2026-05-05 04:16Z · CRIT

CVE-2026-5294 — Geeky: The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5294

The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispatch and reaching a plugin installer helper that downloads and unzips attacker-supplied ZIP files into wp-content/plugins/. This makes it possible for unauthenticated attackers to perform arbitrary plugin installation and achieve remote code execution.

CWE: CWE 862 · VND: Geeky · TYP: Vulnerability
CVSS v3.1 9.8 (CRITICAL) · Score: 99

2026-05-05 04:16Z · HIGH

CVE-2026-35228 — Vulnerability: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35228

Vulnerability in the Oracle MCP Server Helper Tool product of Oracle Open Source Projects (component: helper tool). The supported versions that are affected are 1.0.1-1.0.156. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle MCP Server Helper Tool. Successful attacks of this vulnerability can result in Oracle MCP Server Helper Tool executing malicious SQL.

VND: Vulnerability · TYP: Vulnerability
CVSS v3.1 8.7 (HIGH) · Score: 94

2026-05-05 03:15Z · CRIT

CVE-2025-13618 — Mentoring: The Mentoring plugin for WordPress is vulnerable to privilege escalation in all versions up

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-13618

The Mentoring plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.8. This is due to the plugin not properly restricting the roles that users can register with in the mentoring_process_registration() function. This makes it possible for unauthenticated attackers to register with administrator-level user accounts.

CWE: CWE 269 · VND: Mentoring · TYP: Vulnerability
CVSS v3.1 9.8 (CRITICAL) · Score: 99

2026-05-05 02:16Z · CRIT

CVE-2026-5722 — MoreConvert: The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5722

The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or regenerating verification tokens when the customer email address is changed. This makes it possible for unauthenticated attackers to authenticate as existing users, including administrators, by obtaining a valid guest verification token for an attacker-controlled email, changing th

CWE: CWE 287 · VND: Moreconvert · TYP: Vulnerability
CVSS v3.1 9.8 (CRITICAL) · Score: 99

2026-05-05 00:00Z · INFO

Your UEBA is lying to you: Why entity record quality decides everything

Elastic Security Labs · elastic.co

Elastic Security Labs publishes a technical deep-dive on User and Entity Behavior Analytics (UEBA) architecture, arguing that entity record quality—not ML models—determines detection fidelity. The post contrasts two extremes (bare username matching vs. IdP-only records), proposes a confidence-tiered governance model separating identity-provider-backed entities from endpoint-observed local accounts, and describes automatic entity resolution across fragmented identity systems to unify cross-provider risk signals.

SRF: Application · TAC: TA0001 · SRF: Identity · SW: Elastic Security · VND: Elastic · TYP: Research · TEC: T1087
Score: 68

2026-05-05 00:00Z · CRIT

InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise

Trend Micro Research · trendmicro.com · in the wild

Trend Micro disclosed the InstallFix campaign, a multi-stage malware distribution operation leveraging fake Claude AI installer pages promoted via Google Ads to target users across multiple industries and regions. The attack chain uses mshta.exe, obfuscated PowerShell, VBScript COM abuse, AMSI bypass, SSL validation disabling, and victim-unique C&C URLs to achieve persistence and data collection; the final payload exhibits RedLine stealer indicators and collects browser/e-wallet credentials.

SRF: Application · TAC: TA0005 · TAC: TA0001 · TAC: TA0002 · TAC: TA0006 · SRF: Web · TAC: TA0009 · OS: Windows
Score: 82

2026-05-04 22:00Z · HIGH

Paramiko Security Audit

Quarkslab · blog.quarkslab.com

Quarkslab conducted the first public security audit of the Paramiko SSH library on behalf of OSTIF, identifying 30 vulnerabilities across Paramiko and its cryptography dependencies: 2 high-severity issues (insecure RSA signature parameters, weak TripleDES key sizes), 6 medium-severity issues (deprecated key exchange methods, weak DH parameters), and 22 lower-severity findings. All identified issues have been remediated with fixes committed to the respective projects.

