Latest intel // live feed
Wireless-(in)Fidelity: Pentesting Wi-Fi in 2025
Synacktiv's comprehensive Wi-Fi penetration testing guide covers attack vectors from open networks through WEP and WPA2 PSK, detailing real-world exploitation techniques including LLMNR/mDNS poisoning, deauthentication attacks, evil-twin MitM, and cryptographic weaknesses. The article demonstrates practical attacks against legacy and modern Wi-Fi protocols, with case studies from actual penetration tests showing how credential harvesting and network compromise remain viable despite protocol maturity.
Livewire: remote command execution through unmarshaling
Synacktiv disclosed a critical pre-authenticated remote code execution vulnerability in Livewire, a popular Laravel full-stack framework used in 130K+ public instances. The vulnerability exploits Livewire's hydration mechanism through malicious synthesizers injected via the updates field, bypassing checksum validation through PHP's loose typing and recursive array handling. Attackers can instantiate arbitrary objects and chain gadgets (GuzzleHttp\Psr7\FnStream, League\Flysystem utilities) to achieve stealthy command execution without knowledge of the application's APP_KEY.
CVE-2026-6832 — Get-hermes Hermes_web_ui: Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows
Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can exploit unvalidated session identifiers to construct paths that bypass the SESSION_DIR boundary and delete writable JSON files on the host system. CVSSv3.1 8.1 (HIGH) · EPSS 31st percentile
CVE-2026-40933 — Flowiseai Flowise: Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution. The vulnerability lies in a bug in the input sanitization from the “Custom MCP” configuration in http://localhost:3000/canvas - where any user can add a new MCP, when doing so - adding a new MCP usin CVSSv3.1 9.9 (CRITICAL)
CVE-2026-40931 — Node-modules Compressing: Physical" divergence, an attacker can bypass the security check using a Directory Poisoning technique
Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but fails to account for the actual filesystem state. By exploiting this "Logical vs. Physical" divergence, an attacker can bypass the security check using a Directory Poisoning technique CVSSv3.1 8.4 (HIGH)
CVE-2026-6823 — Hkuds Openharness: Attackers who can reach the configured channel can bypass access controls and reach host-backed
HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit allow_from = ["*"] permitting arbitrary remote senders to pass admission checks. Attackers who can reach the configured channel can bypass access controls and reach host-backed agent runtimes, potentially leading to unauthorized file disclosure and read access through default-enabled read-only tools. CVSSv3.1 8.2 (HIGH) · EPSS 26th percentile
CVE-2026-40925 — Wwbn Avideo: In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call `forbidIfIsUntrustedRequest()`, does not verify a `globalToken`, and does not validate the Origin/Referer header. Because AVideo intentionally sets `session.cookie_samesite=None` to support cross-origin ifra CVSSv3.1 8.3 (HIGH) · EPSS 4th percentile
CVE-2026-40911 — Wwbn Avideo: In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains two `eval()` sinks fed directly by those relayed fields (`json.msg.autoEvalCodeOnHTML` at line 568 and `json.callback` at line 95). Because tokens are minted for anonymous visitors and n CVSSv3.1 10.0 (CRITICAL) · EPSS 37th percentile
CVE-2026-40906 — Electric Sync-service: From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is
Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0. CVSSv3.1 9.9 (CRITICAL) · EPSS 10th percentile
CVE-2026-40892 — Pjsip Pjsip: In 2.16 and earlier, a stack buffer overflow exists in pjsip_auth_create_digest2() in PJSIP when
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a stack buffer overflow exists in pjsip_auth_create_digest2() in PJSIP when using pre-computed digest credentials (PJSIP_CRED_DATA_DIGEST). The function copies credential data using cred_info->data.slen as the length without an upper-bound check, which can overflow the fixed-size ha1 stack buffer (128 bytes) if data.slen exceeds the expected digest string length. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-34309 — Oracle Peoplesoft_enterprise_peopletools: Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Security). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise PeopleTools accessib CVSSv3.1 8.1 (HIGH)
CVE-2026-34291 — Oracle Http_server: Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise
Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. While the vulnerability is in Oracle HTTP Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthor CVSSv3.1 8.7 (HIGH)
CVE-2026-34287 — Oracle Identity_manager_connector: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector CVSSv3.1 9.1 (CRITICAL)
CVE-2026-34286 — Oracle Identity_manager_connector: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector CVSSv3.1 9.1 (CRITICAL)
CVE-2026-34285 — Oracle Identity_manager_connector: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector CVSSv3.1 9.1 (CRITICAL)
CVE-2026-34279 — Oracle Enterprise_manager_base_platform: Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Su CVSSv3.1 9.1 (CRITICAL) · EPSS 12th percentile
CVE-2026-34275 — Oracle Advanced_inbound_telephony: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle
Vulnerability in the Oracle Advanced Inbound Telephony product of Oracle E-Business Suite (component: Setup and Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Inbound Telephony. Successful attacks of this vulnerability can result in takeover of Oracle Advanced Inbound Telephony. CVSS 3.1 Base Score 9.8 (Confidentiality, Integ CVSSv3.1 9.8 (CRITICAL) · EPSS 13th percentile
CVE-2026-33519 — Esri Portal_for_arcgis: An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0
An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials. CVSSv3.1 9.8 (CRITICAL) · EPSS 17th percentile
CVE-2026-33518 — Esri Portal_for_arcgis: An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows
An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected. CVSSv3.1 9.8 (CRITICAL) · EPSS 17th percentile
CVE-2026-21997 — Oracle Life_sciences_empirica_signal: Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise
Vulnerability in the Oracle Life Sciences Empirica Signal product of Oracle Life Science Applications (component: Common Core). Supported versions that are affected are 9.2.1-9.2.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Life Sciences Empirica Signal. While the vulnerability is in Oracle Life Sciences Empirica Signal, attacks may significantly impact additional products (scope change). Successful at CVSSv3.1 8.5 (HIGH) · EPSS 8th percentile
CVE-2025-70420 — Genesys Latitude: A SQL injection vulnerability exists in Genesys Latitude v25.1.0.420 that allows an authenticated attacker
A SQL injection vulnerability exists in Genesys Latitude v25.1.0.420 that allows an authenticated attacker to execute arbitrary SQL queries against the backend database. The vulnerability is caused by unsanitized user-supplied input being concatenated directly into SQL statements. CVSSv3.1 8.8 (HIGH) · EPSS 10th percentile
CVE-2026-6819 — Hkuds Openharness: prior to PR #156 remediation exposes plugin lifecycle commands including /plugin install
HKUDS OpenHarness prior to PR #156 remediation exposes plugin lifecycle commands including /plugin install, /plugin enable, /plugin disable, and /reload-plugins to remote senders by default. Attackers who gain access through the channel layer can remotely manage plugin trust and activation state, enabling unauthorized plugin installation and activation on the system. CVSSv3.1 8.8 (HIGH) · EPSS 12th percentile
CVE-2026-40909 — Wwbn Avideo: An admin attacker (or any user who can CSRF an admin, since no CSRF
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint (`locale/save.php`) constructs a file path by directly concatenating `$_POST['flag']` into the path at line 30 without any sanitization. The `$_POST['code']` parameter is then written verbatim to that path via `fwrite()` at line 40. An admin attacker (or any user who can CSRF an admin, since no CSRF token is checked and cookies use `SameSite=None`) can traverse out of the `local CVSSv3.1 8.7 (HIGH)
CVE-2026-40903 — Goshs Goshs: ArtiPACKED can lead to leakage of the GITHUB_TOKEN through workflow artifacts, even though the
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs has an ArtiPACKED vulnerability. ArtiPACKED can lead to leakage of the GITHUB_TOKEN through workflow artifacts, even though the token is not present in the repository source code. This vulnerability is fixed in 2.0.0-beta.6. CVSSv3.1 9.1 (CRITICAL) · EPSS 12th percentile
CVE-2026-40885 — Goshs Goshs: is a SimpleHTTPServer written in Go.
goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including Authorization. An unauthenticated observer can capture a victim's folder-specific basic-auth header and replay it to CVSSv3.1 8.8 (HIGH) · EPSS 21st percentile