Latest intel// live feed
CVE-2026-45495 — Microsoft: Edge (Chromium-based) Remote Code Execution Vulnerability
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability CVSSv3.1 8.8 (HIGH)
CVE-2026-45230 — DumbAssets: through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and
DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Attackers can exploit the optional and disabled-by-default authentication control to traverse outside the intended application directory and delete critical files such as server.js or package.json, causing c CVSSv3.1 9.1 (CRITICAL)
CVE-2026-42822 — Azure: Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges
Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges over a network. CVSSv3.1 10.0 (CRITICAL)
CVE-2023-24215 — Incorrect access control in the /uci/get/ endpoint of NOVUS AirGate 4G firmware v1.1.16 allows
Incorrect access control in the /uci/get/ endpoint of NOVUS AirGate 4G firmware v1.1.16 allows unauthenticated attackers to obtain administrator credentials via a crafted POST request. CVSSv3.1 9.1 (CRITICAL)
v9.2.0-rc1
BloodHound v9.2.0-rc1 release candidate published with 50+ commits including bug fixes, UI/UX improvements, API enhancements, and a fix for CVE-2026-6321 in the fast-uri dependency. Changes span graph schema refactoring, Cypher query fixes, new filtering endpoints, Prometheus metrics exposure, and permission tightening.
v9.2.0
BloodHound v9.2.0 released with 50+ commits including bug fixes, UI improvements, and new features. Notable changes include Prometheus metrics exposure, findings endpoint, graph schema refactoring, and a fix for CVE-2026-6321 in the fast-uri dependency.
CVE-2026-41085 — Thermo Fisher Scientific Torrent Suite Dx through 5.14.2 has a privilege escalation vulnerability that
Thermo Fisher Scientific Torrent Suite Dx through 5.14.2 has a privilege escalation vulnerability that may allow an authenticated user with limited access privileges to gain unauthorized administrator-level privileges through exploitation of specific system interfaces. CVSSv3.1 8.8 (HIGH)
CVE-2025-57282 — ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection.
ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection. CVSSv3.1 8.8 (HIGH)
CVE-2026-41948 — Dify: version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users
Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencoded dot sequences in task identifiers or manipulated filename parameters to access internal endpoints such as debug interfaces, requiring only knowledge of the victim tenant's UUID. NO CVSSv3.1 9.4 (CRITICAL)
CVE-2026-41947 — Dify: before version 1.14.2 contains an authorization bypass vulnerability that allows authenticated editor users
Dify before version 1.14.2 contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant ownership checks in the trace configuration endpoints to redirect all messages and responses from victim applications to attacker-controlled LLM trace providers. NOTE: Dify Cloud allows unauthenticated free self-registration, making accoun CVSSv3.1 9.1 (CRITICAL)
CVE-2026-7304 — SGLang's multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor
SGLang's multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-7302 — SGLang's multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an
SGLang's multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by including ../ sequences in the upload filename when sent to specific endpoints. CVSSv3.1 9.1 (CRITICAL)
CVE-2026-7301 — SGLang's multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains
SGLang's multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet. CVSSv3.1 9.8 (CRITICAL)
IT threat evolution in Q1 2026. Mobile statistics
Kaspersky's Q1 2026 mobile threat report documents 2.67M prevented attacks, with Trojan-Banker malware accounting for 10.86% of detections and 162,275 malicious banking packages discovered. Key findings include the rise of Mamont banking Trojan variants (73.5% of banker detections), pre-installed Triada backdoors across device ranges, and discovery of SparkCat crypto stealer variants on Google Play and App Store using custom Dalvik-like VMs and Apple Vision framework for OCR.
IT threat evolution in Q1 2026. Non-mobile statistics
Kaspersky's Q1 2026 threat report documents 343M blocked web attacks, 77K ransomware victims, and 260K miner targets. Key findings include the FBI's RAMP forum takedown disrupting RaaS infrastructure, Clop's resurgence as the top ransomware gang (14%), and active exploitation of CVE-2026-20131 zero-day in Cisco Secure FMC by the Interlock group. Notable incidents include macOS supply-chain compromise via Axios npm package and in-the-wild iOS/macOS exploit chains with cryptocurrency theft modules.
CVE-2026-7498 — Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Basamak Information
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Basamak Information Technology Consulting and Organization Trade Ltd. Co. DernekWeb allows Stored XSS. This issue affects DernekWeb: through 30122025. CVSSv3.1 8.8 (HIGH)
CVE-2026-6346 — Mattermost: versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive credentials in plaintext via downloading a support packet from the System Console. Mattermost Advisory ID: MMSA-2026-00607 CVSSv3.1 8.7 (HIGH)
CVE-2026-6379 — The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and
The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks. CVSSv3.1 8.6 (HIGH)
CVE-2026-3220 — Autoptimize: The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer
The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format. CVSSv3.1 8.8 (HIGH)
CVE-2026-8776 — Such manipulation of the argument pptpUserName leads to buffer overflow.
A vulnerability has been found in Edimax BR-6428NS 1.10. This vulnerability affects the function formPPTPSetup of the file /goform/formPPTPSetup of the component POST Request Handler. Such manipulation of the argument pptpUserName leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 8.8 (HIGH)
CVE-2026-8775 — This manipulation of the argument L2TPUserName causes buffer overflow.
A flaw has been found in Edimax BR-6428NS 1.10. This affects the function formL2TPSetup of the file /goform/formL2TPSetup of the component POST Request Handler. This manipulation of the argument L2TPUserName causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 8.8 (HIGH)
Agentic Governance: Why It Matters Now
Trend Micro research paper on agentic governance—the control framework needed to manage autonomous AI agents operating inside trust boundaries with real credentials and API access. The article argues that traditional security models fail against agents because they operate with legitimate credentials and can cause damage through misuse of authority rather than exploitation, and outlines four foundational controls: identity (inventory), authority (granular permissions), action (approval gates), and evidence (comprehensive logging).
CVE-2026-8721 — Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs.
Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs. Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen. The Perl length is discarded. The C code (or OpenSSL internally) calls strlen() on the buffer. Any password byte at or after the first NULL is silently dropped. Binary / KDF-derived / HMAC-derived passwords lose entropy without any warnings. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-8507 — Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out-of-bounds (OOB) write flaws.
Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out-of-bounds (OOB) write flaws. When parsing a PKCS12 file, with a >= 1 GiB OCTET STRING (or BIT STRING) attribute on a SAFEBAG, via info() or info_as_hash(), a heap out-of-bounds write would be triggered with remote-code-execution potential (RCE) due to a signed integer overflow in the size calculation passed to Renew(). CVSSv3.1 9.8 (CRITICAL)
CVE-2026-46720 — Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections.
Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. CVSSv3.1 8.2 (HIGH)