thehackernews.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-05-17.
RCE 41
Supply Chain 22
SSRF 8
AI 5
XSS 4
API Sec 3
Python 3
Secrets 3
AuthN 2
Mobile 2
SQLi 2
Bug Bounty 1
JWT 1
| Date Added | Resource | Excerpt |
|---|---|---|
| 2026-05-17 | NGINX CVE-2026-42945 Exploited in the Wild Causing Worker Crashes and Possible RCE [RCE] | NGINX CVE-2026-42945 is actively being exploited in the wild. This vulnerability can lead to NGINX worker process crashes, causing denial-of-service conditions. Additionally, there's a possibility of remote code execution (RCE) if specific configurations are met. Users are strongly advised to update their NGINX instances to the latest patched versions to mitigate these risks. The provided link offers further technical details on the exploit and mitigation strategies. |
| 2026-05-15 | TanStack Supply Chain Attack Hits Two OpenAI Employee Devices Forces macOS Updates [Supply Chain] | Library detailing a sophisticated supply chain attack campaign, prominently featuring the TanStack Mini Shai-Hulud worm. The attack targeted OpenAI, Mistral AI, and other vendors, leading to compromised macOS apps (ChatGPT Desktop, Codex App, Codex CLI, Atlas) requiring updates due to revoked signing certificates. The malware, delivered via compromised packages like guardrails-ai and mistralai, exhibits advanced capabilities including hardcoded C2 servers, fallback mechanisms like FIRESCALE, and exfiltration to GitHub repositories, while also incorporating destructive behaviors targeting specific geographic regions and exfiltrating AWS credentials across all availability zones. |
| 2026-05-15 | Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets [Supply Chain] | Library: node-ipc versions 9.1.6, 9.2.3, and 12.0.1 contain a stealer backdoor that fingerprints hosts, enumerates local files, and exfiltrates developer and cloud secrets including AWS, Google Cloud, Azure, SSH keys, Kubernetes tokens, and GitHub CLI configs to sh.azurestaticprovider[.]net. The malware uses an Immediately Invoked Function Expression (IIFE) and a SHA-256 fingerprint check for conditional execution, and can exfiltrate data via DNS TXT records by overriding the system's DNS resolver. |
| 2026-05-14 | ThreatsDay Bulletin: PAN-OS RCE Mythos cURL Bug AI Tokenizer Attacks and 10 Stories [RCE] | Library for threat intelligence, detailing exploited PAN-OS RCE (CVE-2026-0300) with EarthWorm and ReverseSocks5 payloads, private AI chats leveraging Trusted Execution Environments for Meta AI, a zero-auth data leak impacting Schemata's AI training platform, the FCC's router update deadline extension, Operation GriefLure's APT phishing targeting Vietnam and Philippines with RATs, a multi-stage intrusion using weaponized PowerShell disguised as JPEGs for ConnectWise ScreenConnect, an aid-themed infostealer using LNK files and Python implants, GhostLock's PoC demonstrating denial of file access via SMB share locking, AI scan results for cURL identifying a low-severity bug, and an MoU between Indian agencies for fraud-risk intelligence sharing. |
| 2026-05-14 | 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE [RCE] | Writeup detailing CVE-2026-42945, a critical heap buffer overflow vulnerability in NGINX's `ngx_http_rewrite_module`, codenamed NGINX Rift. This 18-year-old flaw, discovered by depthfirst, allows unauthenticated remote code execution or denial-of-service through crafted HTTP requests, particularly when using unnamed PCRE captures with a question mark in rewrite directives. The writeup also covers related vulnerabilities: CVE-2026-42946 (excessive memory allocation), CVE-2026-40701 (use-after-free), and CVE-2026-42934 (out-of-bounds read). |
| 2026-05-13 | Microsoft Patches 138 Vulnerabilities Including DNS and Netlogon RCE Flaws [RCE] | Patches from Microsoft address 138 vulnerabilities, including critical RCE flaws in Windows DNS (CVE-2026-41096) and Netlogon (CVE-2026-41089), along with Azure DevOps information exposure (CVE-2026-42826) and Azure Managed Instance for Apache Cassandra code execution (CVE-2026-33109). Additional fixes target Microsoft Dynamics 365, Azure Logic Apps, Microsoft Teams, Azure Cloud Shell, Azure Entra ID, Windows Hyper-V, and a Microsoft SSO Plugin for Jira & Confluence (CVE-2026-41103), with several identified by Microsoft's AI-driven discovery system MDASH. An AMD vulnerability (CVE-2025-54518) related to CPU cache isolation is also patched. |
| 2026-05-12 | New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution [RCE] | Library addressing CVE-2026-45185, a critical use-after-free vulnerability in Exim's BDAT message body parsing when using GnuTLS. This flaw allows attackers to trigger heap corruption and potential code execution by sending specific TLS close_notify alerts followed by cleartext data during BDAT transfers. The issue impacts Exim versions 4.97 through 4.99.2, with a fix available in version 4.99.3. |
| 2026-05-12 | RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded [Supply Chain] | Writeup detailing the recent suspension of new signups by RubyGems, the Ruby programming language's standard package manager, due to a "major malicious attack." Hundreds of malicious packages were uploaded, some containing exploits. This incident highlights the rising threat of software supply chain attacks against open-source ecosystems, with threat actors like TeamPCP compromising popular packages to distribute credential-stealing malware. Mend.io, securing RubyGems, intends to release further details once the incident is contained. |
| 2026-05-11 | TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack [Supply Chain] | Writeup of TeamPCP's compromise of the Checkmarx Jenkins AST plugin, occurring weeks after their KICS supply chain attack. This incident highlights the exploitation of software supply chain trust and the potential for incomplete remediation, as evidenced by the defaced GitHub repository and malicious updates to the plugin. The ongoing attacks by TeamPCP underscore the persistent threat to developer tools and credentials. |
| 2026-05-10 | Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak [API Sec] | Library detailing CVE-2026-7482, a critical out-of-bounds read vulnerability in Ollama's GGUF model loader that allows remote attackers to leak process memory, potentially exposing API keys and user data. It also covers two unpatched Windows vulnerabilities, CVE-2026-42248 (missing signature verification) and CVE-2026-42249 (path traversal), which can be chained for persistent code execution by influencing update responses. |
