Latest intel // live feed
CVE-2025-12008 — Authorization bypass through User-Controlled key vulnerability in APPYAP Technology and Information Inc.
Authorization bypass through User-Controlled key vulnerability in APPYAP Technology and Information Inc. Yaay Social Media App allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Yaay Social Media App: from 3.8.0 through 24102025. CVSSv3.1 8.8 (HIGH)
Otto Support - Logging and Visibility in MCP Servers
Bishop Fox's otto-support research demonstrates critical logging and observability gaps in Model Context Protocol (MCP) servers, using a CTF to contrast minimal versus audit-level logging. The post documents how five attack classes (environment inheritance, excessive agency, SSRF, confused deputy, supply-chain compromise) leave no forensic trace in default logging, and references the EchoLeak vulnerability (CVE-2025-32711) in Microsoft 365 Copilot where exfiltration was invisible in standard audit logs. The EU AI Act's August 2026 traceability requirements will mandate structured audit logging, but most MCP implementations currently ship with no logging or access-log-only entries.
Kimsuky targets organizations with PebbleDash-based tools
Kaspersky disclosed an in-depth analysis of Kimsuky's evolving PebbleDash and AppleSeed malware clusters, revealing new variants including HelloDoor (first Rust-based PebbleDash variant), httpMalice (latest backdoor), and MemLoad. The group has shifted tactics to leverage legitimate tools (VSCode Tunneling, Cloudflare Quick Tunnels, DWAgent) for persistence and post-exploitation, targeting South Korean defense, government, and medical sectors with spear-phishing campaigns delivering JSE/PIF/SCR/EXE droppers. Notably, HelloDoor contains LLM-generated code comments, and httpMalice uses ChaCha20 encryption with sophisticated C2 communication protocols.
CVE-2026-2347 — Authorization bypass through User-Controlled key vulnerability in Akilli Commerce Software Technologies Ltd.
Authorization bypass through User-Controlled key vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Session Hijacking. This issue affects E-Commerce Website: before 4.5.001. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-11024 — Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Blind SQL Injection. This issue affects E-Commerce Website: before 4.5.001. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-6512 — InfusedWoo: The InfusedWoo Pro plugin for WordPress is vulnerable to authorization bypass in all versions
The InfusedWoo Pro plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, products, or orders, mass-delete all comments on any post, and change any post's status. CVSSv3.1 9.1 (CRITICAL)
CVE-2026-6510 — InfusedWoo: The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via missing authorization
The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via missing authorization in all versions up to, and including, 5.1.2. This is due to missing nonce verification and capability checks in the iwar_save_recipe() AJAX handler. This makes it possible for unauthenticated attackers to create a malicious automation recipe that pairs an HTTP post trigger with an auto-login action, allowing any unauthenticated visitor to visit a crafted URL and receive aut CVSSv3.1 9.8 (CRITICAL)
CVE-2026-6506 — InfusedWoo: The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in all versions
The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.1.2. This is due to the infusedwoo_gdpr_upddata() function missing authorization and capability checks, as well as lacking restrictions on which user meta keys can be updated. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their own wp_capabilities user meta to grant themselves Administrator role privilege CVSSv3.1 8.8 (HIGH)
CVE-2026-6271 — Career: The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all
The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7 via the CV upload handler. This is due to missing file type validation. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-5395 — Fluent: The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin
The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.2.0 via the exportEntries function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Fluent Forms manager-level access and above, to bypass form-level access restrictions to access submissions from forms they are not au CVSSv3.1 8.2 (HIGH)
CVE-2026-3892 — Motors: The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.4.107. This is due to insufficient file path validation in the become-dealer logo upload flow. The plugin allows any authenticated user to set an arbitrary filesystem path via the profile update handler. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary files CVSSv3.1 8.1 (HIGH)