SRF: Application · SRF: Network · TAC: TA0006 · SW: Cryptography · SW: Paramiko · VND: Pyca · TYP: Research · STG: Cred Access
Score: 72

2026-05-04 21:16Z · CRIT

CVE-2026-42238 — Nginxui Nginx_ui: Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint (POST /api/restore) that is

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-42238

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint (POST /api/restore) that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can upload a crafted backup archive that overwrites the application's configuration file (app.ini) and SQLite database. Because the attacker controls the restored app.ini, they can inject

CWE: CWE 94 · VND: Nginx · VND: Nginxui · TYP: Vulnerability
CVSS v3.1 9.8 (CRITICAL) · Score: 99

2026-05-04 21:16Z · HIGH

CVE-2026-42222 — Nginx: In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial installation

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-42222

Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. At time of publication no public patches are available.

CWE: CWE 306 · CWE: CWE 284 · VND: Nginx · TYP: Vulnerability
CVSS v3.1 8.1 (HIGH) · Score: 91

2026-05-04 21:16Z · HIGH

CVE-2026-42221 — Nginx: From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-42221

Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in transit; it does not authenticate who is allowed to perform installation. A remote attacke

CWE: CWE 306 · VND: Nginx · TYP: Vulnerability
CVSS v3.1 8.1 (HIGH) · Score: 91

2026-05-04 20:16Z · HIGH

CVE-2025-67796 — IKUS: Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-67796

IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authenticated subject and the targeted user/tenant, so crafted requests can read or modify other users' data and, in some cases, perform privileged actions. This issue may enable cross-tenant access. Fixed in version 2.10.6.

CWE: CWE 284 · VND: Ikus · TYP: Vulnerability
CVSS v3.1 8.1 (HIGH) · Score: 91

2026-05-04 19:16Z · HIGH

CVE-2026-42237 — N8n N8n: Both nodes construct SQL queries by directly interpolating user-controlled table names, column names, and

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-42237

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the fix for GHSA-f3f2-mcxc-pwjx did not cover the Snowflake node or the legacy MySQL v1 node. Both nodes construct SQL queries by directly interpolating user-controlled table names, column names, and update keys into query strings without identifier escaping, enabling SQL injection against the connected database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.1

CWE: CWE 89 · VND: N8n · TYP: Vulnerability
CVSS v3.1 8.8 (HIGH) · EPSS 9th percentile · Score: 94

2026-05-04 19:16Z · CRIT

CVE-2026-42235 — N8n N8n: Clicking the link would execute arbitrary JavaScript in the victim's authenticated n8n browser session

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-42235

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an unauthenticated attacker could register a malicious MCP OAuth client with a crafted client_name. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that access, a toast notification would render the injected script. Clicking the link would execute arbitrary JavaScript in the victim's authenticated n8n browser session, enabling credent

CWE: CWE 79 · CWE: CWE 87 · VND: N8n · TYP: Vulnerability
CVSS v3.1 9.6 (CRITICAL) · EPSS 25th percentile · Score: 98

2026-05-04 19:16Z · HIGH

CVE-2026-42234 — N8n N8n: Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-42234

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container. This issue only affects instances where the Python Task Runner is enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

CWE: CWE 94 · VND: N8n · TYP: Vulnerability
CVSS v3.1 8.8 (HIGH) · EPSS 21st percentile · Score: 94

2026-05-04 19:16Z · CRIT

CVE-2026-42233 — N8n N8n: is an open source workflow automation platform.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-42233

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the Oracle Database node's select operation allowed user-controlled input passed into the Limit field via expressions to be interpolated directly into the SQL query without sanitization or parameterization. In workflows where external input is passed into the Limit field (e.g., from a webhook), an attacker could inject arbitrary SQL and exfiltrate data from the connec

CWE: CWE 89 · VND: N8n · TYP: Vulnerability
CVSS v3.1 9.8 (CRITICAL) · EPSS 14th percentile · Score: 99

2026-05-04 19:16Z · HIGH

CVE-2026-42232 — N8n N8n: Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-42232

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via the XML Node leading to RCE when combined with other nodes exploiting the prototype pollution. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

CWE: CWE 1321 · VND: N8n · TYP: Vulnerability
CVSS v3.1 8.8 (HIGH) · EPSS 16th percentile · Score: 94

2026-05-04 19:16Z · HIGH

CVE-2026-42231 — N8n N8n: An authenticated user with permission to create or modify workflows could exploit this to

