appsec.fyi · Sources

securityaffairs.com

21 curated AppSec resources from securityaffairs.com across 8 topics on appsec.fyi.

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-05-16.

Each entry lists the date added, the resource title, its topic tags in brackets, and an excerpt.

2026-05-16 · OpenAI hit by supply chain attack linked to malicious TanStack packages [Supply Chain]
OpenAI was targeted by a supply chain attack that exploited malicious packages distributed through the TanStack ecosystem. Attackers injected malicious code into TanStack packages, which OpenAI then unknowingly pulled in, giving them unauthorized access to OpenAI's systems and the ability to steal data belonging to its customers. The extent of the breach is still under investigation.

2026-05-11 · U.S. CISA adds a flaw in BerriAI LiteLLM to its Known Exploited Vulnerabilities catalog [SQLi]
CVE-2026-42208 is a critical SQL injection vulnerability in BerriAI LiteLLM versions 1.81.16 through 1.83.6 that lets an unauthenticated attacker read, and potentially modify, database contents via a crafted Authorization header. CISA added the flaw to its Known Exploited Vulnerabilities catalog after real-world exploitation was observed shortly after disclosure, with attackers targeting virtual API keys and credentials. A fix is available in LiteLLM 1.83.7.

2026-05-10 · New cPanel vulnerabilities could allow file access and remote code execution [RCE]
Writeup of cPanel vulnerabilities CVE-2026-29201, CVE-2026-29202 and CVE-2026-29203, which permit arbitrary file reads, Perl code execution via the create_user API, and potential denial of service or privilege escalation through chmod. The flaws affect multiple cPanel & WHM releases and have been patched. The disclosure follows the weaponization of a separate cPanel authentication bypass, CVE-2026-41940, as a zero-day for botnet deployment. watchTowr and cPanel have published tools to detect vulnerable hosts.

2026-05-10 · Official JDownloader site served malware to Windows and Linux users between May 6 and May 7 [Supply Chain]
Writeup of a supply chain attack on the official JDownloader website between May 6 and May 7, 2026. Attackers compromised the site's content management system and altered download links so that the Windows "Alternative Installer" and the Linux shell installers were replaced with malware, a Python-based remote access trojan (RAT). Legitimate installers are digitally signed by "AppWork GmbH"; the malicious ones were unsigned or signed by suspicious entities such as "Zipline LLC" or "The Water Team". The site was taken offline for investigation and remediation, and the correct installer links have been restored.

2026-05-07 · Cisco patches high-severity flaws enabling SSRF code execution attacks [RCE]
Advisory detailing high-severity vulnerabilities in Cisco Unity Connection: CVE-2026-20034, which allows an authenticated remote attacker to execute code as root via crafted API requests, and CVE-2026-20035, which allows an unauthenticated attacker to perform SSRF by sending crafted HTTP requests. Both stem from insufficient input validation and can lead to complete system compromise or to arbitrary network traffic originating from the affected device.

2026-05-06 · Apache fixes critical HTTP/2 double-free flaw CVE-2026-23918 enabling RCE [RCE]
Writeup of CVE-2026-23918, a critical HTTP/2 double-free vulnerability in Apache HTTP Server 2.4.66. The flaw, discovered by Bartlomiej Dmitruk and Stanislaw Strzalkowski, causes memory corruption leading to denial of service and, under specific configurations such as mmap usage, potential remote code execution. The issue resides in mod_http2 and is resolved in version 2.4.67.

2026-05-06 · Palo Alto Networks PAN-OS flaw exploited for remote code execution [API Sec, RCE]
Writeup of CVE-2026-0300, a critical PAN-OS buffer overflow allowing unauthenticated remote code execution with root privileges. It affects PA-Series and VM-Series firewalls that expose the User-ID Authentication Portal to the internet. Palo Alto Networks advises restricting access to trusted internal IP addresses as a mitigation and reports limited exploitation, primarily against internet-facing portals. Fixes are expected by May 13, 2026.

2026-05-06 · Critical Android vulnerability CVE-2026-0073 fixed by Google [Mobile, RCE]
Analysis of CVE-2026-0073, a critical remote code execution vulnerability in Android's System component affecting the adbd daemon. Exploitation requires no user interaction or special permissions and could yield code execution as the shell user and full device compromise. Google has released a patch; no public exploits or active attacks against this specific flaw are currently known. The fix follows a previously exploited Qualcomm vulnerability, CVE-2026-21385, a buffer over-read in the Graphics component.

2026-04-29 · CVE-2026-42208: LiteLLM bug exploited 36 hours after its disclosure [AI, SQLi]
Writeup of CVE-2026-42208 in LiteLLM, an SQL injection vulnerability in the proxy's API key verification. Attackers exploited the flaw within 36 hours of disclosure, crafting malicious Authorization headers to extract sensitive data such as virtual API keys and provider credentials. The vulnerability affects LiteLLM versions 1.81.16 through 1.83.6 and was patched in 1.83.7.

2026-04-28 · CVE-2026-3854 GitHub flaw enables remote code execution [RCE]
Writeup of CVE-2026-3854, a critical command injection vulnerability in GitHub Enterprise Server allowing remote code execution. Via a crafted git push, an attacker can inject malicious metadata, bypass sandbox protections and run arbitrary commands. Wiz researchers reported the flaw, which GitHub fixed in patched Enterprise Server releases. The vulnerability underscores the risk in inter-service communication and in sanitizing user-controlled data within complex systems.

2026-04-17 · U.S. CISA adds a flaw in Apache ActiveMQ to its Known Exploited Vulnerabilities catalog [RCE]
Writeup of CVE-2026-34197, a critical flaw in Apache ActiveMQ Classic affecting versions prior to 5.19.4 and 6.2.3. Caused by improper input validation and unsafe code execution, it allows an authenticated attacker to achieve remote code execution through the Jolokia JMX-HTTP bridge: a crafted discovery URI forces the broker to load a malicious remote Spring XML configuration, enabling arbitrary code execution through bean factory methods such as Runtime.exec(). CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, mandating remediation for federal agencies.

2026-04-15 · Microsoft Patch Tuesday for April 2026 fixed actively exploited SharePoint zero-day [RCE]
Writeup of Microsoft's April 2026 Patch Tuesday, which fixed 165 vulnerabilities, including an actively exploited SharePoint zero-day, CVE-2026-32201. This critical spoofing vulnerability, likely an XSS flaw, allowed attackers to view or modify sensitive information. Security experts urge rapid patching, noting the release's size and its potential impact on organizations with internet-facing SharePoint servers.

2026-04-11 · CVE-2026-39987: Marimo RCE exploited in hours after disclosure [RCE]
Writeup of CVE-2026-39987, a pre-authentication RCE flaw in Marimo, a Python notebook tool. Sysdig Threat Research Team observed active exploitation within 10 hours of disclosure: attackers targeted the unauthenticated /terminal/ws WebSocket endpoint to obtain a full PTY shell, with credential theft occurring in under three minutes. The case highlights how quickly threat actors respond to disclosures, even for niche software like Marimo.

2026-04-07 · Attackers exploit critical Flowise flaw CVE-2025-59528 for remote code execution [RCE]
Writeup of CVE-2025-59528 in Flowise, detailing how attackers exploit improper JavaScript validation in the CustomMCP node for remote code execution and file system access. The vulnerability, fixed in version 3.0.6, allows arbitrary JavaScript execution with full Node.js privileges, enabling command execution and data theft; it has been actively exploited in the wild against thousands of exposed instances.

2026-04-06 · Attackers Exploit RCE Flaw as 14000 F5 BIG-IP APM Instances Remain Exposed [RCE]
Writeup of CVE-2025-53521, a critical RCE vulnerability in F5 BIG-IP APM. Attackers are actively exploiting the flaw, which allows specially crafted traffic to trigger remote code execution when access policies are enabled. Shadowserver reports over 14,000 exposed instances, and CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, with a March 30, 2026 patch deadline for federal agencies.

2026-04-02 · Critical Fortinet FortiClient EMS flaw exploited for Remote Code Execution [RCE]
Writeup of CVE-2026-21643, a critical SQL injection vulnerability in Fortinet FortiClient EMS that is now actively exploited. Threat actors smuggle SQL statements via the "Site" header of HTTP requests to achieve remote code execution, potentially gaining an initial network foothold for lateral movement or malware deployment. Nearly 1,000 FortiClient EMS instances are publicly exposed. The flaw follows the earlier CVE-2023-48788, also an SQL injection bug, which was added to CISA's KEV catalog.

2026-03-21 · PolyShell flaw exposes Magento and Adobe Commerce to file upload attacks [XSS]
Writeup of the PolyShell vulnerability in the Magento and Adobe Commerce REST APIs, including how to identify and mitigate it. This critical flaw allows unauthenticated attackers to upload executable files, potentially leading to RCE or account takeover. It has existed since Magento 2's initial release and affects versions up to 2.4.9-alpha2; releases prior to 2.3.5 are also susceptible to XSS. A fix exists in the 2.4.9 pre-release, but no standalone patch is available for production versions, so real-time WAF blocking and strict server configuration of upload directories are needed in the meantime.

2026-03-19 · Russian APT targets Ukraine via Zimbra XSS flaw CVE-2025-66376 [XSS]
Writeup of CVE-2025-66376, a stored XSS vulnerability in Zimbra Collaboration exploited by Russian APT groups targeting Ukraine. The flaw, CVSS 7.2, allowed attackers to execute scripts via specially crafted HTML emails, enabling credential theft, session token compromise and mailbox data exfiltration. Nation-state actors, potentially APT28, leveraged the vulnerability in a campaign dubbed Operation GhostMail against targets including Ukraine's State Hydrology Agency. Synacor has released patches, and CISA has added CVE-2025-66376 to its Known Exploited Vulnerabilities catalog.

2025-03-18 · ChatGPT SSRF bug quickly becomes a favorite attack vector [SSRF]
Writeup of CVE-2024-27564, an SSRF vulnerability in ChatGPT's pictureproxy.php that lets attackers trigger arbitrary server-side requests via crafted URLs. The flaw, CVSS 6.5, is being actively exploited against financial and government organizations, with over 10,000 attack attempts observed in a single week. Misconfigured intrusion prevention systems and web application firewalls, on products such as NextGenFirewall, leave environments unprotected, underscoring the risk of ignoring medium-severity vulnerabilities.

2025-03-13 · Experts warn of a coordinated surge in the exploitation attempts of SSRF vulnerabilities [SSRF]
Analysis of a coordinated surge in SSRF exploitation observed by GreyNoise on March 9: attackers used Grafana for initial access before attempting to exploit multiple SSRF CVEs simultaneously. The campaign, involving at least 400 IPs, targeted infrastructure across various platforms, suggesting automated reconnaissance for pivoting and cloud exploitation. Organizations are advised to patch affected systems, mitigate the targeted CVEs and monitor for suspicious outbound requests.

2024-12-10 · SAP fixed critical SSRF flaw in NetWeaver [SSRF]
Analysis of SAP's December 2024 Security Patch Day, which addressed 16 vulnerabilities, including a critical SSRF (CVE-2024-47578) in NetWeaver's Adobe Document Service that allows file manipulation or system unavailability. Other fixes include CVE-2024-47579 and CVE-2024-47580, an XSS (CVE-2024-47590) in Web Dispatcher, and an RFC information disclosure (CVE-2024-54198) in SAP NetWeaver Application Server ABAP.
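Three of the entries above (the two LiteLLM CVE-2026-42208 items and the FortiClient EMS CVE-2026-21643 item) share one mechanism: an HTTP header that the server treats as an opaque credential is instead spliced into a SQL query. The following is an added illustration of that pattern, not code from LiteLLM, Fortinet, or securityaffairs.com; the table, the key values and the malicious Authorization header are constructed, and the lookup is run against an in-memory SQLite database so it can be executed offline. It shows a vulnerable string-interpolated key lookup next to the parameterized replacement, and what each returns for a legitimate token and for an injected one.

```python
"""Added example: SQL injection through an Authorization header in an
API-key lookup. Illustrative code with constructed data; it is not the
code of any product named on this page."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory key store standing in for a proxy's key table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, user TEXT, provider_secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO virtual_keys VALUES (?, ?, ?)",
        [
            ("sk-alice-1111", "alice", "provider-secret-A"),
            ("sk-bob-2222", "bob", "provider-secret-B"),
        ],
    )
    return conn


def bearer_token(authorization_header: str) -> str:
    """Strip the scheme; everything after 'Bearer ' is attacker-controlled text."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("unsupported auth scheme")
    return token.strip()


def verify_key_vulnerable(conn: sqlite3.Connection, authorization_header: str) -> list:
    """Interpolates the header into SQL, so the token text becomes part of the query."""
    token = bearer_token(authorization_header)
    sql = f"SELECT user, provider_secret FROM virtual_keys WHERE token = '{token}'"
    return conn.execute(sql).fetchall()


def verify_key_fixed(conn: sqlite3.Connection, authorization_header: str) -> list:
    """Parameterized query: the token is bound as data and can never alter the SQL."""
    token = bearer_token(authorization_header)
    sql = "SELECT user, provider_secret FROM virtual_keys WHERE token = ?"
    return conn.execute(sql, (token,)).fetchall()


# Constructed malicious header: closes the string literal and ORs in a tautology,
# so the vulnerable query matches every row and hands back all provider secrets.
INJECTED_HEADER = "Bearer sk-none' OR '1'='1"
VALID_HEADER = "Bearer sk-alice-1111"


def demo() -> dict:
    """Run both lookups against both headers and return the rows each produced."""
    conn = make_db()
    return {
        "vulnerable_valid": verify_key_vulnerable(conn, VALID_HEADER),
        "vulnerable_injected": verify_key_vulnerable(conn, INJECTED_HEADER),
        "fixed_valid": verify_key_fixed(conn, VALID_HEADER),
        "fixed_injected": verify_key_fixed(conn, INJECTED_HEADER),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns every key row for the injected header, which is the "steal virtual API keys and provider credentials" outcome the LiteLLM excerpts describe; the parameterized version returns nothing for it. Note that Python's sqlite3 refuses stacked statements in execute(), so this demo only shows data extraction; drivers and databases that accept multiple statements, or that expose procedures such as xp_cmdshell, are how the same bug class escalates to the remote code execution described for FortiClient EMS.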
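The SSRF entries above (the pictureproxy.php item, the GreyNoise surge item and the SAP Adobe Document Service item) all come down to a server fetching a URL that a client supplied. Below is an added example of the guard a fetching endpoint should apply before it connects, written for this page rather than taken from any of those products or from securityaffairs.com. The hostnames, addresses and the offline resolver table are constructed (the resolver is injected so the check runs without network access; a socket.getaddrinfo-backed resolver is included for real use). It rejects non-HTTP schemes, unexpected ports, embedded credentials, and any hostname that resolves to a loopback, private, link-local (including the 169.254.169.254 cloud metadata address) or otherwise non-global address.

```python
"""Added example: a pre-connect guard for a URL-fetching endpoint, the
pattern behind pictureproxy-style SSRF. Illustrative code with constructed
hostnames and addresses; not the code of any product on this page."""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

Resolver = Callable[[str], Iterable[str]]


def is_public_ip(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    ipaddress.is_global is False for loopback, RFC 1918 and ULA space,
    link-local (so 169.254.169.254 is caught), documentation ranges,
    reserved and unspecified addresses."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def check_fetch_target(url: str, resolve: Resolver) -> tuple[bool, str]:
    """Decide whether the server may fetch `url`; returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addrs = list(resolve(parts.hostname))
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host did not resolve"
    # Every record must be public: a name with one internal A record is a pivot.
    for addr in addrs:
        if not is_public_ip(addr):
            return False, f"{parts.hostname} resolves to non-public address {addr}"
    return True, "ok"


def system_resolver(host: str) -> list[str]:
    """Real resolver for deployment; raises OSError (socket.gaierror) on failure."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def constructed_resolver(host: str) -> list[str]:
    """Offline stand-in for system_resolver. All names and addresses are made up."""
    try:
        return [str(ipaddress.ip_address(host))]  # IP literal: nothing to look up
    except ValueError:
        pass
    table = {
        "images.example.com": ["93.184.216.34"],
        # One public record and one internal record: must be rejected as a whole.
        "rebind.example.net": ["93.184.216.35", "10.0.0.5"],
        "metadata.example.internal": ["169.254.169.254"],
    }
    if host not in table:
        raise OSError(f"NXDOMAIN {host}")
    return table[host]


if __name__ == "__main__":
    for candidate in (
        "https://images.example.com/a.png",
        "http://127.0.0.1/admin",
        "http://169.254.169.254/latest/meta-data/",
        "http://rebind.example.net/",
        "file:///etc/passwd",
    ):
        print(candidate, check_fetch_target(candidate, constructed_resolver))
```

Two caveats a practitioner should keep in mind. First, this check is only sound if the connection actually goes to an address that passed it: pin the resolved IP when connecting (or re-run the check on every redirect hop and every reconnect), otherwise DNS rebinding or a 302 to an internal host walks straight around it. Second, the guard reduces exposure but does not replace the monitoring the GreyNoise entry recommends; log every outbound request the fetcher makes, with destination IP and the client that triggered it, so attempts against internal or metadata addresses are visible even when they are blocked.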