CVE-2026-41056 — Wwbn Avideo: In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin`
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by both `plugin/API/get.json.php` and `plugin/API/set.json.php` — the primary API endpoints that handle user data retrieval, authentication, livestream credentials, and state-changin CVSSv3.1 8.1 (HIGH)
CVE-2026-41055 — Wwbn Avideo: In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds
WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix. CVSSv3.1 8.6 (HIGH)
Hooking Windows Named Pipes
Synacktiv published a detailed technical writeup on hooking Windows Named Pipes for interception and manipulation of inter-process communication (IPC) between privileged and unprivileged processes. The research covers attack vectors including permissive ACLs, race conditions on pipe creation, and introduces 'Thats No Pipe'—a Frida-based injection tool that hooks syscalls (NtReadFile, NtWriteFile, NtWaitForSingleObject, NtRemoveIoCompletion) to intercept, modify, and inject named pipe traffic across synchronous IO, asynchronous IO, completion ports, and completion routine scenarios.
Kubernetes forensics 1/3: what the container?
Synacktiv publishes the first article in a three-part Kubernetes forensics series, focusing on container fundamentals. The article covers container architecture, OCI specifications, Docker vs. Podman implementations, OverlayFS storage mechanics, and practical artifact acquisition locations for forensic investigation of containerized environments.
Exploring cross-domain & cross-forest RBCD
Synacktiv published detailed research on Resource-Based Constrained Delegation (RBCD) attacks across Active Directory domains and forests, including the Kerberos workflow mechanics and practical Impacket implementation. The authors documented cross-domain RBCD as fully functional and provided a modified getST.py script to perform S4U2Self and S4U2Proxy operations from Linux; cross-forest RBCD was found to be restricted by Microsoft policy to specific trust configurations and remains partially unexploited in current tooling.
mitmproxy for fun and profit: Interception and Analysis of Application Traffic
Synacktiv published a comprehensive technical guide on using mitmproxy for intercepting and modifying application traffic across Linux, Android, and iOS platforms. The article covers explicit and transparent proxy modes, certificate installation techniques, and includes practical proof-of-concept demonstrations including Git repository hijacking via HTTP interception and gRPC payload manipulation on Android to spoof geolocation data.
Beyond ACLs: Mapping Windows Privilege Escalation Paths with BloodHound
Synacktiv published a comprehensive technical guide on enumerating and exploiting Windows privileges and logon rights using BloodHound, SharpHound, and SharpHoundCommon. The research details how to map privilege escalation paths across Active Directory domains by parsing GPOs and querying LSA remotely, with practical examples of abusing SeBackupPrivilege, SeDebugPrivilege, and SeImpersonatePrivilege for privilege escalation.
On the clock: Escaping VMware Workstation at Pwn2Own Berlin 2025
Synacktiv researchers disclosed a complete VM escape exploit chain against VMware Workstation demonstrated at Pwn2Own Berlin 2025, leveraging a heap-overflow vulnerability (CVE-2025-41238) in the PVSCSI controller. The exploit defeats Windows 11 LFH mitigations through LFH state manipulation, heap shaping with shader and URB objects, and a novel side-channel technique to break LFH randomization, achieving arbitrary read/write and code execution with first-attempt reliability.
Wireless-(in)Fidelity: Pentesting Wi-Fi in 2025
Synacktiv's comprehensive Wi-Fi penetration testing guide covers attack vectors from open networks through WEP and WPA2 PSK, detailing real-world exploitation techniques including LLMNR/mDNS poisoning, deauthentication attacks, evil-twin MitM, and cryptographic weaknesses. The article demonstrates practical attacks against legacy and modern Wi-Fi protocols, with case studies from actual penetration tests showing how credential harvesting and network compromise remain viable despite protocol maturity.
Livewire: remote command execution through unmarshaling
Synacktiv disclosed a critical pre-authenticated remote code execution vulnerability in Livewire, a popular Laravel full-stack framework used in 130K+ public instances. The vulnerability exploits Livewire's hydration mechanism through malicious synthesizers injected via the updates field, bypassing checksum validation through PHP's loose typing and recursive array handling. Attackers can instantiate arbitrary objects and chain gadgets (GuzzleHttp\Psr7\FnStream, League\Flysystem utilities) to achieve stealthy command execution without knowledge of the application's APP_KEY.
