sentinelone.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-22.
Python 5
SSRF 5
CSRF 4
SQLi 4
Deser 3
JWT 3
RCE 2
Supply Chain 2
XXE 2
AuthN 1
IDOR 1
Recon 1
Secrets 1
XSS 1
| Date Added | Resource | Excerpt |
|---|---|---|
| 2026-04-22 2026 | Hypersonic Supply Chain Attacks: One Solution That Didn't Need to Know the PayloadSupply Chain | Library that stops zero-day supply chain attacks like those targeting LiteLLM, Axios, and CPU-Z by using on-device behavioral AI. It detects malicious execution patterns rather than relying on signatures or reputation, making it effective against previously unseen payloads delivered through trusted channels, even when AI agents automate execution with unrestricted permissions. This approach, part of SentinelOne's Autonomous Security Intelligence, flags anomalous process chains and code execution in real-time, terminating threats before they can escalate. |
| 2026-04-22 2026 | CVE-2026-32597: PyJWT Information Disclosure VulnerabilityJWT | Writeup of CVE-2026-32597, an information disclosure vulnerability in PyJWT versions prior to 2.12.0. The library fails to properly validate the RFC 7515 crit (Critical) Header Parameter, allowing attackers to bypass security controls by crafting tokens with unrecognized critical extensions that are silently ignored instead of rejected. This input validation error, classified under CWE-345, can lead to authentication bypass in applications relying solely on PyJWT for validation. Mitigation involves upgrading PyJWT to version 2.12.0 or later and implementing additional validation logic. |
| 2026-04-22 2026 | CVE-2026-2092: Keycloak Auth Bypass VulnerabilityAuthN | Writeup of CVE-2026-2092, a Keycloak authentication bypass vulnerability, details how attackers can inject encrypted assertions into unsigned SAML responses. This flaw, affecting Keycloak and related Red Hat products, allows unauthorized access by substituting an attacker's valid signed assertion with one for an arbitrary principal, bypassing proper validation and potentially compromising identity federation. Mitigation involves applying patches and configuring SAML identity providers to always sign SAML responses in addition to assertions. |
| 2026-04-22 2026 | CVE-2025-68454: Craft CMS Twig SSTI RCE VulnerabilityRCE | Writeup detailing CVE-2025-68454, an authenticated Remote Code Execution vulnerability in Craft CMS versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16. Exploitation occurs via Server-Side Template Injection (SSTI) using the Twig map filter in text fields within Settings or the System Messages utility. Attackers with administrative privileges or access to System Messages can achieve arbitrary code execution by crafting malicious Twig payloads. Mitigation involves updating to patched versions 5.8.21 or 4.16.17, disabling allowAdminChanges, and restricting access to sensitive utilities. |
| 2026-04-22 2026 | CVE-2025-12821: WordPress NewsBlogger CSRF Allowing RCECSRF | Writeup of CVE-2025-12821, a Cross-Site Request Forgery (CSRF) vulnerability in the NewsBlogger WordPress theme (versions 0.2.5.6 through 0.2.6.1), allowing arbitrary file upload and remote code execution. This critical flaw, a regression of CVE-2025-1305, arises from missing nonce validation in the `newsblogger_install_and_activate_plugin()` function, enabling unauthenticated attackers to compromise sites by tricking administrators into clicking malicious links. |
| 2026-04-22 2026 | CVE-2026-22607: Fickling Python RCE VulnerabilityPython | Writeup of CVE-2026-22607 details an Insecure Deserialization vulnerability in Fickling, a Python pickling decompiler. Versions up to 0.1.6 incorrectly classify pickle files using `cProfile.run()` as "SUSPICIOUS" instead of "OVERTLY_MALICIOUS". This misclassification allows attackers to craft malicious pickle files, bypass Fickling's analysis, and achieve arbitrary code execution on systems relying on its security assessment for deserialization. |
| 2026-04-22 2026 | CVE-2026-21226: Azure Core Python Library RCE VulnerabilityPython | Library for Python applications using Azure SDKs, addressing CVE-2026-21226, an insecure deserialization vulnerability (CWE-502). Attackers with low-level authorization can execute arbitrary code over a network by crafting malicious serialized payloads processed by the vulnerable Azure Core library. Mitigation involves updating the `azure-core` package via `pip install --upgrade azure-core` and implementing input validation or network segmentation. |