| 2026-05-08 | Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise [Supply Chain] | Library targeting developers' systems with the Quasar Linux RAT (QLNX) implants, a malware designed for credential harvesting from files like .npmrc, .pypirc, and .aws/credentials. QLNX masquerades as a kernel thread, wipes logs, and uses seven persistence methods including systemd and crontab. It features a PAM inline-hook backdoor and a kernel-level eBPF rootkit component to hide processes, files, and network ports, ultimately facilitating software supply chain attacks by compromising publishing pipelines and cloud infrastructure. |
| 2026-05-07 | Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access [RCE] | Writeup on CVE-2026-6973, an active RCE vulnerability in Ivanti Endpoint Manager Mobile (EPMM) allowing administrative users to execute arbitrary code. This flaw, along with CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821, impacts on-premise EPMM and is under active exploitation. CISA has added CVE-2026-6973 to its KEV catalog, mandating fixes for federal agencies. |
| 2026-05-07 | PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage [RCE] | Writeup of CVE-2026-0300, a critical buffer overflow in PAN-OS enabling root access, exploited by threat actors potentially as early as April 9, 2026. The vulnerability allows unauthenticated RCE via crafted packets, with successful exploitation observed by Unit 42, attributed to state-sponsored cluster CL-STA-1132. Post-exploitation involved AD enumeration and deployment of tools like EarthWorm and ReverseSocks5. Mitigation includes restricting portal access, disabling Response Pages, and enabling Threat ID 510019. |
| 2026-05-07 | vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution [RCE] | Writeup detailing critical vulnerabilities within the vm2 Node.js library, enabling sandbox escape and arbitrary code execution. These flaws, including CVE-2026-43997 and CVE-2026-44005, exploit mechanisms like `__lookupGetter__`, the `species` property of promises, the `inspect` function, `SuppressedError`, Symbol-to-string coercion, prototype pollution, and bypasses of the allowlist. The report highlights the ongoing challenge of secure code isolation in JavaScript environments and strongly advises updating to version 3.11.2. |
| 2026-05-06 | Android Apps Get Public Verification System to Stop Supply Chain Attacks [Supply Chain] | Android is launching a new public verification system to combat supply chain attacks targeting apps. This system will allow developers to publicly attest to the integrity of their app's source code, build environment, and signing keys. By making this information publicly verifiable, Android aims to increase transparency and trust in the app development process, making it harder for malicious actors to inject compromised code into legitimate applications. This initiative seeks to bolster the security of the Android app ecosystem. |
| 2026-05-06 | Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution [API Sec, RCE] | Analysis of CVE-2026-0300, a critical buffer overflow vulnerability in Palo Alto Networks' PAN-OS software that allows unauthenticated remote code execution with root privileges. This flaw impacts PA-Series and VM-Series firewalls, particularly those with the User-ID Authentication Portal accessible from untrusted networks. While patches are forthcoming, interim mitigations include restricting portal access or disabling it entirely. |
| 2026-05-05 | Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE [RCE] | Writeup of CVE-2026-23918, a critical double-free vulnerability in Apache HTTP Server's HTTP/2 protocol handling that enables denial-of-service and potential remote code execution. Discovered by Bartlomiej Dmitruk and Stanislaw Strzalkowski, the flaw in `mod_http2`'s `h2_mplx.c` allows an attacker to trigger an RCE by exploiting memory reuse with the APR mmap allocator and Apache's scoreboard. Exploitation, while requiring an info leak for system() and scoreboard offsets, is practical on Debian-derived systems and the official httpd Docker image. |
| 2026-05-05 | DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware [Supply Chain] | DAEMON Tools, a popular disk imaging software, has been targeted in a supply chain attack. Malicious code was injected into official DAEMON Tools installers distributed via the company's website. This malware infected users' systems upon installation, posing a significant security risk. The extent of the compromise and the specific type of malware used are still under investigation. |
| 2026-05-05 | MetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks [RCE] | https://ift.tt/wGPfx1F |
| 2026-05-05 | Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API [API Sec, RCE] | https://ift.tt/AUFwnIP |
| 2026-05-04 | Weekly Recap: AI-Powered Phishing Android Spying Tool Linux Exploit GitHub RCE & More [AI, Mobile, RCE] | Library of tools and techniques for application security professionals, detailing active exploitation of a cPanel flaw (CVE-2026-41940) enabling authentication bypass and website wipes, alongside a Linux kernel vulnerability (CVE-2026-31431) for trivial privilege escalation. The recap also covers cybercrime groups using vishing for SaaS environment infiltration, TeamPCP's supply chain attacks across npm, PyPI, and Packagist, a Python backdoor (DEEP#DOOR) for comprehensive data theft, a critical GitHub vulnerability (CVE-2026-3854) allowing remote code execution, and VECT 2.0 ransomware's destructive file wiping. |
| 2026-05-01 | Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft [Supply Chain] | Attackers are exploiting vulnerabilities in Ruby Gems and Go Modules to compromise CI/CD pipelines and steal credentials. Malicious packages are disguised as legitimate dependencies, and once incorporated into a project's build process, they can execute arbitrary code. This allows attackers to access sensitive information like API keys and passwords stored within the CI environment. Organizations using these package managers should diligently audit their dependencies and implement robust security measures to prevent such attacks. |