CVE-2026-6832 — Get-hermes Hermes_web_ui: Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows
Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can exploit unvalidated session identifiers to construct paths that bypass the SESSION_DIR boundary and delete writable JSON files on the host system. CVSSv3.1 8.1 (HIGH) · EPSS 31st percentile
CVE-2026-40933 — Flowiseai Flowise: Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution. The vulnerability lies in a bug in the input sanitization from the “Custom MCP” configuration in http://localhost:3000/canvas - where any user can add a new MCP, when doing so - adding a new MCP usin CVSSv3.1 9.9 (CRITICAL)
CVE-2026-40931 — Node-modules Compressing: By exploiting this "Logical vs. Physical" divergence, an attacker can bypass the security check using a Directory Poisoning technique
Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but fails to account for the actual filesystem state. By exploiting this "Logical vs. Physical" divergence, an attacker can bypass the security check using a Directory Poisoning technique CVSSv3.1 8.4 (HIGH)
CVE-2026-6823 — Hkuds Openharness: Attackers who can reach the configured channel can bypass access controls and reach host-backed
HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit allow_from = ["*"] permitting arbitrary remote senders to pass admission checks. Attackers who can reach the configured channel can bypass access controls and reach host-backed agent runtimes, potentially leading to unauthorized file disclosure and read access through default-enabled read-only tools. CVSSv3.1 8.2 (HIGH) · EPSS 26th percentile
CVE-2026-40925 — Wwbn Avideo: In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call `forbidIfIsUntrustedRequest()`, does not verify a `globalToken`, and does not validate the Origin/Referer header. Because AVideo intentionally sets `session.cookie_samesite=None` to support cross-origin ifra CVSSv3.1 8.3 (HIGH) · EPSS 4th percentile
CVE-2026-40911 — Wwbn Avideo: In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains two `eval()` sinks fed directly by those relayed fields (`json.msg.autoEvalCodeOnHTML` at line 568 and `json.callback` at line 95). Because tokens are minted for anonymous visitors and n CVSSv3.1 10.0 (CRITICAL) · EPSS 37th percentile
CVE-2026-40906 — Electric Sync-service: From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is
Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0. CVSSv3.1 9.9 (CRITICAL) · EPSS 10th percentile
CVE-2026-40892 — Pjsip Pjsip: In 2.16 and earlier, a stack buffer overflow exists in pjsip_auth_create_digest2() in PJSIP when
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a stack buffer overflow exists in pjsip_auth_create_digest2() in PJSIP when using pre-computed digest credentials (PJSIP_CRED_DATA_DIGEST). The function copies credential data using cred_info->data.slen as the length without an upper-bound check, which can overflow the fixed-size ha1 stack buffer (128 bytes) if data.slen exceeds the expected digest string length. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-34309 — Oracle Peoplesoft_enterprise_peopletools: Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Security). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise PeopleTools accessib CVSSv3.1 8.1 (HIGH)
CVE-2026-34291 — Oracle Http_server: Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise
Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. While the vulnerability is in Oracle HTTP Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthor CVSSv3.1 8.7 (HIGH)
CVE-2026-34287 — Oracle Identity_manager_connector: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector CVSSv3.1 9.1 (CRITICAL)
CVE-2026-34286 — Oracle Identity_manager_connector: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector CVSSv3.1 9.1 (CRITICAL)
CVE-2026-34285 — Oracle Identity_manager_connector: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector CVSSv3.1 9.1 (CRITICAL)
CVE-2026-34279 — Oracle Enterprise_manager_base_platform: Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Su CVSSv3.1 9.1 (CRITICAL) · EPSS 12th percentile
CVE-2026-34275 — Oracle Advanced_inbound_telephony: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle
Vulnerability in the Oracle Advanced Inbound Telephony product of Oracle E-Business Suite (component: Setup and Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Inbound Telephony. Successful attacks of this vulnerability can result in takeover of Oracle Advanced Inbound Telephony. CVSS 3.1 Base Score 9.8 (Confidentiality, Integ CVSSv3.1 9.8 (CRITICAL) · EPSS 13th percentile