Latest intel // live feed
CVE-2025-63705 — NPM: package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function
NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js. CVSSv3.1 8.8 (HIGH)
CVE-2026-6795 — DivvyDrive: URL redirection to untrusted site ('open redirect') allows Parameter Injection.
URL redirection to untrusted site ('open redirect') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Parameter Injection. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2. CVSSv3.1 9.6 (CRITICAL)
CVE-2026-41589 — Wish: From version 2.0.0 to before version 2.0.1, the SCP middleware in charm.land/wish/v2 is vulnerable
Wish is an SSH server with defaults and a collection of middlewares. From version 2.0.0 to before version 2.0.1, the SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and create directories outside the configured root directory by sending crafted filenames containing ../ sequences over the SCP protocol. This issue has been patched in version 2.0.1. CVSSv3.1 9.6 (CRITICAL)
CVE-2026-41490 — Dagster: Prior to Dagster Core version 1.13.1 and prior to Dagster libraries version 0.29.1, the
Dagster is an orchestration platform for the development, production, and observation of data assets. Prior to Dagster Core version 1.13.1 and prior to Dagster libraries version 0.29.1, the DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers constructed SQL WHERE clauses by interpolating dynamic partition key values into queries without escaping. A user with the Add Dynamic Partitions permission could create a partition key that injects arbitrary SQL, which would execute CVSSv3.1 8.3 (HIGH)
CVE-2026-30496 — Optoma: The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes an HTTP API on
The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes an HTTP API on TCP port 2345 that allows full unauthenticated remote control of the device. The API supports both reading configuration (74 endpoints) and writing/modifying settings including volume, mute, brightness, power, network protocols enable/disable (including TELNET), display modes, and other projector functions. Any device on the same network can control the projector without auth CVSSv3.1 9.8 (CRITICAL)
CVE-2026-30495 — Optoma: This allows extraction of stored WiFi credentials, installation of persistent malware, and access to
The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes Android Debug Bridge (ADB) on TCP port 5555 over the network without requiring authentication. The device is configured with ro.adb.secure=0, which disables RSA key verification. Additionally, a functional su binary exists at /system/xbin/su that grants root privileges without authentication. An attacker on the same network can connect to the device via ADB, obtain a shell, and escalate to CVSSv3.1 8.8 (HIGH)
CVE-2025-14341 — Improperly controlled modification of Dynamically-Determined object attributes, Allocation of resources without limits or throttling
Improperly controlled modification of Dynamically-Determined object attributes, Allocation of resources without limits or throttling vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Excessive Allocation, Flooding. This issue affects DivvyDrive: from 4.8.2.19 before 4.8.3.2. CVSSv3.1 8.3 (HIGH)
SecurityInsight — Rethink Secure Score: risk-based scoring across Defender XDR, Entra, AD, Azure, ExposureGraph, and Shodan — weighted by
SecurityInsight is a free, open-source PowerShell-based tool that consolidates security telemetry from Microsoft Defender, Entra ID, Active Directory, Azure, and ExposureGraph to provide risk-based prioritization across endpoints, identity, and cloud assets. It applies a four-dimensional scoring model (consequence, criticality tier, risk factors, customizable index) to rank findings by attacker opportunity rather than severity alone, outputting to Excel, Power BI, Log Analytics, and JSON.
CVE-2026-8094 — Other issue in the WebRTC component.
Other issue in the WebRTC component. This vulnerability was fixed in Firefox ESR 140.10.2 and Thunderbird 140.10.2. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-8093 — Memory safety bugs present in Thunderbird 150.0.1
Memory safety bugs present in Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.2 and Thunderbird 150.0.2. CVSSv3.1 8.1 (HIGH)
CVE-2026-8092 — Memory safety bugs present in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1
Memory safety bugs present in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, Firefox ESR 115.35.2, Thunderbird 150.0.2, and Thunderbird 140.10.2. CVSSv3.1 8.1 (HIGH)
CVE-2026-8091 — Incorrect boundary conditions in the Audio/Video: Playback component.
Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, Thunderbird 140.10.1, and Firefox ESR 115.35.2. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-6002 — Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in DivvyDrive
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross-Site Scripting (XSS). This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2. CVSSv3.1 8.8 (HIGH)
CVE-2026-5791 — Cross-Site request forgery (CSRF) vulnerability in DivvyDrive Information Technologies Inc.