| 2026-04-30 | New Linux 'Copy Fail' Vulnerability Enables Root Access on Major Distributions [Python, RCE] | https://ift.tt/cStkN40 |
| 2026-04-30 | PyTorch Lightning Compromised in PyPI Supply Chain Attack to Steal Credentials [Supply Chain] | Library compromised in a PyPI supply chain attack, pushing malicious versions 2.6.2 and 2.6.3 of PyTorch Lightning, leading to credential theft. The attack leveraged a hidden downloader and obfuscated JavaScript payload, executed automatically upon import, to harvest GitHub tokens, cloud credentials, and other secrets, with propagation techniques extending to npm packages. This incident is linked to the broader Mini Shai-Hulud campaign and threat actor TeamPCP. |
| 2026-04-30 | Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enable Code Execution [RCE] | Google has patched two critical vulnerabilities. One, a CVSS 10 rated Remote Code Execution (RCE) flaw in Gemini CLI CI, allowed attackers to execute arbitrary code. The other, a flaw in Cursor, also enabled code execution. Details were not provided regarding specific bounty payouts for these fixes. |
| 2026-04-29 | LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure [SQLi] | Writeup of CVE-2026-42208, a critical SQL injection vulnerability in BerriAI's LiteLLM Python package, actively exploited within 36 hours of disclosure. The flaw, affecting versions between 1.81.16 and 1.83.7, allowed unauthenticated attackers to modify the LiteLLM proxy database, potentially accessing and altering credentials for LLM providers like OpenAI, Anthropic, and AWS. Exploitation attempts targeted tables such as `litellm_credentials.credential_values`, suggesting attackers sought to compromise cloud-grade credentials managed by the AI gateway. |
| 2026-04-28 | Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push [RCE, Supply Chain] | Writeup of CVE-2026-3854, a critical command injection vulnerability in GitHub.com and GitHub Enterprise Server. Exploitable via a single "git push" command, this flaw allows authenticated users with push access to achieve remote code execution by injecting malicious metadata into internal service headers. Researchers from Wiz demonstrated a technique chaining three injections to bypass sandboxing, redirect hooks, and execute arbitrary commands as the git user, potentially leading to cross-tenant repository exposure on GitHub.com. |
| 2026-04-28 | Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE [RCE] | Writeup on CVE-2026-25874, a critical unauthenticated RCE vulnerability in Hugging Face's LeRobot platform. The flaw, found in version 0.4.3, stems from unsafe data deserialization using Python's pickle format within the async inference pipeline, allowing attackers to execute arbitrary code via gRPC calls. This impacts the PolicyServer and robot client components, potentially leading to network compromise, data theft, and safety risks. A fix is planned for version 0.6.0. |
| 2026-04-28 | Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 [RCE] | Writeup on CVE-2026-32202, a Windows Shell spoofing vulnerability actively exploited in the wild. This zero-click flaw, with a CVSS score of 4.3, stems from an incomplete patch for CVE-2026-21510 and allows attackers to steal Net-NTLMv2 hashes via SMB connections. Russian nation-state group APT28 reportedly used it in conjunction with CVE-2026-21513, leveraging malicious LNK files to bypass Microsoft Defender SmartScreen and achieve credential theft. |
| 2026-04-27 | Weekly Recap: Fast16 Malware XChat Launch Federal Backdoor AI Employee Tracking & More [AI] | Toolset highlighting recent application security threats including fast16 malware, the UNC6692 group's Snow malware suite, FIRESTARTER backdoor targeting a U.S. federal agency, Lotus Wiper affecting Venezuelan energy systems, and The Gentlemen RaaS deploying SystemBC. It also covers the Bitwarden CLI compromise, detailing vulnerabilities such as CVE-2025-20333 and CVE-2025-20362. |
| 2026-04-24 | LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure [SSRF] | LMDeploy, a library that facilitates the deployment and serving of large language models, is vulnerable to CVE-2026-33626, a high-severity Server-Side Request Forgery (SSRF) flaw. This vulnerability, discovered by Igor Stepansky and observed being exploited by Sysdig within 13 hours of disclosure, allows attackers to fetch arbitrary URLs via the `load_image()` function in `lmdeploy/vl/utils.py`. Exploitation can lead to accessing cloud metadata services, internal networks, sensitive data, and port scanning of internal systems, as demonstrated by active attempts against AWS IMDS and Redis. |
| 2026-04-22 | Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens [Supply Chain] | Library for detecting and preventing supply chain attacks, such as the self-propagating worm found in npm packages like `@automagik/genie` and `pgserve`. It details how these worms, like CanisterSprawl, steal developer tokens and credentials for AWS, Azure, and Google Cloud, and can propagate to PyPI packages. The library also covers attacks targeting GitHub Actions' `pull_request_target` trigger and credential harvesting via LLM proxies. |
| 2026-04-22 | Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain [Supply Chain] | Writeup of supply chain attacks targeting Checkmarx, detailing malicious KICS Docker images and VS Code extensions. Threat actors overwrote Docker Hub tags and introduced compromised versions of the `cx-dev-assist` and `ast-results` extensions. The compromised artifacts exfiltrated GitHub tokens, AWS and Azure credentials, and SSH keys to external endpoints. These attacks, potentially by TeamPCP, leveraged stolen credentials to inject malicious GitHub Actions workflows and republish npm packages, creating further propagation paths. |
| 2026-04-22 | UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours [Secrets] | Writeup of UNC6426's nx npm supply-chain attack, detailing how a compromised GitHub token and an overly permissive AWS OIDC trust were exploited to gain full AWS administrator access within 72 hours. The attack involved leveraging the `nx` package, the `pull_request_target` vulnerability, and the QUIETVAULT credential stealer, with reconnaissance aided by the Nord Stream tool. Recommendations include sandboxing package managers, applying least privilege to CI/CD roles, and enforcing fine-grained PATs. |
