farsi. It features payloads for `<img>`, `<svg>`, `<math>`, `<object>`, and `<style>` tags, demonstrating bypasses through attribute manipulation, character encoding, and specific browser behaviors. |
| 2017-06-20 | XSSer automated framework to detect, exploit and report XSS vulnerabilities (XSS) | Framework for detecting, exploiting, and reporting XSS vulnerabilities in web applications. XSSer automates injections using GET and POST methods, supports various filters and bypass techniques, and offers both command-line and GUI interfaces. It can leverage TOR proxies and provides detailed attack statistics. Key features include injection with automatic payloads, reverse connection checks, heuristic parameter filtering, and DOM shadow injection. |
| 2017-04-08 | XSSight - Automated XSS Scanner And Payload Injector - GBHackers On Security (XSS) | Library for automated Cross-Site Scripting (XSS) scanning and payload injection. XSSight assists in detecting vulnerabilities like Reflected XSS, Stored XSS, and DOM-Based XSS. The tool injects common XSS characters and analyzes website source code to identify weaknesses. It also allows for payload testing to confirm exploitability and suggests defenses such as input validation and context-aware encoding. |