Latest intel // live feed
CVE-2026-41455 — WeKan: before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling
WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to ov CVSSv3.1 8.5 (HIGH)
CVE-2026-41454 — WeKan: before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints
WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integrations including webhook URLs, create new integrations, modify or delete existing integrations, and manage integration activities by exploiting insufficient authorization checks in the JsonRoutes REST handlers. CVSSv3.1 8.3 (HIGH)
CVE-2026-41175 — Statamic: Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The Control Panel requires authentication with minimal permissions in order to exploit. e.g. "view entries" permission to delete entries, or "view users" permission to delete users, etc. The REST and Gra CVSSv3.1 8.1 (HIGH)
CVE-2026-41167 — Jellystat: Because the vulnerable call site dispatches via `node-postgres`'s simple query protocol (no parameter array
Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via `POST /api/getUserDetails` and `POST /api/getLibrary`, enabling full read of any table in the database - including `app_config`, which stores the Jellystat admin credentials, the Jellyfin API key, and the CVSSv3.1 9.1 (CRITICAL)
CVE-2026-40937 — Rustfs Rustfs: This enables cross-user event interception and audit evasion.
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the o CVSSv3.1 8.3 (HIGH)
CVE-2026-33656 — EspoCRM: Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allows updating an attachment's sourceId, thus
EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allows updating an attachment's sourceId, thus allowing an authenticated admin to overwrite the `sourceId` field on `Attachment` entities. Because `sourceId` is concatenated directly into a file path with no sanitization in `EspoUploadDir::getFilePath()`, an attacker can redirect any file read or write operation to an arbitrary path within CVSSv3.1 9.1 (CRITICAL)
CVE-2026-33471 — Nimiq Nimiq_proof-of-stake: nimiq-block contains block primitives to be used in Nimiq's Rust implementation.
nimiq-block contains block primitives to be used in Nimiq's Rust implementation. `SkipBlockProof::verify` computes its quorum check using `BitSet.len()`, then iterates `BitSet` indices and casts each `usize` index to `u16` (`slot as u16`) for slot lookup. Prior to version 1.3.0, if an attacker can get a `SkipBlockProof` verified where `MultiSignature.signers` contains out-of-range indices spaced by 65536, these indices inflate `len()` but collide onto the same in-range `u16` CVSSv3.1 9.6 (CRITICAL)
CVE-2026-34415 — Xerte: Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in
Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block the PHP-executable extension .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-34413 — Xerte: Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the
Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit() or die(), allowing PHP execution to continue and process the full request server-side. Unauthenticated attackers can perform file operations on project media directories including creating directories, uploading files, renaming files, duplic CVSSv3.1 8.6 (HIGH)
CVE-2026-26354 — Dell Powerprotect_dp_series_appliance: PowerProtect Data Domain with Domain Operating System (DD OS) of Feature Release versions
Dell PowerProtect Data Domain with Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.6, LTS2025 release versions 8.3.1.0 through 8.3.1.10, and LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain a stack-based buffer overflow vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution. CVSSv3.1 8.1 (HIGH) · EPSS 15th percentile
Mythos in Practice: Attack Paths, Exploitability, and What Actually Matters Most
Horizon3.ai analysis of Anthropic's Mythos AI system demonstrates that AI-assisted vulnerability discovery and exploit generation significantly reduces friction in attack chain development. Mythos successfully identified and exploited zero-days across major OSes and browsers, chained multiple weaknesses into RCE and privilege escalation, and enabled non-expert engineers to produce working exploits with minimal human input. The research emphasizes that risk is determined by exploitability in context and attack path viability, not vulnerability severity alone.