| 2026-04-22 | TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files [Supply Chain] | Library compromising the `telnyx` Python package with versions 4.87.1 and 4.87.2 on PyPI. The malware uses audio steganography within `.WAV` files to deliver a multi-stage attack chain, harvesting credentials and exfiltrating data to `83.142.209[.]203:8080` on Linux/macOS, while establishing persistence via `msbuild.exe` on Windows. This supply chain attack by TeamPCP follows similar compromises of Trivy, KICS, and litellm. |
| 2026-04-22 | Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain [RCE] | Analysis of the Model Context Protocol (MCP) reveals a fundamental design flaw enabling Arbitrary Command Execution (RCE) across its SDK implementations in Python, TypeScript, Java, and Rust. This systemic vulnerability, affecting over 7,000 projects including LiteLLM, LangChain, and Flowise, stems from unsafe defaults in STDIO transport, leading to identified CVEs like CVE-2026-30623 and CVE-2025-49596. The flaw allows attackers to inject commands through various means, including prompt injection and network requests, potentially compromising sensitive data and impacting the AI supply chain, despite Anthropic classifying the behavior as "expected." |
| 2026-04-22 | SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files [Python, RCE] | Writeup on CVE-2026-5760, a CVSS 9.8 remote code execution vulnerability in SGLang. Attackers exploit this by crafting malicious GGUF model files with Jinja2 server-side template injection payloads in the `tokenizer.chat_template` parameter. Loading these models and hitting the `/v1/rerank` endpoint allows arbitrary Python code execution on the SGLang server, similar to CVE-2024-34359 (Llama Drama) and CVE-2025-61620 in vLLM. Mitigation involves using `ImmutableSandboxedEnvironment` for rendering templates. |
| 2026-04-22 | Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure [Python, RCE] | Writeup on CVE-2026-39987, a pre-authenticated RCE vulnerability in Marimo exploited within 10 hours of disclosure. The flaw, unpatched until version 0.23.0, allowed unauthenticated attackers to gain a full PTY shell by connecting to the `/terminal/ws` WebSocket endpoint without proper authentication. Attackers leveraged the exploit for credential theft, environment variable extraction, and deployment of the NKAbuse variant via Hugging Face Spaces, with CISA adding it to the KEV catalog. |
| 2026-04-22 | Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution Container Escape [RCE] | Writeup of CVE-2026-5752, a critical sandbox escape vulnerability in Cohere AI's Terrarium, allowing root code execution via JavaScript prototype chain traversal within the Pyodide WebAssembly environment. This flaw enables attackers with local access to execute arbitrary system commands, access sensitive files like "/etc/passwd," reach other network services, and potentially escape containers. Since the open-source project is unmaintained, mitigations focus on disabling code submission, network segmentation, Web Application Firewall deployment, and rigorous container monitoring. |
| 2026-04-21 | 22 BRIDGE:BREAK Flaws Expose 20000 Lantronix and Silex Serial-to-IP Converters [RCE] | Writeup of BRIDGE:BREAK vulnerabilities affecting Lantronix and Silex serial-to-IP converters. Forescout Research Vedere Labs identified 22 flaws, including remote code execution (CVE-2026-32955, CVE-2025-67041), DoS (CVE-2015-5621), authentication bypass (CVE-2026-32960), and device takeover (FSCT-2025-0021), in devices like Lantronix EDS3000PS Series and Silex SD330-AC, potentially allowing attackers to hijack devices and tamper with data. |
| 2026-04-21 | Google Patches Antigravity IDE Flaw Enabling Prompt Injection Code Execution [AI] | Library for defending against prompt injection attacks in AI-powered development tools. This library addresses vulnerabilities like the one in Google's Antigravity IDE, where flaws in file searching and input sanitization allowed code execution via the `-X` flag. It also covers techniques seen in attacks such as Comment and Control against GitHub Copilot, NomShub in Cursor IDE, ToolJack, CVE-2026-21520 in Microsoft Copilot Studio, and Claudy Day in Claude, all of which leverage untrusted input to manipulate AI agents, exfiltrate data, or gain unauthorized access. |
| 2026-04-19 | Compromised IAM Credentials Power Large AWS Crypto Mining Campaign [Secrets] | Analysis of an AWS crypto mining campaign details how attackers use compromised IAM credentials, including admin-like privileges, to gain access. The multi-stage attack involves credential validation via `RunInstances` with `DryRun`, role creation for ECS and Lambda, and deployment of malicious Docker images like `yenik65958/secret:user`. Persistence is achieved using `ModifyInstanceAttribute` to disable API termination and by creating Lambda functions. This campaign highlights the sophisticated use of AWS services for illicit cryptocurrency mining and the importance of strong IAM controls, temporary credentials, MFA, and least privilege. |
| 2026-04-19 | Oracle EBS Under Fire as Cl0p Exploits CVE-2025-61882 [SSRF] | Library detailing exploitation of CVE-2025-61882, a critical Oracle E-Business Suite vulnerability, by the Cl0p threat actor for remote code execution. The entry outlines the attack workflow involving XSL payload delivery via a malicious server, Netcat listeners, and specially crafted HTTP requests to `/OA_HTML/SyncServlet` and `/OA_HTML/RF.jsp`. It also highlights a sophisticated chain involving Server-Side Request Forgery (SSRF) and Carriage Return/Line Feed (CRLF) Injection to load untrusted XSLT templates, enabling arbitrary code execution. |
| 2026-04-17 | New Supply Chain Malware Operation Hits npm and PyPI [Supply Chain] | Library of malware operations targeting npm and PyPI packages, including GlueStack for remote command execution and screenshotting, express-api-sync and system-health-sync-api for file deletion, and imad213 on PyPI for harvesting Instagram credentials. These attacks leverage compromised accounts and malicious code injection to steal information, sabotage systems, and exfiltrate data via covert channels like SMTP. |