Cross-Site request forgery (CSRF) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross Site Request Forgery. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2. CVSSv3.1 9.6 (CRITICAL)
CVE-2026-5784 — Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in DivvyDrive Information
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Stored XSS. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2. CVSSv3.1 8.8 (HIGH)
Otto Support - SSRF and Token Passthrough with MCP
Bishop Fox researchers document a pattern of SSRF and token-passthrough vulnerabilities in Model Context Protocol (MCP) servers, with three case studies: mcp-atlassian (CVE-2026-27826/27825) chaining SSRF to RCE via unvalidated headers and path traversal, Microsoft's MarkItDown exposing AWS metadata endpoints across 2,500 servers, and OpenClaw's unvalidated redirect handling. The post provides concrete mitigations including destination validation with IP blocklists, network segmentation, and explicit rejection of token passthrough patterns.
CVE-2026-6508 — Origin Validation Error vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Accessing
Origin Validation Error vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Liderahenk: from 2.0.1 before 2.0.2. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-3953 — Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Gosoft Software
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Gosoft Software Industry and Trade Ltd. Co. Proticaret E-Commerce allows Cross-Site Scripting (XSS), Reflected XSS. This issue affects Proticaret E-Commerce: from v5.0.0 before V 6.0.1767.1383. CVSSv3.1 8.8 (HIGH)
CVE-2026-33588 — Lfnovo Open-notebook: Lack of user input validation in the file upload functionality of Open Notebook v1.8.3
Lack of user input validation in the file upload functionality of Open Notebook v1.8.3 allows the application user to create or modify files on the docker container via path traversal. CVSSv3.1 8.1 (HIGH)
CVE-2026-33587 — Lfnovo Open-notebook: Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to
Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and subsequently OS commands) on the docker container via Server-Side Template Injection (SSTI) for user-created transformations. CVSSv3.1 10.0 (CRITICAL)
Exploits and vulnerabilities in Q1 2026
Kaspersky's Q1 2026 vulnerability report documents a continued rise in CVE registrations driven by AI-assisted vulnerability discovery, with 23 notable CVEs across Windows, Linux, and emerging AI frameworks. Key findings include active exploitation of Microsoft Office logic flaws (CVE-2026-21514, CVE-2026-21509), privilege escalation chains in DWM and RDS (CVE-2026-21519, CVE-2026-21533), and new attack surface in AI agents (Clawdbot/CVE-2026-25253, LangChain/CVE-2026-34070). Metasploit regained top C2 framework usage, with threat actors prioritizing authentication-bypass exploits to evade detection.
CVE-2025-1978 — Remote Code Execution Vulnerability in Hitachi Storage Navigator and the maintenance console in Hitachi
Remote Code Execution Vulnerability in Hitachi Storage Navigator and the maintenance console in Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual Storage Platform One Block 23, One Block 24, One Block 26, One Block 28. This issue affects Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hita CVSSv3.1 8.3 (HIGH)
CVE-2024-43384 — A low privileged remote attacker can gain the root password due to improper removal
A low privileged remote attacker can gain the root password due to improper removal of sensitive information before storage or transfer. CVSSv3.1 8.0 (HIGH)
K8s-container_escape_audit — Look for possible escape vectors from a container
K8s-container_escape_audit is a bash-based security assessment tool that performs 35 checks for container escape vectors across privileged configuration, dangerous capabilities, namespace isolation, filesystem mounts, kernel exposure, Kubernetes misconfigurations, cloud metadata access, and recent CVEs. The tool provides structured findings with impact assessment, exploitability ratings, and remediation guidance, including coverage for emerging CVEs like Copy Fail (CVE-2026-31431) and NVIDIAScape (CVE-2025-23266).
CVE-2025-9661 — OS command injection vulnerability in the management GUI (maintenance utility) of Hitachi Virtual Storage
OS command injection vulnerability in the management GUI (maintenance utility) of Hitachi Virtual Storage Platform One Block 23, 24, 26 and 28. This issue affects Hitachi Virtual Storage Platform One Block 23/24/26/28: before DKCMAIN A3-04-21-40/00, ESM A3-04-21/00. CVSSv3.1 8.1 (HIGH)