CVE-2026-5816 — Gitlab Gitlab: has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.4 and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute arbitrary JavaScript in a user's browser session due to improper path validation under certain conditions. CVSSv3.1 8.0 (HIGH)
CVE-2026-5262 — Gitlab Gitlab: has remediated an issue in GitLab CE/EE affecting all versions from 16.1.0 before
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.1.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an unauthenticated user to access tokens in the Storybook development environment due to improper input validation. CVSSv3.1 8.0 (HIGH)
CVE-2026-4922 — Gitlab Gitlab: has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection. CVSSv3.1 8.1 (HIGH)
CVE-2018-25272 — ELBA5: 5.8.0 contains a remote code execution vulnerability that allows attackers to obtain database
ELBA5 5.8.0 contains a remote code execution vulnerability that allows attackers to obtain database credentials and execute arbitrary commands with SYSTEM level permissions. Attackers can connect to the database using default connector credentials, decrypt the DBA password, and execute commands via the xp_cmdshell stored procedure or add backdoor users to the BEDIENER table. CVSSv3.1 9.8 (CRITICAL) · EPSS 28th percentile
CVE-2018-25270 — Thinkphp Thinkphp: 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute
ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges. CVSSv3.1 9.8 (CRITICAL) · EPSS 39th percentile
CVE-2018-25268 — Lizardsystems Lanspy: 2.0.1.159 contains a local buffer overflow vulnerability that allows attackers to overwrite the
LanSpy 2.0.1.159 contains a local buffer overflow vulnerability that allows attackers to overwrite the instruction pointer by supplying oversized input to the scan field. Attackers can craft a payload with 688 bytes of padding followed by 4 bytes of controlled data to crash the application or potentially achieve code execution. CVSSv3.1 8.4 (HIGH) · EPSS 2nd percentile
CVE-2018-25265 — Lizardsystems Lanspy: 2.0.1.159 contains a local buffer overflow vulnerability in the scan section that allows
LanSpy 2.0.1.159 contains a local buffer overflow vulnerability in the scan section that allows local attackers to execute arbitrary code by exploiting structured exception handling mechanisms. Attackers can craft malicious payloads using egghunter techniques to locate and execute shellcode, triggering code execution through SEH chain manipulation and controlled jumps. CVSSv3.1 8.4 (HIGH) · EPSS 2nd percentile
CVE-2018-25261 — Entersrl Iperius_backup: Iperius Backup 5.8.1 contains a local buffer overflow vulnerability in the structured exception handling
Iperius Backup 5.8.1 contains a local buffer overflow vulnerability in the structured exception handling (SEH) mechanism that allows local attackers to execute arbitrary code by supplying a malicious file path. Attackers can create a backup job with a crafted payload in the external file location field that triggers a buffer overflow when the backup job executes, enabling code execution with application privileges. CVSSv3.1 8.4 (HIGH) · EPSS 4th percentile
CVE-2018-25260 — Magix Music_editor_deluxe: Music Editor 3.1 contains a buffer overflow vulnerability in the FreeDB Proxy Options
MAGIX Music Editor 3.1 contains a buffer overflow vulnerability in the FreeDB Proxy Options dialog that allows local attackers to execute arbitrary code by exploiting structured exception handling. Attackers can craft a malicious payload, paste it into the Server field via the CD menu's FreeDB Proxy Options, and trigger code execution when settings are accepted. CVSSv3.1 8.4 (HIGH) · EPSS 5th percentile
CVE-2018-25259 — Lizardsystems Terminal_services_manager: Terminal Services Manager 3.1 contains a stack-based buffer overflow vulnerability in the computer names
Terminal Services Manager 3.1 contains a stack-based buffer overflow vulnerability in the computer names field that allows local attackers to execute arbitrary code by triggering structured exception handling. Attackers can craft a malicious input file with shellcode and jump instructions that overwrite the SEH handler pointer to execute calc.exe or other payloads when imported through the add computers wizard. CVSSv3.1 8.4 (HIGH) · EPSS 3rd percentile
CVE-2026-35548 — Guardsix Logpoint: An authenticated Operator user could redirect the database connection to unintended internal systems, resulting
An issue was discovered in guardsix (formerly Logpoint) ODBC Enrichment Plugins before 5.2.1 (5.2.1 is used in guardsix 7.9.0.0). A logic flaw allowed stored database credentials to be reused after modification of the target Host, IP address, or Port. When editing an existing Enrichment Source, previously stored credentials were retained even if the connection endpoint was changed. An authenticated Operator user could redirect the database connection to unintended internal sy CVSSv3.1 8.5 (HIGH) · EPSS 9th percentile
CVE-2026-6859 — Redhat Instructlab: This allows a remote attacker to achieve arbitrary Python code execution by convincing a
A flaw was found in InstructLab. The `linux_train.py` script hardcodes `trust_remote_code=True` when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run `ilab train/download/generate` with a specially crafted malicious model from the HuggingFace Hub. This vulnerability can lead to complete system compromise. CVSSv3.1 8.8 (HIGH) · EPSS 36th percentile
CVE-2026-6356 — Augmentt Augmentt: A vulnerability in the web application allows standard users to escalate their privileges to
A vulnerability in the web application allows standard users to escalate their privileges to those of a super administrator through parameter manipulation, enabling them to access and modify sensitive information. CVSSv3.1 9.6 (CRITICAL) · EPSS 9th percentile
CVE-2026-41651 — Packagekit_project Packagekit: between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use
PackageKit is a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrar CVSSv3.1 8.8 (HIGH)