| 2026-04-17 | Malicious PyPI, npm, Ruby Packages Exposed (The Hacker News) [Supply Chain] | Library updates on npm, PyPI, and Ruby pose significant supply chain risks, with malicious packages identified for draining cryptocurrency, erasing codebases, and exfiltrating Telegram API tokens. These threats include typosquatting attacks like "xlsx-to-json-lh" on npm and impersonating "colorama" on PyPI, alongside novel techniques such as "monkey patching" Solana key generation and injecting infostealers into PyTorch models. Vendors like Checkmarx, ReversingLabs, Safety, and Socket reported these findings, highlighting the exploitation of geopolitical events and the growing threat of AI-themed package abuse. |
| 2026-04-17 | Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation [RCE] | Writeup detailing CVE-2026-34197, a critical Apache ActiveMQ Classic vulnerability allowing code injection via the Jolokia API. This flaw, actively exploited and added to CISA's KEV catalog, has been present for 13 years and is exacerbated by CVE-2024-32114 on certain versions, enabling unauthenticated RCE. Horizon3.ai and SAFE Security highlight its exploitation targeting exposed management endpoints, with Fortinet noting dozens of attempts. Upgrading to versions 5.19.4 or 6.2.3 is recommended. |
| 2026-04-16 | DarkSword iOS Exploit Kit: 6 Flaws and 3 Zero-Days for Full Takeover [Mobile] | Library leveraging six iOS vulnerabilities, including zero-days CVE-2026-20700, CVE-2025-43529, and CVE-2025-14174, to steal sensitive data from iPhones running iOS 18.4 through 18.7. This JavaScript-based exploit chain, dubbed DarkSword, achieves code execution via JavaScriptCore vulnerabilities like CVE-2025-31277, escapes sandboxes through GPU processes, and escalates privileges via kernel flaws like CVE-2025-43520, ultimately exfiltrating information within minutes. |
| 2026-04-16 | ThreatsDay Bulletin: 17-Year-Old Excel RCE, Defender 0-Day, SonicWall Brute-Force and 15 More Stories [RCE] | Library of recent application security vulnerabilities, including a 17-year-old Microsoft Office Excel RCE (CVE-2009-0238), a new Microsoft Defender privilege escalation zero-day (RedSun) and DoS exploit (UnDefend), a targeted cryptocurrency wallet breach via AI social engineering against Zerion, and a fake Ledger app on the Apple App Store that stole $9.5 million. It also covers a new ransomware strain (JanaWare) targeting Turkey, the uncovering of stealthy C2 frameworks (ObsidianStrike, ArchangelC2), and updates to Raspberry Pi OS disabling passwordless sudo by default. |
| 2026-04-16 | Cisco Patches Four Critical Identity Services Webex Flaws Enabling Code Execution [RCE] | Writeup detailing Cisco's patching of four critical vulnerabilities in Identity Services and Webex Services. CVE-2026-20184, a critical improper certificate validation flaw in Webex SSO, allows unauthenticated user impersonation. CVE-2026-20147, CVE-2026-20180, and CVE-2026-20186 are insufficient input validation flaws in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), enabling authenticated remote code execution and arbitrary command execution with administrative or read-only credentials respectively. |
| 2026-04-15 | April Patch Tuesday Fixes Critical Flaws Across SAP Adobe Microsoft Fortinet and More [RCE] | Reference detailing critical vulnerabilities patched in April's Patch Tuesday, including an SQL injection in SAP Business Planning and Consolidation (CVE-2026-27681), a remotely exploitable code execution in Adobe Acrobat Reader (CVE-2026-34621), and path traversal flaws in FortiSandbox (CVE-2026-39813, CVE-2026-39808). It also mentions a spoofing vulnerability in Microsoft SharePoint Server (CVE-2026-32201) and numerous other patches from vendors like ABB, AWS, Apple, Cisco, and Linux distributions. |
| 2026-04-15 | Critical nginx-ui Vulnerability CVE-2026-33032 Allows Unauthenticated Nginx Takeover [RCE] | Writeup of CVE-2026-33032, an authentication bypass vulnerability in nginx-ui. This flaw, codenamed MCPwn, allows unauthenticated attackers to seize control of Nginx services by exploiting the /mcp_message endpoint, which bypasses authentication while only enforcing IP whitelisting. Attackers can gain session IDs by leveraging a separate vulnerability (CVE-2026-27944) to decrypt backups and extract sensitive data, including "node_secret" credentials. Exploitation can lead to restarting Nginx, modifying configuration files, and intercepting traffic. The vulnerability is patched in nginx-ui version 2.3.4. |
| 2026-04-15 | Microsoft Issues Patches for SharePoint Zero-Day and 168 Other Vulnerabilities [RCE] | Library of Microsoft patches addressing 169 vulnerabilities, including zero-day CVE-2026-32201 impacting SharePoint Server, a privilege escalation flaw in Microsoft Defender (CVE-2026-33825) known as BlueHammer, and a critical remote code execution vulnerability in Windows Internet Key Exchange (CVE-2026-33824). The release also included CVEs impacting AMD, Node.js, Windows Secure Boot, and Git for Windows. |
| 2026-04-14 | ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers [RCE] | Writeup of CVE-2025-0520, a critical ShowDoc RCE flaw with CVSS 9.4, actively exploited due to unrestricted file upload via improper extension validation. Attackers can upload PHP web shells to execute arbitrary code on unpatched servers running versions before 2.8.7, demonstrating the exploitation of N-day vulnerabilities. |
| 2026-04-14 | CISA Adds 6 Known Exploited Flaws in Fortinet Microsoft and Adobe Software [RCE] | Survey of CISA's Known Exploited Vulnerabilities (KEV) catalog, detailing six critical flaws actively exploited in the wild. This includes an SQL injection in Fortinet FortiClient EMS (CVE-2026-21643), use-after-free in Adobe Acrobat Reader (CVE-2020-9715), privilege escalation via Windows CLFS driver (CVE-2023-36424), deserialization vulnerability in Microsoft Exchange Server (CVE-2023-21529), local privilege elevation in Host Process for Windows Tasks (CVE-2025-60710), and insecure library loading in Microsoft VBA (CVE-2012-1854). |
| 2026-04-13 | OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident [Supply Chain] | Writeup detailing the OpenAI macOS app certificate revocation following a supply chain incident involving the malicious Axios library, which was poisoned by UNC104 and delivered a WAVESHAPER.V2 backdoor. The incident, alongside another targeting Trivy and leading to the deployment of the SANDCLOCK credential stealer and CanisterWorm, highlights widespread risks to open-source ecosystems and cloud environments, with vendors like CrowdStrike, Microsoft, and Trend Micro analyzing related campaigns such as CVE-2026-33634. |