CVE-2026-8181 — Burst: The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is
The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for th CVSSv3.1 9.8 (CRITICAL)
CVE-2026-7481 — GitLab: has remediated an issue in GitLab EE affecting all versions from 16.4 before
GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to execute arbitrary JavaScript in other users' browsers due to improper input sanitization. CVSSv3.1 8.7 (HIGH)
CVE-2026-7377 — GitLab: has remediated an issue in GitLab EE affecting all versions from 18.7 before
GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other users' browsers due to improper input sanitization. CVSSv3.1 8.7 (HIGH)
CVE-2026-6073 — GitLab: has remediated an issue in GitLab EE affecting all versions from 18.7 before
GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to execute arbitrary JavaScript in other users' browsers due to improper input sanitization. CVSSv3.1 8.7 (HIGH)
CVE-2026-5396 — Fluent: The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key
The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions (read, modify, delete, add notes) based on a user-supplied `form_id` query parameter. This makes it possible for authenticated attackers, with Fluent Forms Manager access restricted to specific forms, to read, modify status, add notes to, and permanen CVSSv3.1 8.2 (HIGH)
Why AMOS matters: The macOS malware stealing data at scale
Sophos X-Ops analyzed an AMOS (Atomic macOS Stealer) variant deployed via ClickFix social engineering, accounting for 40% of macOS protection updates in 2025 and nearly half of stealer customer reports in Q1 2026. The malware uses terminal command injection to bootstrap a multi-stage payload that harvests Keychain credentials, browser data, cryptocurrency wallets, and system information, establishing persistence via LaunchDaemon and C2 registration. Detection and prevention opportunities include monitoring for dscl authentication attempts, hidden password storage, ditto compression of credential datasets, and unsigned binary execution from hidden paths.
CVE-2026-8500 — Web: Web::Passwd versions through 0.03 for Perl is vulnerable to RCE.
Web::Passwd versions through 0.03 for Perl is vulnerable to RCE. Web::Passwd is a small CGI application for managing htpasswd files using the htpasswd command. The user parameter is not validated or escaped, and is used as the last argument on the command line, allowing for command injection. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-29206 — SQL: Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on
Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled. CVSSv3.1 8.1 (HIGH)
CVE-2026-45158 — OPNsense: Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the configured interface, which is processed by a shell script, allowing remote code execution as root on the underlying operating system. This vulnerability is fixed in 26.1.8. CVSSv3.1 9.1 (CRITICAL)
CVE-2026-44447 — ERPNext: Prior to 16.9.0, some endpoints were vulnerable to SQL injection through specially crafted requests
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This vulnerability is fixed in 16.9.0. CVSSv3.1 8.8 (HIGH)
CVE-2026-44446 — ERPNext: Prior to 15.104.3 and 16.14.0, some endpoints were vulnerable to SQL injection through specially
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.14.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This vulnerability is fixed in 15.104.3 and 16.14.0. CVSSv3.1 8.8 (HIGH)
CVE-2026-44442 — ERPNext: Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 16.9.1. CVSSv3.1 9.9 (CRITICAL)
CVE-2026-44194 — OPNsense: Prior to 26.1.8, an authenticated Remote Code Execution (RCE) vulnerability in the OPNsense core
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, an authenticated Remote Code Execution (RCE) vulnerability in the OPNsense core allows a user with user-management privileges to execute arbitrary system commands as root. An attacker can bypass input validation by formatting their malicious payload as a compliant email address, allowing shell commands to reach the underlying operating system. The flaw exists in the local user synchronization flow, wi CVSSv3.1 9.1 (CRITICAL)
CVE-2026-44193 — OPNsense: Prior to 26.1.7, the XMLRPC method opnsense.restore_config_section fails to sanitize user supplied input leading
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, the XMLRPC method opnsense.restore_config_section fails to sanitize user supplied input leading to Remote Code Execution. This vulnerability is fixed in 26.1.7. CVSSv3.1 9.1 (CRITICAL)