thehackerwire.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-22.
| Date Added | Resource | Tags | Excerpt |
|---|---|---|---|
| 2026-04-22 | Authlib Critical JWT Forgery (CVE-2026-27962) | JWT | CVE-2026-27962 affects Authlib's JWS deserialization when `key=None`, allowing unauthenticated attackers to forge arbitrary JWTs. By embedding their own public key in the JWT's `jwk` header, attackers can bypass signature verification and achieve complete authentication bypass in applications using Authlib versions prior to 1.6.9. |
| 2026-04-22 | Keycloak SAML Disabled Client SSO Bypass (CVE-2026-3047) | AuthN | Writeup of CVE-2026-3047, a CVSS 8.8 flaw in Keycloak's SAML broker (`org.keycloak.broker.saml`) enabling SSO bypass. Attackers can exploit it by initiating login through a SAML client that is simultaneously disabled and configured as an IdP-initiated broker landing target. Despite the client's disabled status, the broker completes the authentication flow, granting unauthorized SSO access to enabled clients within the Keycloak realm. Exploitation requires no prior authentication, allowing remote attackers to bypass security restrictions. |
| 2026-04-22 | LibreChat SSRF Bypass via IPv6 Mapped Address Confusion | SSRF | Writeup of CVE-2026-31943 in LibreChat details a Server-Side Request Forgery bypass where authenticated users can exploit the `isPrivateIP()` function's failure to detect hex-normalized IPv4-mapped IPv6 addresses (e.g. `::ffff:7f00:1` for 127.0.0.1). This allows the LibreChat server to send HTTP requests to internal network resources, including cloud metadata services and loopback addresses, undermining its SSRF protections. Versions prior to 0.8.3 are affected. |
| 2026-04-16 | Chamilo LMS IDOR Leads to Admin Privileges (CVE-2026-40291) | IDOR | Writeup of CVE-2026-40291 details an Insecure Direct Object Reference (IDOR) vulnerability in Chamilo LMS, allowing any authenticated student to escalate privileges to administrator. Exploitation involves a PUT request to the `/api/users/{id}` endpoint that sets the `roles` field to `["ROLE_ADMIN"]`, bypassing authorization checks that only verify the user's ownership of the record. This high-severity flaw affects versions prior to 2.0.0-RC.3 and requires only basic API interaction. The fix is available in Chamilo LMS version 2.0.0-RC.3. |
| 2026-04-10 | FastGPT Critical SSRF via Unauthenticated HTTP Proxy Endpoint | SSRF | Writeup of CVE-2026-34162 in FastGPT, a critical SSRF vulnerability with a CVSS score of 10.0. An unauthenticated HTTP tools testing endpoint, `/api/core/app/httpTools/runTool`, acts as a full HTTP proxy, allowing attackers to force the FastGPT server to make arbitrary HTTP requests to internal or external resources. Exploitation requires only network access. Versions prior to 4.14.9.5 are affected; the fix is available in version 4.14.9.5. |
| 2026-04-10 | U-Office Force Critical RCE via Insecure Deserialization (CVE-2026-3422) | Deser, RCE | Writeup of CVE-2026-3422 details an unauthenticated remote code execution vulnerability in U-Office Force, a product of e-Excellence. This critical flaw, rated CVSS 9.8, stems from insecure deserialization: the application processes maliciously crafted serialized content without proper validation. Attackers can exploit this by crafting serialized payloads containing gadget chains, leading to arbitrary code execution on the server. Successful exploitation requires identifying input channels that deserialize data, such as API endpoints or file uploads. |
| 2026-04-10 | IBM Langflow Desktop RCE via Insecure Deserialization | Deser, RCE | Writeup of CVE-2026-3357, detailing an RCE vulnerability in IBM Langflow Desktop (versions 1.6.0 through 1.8.2) with a CVSS score of 8.8. Exploitation requires authentication and leverages insecure deserialization within the FAISS component, allowing an attacker to execute arbitrary code by providing malicious serialized data. |
| 2026-04-10 | Wazuh RCE via Deserialization of Untrusted Data (CVE-2026-25769) | RCE | Writeup of CVE-2026-25769, a critical RCE vulnerability in Wazuh versions 4.0.0 through 4.14.2. This Deserialization of Untrusted Data flaw, rated CVSS 9.1, requires initial compromise of a worker node, after which an attacker can execute code with root privileges on the Wazuh master node. The fix is available in Wazuh version 4.14.3. |
| 2026-04-10 | Critical Pre-Auth RCE in ChurchCRM Setup Wizard | RCE | Writeup of CVE-2026-39337, a critical pre-authentication RCE in ChurchCRM versions prior to 7.1.0. Attackers can inject arbitrary PHP code into the `$dbPassword` variable during the setup wizard's installation process, leading to complete server compromise. The vulnerability stems from an incomplete fix for CVE-2025-62521, highlighting ongoing input validation issues. |
| 2026-04-10 | WWBN AVideo RCE via Persistent PHP File Upload (CVE-2026-33717) | RCE | Writeup of CVE-2026-33717, a remote code execution vulnerability in WWBN AVideo. This flaw allows unauthenticated attackers to persistently upload and execute arbitrary PHP files by exploiting improper handling of remote content in the `downloadVideoFromDownloadURL()` function and bypassing cleanup via an invalid `resolution` parameter. WWBN AVideo versions up to 26.0 are affected; a fix is available in commit `6da79b43484099a0b660d1544a63c07b633ed3a2`. |
| 2026-04-10 | Explorance Blue RCE via Unrestricted File Upload | RCE | Writeup of CVE-2025-57794 impacting Explorance Blue, detailing an authenticated unrestricted file upload vulnerability that allows remote code execution. Exploitation requires administrative credentials and is possible on versions prior to 8.14.9 by uploading web shells (e.g. PHP, ASPX, JSP, CFML) to accessible directories. The flaw lies in the application's failure to validate file types, enabling attackers to execute arbitrary code on the server. Explorance has released version 8.14.9 to address the issue. |
| 2026-04-10 | Precurio Intranet Portal: CSRF to RCE via File Upload | RCE | Writeup detailing CVE-2026-32989, a CSRF-to-RCE vulnerability in Precurio Intranet Portal 4.4. This high-severity flaw (CVSS 8.8) allows an attacker to trick an authenticated user into uploading a malicious file. If the portal stores this file in a web-accessible, executable location, it can lead to arbitrary code execution on the web server. Exploitation requires an authenticated victim and network access to the target portal. |
| 2026-04-10 | Tiandy Easy7 RCE via OS Command Injection (CVE-2026-4585) | RCE | Writeup of CVE-2026-4585, a critical OS command injection vulnerability in Tiandy Easy7 Integrated Management Platform (versions prior to 7.17.0). This remote, unauthenticated flaw allows attackers to execute arbitrary commands via the `ImportSystemConfiguration.jsp` endpoint by manipulating the `File` argument. The exploit is publicly disclosed and requires no user interaction, presenting a severe risk of system compromise. |
| 2026-04-10 | Microsoft Bing Images OS Command Injection RCE | RCE | Writeup of CVE-2026-32191, a critical OS command injection vulnerability in Microsoft Bing Images that allows unauthenticated attackers to achieve remote code execution (RCE) over the network. The flaw stems from improper neutralization of special elements in OS commands: unsanitized user input is incorporated into system calls, enabling the execution of arbitrary shell commands. Exploitation requires identifying an injection point and crafting payloads that bypass sanitization. |
| 2026-04-10 | AWS RES Root RCE via Crafted Session Name (CVE-2026-5707) | RCE | Writeup of CVE-2026-5707, an OS command injection flaw in AWS Research and Engineering Studio (RES) versions 2025.03 through 2025.12.01. A remote authenticated actor can exploit this vulnerability by providing a crafted virtual desktop session name, leading to arbitrary command execution with root privileges on the virtual desktop host. Exploitation requires valid credentials for the RES environment. Users should upgrade to RES version 2026.03 or apply a mitigation patch. |
| 2026-04-10 | Group-Office Critical RCE via Insecure Deserialization (CVE-2026-34838) | RCE | Writeup of CVE-2026-34838 in Group-Office, detailing an insecure deserialization flaw in the `AbstractSettingsCollection` model. This critical vulnerability, requiring only authenticated low-privilege access, allows attackers to achieve arbitrary file write by injecting a serialized `FileCookieJar` object into setting strings. That file write directly enables remote code execution on Group-Office versions prior to 6.8.156, 25.0.90, and 26.0.12. |
| 2026-04-10 | NVIDIA APEX Deserialization RCE (CVE-2025-33244) | RCE | Writeup of CVE-2025-33244 in NVIDIA APEX for Linux, detailing a critical deserialization of untrusted data vulnerability. This flaw, impacting PyTorch versions prior to 2.6, allows unauthenticated attackers to achieve arbitrary code execution, denial of service, privilege escalation, data tampering, and information disclosure by crafting malicious serialized data. Exploitation requires identifying the specific deserialization sink within APEX and understanding gadget chains in affected PyTorch versions; upgrading PyTorch to 2.6 or later is the recommended mitigation. |
| 2026-04-10 | PraisonAI Critical RCE via Malicious YAML Parsing (CVE-2026-39890) | RCE | Writeup of CVE-2026-39890, a critical RCE vulnerability in PraisonAI allowing arbitrary JavaScript execution via insecure YAML parsing. The flaw exists in `AgentService.loadAgentFromFile`, which improperly handles dangerous `js-yaml` tags such as `!!js/function` and `!!js/undefined` when processing agent definition files. Exploitation involves crafting a malicious YAML file with embedded JavaScript and uploading it to the server, leading to server-side code execution. Versions prior to 4.5.115 are affected; upgrading mitigates the issue. |
| 2026-04-10 | Microsoft SharePoint Deserialization RCE (CVE-2026-26114) | Deser | Writeup of CVE-2026-26114, a deserialization of untrusted data vulnerability in Microsoft Office SharePoint. This high-severity flaw (CVSS 8.8) allows an authenticated, network-exploitable attacker to achieve remote code execution by submitting specially crafted serialized data. Exploitation requires identifying the input fields that accept serialized data and understanding the application's object graph and potential gadget chains for payload creation. |
| 2026-04-10 | CI4MS Critical Stored XSS (CVE-2026-34569) | XSS | Writeup of CVE-2026-34569, a critical stored Cross-Site Scripting (XSS) vulnerability in CI4MS (versions prior to 0.31.0.0). Attackers with category editing privileges can inject JavaScript into blog category titles, which then executes on public and administrative pages when rendered. The vulnerability stems from insufficient input sanitization and output encoding. |
| 2026-04-10 | CI4MS Stored DOM XSS via Menu Management (CVE-2026-34565) | XSS | Writeup detailing CVE-2026-34565, a critical stored DOM-based XSS in CI4MS versions prior to 0.31.0.0. Exploitation requires authenticated access to inject malicious scripts into navigation menus via the Menu Management functionality; the scripts execute when rendered in administrative dashboards or public-facing menus. The vulnerability, with a CVSS score of 9.1, impacts the CI4MS CMS skeleton built on CodeIgniter 4. |
| 2026-04-10 | Homarr DOM-based XSS (CVE-2026-33510) | XSS | Writeup on CVE-2026-33510, a high-severity DOM-based XSS in Homarr (versions prior to 1.57.0). Exploitation involves crafting a malicious link that manipulates the `callbackUrl` parameter on the `/auth/login` page. This parameter is passed directly to client-side navigation functions such as `redirect` and `router.push`, allowing attackers to execute arbitrary JavaScript within a victim's browser session. This can lead to credential theft, internal network pivoting, and unauthorized actions. |
| 2026-04-09 | curl_cffi SSRF via Unrestricted Redirects (CVE-2026-33752) | SSRF | Writeup of CVE-2026-33752, a critical Server-Side Request Forgery in curl_cffi versions prior to 0.15.0. The vulnerability allows attackers to make applications using the library send requests to internal IP ranges, including cloud metadata endpoints, by leveraging unrestricted HTTP redirects and TLS impersonation features to bypass network controls. Exploitation requires network access to the vulnerable application and involves crafting a URL that redirects to an internal target. |
| 2026-04-09 | Plunk Critical SSRF in SNS Webhook Handler (CVE-2026-32096) | SSRF | Writeup of CVE-2026-32096, a critical SSRF vulnerability in Plunk's SNS webhook handler. Unauthenticated attackers can force the email platform, in versions prior to 0.7.0, to make arbitrary outbound HTTP GET requests. This could facilitate internal network reconnaissance or access to sensitive cloud metadata such as AWS's http://169.254.169.254/latest/meta-data/. The fix is available in Plunk version 0.7.0. |
| 2026-04-09 | Microsoft Purview SSRF Privilege Elevation (CVE-2026-26138) | SSRF | Writeup of CVE-2026-26138, a high-severity (CVSS 8.6) SSRF vulnerability in Microsoft Purview that allows an unauthenticated attacker with network access to force the server to make requests to arbitrary domains or internal resources, leading to privilege escalation. Exploitation requires identifying the input parameter or endpoint susceptible to URL manipulation in order to trigger the attack and confirm the privilege escalation mechanism. |
| 2026-04-06 | Nginx UI IDOR Allows Cross-User Resource Access | IDOR | Writeup of CVE-2026-33030, an Insecure Direct Object Reference (IDOR) in Nginx UI versions 2.3.3 and prior. This high-severity vulnerability allows any authenticated user to access, modify, or delete resources belonging to other users because the application's base Model struct lacks a `user_id` field. Exploitation requires an authenticated account and involves identifying another user's resource ID to craft requests that bypass authorization controls, giving complete cross-user resource access. |
| 2026-04-03 | OpenOlat Velocity Template Injection Leads to RCE | RCE | Writeup of CVE-2026-28228 in OpenOlat details a high-severity server-side template injection vulnerability. Exploitable by authenticated users with the Author role, it allows Velocity directives to be injected into reminder email templates, leading to remote code execution (RCE) via Java reflection and `ProcessBuilder`. Affected versions are those prior to OpenOlat 19.1.31, 20.1.18, and 20.2.5. |
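The Authlib row above describes a verifier that, given `key=None`, takes its key from the token's own `jwk` header. The following is an added example written for this page, not Authlib's code and not the disclosed exploit: a toy HS256 verifier that shows the flawed fallback next to the hardened form. It uses an `oct` (symmetric) JWK so it runs on the Python standard library alone, whereas the real case embeds an RSA/EC public key; the trust failure is the same, because the verifier's trust anchor comes from the attacker. The key values, claims and function names are constructed.

```python
"""Why a JWS verifier must never take its key from the token's own header.
Illustrative code written for this page, not Authlib's implementation: HS256
with an 'oct' JWK so it is stdlib-only; the real-world variant embeds an
RSA/EC public key, and the trust flaw is identical."""
import base64
import hashlib
import hmac
import json
from typing import Optional

SERVER_KEY = b"server-secret-known-only-to-the-app"  # constructed sample key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def sign_hs256(claims: dict, key: bytes, extra_header: Optional[dict] = None) -> str:
    header = {"alg": "HS256", "typ": "JWT", **(extra_header or {})}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    return signing_input + "." + _b64url(_hs256(key, signing_input))


def verify_vulnerable(token: str, key: Optional[bytes] = None) -> dict:
    """Flawed pattern: with key=None, fall back to the key carried in the token's
    'jwk' header. The attacker wrote that header, so the check proves nothing."""
    h_b64, c_b64, s_b64 = token.split(".")
    header = json.loads(_b64url_decode(h_b64))
    if key is None:
        key = _b64url_decode(header["jwk"]["k"])  # attacker-supplied key material
    if not hmac.compare_digest(_hs256(key, h_b64 + "." + c_b64), _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(c_b64))


def verify_hardened(token: str, key: bytes) -> dict:
    """Fixed pattern: the application always supplies the key, the algorithm is
    pinned, and a token that tries to carry its own key is rejected outright."""
    if not key:
        raise ValueError("verification key is required")
    h_b64, c_b64, s_b64 = token.split(".")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if "jwk" in header or "jku" in header:
        raise ValueError("embedded key headers are not accepted")
    if not hmac.compare_digest(_hs256(key, h_b64 + "." + c_b64), _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(c_b64))


def forge_token() -> str:
    """Attacker signs admin claims with a key they chose and ships it as 'jwk'."""
    attacker_key = b"attacker-chosen-key"
    jwk = {"kty": "oct", "k": _b64url(attacker_key)}
    return sign_hs256({"sub": "admin", "role": "admin"}, attacker_key, {"jwk": jwk})


def demo() -> dict:
    """Returns who each verifier believes the forged token is for."""
    forged = forge_token()
    out = {}
    for name, fn in (("vulnerable", lambda: verify_vulnerable(forged, key=None)),
                     ("hardened", lambda: verify_hardened(forged, SERVER_KEY))):
        try:
            out[name] = fn()["sub"]
        except (ValueError, KeyError):
            out[name] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

The practical check for any JWT library in use: confirm that verification fails when no key is configured, rather than silently consulting `jwk` or `jku`, and pin the expected `alg` so a key-type confusion cannot be substituted for the header trick.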
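Four rows above are SSRF bypasses of the same two shapes: a private-address check defeated by an alternate literal (the LibreChat row, hex-normalized IPv4-mapped IPv6) and a check applied only to the first URL while the client follows redirects into the internal network (the curl_cffi row; the FastGPT and Plunk rows are the same class of outbound-request sink). The following is an added example written for this page, not the code of any of those projects: a string-prefix filter of the kind the mapped-address trick defeats, beside a parser-based check that unwraps embedded IPv4 addresses, and a fetch loop that re-validates each redirect hop. The hostnames, addresses and the in-memory transport are constructed so it runs offline.

```python
"""SSRF target validation: unwrap IPv4-mapped IPv6 literals and re-validate
every redirect hop. Illustrative code written for this page; not the code of
LibreChat, curl_cffi, FastGPT or Plunk. Fixture hosts are constructed."""
import ipaddress
import re
import socket
from typing import Callable, Iterable
from urllib.parse import urljoin, urlparse

# A prefix deny list of the kind the mapped-address trick defeats: it knows
# "::ffff:127." but not the equivalent hex form "::ffff:7f00:1".
_NAIVE_DENY = re.compile(r"^(127\.|10\.|192\.168\.|169\.254\.|::1$|::ffff:127\.|::ffff:169\.254\.)")


def is_private_naive(host: str) -> bool:
    return bool(_NAIVE_DENY.match(host))


def is_private_target(ip_text: str) -> bool:
    """Parse as an address, unwrap IPv4-mapped (::ffff:a.b.c.d or ::ffff:xxxx:xxxx)
    and 6to4 forms, then reject every non-global category, not just RFC 1918."""
    try:
        addr = ipaddress.ip_address(ip_text.strip("[]"))
    except ValueError:
        return False  # not an IP literal; hostnames are resolved by the caller
    if isinstance(addr, ipaddress.IPv6Address):
        embedded = addr.ipv4_mapped or addr.sixtofour
        if embedded is not None:
            addr = embedded  # ::ffff:7f00:1 -> 127.0.0.1
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


Resolver = Callable[[str], Iterable[str]]
Transport = Callable[[str], tuple]  # url -> (status, headers, body)


def system_resolver(hostname: str) -> list:
    return [info[4][0] for info in socket.getaddrinfo(hostname, None)]


def validate_url(url: str, resolver: Resolver) -> None:
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    host = parts.hostname  # brackets already stripped from IPv6 literals
    try:
        ipaddress.ip_address(host)
        candidates = [host]
    except ValueError:
        candidates = list(resolver(host))
    if not candidates:
        raise ValueError(f"{host!r} does not resolve")
    for ip in candidates:  # every A/AAAA answer must be public, not just the first
        if is_private_target(ip):
            raise ValueError(f"{url!r} targets non-public address {ip}")


def safe_fetch(url: str, transport: Transport, resolver: Resolver = system_resolver,
               max_redirects: int = 5) -> tuple:
    """Follow redirects manually so each hop is validated before it is requested;
    the underlying HTTP client must have automatic redirect following disabled."""
    for _ in range(max_redirects + 1):
        validate_url(url, resolver)
        status, headers, body = transport(url)
        location = headers.get("location")
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        return status, body
    raise ValueError("too many redirects")


# Constructed offline fixtures: a public host whose /go bounces to the cloud
# metadata service written as a hex IPv4-mapped IPv6 literal.
FAKE_DNS = {"public.test": ["93.184.216.34"], "internal.test": ["10.0.0.5"]}
FAKE_HTTP = {
    "http://public.test/go": (302, {"location": "http://[::ffff:a9fe:a9fe]/latest/meta-data/"}, b""),
    "http://public.test/ok": (200, {}, b"hello"),
}


def fake_resolver(hostname: str) -> list:
    return FAKE_DNS.get(hostname, [])


def fake_transport(url: str) -> tuple:
    return FAKE_HTTP.get(url, (404, {}, b""))


def demo() -> dict:
    out = {
        "naive_blocks_dotted": is_private_naive("::ffff:127.0.0.1"),
        "naive_blocks_hex": is_private_naive("::ffff:7f00:1"),
        "strict_blocks_hex": is_private_target("::ffff:7f00:1"),
        "direct_ok": safe_fetch("http://public.test/ok", fake_transport, fake_resolver),
    }
    for name, url in (("redirect_to_metadata", "http://public.test/go"),
                      ("internal_hostname", "http://internal.test/")):
        try:
            safe_fetch(url, fake_transport, fake_resolver)
            out[name] = "allowed"
        except ValueError:
            out[name] = "blocked"
    return out


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add in production: the check validates the resolved addresses, so the connection must be made to one of those validated addresses rather than resolving the hostname a second time (otherwise DNS rebinding reopens the gap), and the transport must be configured so it never follows a redirect on its own.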
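The Chamilo row (an ownership check that still lets the owner write `roles`) and the Nginx UI row (a lookup keyed on the resource id with no owner scoping) are the two halves of object-level authorization. The following is an added example written for this page, not Chamilo's or Nginx UI's code: a minimal in-memory user and site store with the vulnerable handler next to the fixed one for each bug. The records, role names, field allow-lists and endpoint comments are constructed.

```python
"""Object-level authorization on update and lookup endpoints: scope lookups to
the caller and allow-list the fields a caller may change. Illustrative code
written for this page, not Chamilo's or Nginx UI's; all data is constructed."""
from dataclasses import dataclass


class Forbidden(Exception):
    pass


@dataclass
class User:
    id: int
    email: str
    roles: list


@dataclass
class Site:
    id: int
    owner_id: int
    name: str


def fresh_store() -> tuple:
    """Constructed sample data: one admin, one student, one site each."""
    users = {1: User(1, "root@example.test", ["ROLE_ADMIN"]),
             7: User(7, "student@example.test", ["ROLE_STUDENT"])}
    sites = {100: Site(100, 1, "admin-site"), 101: Site(101, 7, "student-site")}
    return users, sites


# PUT /api/users/{id}, Chamilo-style bug: ownership is checked, but every key
# in the body is written through, so the caller can set roles=["ROLE_ADMIN"]
# on their own record (mass assignment of a privilege-bearing field).
def update_user_vulnerable(users: dict, actor: User, target_id: int, body: dict) -> User:
    target = users[target_id]
    if actor.id != target.id and "ROLE_ADMIN" not in actor.roles:
        raise Forbidden("not your record")
    for key, value in body.items():
        setattr(target, key, value)
    return target


SELF_EDITABLE = {"email"}  # what anyone may change on their own record
ADMIN_ONLY = {"roles"}      # privilege-bearing fields need the admin role


def update_user_fixed(users: dict, actor: User, target_id: int, body: dict) -> User:
    target = users[target_id]
    is_admin = "ROLE_ADMIN" in actor.roles
    if actor.id != target.id and not is_admin:
        raise Forbidden("not your record")
    allowed = SELF_EDITABLE | (ADMIN_ONLY if is_admin else set())
    rejected = set(body) - allowed
    if rejected:  # reject rather than silently drop, so clients notice
        raise Forbidden(f"field(s) not permitted: {sorted(rejected)}")
    for key, value in body.items():
        setattr(target, key, value)
    return target


# GET /sites/{id}, Nginx UI-style bug: a lookup keyed on the resource id alone
# hands back other users' resources.
def get_site_vulnerable(sites: dict, actor: User, site_id: int) -> Site:
    return sites[site_id]


def get_site_fixed(sites: dict, actor: User, site_id: int) -> Site:
    site = sites.get(site_id)
    if site is None or site.owner_id != actor.id:
        # Same error for "missing" and "not yours", so ids cannot be enumerated.
        raise Forbidden("no such resource")
    return site


def demo() -> dict:
    out = {}
    users, sites = fresh_store()
    student = users[7]
    update_user_vulnerable(users, student, 7, {"roles": ["ROLE_ADMIN"]})
    out["vulnerable_roles"] = users[7].roles
    users, sites = fresh_store()
    student = users[7]
    try:
        update_user_fixed(users, student, 7, {"roles": ["ROLE_ADMIN"]})
        out["fixed_escalation"] = "allowed"
    except Forbidden:
        out["fixed_escalation"] = "blocked"
    out["fixed_roles"] = users[7].roles
    out["fixed_self_edit"] = update_user_fixed(users, student, 7, {"email": "new@example.test"}).email
    out["vulnerable_cross_user"] = get_site_vulnerable(sites, student, 100).name
    try:
        get_site_fixed(sites, student, 100)
        out["fixed_cross_user"] = "allowed"
    except Forbidden:
        out["fixed_cross_user"] = "blocked"
    return out


if __name__ == "__main__":
    print(demo())
```

The field allow-list is the part teams most often omit: an ownership check answers "may this caller touch this record" but says nothing about "may this caller set this column", and `roles`, `owner_id`, `is_admin` and price-like fields need the second question answered separately.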
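Several rows above are deserialization of untrusted data; the Langflow Desktop row (a FAISS component) and the NVIDIA APEX row (with PyTorch 2.6 as the mitigation) are both in the Python ecosystem, where the sink is `pickle`. The following is an added example written for this page, not the code of Langflow, FAISS, APEX or PyTorch: it shows why `pickle.loads` on attacker bytes is code execution, using a deliberately harmless gadget, and the allow-list `Unpickler` pattern that refuses any global not explicitly expected. The gadget, the marker function and the allow-list contents are constructed.

```python
"""Why unpickling untrusted bytes is code execution, and the allow-list
unpickler that contains it. Illustrative code written for this page; not the
code of Langflow, FAISS, APEX or PyTorch. The gadget is deliberately harmless."""
import io
import pickle

EXECUTED = []  # records that the gadget's callable actually ran


def marker(tag: str) -> str:
    EXECUTED.append(tag)
    return tag


class Gadget:
    """__reduce__ tells pickle 'rebuild me by calling f(*args)'. Here f is the
    harmless marker(); in a real payload it would be os.system or similar."""

    def __reduce__(self):
        return (marker, ("gadget-ran",))


def build_payload() -> bytes:
    """What an attacker would ship as a 'model', 'index' or 'settings' blob."""
    return pickle.dumps(Gadget())


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only an explicit allow-list of globals; any other reference,
    including any function, is refused before it can be called."""
    # Constructed allow-list: whatever non-primitive types the expected data needs.
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"), ("collections", "OrderedDict")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_untrusted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    payload = build_payload()
    EXECUTED.clear()
    pickle.loads(payload)  # the naive sink: the gadget runs right here
    naive_ran = list(EXECUTED)
    EXECUTED.clear()
    try:
        load_untrusted(payload)
        outcome = "allowed"
    except pickle.UnpicklingError:
        outcome = "blocked"
    # Plain data (dicts, lists, floats, strings) needs no globals and still loads.
    benign = load_untrusted(pickle.dumps({"weights": [0.5, -1.25], "name": "idx"}))
    return {"naive_ran": naive_ran, "restricted": outcome,
            "restricted_ran": list(EXECUTED), "benign": benign}


if __name__ == "__main__":
    print(demo())
```

PyTorch 2.6 made `torch.load` default to `weights_only=True`, which applies an allow-list unpickler of this kind to checkpoint files; the same idea, an explicit list of permitted types rather than a deny-list of known gadgets, is what to look for in any loader that accepts serialized objects from users, whatever the language.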