Latest intel// live feed
CVE-2020-37221 — Atomic Alarm Clock 6.3: local stack overflow in Time Zones Clock display name allows arbitrary code execution
Atomic Alarm Clock 6.3 contains a stack overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string to the display name textbox in the Time Zones Clock configuration. Attackers can craft a buffer with structured exception handling overwrite and encoded shellcode to bypass SafeSEH protections and execute arbitrary commands with application privileges. CVSSv3.1 8.4 (HIGH)
CVE-2020-37218 — Joomla com_hdwplayer 4.2: unauthenticated SQL injection via the hdwplayersearch parameter in search.php
Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hdwplayersearch parameter. Attackers can submit POST requests with crafted SQL payloads in the hdwplayersearch parameter to extract sensitive database information from the hdwplayer_videos table. CVSSv3.1 8.2 (HIGH)
CVE-2020-37168 — Ecommerce Systempay 1.0: weak cryptographic implementation allows brute force of the payment signature secret key
Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. Attackers can extract payment form data and signatures from POST requests to the payment endpoint, then use SHA1 hash comparison to iteratively test key candidates until discovering the correct production key, enabling them to forge valid payment signatures and manipulate transacti CVSSv3.1 9.8 (CRITICAL)
When IT Support Calls: Dissecting a ModeloRAT Campaign from Teams to Domain Compromise
Rapid7 analyzed a ModeloRAT campaign that began with Teams social engineering impersonating IT Support and escalated to full domain compromise. The attack chain leveraged a Dropbox-hosted Python payload, CVE-2023-36036 privilege escalation via cldflt.sys heap overflow, credential harvesting via fake lock screen, and lateral movement across 100+ internal systems. The intrusion demonstrates how collaboration platforms, Living-off-the-Land techniques, and patched vulnerabilities can be chained into rapid enterprise-wide compromise.
CVE-2026-42062 — ELECOM wireless LAN access points: unauthenticated OS command injection via the username parameter
ELECOM wireless LAN access point devices contain an OS command injection in the processing of the username parameter. If a crafted request is processed, an arbitrary OS command may be executed. No authentication is required. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-40621 — ELECOM wireless LAN access points: missing authentication on specific URLs
ELECOM wireless LAN access point devices do not require authentication to access some specific URLs. The affected product may be operated without authentication. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-3425 — RTMKit Addons for Elementor (WordPress) up to 2.0.2: authenticated Local File Inclusion via the 'path' parameter of the 'get_content' AJAX action
The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.2 via the 'path' parameter of the 'get_content' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code ex CVSSv3.1 8.8 (HIGH)
Otto-Support: Supply Chain Risks in MCP Servers
Bishop Fox Labs published research on supply chain risks in MCP (Model Context Protocol) servers, demonstrating how malicious updates can exfiltrate sensitive credentials while maintaining normal functionality. The analysis covers real incidents (postmark-mcp BCC injection, ClawHub malicious skills) and introduces otto-support's selfpwn module to quantify the attack surface—showing SSH keys, cloud credentials, API tokens, and wallet keys accessible to any MCP server running under the user's context. Mitigations include version pinning, internal registries, signed plugins, and network egress controls.
From Patch Tuesday to Pentest Wednesday®: How a Software Provider Closed Unknown Paths to Cloud Compromise
A healthcare software provider conducted an insider threat pentest using NodeZero that exposed how a single compromised developer credential could chain multiple weaknesses into lateral movement across segmented networks and AWS compromise. Initial testing identified 16 exploitable weaknesses leading to AWS full account compromise and sensitive data exposure; post-remediation reduced to 2 low-severity findings with no business impact through continuous monthly testing cycles and privileged access controls.
CVE-2026-41050 — Fleet Helm deployer: incomplete ServiceAccount impersonation lets a tenant with git push access read secrets from any namespace on downstream clusters
Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their `GitRepo`. CVSSv3.1 9.9 (CRITICAL)
CVE-2026-25705 — Rancher Extensions: path traversal in the `compressedEndpoint` field of a `UIPlugin` deployment allows code injection
A vulnerability has been identified in [Rancher's Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected in Rancher through a path traversal in the `compressedEndpoint` field inside a `UIPlugin` deployment. A malicious UI extension could abuse that to:
* Overwrite Rancher binaries or configuration to inject code.
* Write to /var/lib/rancher/ to tamper with cluster state.
* If hostPath volu
CVSSv3.1 8.4 (HIGH)
A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens
Project Zero disclosed a 0-click exploit chain for Pixel 10 combining a patched Dolby UDC vulnerability (CVE-2025-54957) with a novel VPU driver vulnerability. The VPU mmap handler fails to bound physical memory mapping to the register region size, allowing arbitrary kernel memory read-write with 5 lines of code. The VPU bug was patched 71 days after disclosure in February 2026, demonstrating improved Android triage velocity.