| 2026-04-12 | Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621 [RCE] | Writeup of CVE-2026-34621, an actively exploited Adobe Acrobat Reader flaw. This prototype pollution vulnerability, with a CVSS score of 8.6, allows arbitrary code execution when users open malicious PDF documents. Adobe has released emergency updates for Acrobat DC, Acrobat Reader DC, and Acrobat 2024. Security researcher Haifei Li disclosed the zero-day exploitation, and CISA has added it to their Known Exploited Vulnerabilities catalog. |
| 2026-04-11 | Severe Security Flaw Found in jsonwebtoken Library [JWT] | Writeup of CVE-2022-23529 in the jsonwebtoken library, a vulnerability that could lead to remote code execution when verifying a maliciously crafted JSON web token. The flaw impacts versions prior to 9.0.0, and exploiting it requires an attacker to first exploit a separate flaw in the secret management process. While the CVE was initially high-severity, it has since been retracted as the risk is primarily in insecure calling code rather than the library itself. |
| 2026-04-11 | How Attackers Bypass Synced Passkeys [AuthN] | Library detailing how attackers bypass synced passkeys through cloud account compromise, phishing proxies, and malicious browser extensions like those exploiting the `webAuthenticationProxy` API or DOM-based clickjacking. It highlights risks with iCloud and Google Cloud syncing, authentication downgrade attacks against Microsoft Entra ID, and the need for device-bound passkeys, recommending enterprise policies to enforce phishing-resistant, device-bound authenticators and block fallback methods. |
| 2026-04-11 | Fortinet FortiGate SAML SSO Bypass Active Attack [AuthN] | Analysis of Fortinet FortiGate SAML SSO bypass, actively exploited via CVE-2025-59718 and CVE-2025-59719, which allow unauthenticated bypass of SSO logins using crafted SAML messages when FortiCloud SSO is enabled. Threat actors are using hosting providers like The Constant Company llc and Bl Networks to perform malicious logins and export device configurations. CISA has added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog. |
| 2026-04-10 | Compromised dYdX npm and PyPI Packages Deliver Wallet Stealers [Supply Chain] | Compromised versions of the JavaScript (`@dydxprotocol/v4-client-js`) and Python (`dydx-v4-client`) packages, client libraries for interacting with the dYdX v4 protocol, have been found to steal cryptocurrency wallet credentials and, in the Python version, execute remote access trojans. Threat actors inserted malicious code into core registry files, exploiting developer account compromise to distribute these poisoned updates across ecosystems. The attack also highlights risks associated with unpublished packages on npm, where typosquatting can lead to malware distribution. |
| 2026-04-10 | N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust [Supply Chain] | Library detailing the Contagious Interview campaign, which has released over 1,700 malicious packages across npm, PyPI, Go, Rust, and Packagist. These packages, including `dev-log-core`, `logutilkit`, and `github[.]com/golangorg/formstash`, function as malware loaders, distributing infostealers and RATs capable of post-compromise activity. The malicious code is concealed within legitimate functions, making detection challenging. |
| 2026-04-10 | Malicious PyPI and npm Packages Exploiting Dependencies in Supply Chain Attacks [Supply Chain] | Library detailing malicious PyPI and npm packages exploiting supply chain vulnerabilities. The `termncolor` PyPI package, leveraging the `colorinal` dependency, employed DLL side-loading via `vcpktsvr.exe` and `libcef.dll` for persistence and command-and-control communication. Similarly, compromised npm packages like `redux-ace` and `rtk-logger` targeted developers via job assessments, harvesting credentials and system data. These incidents highlight risks from automated dependency upgrades, exemplified by the `eslint-config-prettier` compromise. |
| 2026-04-10 | The State of Secrets Sprawl 2026: 9 Takeaways for CISOs [Secrets] | Library of insights from GitGuardian's State of Secrets Sprawl 2026 report detailing the accelerating growth of hardcoded secrets, with 29 million uncovered in 2025. The analysis highlights AI's impact, the 6x higher leak rate in internal repositories, and secrets found outside code in tools like Slack and Jira. It notes the continued validity of leaked secrets and the emergence of developer endpoints as credential aggregation layers, emphasizing the need for non-human identity governance over simple detection. |
| 2026-04-10 | Sneeit WordPress RCE Exploited in the Wild [RCE] | Writeup detailing active exploitation of CVE-2025-6389, a critical RCE vulnerability in the Sneeit Framework WordPress plugin, allowing unauthenticated attackers to execute arbitrary PHP functions like `wp_insert_user()` to create administrative backdoors. Exploitation involves crafting HTTP requests to `/wp-admin/admin-ajax.php` and uploading malicious PHP files such as "xL.php" and "up_sf.php." The report also notes concurrent attacks on ICTBroadcast, exploiting CVE-2025-2611 to deliver the "Frost" DDoS botnet, which employs spreader logic and targets specific response indicators before launching attacks. |
| 2026-04-10 | Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025 [RCE] | Writeup of CVE-2026-34621, a zero-day vulnerability in Adobe Reader exploited since December 2025 via malicious PDFs. This sophisticated exploit, first observed in "Invoice540.pdf," uses obfuscated JavaScript to harvest sensitive data and potentially deliver subsequent payloads for remote code execution and sandbox escape. The exploit targets privileged Acrobat APIs and has been confirmed to work on the latest Adobe Reader version, necessitating user vigilance and prompt application of the provided security update. |
| 2026-04-10 | Cisco Patches Zero-Day RCE Exploited by China-Linked APT [RCE] | Reference detailing CVE-2025-20393, a critical remote command execution flaw in Cisco AsyncOS Software for Secure Email Gateway and Web Manager. Exploited by China-linked APT UAT-9686, this vulnerability, with a CVSS score of 10.0, allows arbitrary root command execution via insufficient validation of HTTP requests to the Spam Quarantine feature. Attackers deployed tools like ReverseSSH, Chisel, AquaPurge, and AquaShell. Cisco has released patches and recommends hardening guidelines, including firewalling, disabling unnecessary services, and enforcing strong authentication. |