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-42231

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the xml2js library used to parse XML request bodies in n8n's webhook handler allowed prototype pollution via a crafted XML payload. An authenticated user with permission to create or modify workflows could exploit this to pollute the JavaScript object prototype and, by chaining the pollution with the Git node's SSH operations, achieve remote code execution on the n8n

CWE: CWE 1321 · VND: N8n · TYP: Vulnerability
CVSS v3.1 8.8 (HIGH) · EPSS 65th percentile · Score: 94

2026-05-04 19:16Z · HIGH

CVE-2026-42229 — N8n N8n: is an open source workflow automation platform.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-42229

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the SeaTable node's row:search and row:get operations allowed user-controlled input to be concatenated directly into SQL query strings without escaping or parameterization. In workflows where external user input is passed via expressions into the SeaTable node's search or row retrieval parameters, an attacker could manipulate the constructed query to retrieve unintend

CWE: CWE 89 · VND: N8n · TYP: Vulnerability
CVSS v3.1 8.8 (HIGH) · Score: 94

2026-05-04 18:16Z · CRIT

CVE-2026-42796 — Arelle: before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-42796

Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file through the plugins parameter, causing the Arelle webserver to download and execute the attacker-controlled code within the Arelle process with its privileges.

CWE: CWE 306 · VND: Arelle · TYP: Vulnerability
CVSS v3.1 9.8 (CRITICAL) · Score: 99

2026-05-04 18:16Z · CRIT

CVE-2026-42088 — OpenC3: Prior to version 7.0.0-rc3, the Script Runner widget allows users to execute Python and

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-42088

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script Runner widget allows users to execute Python and Ruby scripts directly from the openc3-COSMOS-script-runner-api container. Because all the docker containers share a network, users can execute specially crafted scripts to bypass the API permissions check and perform administrative actions, including reading and modifying

CWE: CWE 250 · VND: Openc3 · TYP: Vulnerability
CVSS v3.1 9.6 (CRITICAL) · Score: 98

2026-05-04 18:16Z · CRIT

CVE-2026-42087 — OpenC3: From version 6.7.0 to before version 7.0.0-rc3, a SQL injection vulnerability exists in the

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-42087

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From version 6.7.0 to before version 7.0.0-rc3, a SQL injection vulnerability exists in the Time-Series Database (TSDB) component of COSMOS. The tsdb_lookup function in the cvt_model.rb file directly places user-supplied input into a SQL query without sanitizing the input. As a result, a user can break out of the initial SQL statement and execute arbitrary S

CWE: CWE 89 · VND: Openc3 · TYP: Vulnerability
CVSS v3.1 9.6 (CRITICAL) · Score: 98

2026-05-04 18:16Z · HIGH

CVE-2026-42084 — OpenC3: Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-42084

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked acco

CWE: CWE 620 · VND: Openc3 · TYP: Vulnerability
CVSS v3.1 8.1 (HIGH) · Score: 91

2026-05-04 18:16Z · CRIT

CVE-2026-41571 — Note: In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-41571

Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password: "null" to the internal login endpoint receives a valid session for that user. The bypass is unauthenticated and requires no user interaction. This issue has been patched in version 0.1

CWE: CWE 287 · TYP: Vulnerability
CVSS v3.1 9.4 (CRITICAL) · Score: 97

2026-05-04 18:16Z · HIGH

CVE-2026-29004 — BusyBox: before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-29004

BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attackers to trigger memory corruption by sending a crafted DHCPv6 response with a malformed D6_OPT_DNS_SERVERS option. Attackers can exploit incorrect heap buffer allocation calculations in the option_to_env() function to cause denial of service or achieve arbitrary code execution on

CWE: CWE 122 · VND: Busybox · TYP: Vulnerability
CVSS v3.1 8.1 (HIGH) · Score: 91

2026-05-04 18:16Z · HIGH

CVE-2026-0073 — In adbd_tls_verify_cert of auth.cpp, there is a possible bypass of wireless ADB mutual authentication

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-0073

In adbd_tls_verify_cert of auth.cpp, there is a possible bypass of wireless ADB mutual authentication due to a logic error in the code. This could lead to remote (proximal/adjacent) code execution as the shell user with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE: CWE 303 · TYP: Vulnerability
CVSS v3.1 8.8 (HIGH) · Score: 94