| 2026-04-19 2026 | CVE-2025-45768: PyJWT Information Disclosure VulnerabilityJWT | Library update detailing CVE-2025-45768, a weak encryption vulnerability in PyJWT v2.10.1. This flaw arises from the library's failure to enforce minimum key length requirements, potentially allowing attackers to forge JWT tokens and bypass authentication. While the vendor disputes the classification, applications using this version without strong key management practices are at risk. Mitigation involves implementing application-level key length validation, enforcing minimum key sizes (256 bits for HMAC, 2048 bits for RSA), and rotating potentially weak keys. |
| 2026-04-19 2026 | CVE-2025-9611: Microsoft Playwright MCP Server CSRF FlawCSRF | CVE-2025-9611 describes a DNS rebinding vulnerability in Microsoft Playwright MCP Server versions prior to 0.0.40, allowing attackers to exploit browser interactions to invoke tool endpoints without proper authentication by bypassing same-origin protections. The vulnerability, rooted in the lack of Origin header validation, can lead to unauthorized commands and system manipulation. Mitigation involves upgrading to version 0.0.40+, configuring `allowedHosts`, and implementing workarounds such as restricting binding to localhost or using a reverse proxy with origin validation. |
| 2026-04-19 2026 | CVE-2025-23797: WP Options Editor CSRF VulnerabilityCSRF | Writeup of CVE-2025-23797, a Cross-Site Request Forgery vulnerability affecting the WP Options Editor WordPress plugin. This flaw, present in versions up to 1.1, allows unauthenticated attackers to trick administrators into clicking malicious links, leading to privilege escalation by modifying critical WordPress options like `default_role` and user capabilities without proper nonce verification. Mitigation requires immediate deactivation and removal of the plugin, auditing options, and verifying administrator accounts. |
| 2026-04-17 2026 | 9 Attack Surface Monitoring Tools in 2026 (SentinelOne)Recon | Library for discovering and managing attack surface exposures, including open ports, subdomains, misconfigurations, and public-facing APIs. It integrates with SIEMs and incident response teams, providing real-time risk assessment and addressing multi-cloud and hybrid complexities. SentinelOne Singularity™ Cloud Security, a CNAPP solution, offers features like CSPM, CIEM, EASM, AI-SPM, CWPP, and CDR, with autonomous AI-based protection and secret detection. |
| 2026-04-17 2026 | Securing the Software Supply Chain: How SentinelOne's AI EDR Autonomously Blocked the CPU-Z Watering Hole Cyber AttackSupply Chain | Library detailing SentinelOne's AI EDR autonomous blocking of the CPU-Z watering hole attack. The attack involved trojanized download infrastructure and a reflective payload, CRYPTBASE.dll, employing XXTEA encryption and DEFLATE decompression, with STX RAT as the final payload delivering hidden VNC, credential theft, and a reverse proxy. The entry highlights behavioral detection's efficacy against supply chain compromises, anomalous API resolution, reflective code loading, suspicious memory allocation, process injection patterns, and heuristic shellcode signatures, noting attacker reuse of C2 infrastructure and STX RAT YARA rules from a previous FileZilla campaign. |
| 2026-04-11 2026 | CVE-2024-33663: Python-jose Algorithm ConfusionJWT | Writeup on CVE-2024-33663, an algorithm confusion vulnerability impacting python-jose through version 3.3.0. This flaw allows attackers to exploit key format confusion with OpenSSH ECDSA keys, potentially enabling authentication bypass or signature forgery. The vulnerability, similar to CVE-2022-29217 affecting PyJWT, arises from improper algorithm enforcement during JWT verification, allowing attackers to craft malicious tokens by using a public key as a symmetric secret. Mitigation involves explicit algorithm allowlisting and upgrading affected python-jose versions. |