| 2026-04-10 | Critical Telnetd Flaw (CVE-2026-32746) Enables Root RCE [RCE] | Writeup of CVE-2026-32746, a critical out-of-bounds write vulnerability in GNU InetUtils telnetd's LINEMODE Set Local Characters suboption handler. This flaw allows unauthenticated remote attackers to execute arbitrary code as root by sending crafted messages during the initial connection handshake. Discovered by Dream, it affects versions through 2.7 and impacts various systems including FreeBSD, NetBSD, and TrueNAS Core. |
| 2026-04-10 | Critical n8n Flaws Allow Remote Code Execution and Credential Exposure [RCE] | Writeup detailing critical n8n vulnerabilities including CVE-2026-27577 (expression sandbox escape for RCE) and CVE-2026-27493 (unauthenticated expression evaluation via Form nodes). These flaws, along with CVE-2026-27495 (JavaScript Task Runner code injection) and CVE-2026-27497 (Merge node SQL query mode RCE), allow for arbitrary code execution and credential exposure. Patched versions are 2.10.1, 2.9.3, and 1.123.22. |
| 2026-04-10 | Why React Didn't Kill XSS: The New JavaScript Injection Playbook [XSS] | Guide detailing modern JavaScript injection techniques, including prototype pollution, supply chain compromises via packages like Polyfill.io, and AI prompt injection. It highlights how frameworks like React don't fully prevent XSS, demonstrating vulnerabilities with `dangerouslySetInnerHTML` and recommending context-aware encoding and tools like DOMPurify. The guide also touches on WebAssembly security considerations and emerging AI threats, offering a defense-in-depth approach for developers building secure applications. |
| 2026-04-09 | ThreatsDay Bulletin: Hybrid P2P Botnet 13-Year Apache RCE ClickFix Node.js RAT & 18 More Stories [RCE] | Library for securing applications, featuring protections against hybrid Phorpiex botnet variants, chained Apache ActiveMQ Classic RCE vulnerabilities (CVE-2026-34197, CVE-2024-32114, CVE-2022-41678), AI-driven DDoS tactics amplified by IoT botnets like TurboMirai, Magecart skimmers hidden in SVG elements affecting Magento stores, and malicious MSI installers delivering Node.js RATs. |
| 2026-04-07 | Over 1000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign [RCE] | Tooling identified in a campaign targeting over 1000 exposed ComfyUI instances allows attackers to exploit custom node vulnerabilities for remote code execution. This enables enrollment into a cryptomining botnet for Monero and Conflux using XMRig and lolMiner, and deployment into a Hysteria V2 proxy botnet. The attack leverages tools that scan for vulnerable ComfyUI instances, install malicious nodes like "ComfyUI-Shell-Executor," and establish persistence via shell scripts that disable history, kill competing miners, and use `LD_PRELOAD` hooks and `chattr +i` for resilience. |
| 2026-04-07 | Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12000 Instances Exposed [RCE] | Writeup on CVE-2025-59528, a CVSS 10.0 code injection vulnerability in Flowise AI Agent Builder, allowing remote code execution via JavaScript code injection, similar to prior Flowise flaws like CVE-2025-8943 and CVE-2025-26319. Exploitation can grant access to Node.js modules like `child_process` and `fs`, enabling system compromise, file access, and data exfiltration. Over 12,000 instances remain exposed, facing active exploitation. |
| 2026-04-05 | LangChain LangGraph Flaws Expose Files Secrets Databases in Widely Used AI Frameworks [AI] | Library vulnerabilities in LangChain and LangGraph, specifically CVE-2026-34070 (path traversal), CVE-2025-68664 (deserialization of untrusted data), and CVE-2025-67644 (SQL injection), allow attackers to access arbitrary files, steal API keys and environment secrets, and manipulate SQL queries. These flaws, impacting widely used LLM application frameworks, have been patched in recent versions of langchain-core and langgraph-checkpoint-sqlite. |
| 2026-04-05 | 36 Malicious npm Packages Exploited Redis PostgreSQL to Deploy Persistent Implants [Supply Chain] | Library of 36 malicious npm packages disguised as Strapi CMS plugins, which exploit Redis and PostgreSQL to deploy persistent implants, harvest credentials, and execute reverse shells. These packages, uploaded under fake developer accounts, utilize the `postinstall.js` script to execute payloads including Docker container escape, system reconnaissance, and PostgreSQL database exploitation with hardcoded credentials. The campaign's evolution shows a pivot from aggressive exploitation to data collection and targeted credential theft, potentially indicating a cryptocurrency platform attack. |
| 2026-04-05 | New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation [RCE] | Writeup on CVE-2026-5281, a critical use-after-free vulnerability in Chrome's Dawn component. This zero-day flaw, actively exploited in the wild, allows remote attackers to execute arbitrary code via crafted HTML pages. The advisory highlights recent exploitation trends, including CVE-2026-3909, CVE-2026-3910, and CVE-2026-2441, urging users to update to the latest Chrome versions. |
| 2026-04-04 | UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack [Supply Chain] | Writeup detailing UNC1069's sophisticated social engineering campaign that compromised the Axios npm package. Threat actors, identified as North Korean, meticulously cloned company founders and branding to build rapport, then used fake Slack workspaces and Microsoft Teams calls to trick maintainers into downloading remote access trojans. This allowed them to steal npm credentials and publish trojanized versions (1.14.1 and 0.30.4) containing the WAVESHAPER.V2 implant, demonstrating a scalable pattern targeting high-impact open-source maintainers to poison the software supply chain. |
| 2026-04-02 | New "LeakyLooker" Flaws in Google Looker Studio Could Enable Cross-Tenant SQL Queries [SQLi] | Writeup detailing nine "LeakyLooker" vulnerabilities in Google Looker Studio, including cross-tenant unauthorized access, zero-click SQL injection on database connectors and stored credentials, SQL injection on BigQuery and Spanner through native functions and custom queries, data source leaks via hyperlinks and image rendering, XS leaks with timing oracles, and denial of wallet. These flaws could allow attackers to exfiltrate, insert, and delete data across various Google Cloud Platform services, impacting databases like BigQuery, Spanner, PostgreSQL, and MySQL. |