CVE-2026-32661 — GUARDIANWALL MailSuite and Mail Security Cloud (SaaS): remote stack-based buffer overflow in the web service
Stack-based buffer overflow vulnerability exists in GUARDIANWALL MailSuite and GUARDIANWALL Mail Security Cloud (SaaS version). If a remote attacker sends a specially crafted request to the product's web service, arbitrary code may be executed when the product is configured to run pop3wallpasswd with grdnwww user privilege. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-11159 — Hitachi Vantara Pentaho Data Integration & Analytics (all versions): bundled H2 JDBC driver allows external script execution on new connections
Hitachi Vantara Pentaho Data Integration & Analytics, all versions, contains a JDBC driver for H2 databases that is vulnerable to external script execution when a new connection is created by a data source administrator. CVSSv3.1 9.1 (CRITICAL)
CVE-2026-7635 — coreActivity: Activity Logging for WordPress plugin up to 3.0: PHP Object Injection via the User-Agent header
The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta table, and subsequently calling `maybe_unserialize()` on every retrieved `meta_value` in `query_metas()` without verifying the data was originally serialized by the application. This m CVSSv3.1 8.1 (HIGH)
CVE-2026-8053 — MongoDB Server: authenticated out-of-bounds write in the time-series collection implementation
An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. Under certain conditions this can result in arbitrary code execution. This issue impacts MongoDB Server v5.0 versions prior to 5.0.33, v6.0 versions prior to 6.0.28, CVSSv3.1 8.8 (HIGH)
Patch Tuesday - May 2026
Microsoft's May 2026 Patch Tuesday addresses 137 vulnerabilities, including three critical RCEs: CVE-2026-41089 (Netlogon stack buffer overflow, CVSS 9.8, SYSTEM-level execution on domain controllers), CVE-2026-41096 (DNS client RCE, CVSS 9.8), and CVE-2026-41103 (Entra ID auth plugin EoP in self-hosted JIRA/Confluence, CVSS 9.1). Additionally, 133 browser vulnerabilities were patched separately. No active exploitation reported for any vulnerability.
May’s Patch Tuesday hauls out 132 CVEs
Microsoft's May 2026 Patch Tuesday addresses 132 CVEs across 20 product families, including 29 Critical-severity issues and 43 with CVSS scores of 8.0 or higher. Notably, 14 CVEs were pre-patched before Patch Tuesday with no public disclosure or known active exploitation. Key vulnerabilities include authentication bypass in Microsoft SSO plugins for Jira/Confluence (CVE-2026-41103), Windows Netlogon and DNS Client RCEs (CVE-2026-41089, CVE-2026-41096), and six Office/Word RCEs exploitable via Preview Pane.
Analyzing TeamPCP’s Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft
Trend Micro Research documents TeamPCP, a financially motivated threat actor cluster, conducting a coordinated supply-chain campaign from March–April 2026 targeting seven confirmed waves across multiple package registries (PyPI, Docker Hub, npm, GHCR, VS Code/OpenVSX). The two primary case studies—Checkmarx KICS (April 22) and elementary-data (April 24)—demonstrate multichannel CI/CD poisoning and GitHub Actions script injection respectively, both designed to harvest developer credentials, cloud keys, SSH material, and CI tokens at scale. The elementary-data attack notably required no maintainer credential compromise; a single unsanitized pull-request comment injected into a GitHub Actions workflow was sufficient to forge a signed release and publish malicious packages.
CVE-2026-44548 — ChurchCRM prior to 7.3.2: cross-site GET navigation to FundRaiserDelete.php, PropertyTypeDelete.php or NoteDelete.php silently deletes records
ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php causes a logged-in ChurchCRM user with the relevant role to silently delete records, including cascaded property and record-to-property assignments. This vulnerability is fixed in 7.3.2. CVSSv3.1 8.1 (HIGH)
CVE-2026-44547 — ChurchCRM 7.2.0 to 7.2.2: incomplete fix for CVE-2026-4058
ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, the fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release therefore remains exploitable by the PoC published with the original advisory. This vulnerability is fixed in 7.3.1. CVSSv3.1 9.6 (CRITICAL)
CVE-2026-42289 — ChurchCRM prior to 7.3.2: UserEditor.php handles account creation and permission updates via $_POST with no CSRF token validation
ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when visited by an authenticated administrator, silently elevates any low-privilege user to full administrator or creates a new admin backdoor account without the victim's knowledge. This vulnerability is fixe CVSSv3.1 8.8 (HIGH)
CVE-2026-42288 — ChurchCRM prior to 7.3.2: incomplete fix for CVE-2026-39337 leaves pre-authentication RCE via unsanitized DB_PASSWORD in the setup wizard
ChurchCRM is an open-source church management system. Prior to 7.3.2, the fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DB_PASSWORD remains fully exploitable. This vulnerability is fixed in 7.3.2. CVSSv3.1 10.0 (CRITICAL)
CVE-2026-41901 — Thymeleaf prior to 3.1.5.RELEASE: security bypass in restricted-context expression execution
Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow such expressions to be executed. If an application develo CVSSv3.1 9.0 (CRITICAL)
CVE-2026-8449 — Linux ksmbd: remote heap out-of-bounds read and heap corruption in the ACL inheritance path via a malformed SID
Linux ksmbd contains a remote memory corruption vulnerability in the ACL inheritance path that allows remote clients with directory creation permissions to trigger a heap out-of-bounds read and subsequent heap corruption by setting a crafted DACL with a malformed SID containing an inflated num_subauth field. Attackers can exploit this vulnerability by creating a directory, setting the malicious DACL via SMB2_SET_INFO, and creating child entries to cause kernel instability, de CVSSv3.1 8.8 (HIGH)