| 2026-04-10 2026 | CVE-2025-56005: PLY RCE VulnerabilityPython | Library vulnerability analysis of CVE-2025-56005 in Dabeaz PLY version 3.11, detailing an insecure deserialization flaw within an undocumented `picklefile` parameter of the `yacc()` function. This allows Remote Code Execution (RCE) through malicious pickle files, a risk amplified by the parameter's obscurity. The analysis includes technical details on the attack vector, root cause (CWE-502), detection methods, and mitigation strategies, while noting ongoing disputes regarding the CVE's validity. |
| 2026-04-10 2026 | Best Secret Scanning Tools For 2026Secrets | Library from SentinelOne scans code repositories for over 750 types of hardcoded secrets, including API keys and cloud tokens, preventing leakage and unauthorized access. It integrates into CI/CD pipelines, supports GitHub, GitLab, and BitBucket, and offers agentless vulnerability scanning with over 1,000 rules. Its CNAPP capabilities include Cloud Security Posture Management, Cloud Workload Security with AI-powered runtime protection, and Cloud Infrastructure Entitlement Management for tightening permissions and reducing alert fatigue. |
| 2026-04-10 2026 | CVE-2026-26116: SQL Server SQL InjectionSQLi | Writeup of CVE-2026-26116, a SQL Injection vulnerability affecting Microsoft SQL Server. Exploiting CWE-89, an authenticated attacker can elevate privileges over a network by manipulating SQL commands. Attackers with low-privilege accounts can craft malicious SQL statements to bypass authorization, access sensitive data, or gain administrative control. Mitigation involves applying Microsoft security updates, implementing parameterized queries, restricting network access, and enabling comprehensive auditing. |
| 2026-04-10 2026 | Protecting Against the Critical React2Shell RCE ExposureRCE | Library for identifying and mitigating the critical 'React2Shell' RCE vulnerability (CVE-2025-55182) affecting React Server Components and Next.js. This vulnerability allows unauthenticated attackers to perform server-side code execution via insecure deserialization in the RSC 'Flight' protocol. The library helps secure environments by detailing immediate actions, providing detection rules, and showcasing how SentinelOne's Offensive Security Engine can verify exploitability of affected workloads. |
| 2026-04-09 2026 | WordPress Webmention Plugin SSRF (CVE-2026-0688)SSRF | Analysis of CVE-2026-0688 details a Server-Side Request Forgery (SSRF) vulnerability in WordPress's Webmention plugin up to version 5.6.2. This flaw, residing in the Tools::read function, allows authenticated attackers with Subscriber-level access to force the server to make requests to arbitrary internal or external locations. The vulnerability can be exploited to probe internal networks, access cloud metadata, and interact with sensitive backend systems, often bypassing standard firewalls. Mitigation involves updating the plugin, disabling it, restricting user access, or implementing network-level egress filtering. |
| 2026-04-09 2026 | CVE-2026-3125: OpenNext Cloudflare SSRF via Path Normalization BypassSSRF | Writeup of CVE-2026-3125, detailing a Server-Side Request Forgery (SSRF) in @opennextjs/cloudflare, exploiting path normalization bypass via backslash substitution in the /cdn-cgi/image/ handler. This allows attackers to bypass Cloudflare's edge interception, proxy arbitrary content through victim domains, and potentially expose private cache data under /cdn-cgi/_next_cache. The vulnerability stems from inconsistent path handling between Cloudflare's edge and the JavaScript URL class, classified as CWE-706. Remediation involves upgrading to @opennextjs/cloudflare version 1.17.1 or later. |
| 2026-04-06 2026 | CVE-2025-12305: Shiyi-blog RCE via DeserializationDeser | Writeup of CVE-2025-12305 detailing an insecure deserialization vulnerability in quequnlong shiyi-blog versions up to 1.2.1. Exploitation of the Job Handler component, specifically SysJobController.java, allows remote attackers to achieve arbitrary code execution via crafted serialized Java objects. The vulnerability stems from CWE-502 and CWE-20, enabling attackers with low privileges to leverage gadget chains. Public exploits are available, increasing the risk. Mitigation strategies include input validation, serialization filtering, and network segmentation. |
