Latest intel // live feed
CVE-2026-0300 — Palo Alto Networks PAN-OS: A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KC CVSSv3.1 9.8 (CRITICAL)
CVE-2024-30151 — HCL: BigFix Service Management (SX) is affected by a Broken Access Control vulnerability leading
HCL BigFix Service Management (SX) is affected by a Broken Access Control vulnerability leading to privilege escalation. This could allow unauthorized users to gain elevated privileges, bypassing intended access restrictions. This may result in exposure of sensitive data or unauthorized system modifications CVSSv3.1 8.3 (HIGH)
CVE-2026-29090 — CERN Rucio: A SQL injection vulnerability exists in Rucio versions 1.30.0 and later before
A SQL injection vulnerability exists in Rucio versions 1.30.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1, in `FilterEngine.create_postgres_query()`. This allows any authenticated Rucio user to execute arbitrary SQL against the PostgreSQL metadata database through the DID search endpoint (`GET /dids/<scope>/dids/search`). When the `postgres_meta` metadata plugin is configured, attacker-controlled filter keys and values are interpolated directly into raw S CVSSv3.1 8.8 (HIGH)
CVE-2026-7875 — NanoClaw: contains a host/container filesystem boundary vulnerability in outbound attachment handling and outbox cleanup
NanoClaw contains a host/container filesystem boundary vulnerability in outbound attachment handling and outbox cleanup that allows a compromised or prompt-injected container to read files outside the intended outbox directory by supplying crafted messages_out.id and content.files values or creating symlinked outbox files. Attackers can exploit this vulnerability to trigger host-side reads of arbitrary files and in some cases achieve recursive deletion of paths outside the in CVSSv3.1 8.8 (HIGH)
CVE-2026-42503 — This can allow a malicious party on the same network to execute code arbitrarily
gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging. If -listen is given a value without an explicit host (e.g. :8080), or -port is used, gopls will listen on 0.0.0.0. As a result, users might inadvertently cause gopls to bind 0.0.0.0. This can allow a malicious party on the same network to execute code arbitrarily via gopls. CVSSv3.1 8.8 (HIGH)
CVE-2026-29080 — CERN Rucio: A SQL injection vulnerability in `FilterEngine.create_sqla_query()` allows any authenticated Rucio user to execute arbitrary
A SQL injection vulnerability in `FilterEngine.create_sqla_query()` allows any authenticated Rucio user to execute arbitrary SQL against the backend database through the DID search endpoint (`GET /dids/<scope>/dids/search`). On Oracle deployments attacker-controlled filter keys and values are interpolated directly into `sqlalchemy.text()` via Python `.format()`, completely bypassing parameterization. This enables full database compromise including extraction of authentication CVSSv3.1 8.8 (HIGH)
CVE-2026-20034 — A vulnerability in the web-based management interface of Cisco Unity Connection could allow an
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of a targeted de CVSSv3.1 8.8 (HIGH)
Make it Blink: Over-the-Air Exploitation of the Philips Hue Bridge
Synacktiv researchers disclosed a critical remote code execution vulnerability (CVE-2026-3555) in the Philips Hue Bridge exploited during Pwn2Own 2026. The vulnerability exists in Zigbee frame processing where a heap buffer overflow in the Download Blob state machine allows unauthenticated attackers on the local Zigbee network to overflow into adjacent heap chunks. The researchers leveraged musl libc allocator "Vudo" techniques to achieve arbitrary write and code execution by hijacking a global function pointer.
The Accidental C2: Exploring Dev Tunnels for Remote Access
SpecterOps researcher Adam Chester reverse-engineered VS Code Dev Tunnels to expose a multi-layered C2-like architecture combining REST APIs, WebSocket tunneling, SSH, and MsgPack RPC. The research reveals that Dev Tunnels can be abused for initial access via Device Code Phishing against GitHub/Azure OAuth flows, lateral movement through token theft from vscdb, and persistence by establishing tunnels from compromised hosts. Additionally, FOCI (Family of Client IDs) and BroCI clients provide attack surface expansion—compromising any FOCI member allows token exchange to Dev Tunnels access.