| 2026-03-26 | Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website [XSS] | Library for securing AI browser extensions, this analysis details the ShadowPrompt vulnerability (CVE-2025-XXXX) in Anthropic's Claude Chrome Extension. The flaw exploited an overly permissive origin allowlist combined with a DOM-based XSS vulnerability in an Arkose Labs CAPTCHA component, enabling zero-click prompt injection and potential data theft. A patch has since been deployed. |
| 2026-03-20 | Magento PolyShell Flaw Enables Unauthenticated Uploads RCE and Account Takeover [XSS] | Library for securing Magento, addressing the PolyShell vulnerability (CVE-2026-XXXX) that allows unauthenticated arbitrary file uploads to achieve RCE or account takeover. This critical flaw, affecting Magento Open Source and Adobe Commerce up to 2.4.9-alpha2, exploits the REST API's handling of custom options with file types by writing uploaded data to `pub/media/custom_options/quote/`. Exploitation involves disguised polyglot files that embed executable PHP code within image formats, leading to web shells and password-protected RCE shells. Mitigation strategies include restricting access to the upload directory and implementing web server rules to block access. |
| 2026-02-06 | Claude Opus 4.6 Finds 500+ High-Severity Flaws Across Major Open-Source Libraries [AI] [Bug Bounty] | Library where Claude Opus 4.6 identified over 500 high-severity vulnerabilities in open-source projects like Ghostscript, OpenSC, and CGIF. The LLM demonstrated advanced code reasoning, finding flaws such as a missing bounds check in Ghostscript, a buffer overflow in OpenSC, and a heap buffer overflow in CGIF, even outperforming traditional fuzzers on complex logic-based bugs. |
| 2026-01-21 | Chainlit AI Framework Flaws Enable Data Theft via File Read and SSRF Bugs [SSRF] | Library with vulnerabilities enabling data theft and SSRF attacks within the Chainlit AI framework. CVE-2026-22218, an arbitrary file read flaw, can expose sensitive files and API keys. CVE-2026-22219, an SSRF vulnerability, permits arbitrary HTTP requests, potentially accessing cloud metadata endpoints like AWS IMDSv1. These ChainLeak vulnerabilities can be combined for lateral movement and privilege escalation. Chainlit version 2.9.4 addresses these issues. |
| 2025-11-30 | CISA Adds Actively Exploited XSS Bug CVE-2021-26829 in OpenPLC ScadaBR to KEV [XSS] | Library for securing OpenPLC ScadaBR, addressing CVE-2021-26829 (XSS) and CVE-2021-26828 (unrestricted file upload), both listed on CISA's Known Exploited Vulnerabilities (KEV) catalog due to active exploitation by groups like TwoNet. These vulnerabilities impact Windows and Linux versions, with exploitation involving defacing HMI pages, disabling logs, and uploading web shells. The article also details Out-of-Band Application Security Testing (OAST) infrastructure used to fuel regional exploit operations. |
| 2025-09-24 | Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials [SSRF] | Writeup of CVE-2025-51591, a Server-Side Request Forgery (SSRF) vulnerability in Pandoc, exploited in attacks targeting Amazon Web Services (AWS) Instance Metadata Service (IMDS) to steal EC2 IAM credentials. The flaw, triggered by specially crafted HTML iframe elements, allows attackers to trick applications running on EC2 instances into requesting sensitive metadata. While IMDSv2 enforcement mitigates this specific attack, the incident highlights the ongoing threat of SSRF against cloud infrastructure, similar to past abuses of Adminer. Mitigation involves using Pandoc's sandbox flags or ensuring IMDSv2 is enforced. |
| 2025-07-23 | CISA Warns: SysAid Flaws Under Active Attack Enable Remote File Access and SSRF [SSRF] | Writeup on CISA's warning regarding active exploitation of SysAid IT support software. The vulnerabilities, CVE-2025-2775 and CVE-2025-2776, are improper XML external entity (XXE) reference flaws enabling administrator account takeover, file reading, and SSRF. These can be chained with CVE-2024-36394 for remote code execution. SysAid addressed these in on-premise version 24.4.60 build 16. |
| 2025-03-12 | Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack [SSRF] | Analysis of coordinated cyber attacks revealing over 400 IPs simultaneously exploiting multiple Server-Side Request Forgery (SSRF) vulnerabilities. Notable exploited CVEs include CVE-2020-7796 (Zimbra), CVE-2021-22175 and CVE-2021-22214 (GitLab), and CVE-2024-21893 (Ivanti Connect Secure). The activity, observed by GreyNoise, suggests structured exploitation and potential use of Grafana for reconnaissance before launching SSRF attacks. |
| 2025-02-10 | Zimbra Releases Security Updates for SQL Injection Stored XSS and SSRF Vulnerabilities [SSRF] | Library updates address critical vulnerabilities in Zimbra Collaboration, including CVE-2025-25064, a high-severity SQL injection in ZimbraSync Service allowing authenticated attackers to retrieve email metadata by manipulating a parameter. Stored XSS in the Zimbra Classic Web Client and CVE-2025-25065, a medium-severity SSRF flaw in the RSS feed parser, were also patched, enabling unauthorized redirection to internal network endpoints. |
| 2025-02-06 | Microsoft SharePoint Connector Flaw Could've Enabled Credential Theft Across Power Platform [SSRF] | Writeup detailing a server-side request forgery (SSRF) vulnerability in the Microsoft SharePoint connector for Power Platform. Exploitation, requiring Environment Maker and Basic User roles, could lead to credential theft and unauthorized API requests across Power Automate, Power Apps, and Copilot. Microsoft patched the flaw, identified as Important severity, in December 2024. |
| 2021-06-24 | Google Releases New Framework to Prevent Software Supply Chain Attacks [Supply Chain] | Framework outlining Supply chain Levels for Software Artifacts (SLSA) to secure the software development pipeline and prevent tampering. SLSA, inspired by Google's Binary Authorization for Borg, offers four progressive security levels for software packages and build platforms, culminating in SLSA 4's two-person review and hermetic build process, aiming to provide auditable metadata for policy engines. |