| 2026-04-06 2026 | CVE-2025-34153: Hyland OnBase RCE via DeserializationDeser | Writeup on CVE-2025-34153, a critical unauthenticated remote code execution vulnerability in Hyland OnBase. Exploiting the .NET Timer Service's TCP channel on port 6031, attackers can leverage insecure .NET BinaryFormatter deserialization in Hyland.Core.Timers.dll to achieve SYSTEM-level privileges. Detection involves monitoring network traffic to port 6031 and suspicious process activity, while mitigation requires upgrading to version 17.0.2.87 or later, or blocking the port. |
| 2026-04-06 2026 | CVE-2025-42928: SAP jConnect RCE via DeserializationDeser | Writeup of CVE-2025-42928, an insecure deserialization vulnerability in SAP jConnect. This flaw, classified under CWE-502, allows authenticated attackers with high privileges to achieve remote code execution by submitting specially crafted serialized Java objects. Exploitation requires leveraging gadget chains within the application's classpath, potentially leading to full system compromise. Mitigation involves applying SAP Security Note #3685286, restricting high-privilege access, and implementing network segmentation. |
| 2026-04-06 2026 | CVE-2026-33873: Langflow Agentic Assistant RCE VulnerabilityPython | Analysis of CVE-2026-33873 in Langflow details a critical code injection vulnerability (CWE-94) in the Agentic Assistant feature. Versions prior to 1.9.0 incorrectly execute LLM-generated Python code during validation, allowing attackers to achieve arbitrary server-side Python execution by manipulating AI output. This network-accessible vulnerability requires low privileges and can lead to system compromise. Mitigation involves upgrading to Langflow 1.9.0 or later, or disabling the Agentic Assistant feature. |
| 2026-04-06 2026 | CVE-2026-34519: AIOHTTP XSS VulnerabilityPython | Library for detecting and mitigating CVE-2026-34519, an HTTP Response Splitting vulnerability in AIOHTTP versions prior to 3.13.4. This flaw, classified as CWE-113, allows attackers to inject arbitrary HTTP headers by controlling the `reason` parameter in `Response` objects, potentially leading to cache poisoning or cross-site scripting. The library assists in identifying affected applications and provides mitigation strategies, including upgrading AIOHTTP, input sanitization for CRLF characters, and WAF rule implementation. |
| 2026-04-06 2026 | CVE-2026-27697: Basercms SQLi VulnerabilitySQLi | Writeup of CVE-2026-27697, an unauthenticated SQL injection vulnerability affecting baserCMS versions prior to 5.2.3. Exploitation allows attackers to manipulate database queries through the blog posts functionality, potentially leading to unauthorized data access, modification, or deletion. The vulnerability stems from improper input validation and can be mitigated by upgrading to baserCMS 5.2.3 or later, implementing WAF rules, or temporarily disabling the blog posts feature. |
| 2026-04-06 2026 | CVE-2026-5197: Student Membership System SQLi VulnerabilitySQLi | Writeup of CVE-2026-5197, a SQL injection vulnerability in code-projects Student Membership System 1.0. The flaw in `/delete_user.php` allows remote authenticated attackers to inject malicious SQL commands via the ID parameter, potentially leading to unauthorized data access, modification, or deletion. Exploitation involves manipulating database queries using techniques like UNION-based or boolean-based blind injection. Mitigation includes implementing prepared statements, strict input validation, or WAF rules. |
| 2026-04-06 2026 | CVE-2025-11035: Jinher OA XXE VulnerabilityXXE | Writeup of CVE-2025-11035 details an XML External Entity (XXE) vulnerability in Jinher OA 2.0, specifically affecting the ManageWord.aspx endpoint. This flaw allows authenticated remote attackers to exfiltrate data, perform server-side request forgery (SSRF), and access internal network resources by manipulating XML input and referencing external entities. Mitigation strategies include input validation, web application firewall rules to block DOCTYPE declarations, and secure XML parser configuration to disable DTD processing. |
| 2026-04-06 2026 | CVE-2025-54254: Adobe Experience Manager Forms XXE VulnerabilityXXE | Analysis of CVE-2025-54254 reveals an XXE vulnerability in Adobe Experience Manager Forms versions 6.5.23 and earlier. This flaw, stemming from improper XML external entity reference handling (CWE-611), allows unauthenticated attackers to read arbitrary files from the server's file system without user interaction. Exploitation involves submitting crafted XML payloads to vulnerable endpoints, potentially exposing sensitive data. Mitigation requires applying Adobe's security patch (APSB25-82), configuring XML parsers to disable external entities, or implementing WAF rules to block XXE patterns. |