Critical Buffer Overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal (CVE-2026-0300)
Palo Alto Networks disclosed CVE-2026-0300, a critical unauthenticated buffer overflow (CVSS 9.3) in the User-ID Authentication Portal feature of PAN-OS PA-Series and VM-Series firewalls. The vulnerability allows remote code execution with root privileges and is confirmed exploited in the wild. No patches are available yet; fixes are expected May 13–28, 2026, with ~225,000 internet-facing PAN-OS instances at risk.
CVE-2026-5081 — Apache: Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure.
Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure. Apache::Session::Generate::ModUniqueId (added in version 1.54) uses the value of the UNIQUE_ID environment variable for the session id. The UNIQUE_ID variable is set by the Apache mod_unique_id plugin, which generates unique ids for the request. The id is based on the IPv4 address, the process id, the epoch time, a 16-bit counter and a thread index, with no obfuscation. CVSSv3.1 9.1 (CRITICAL)
OceanLotus suspected of using PyPI to deliver ZiChatBot malware
Kaspersky researchers discovered malicious Python wheel packages uploaded to PyPI in July 2025 that delivered a previously unknown malware family called ZiChatBot, attributed to OceanLotus APT. The attack targeted both Windows and Linux users through three fake libraries (uuid32-utils, colorinal, termncolor) that acted as droppers, with ZiChatBot using Zulip's public REST APIs as command-and-control infrastructure instead of traditional servers. The packages were removed from PyPI and the attacker's Zulip organization deactivated before widespread infections occurred.
Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware
Rapid7 researchers identified a sophisticated intrusion initially attributed to Chaos ransomware that was actually a false-flag operation by MuddyWater (Seedworm), an Iranian APT affiliated with MOIS. The attackers used interactive Microsoft Teams social engineering to harvest credentials and MFA, established persistence via DWAgent and AnyDesk, deployed a custom RAT (Game.exe) masquerading as WebView2, and exfiltrated data while avoiding file encryption. Attribution was anchored by a code-signing certificate ("Donald Gay") previously linked to MuddyWater's Operation Olalampo, C2 infrastructure overlap (moonzonet.com), and signature tradecraft including pythonw.exe process injection and Teams-based credential harvesting.
CVE-2026-42208: Pre-Authentication SQL Injection in LiteLLM Proxy
Bishop Fox researchers confirmed CVE-2026-42208, a critical pre-authentication SQL injection in LiteLLM proxy (versions 1.81.16–1.83.6) affecting the bearer-token verification logic. An unauthenticated attacker can inject SQL via a malformed Authorization header into any LLM API endpoint, exploiting an f-string interpolation sink to extract database contents via timing-based blind SQLi. In-the-wild exploitation was observed within 36 hours of the GitHub advisory publication; the fix (v1.83.7) introduces proper parameter binding.
Otto Support - Excessive Agency and Tool Privileges
Bishop Fox research demonstrates how AI agents with excessive tool privileges and production-level permissions have caused real-world infrastructure failures, including data loss, email deletion, and multi-hour outages. The post details the 'excessive agency' vulnerability pattern where agents can combine available tools in unintended ways, and presents otto-support, a CTF demonstrating how tiered permissions and role-aware tool registration can mitigate blast radius.
CVE-2026-43283 — Linux: This would lead to improper unmapping of the buffer.
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle dma_free_coherent() in error path takes priv->rx_buf.alloc_len as the dma handle. This would lead to improper unmapping of the buffer. Change the dma handle to priv->rx_buf.alloc_phys. CVSSv3.1 8.8 (HIGH)
CVE-2026-43274 — Linux: In the Linux kernel, the following vulnerability has been resolved: mailbox: mchp-ipc-sbi: fix out-of-bounds
In the Linux kernel, the following vulnerability has been resolved: mailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq() The cluster_cfg array is dynamically allocated to hold per-CPU configuration structures, with its size based on the number of online CPUs. Previously, this array was indexed using hartid, which may be non-contiguous or exceed the bounds of the array, leading to out-of-bounds access. Switch to using cpuid as the index, as it i CVSSv3.1 8.4 (HIGH)
CVE-2026-43249 — Linux: In the Linux kernel, the following vulnerability has been resolved: 9p/xen: protect xen_9pfs_front_free against
In the Linux kernel, the following vulnerability has been resolved: 9p/xen: protect xen_9pfs_front_free against concurrent calls The xenwatch thread can race with other back-end change notifications and call xen_9pfs_front_free() twice, hitting the observed general protection fault due to a double-free. Guard the teardown path so only one caller can release the front-end state at a time, preventing the crash. This is a fix for the following double-free: [ 27.052347] Oop CVSSv3.1 8.8 (HIGH)
CVE-2026-43239 — Linux: In the Linux kernel, the following vulnerability has been resolved: smb: client: prevent races
In the Linux kernel, the following vulnerability has been resolved: smb: client: prevent races in ->query_interfaces() It was possible for two query interface works to be concurrently trying to update the interfaces. Prevent this by checking and updating iface_last_update under iface_lock. CVSSv3.1 8.8 (HIGH)
CVE-2026-43233 — Linux: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_choice() In decode_choice(), the boundary check before get_len() uses the variable `len`, which is still 0 from its initialization at the top of the function: unsigned int type, ext, len = 0; ... if (ext || (son->attr & OPEN)) { BYTE_ALIGN(bs); if (nf_h323_error_boundary(bs, len, 0)) /* len is 0 here */ return H32 CVSSv3.1 8.2 (HIGH)
CVE-2026-43232 — Linux: In the Linux kernel, the following vulnerability has been resolved: net: wan: farsync: Fix
In the Linux kernel, the following vulnerability has been resolved: net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets When the FarSync T-series card is being detached, the fst_card_info is deallocated in fst_remove_one(). However, the fst_tx_task or fst_int_task may still be running or pending, leading to use-after-free bugs when the already freed fst_card_info is accessed in fst_process_tx_work_q() or fst_process_int_work_q(). A typical race conditi CVSSv3.1 8.8 (HIGH)
CVE-2026-43215 — Linux: In the Linux kernel, the following vulnerability has been resolved: cifs: Fix locking usage
In the Linux kernel, the following vulnerability has been resolved: cifs: Fix locking usage for tcon fields We used to use the cifs_tcp_ses_lock to protect a lot of objects that are not just the server, ses or tcon lists. We later introduced srv_lock, ses_lock and tc_lock to protect fields within the corresponding structs. This was done to provide a more granular protection and avoid unnecessary serialization. There were still a couple of uses of cifs_tcp_ses_lock to provi CVSSv3.1 8.8 (HIGH)
CVE-2026-43208 — Linux: In the Linux kernel, the following vulnerability has been resolved: net: do not pass
In the Linux kernel, the following vulnerability has been resolved: net: do not pass flow_id to set_rps_cpu() Blamed commit made the assumption that the RPS table for each receive queue would have the same size, and that it would not change. Compute flow_id in set_rps_cpu(), do not assume we can use the value computed by get_rps_cpu(). Otherwise we risk out-of-bound access and/or crashes. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-43198 — Linux: This allows the removal of one tcp_sync_mss(), since tcp_v4_syn_recv_sock() will call it with the
In the Linux kernel, the following vulnerability has been resolved: tcp: fix potential race in tcp_v6_syn_recv_sock() Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock() is done too late. After tcp_v4_syn_recv_sock(), the child socket is already visible from TCP ehash table and other cpus might use it. Since newinet->pinet6 is still pointing to the listener ipv6_pinfo bad things can happen as syzbot found. Move the problematic code in tcp_v6_mapped_ch CVSSv3.1 9.8 (CRITICAL)
CVE-2026-43197 — Linux: Now we see: printk: console [netcon_ext0] enabled BUG: KASAN: slab-out-of-bounds in string+0x1f7/0x240 Read of
In the Linux kernel, the following vulnerability has been resolved: netconsole: avoid OOB reads, msg is not nul-terminated msg passed to netconsole from the console subsystem is not guaranteed to be nul-terminated. Before recent commit 7eab73b18630 ("netconsole: convert to NBCON console infrastructure") the message would be placed in printk_shared_pbufs, a static global buffer, so KASAN had harder time catching OOB accesses. Now we see: printk: console [netcon_ext0] en CVSSv3.1 9.1 (CRITICAL)