| 2026-04-06 2026 | CVE-2026-5417: Dataease SQLbot SSRF VulnerabilitySSRF | Writeup of CVE-2026-5417, a Server-Side Request Forgery (SSRF) vulnerability in Dataease SQLbot versions up to 1.6.0. Exploitable via the `get_es_data_by_http` function in the Elasticsearch Handler, this flaw allows high-privilege attackers to craft arbitrary HTTP requests to internal or external resources, potentially leading to information disclosure or further system compromise. Mitigation involves upgrading to Dataease SQLbot 1.7.0 or later. |
| 2026-04-06 2026 | CVE-2026-34740: Wwbn Avideo SSRF VulnerabilitySSRF | Writeup detailing CVE-2026-34740, a stored Server-Side Request Forgery (SSRF) in WWBN AVideo versions 26.0 and prior. Authenticated users with upload permissions can exploit this by providing malicious URLs, which the server fetches due to inadequate validation via FILTER_VALIDATE_URL, bypassing the intended isSSRFSafeURL() function. This allows attackers to scan internal networks, access cloud metadata services like AWS IMDSv1 at 169.254.169.254, and interact with restricted internal services. Mitigation includes restricting EPG functionality, egress filtering, and auditing EPG entries. |
| 2026-04-06 2026 | CVE-2026-34394: Wwbn Avideo CSRF VulnerabilityCSRF | Analysis of CVE-2026-34394 reveals a critical Cross-Site Request Forgery (CSRF) vulnerability in WWBN AVideo. The admin plugin configuration endpoint, admin/save.json.php, fails to validate CSRF tokens and bypasses table security checks. This, combined with a SameSite=None cookie policy, allows attackers to overwrite arbitrary plugin settings by crafting forged cross-origin POST requests, potentially compromising payment processors, authentication providers, and cloud storage credentials. Mitigation involves restricting administrative access, implementing WAF rules, and advising administrators on secure browsing habits. |
| 2026-04-06 2026 | CVE-2026-32629: phpMyFAQ XSS VulnerabilityXSS | Writeup of CVE-2026-32629 in phpMyFAQ details a stored Cross-Site Scripting (XSS) vulnerability exploitable by unauthenticated attackers. Malicious HTML and JavaScript can be injected via crafted email addresses within RFC 5321 quoted local parts. This bypasses PHP validation and sanitization, leading to persistent XSS execution in admin sessions due to the unsafe use of Twig's `|raw` filter when rendering email addresses. Versions prior to 4.1.1 are affected. |
| 2026-04-06 2026 | CVE-2026-33030: Nginx UI Authorization BypassIDOR | Analysis of CVE-2026-33030 reveals an Insecure Direct Object Reference (IDOR) vulnerability in Nginx UI versions 2.3.3 and prior. This flaw allows any authenticated user to bypass authorization controls, enabling unauthorized access, modification, and deletion of other users' resources due to a lack of user ownership verification in resource endpoint queries. The vulnerability stems from the base Model struct missing a user_id field, leading to broken access control, particularly in multi-user environments. |
| 2026-04-03 2026 | 7 Types of SQL Injection Attacks & How to Prevent ThemSQLi | Library detailing seven types of SQL injection attacks, including classic and blind SQLi. It explains how these attacks exploit un-sanitized user inputs to manipulate databases, leading to unauthorized access and data breaches. Prevention methods discussed include input sanitization, parameterized queries, least privilege access, and the use of Web Application Firewalls (WAFs). |
| 2026-03-02 2026 | CVE-2026-27829: Astro Framework SSRF VulnerabilitySSRF | Vulnerability regarding CVE-2026-27829 in the Astro web framework (versions 9.0.0-9.5.3) allows Server-Side Request Forgery (SSRF). The `inferSize` option bypasses `image.domains` and `image.remotePatterns` restrictions, enabling servers to fetch unauthorized content, potentially exposing sensitive data by targeting internal services and cloud metadata endpoints. Mitigation involves upgrading Astro to 9.5.4 or later, which implements manual redirect handling, or employing workarounds like avoiding `inferSize` with user-controlled URLs and implementing network egress filtering. |