Latest intel // live feed
CVE-2026-40884 — Goshs Goshs: Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network attacker can connect to the SFTP service and access files without a password. This vulnerability is fixed in 2.0.0-beta.6. CVSSv3.1 9.8 (CRITICAL) · EPSS 17th percentile
CVE-2026-40883 — Goshs Goshs: From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing
goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CSRF, Origin, or Referer validation for those routes. This vulnerability is fixed in 2.0.0-beta.6. CVSSv3.1 8.1 (HIGH) · EPSS 5th percentile
CVE-2026-40880 — Zfnd Zebra-consensus: Prior to zebrad version 4.3.1 and zebra-consensus version 5.0.2, a logic error in Zebra's
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and zebra-consensus version 5.0.2, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By carefully submitting a transaction that is valid for height H+1 but invalid for H+2 and then mining that transaction in a block at height H+2, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from t CVSSv3.1 8.1 (HIGH) · EPSS 13th percentile
CVE-2026-40876 — Goshs Goshs: goshs is a SimpleHTTPServer written in Go.
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files. The SFTP subsystem routes requests through sftpserver/sftpserver.go into DefaultHandler.GetHandler() in sftpserver/handler.go, which forwards fil CVSSv3.1 8.8 (HIGH) · EPSS 13th percentile
CVE-2026-40372 — Microsoft Asp.net_core: Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate
Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network. CVSSv3.1 9.1 (CRITICAL) · EPSS 8th percentile
CVE-2026-40868 — Kyverno Kyverno: Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ...
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy does not explicitly set an Authorization header. Because context.apiCall.service.url is policy-controlled, this can send the kyverno serviceaccount token to an attacker-controlled endpoint (confused deputy). Namespaced policies are bloc CVSSv3.1 8.1 (HIGH) · EPSS 9th percentile
CVE-2026-40614 — Pjsip Pjsip: In 2.16 and earlier, there is a buffer overflow when decoding Opus audio frames
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is a buffer overflow when decoding Opus audio frames due to insufficient buffer size validation in the Opus codec decode path. The FEC decode buffers (dec_frame[].buf) were allocated based on a PCM-derived formula: (sample_rate/1000) * 60 * channel_cnt * 2. At 8 kHz mono this yields only 960 bytes, but codec_parse() can output encoded frames up to MAX_ENCODED_PACKET_SIZE CVSSv3.1 8.8 (HIGH)
CVE-2026-40611 — Encrypt: Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary
Let's Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego process. This vulnerability is fixed in 4.34.0. CVSSv3.1 8.8 (HIGH)
CVE-2026-5652 — Craftycontrol Crafty_controller: An insecure direct object reference vulnerability in the Users API component of Crafty Controller
An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation. CVSSv3.1 9.0 (CRITICAL) · EPSS 21st percentile
CVE-2026-40583 — Ultradag Ultradag: In version 0.1, a non-council attacker can submit a signed SmartOp::Vote transaction that passes
UltraDAG is a minimal DAG-BFT blockchain in Rust. In version 0.1, a non-council attacker can submit a signed SmartOp::Vote transaction that passes signature, nonce, and balance prechecks, but fails authorization only after state mutation has already occurred. CVSSv3.1 8.2 (HIGH) · EPSS 12th percentile
CVE-2026-38835 — Tenda W30e_firmware: W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the
Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. CVSSv3.1 9.8 (CRITICAL) · EPSS 38th percentile
v9.0.2
BloodHound v9.0.2 released with routine maintenance updates including cipher additions, Azure post-processing fixes, and a pgx dependency upgrade to remediate two CVEs in the database driver. The release includes minor feature additions and build improvements.
The Vercel Breach Explains Why Identity Attack Path Management Can’t Wait
Vercel suffered a supply-chain breach when an employee connected the AI tool Context.ai to corporate Google Workspace via OAuth with overly broad permissions. Context.ai was subsequently compromised via an infostealer (Lumma Stealer) targeting a Context.ai employee, exposing OAuth tokens that granted attackers direct access to Vercel's identity infrastructure and internal systems. SpecterOps frames this as a structural identity attack path problem: the compromise of a non-human identity (NHI) with delegated trust relationships enabled lateral movement at machine speed, exposing the inadequacy of traditional IAM governance against AI-driven identity risks.
CVE-2026-3324 — Log360: ManageEngine Log360 builds 13000–13013 contain an authentication bypass vulnerability in exposed V1
ManageEngine Log360 builds 13000–13013 contain an authentication bypass vulnerability in exposed V1 APIs that allows attackers to bypass authorization checks and gain unauthorized access to data and operations. The vendor patched the issue in build 13017 released March 10, 2026, with public disclosure on April 17, 2026.
CVE-2026-31019 — Dolibarr Dolibarr_erp/crm: An authenticated user with permission to edit PHP content can bypass this filtering, resulting
In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code execution with the ability to execute arbitrary operating system commands on the server. CVSSv3.1 8.8 (HIGH)
CVE-2026-31018 — Dolibarr Dolibarr_erp/crm: In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement
In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation. CVSSv3.1 8.8 (HIGH)
Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained
Rapid7 analyzed two Kyber ransomware variants—one targeting VMware ESXi and one targeting Windows—recovered from a March 2026 incident. The ESXi variant uses ChaCha8 encryption despite claiming post-quantum Kyber1024, while the Windows variant correctly implements AES-256-CTR with Kyber1024 key wrapping. Both variants share campaign infrastructure and employ sophisticated anti-recovery techniques including VM termination, shadow copy deletion, and management interface defacement.
CVE-2026-6750 — Mozilla Firefox: Privilege escalation in the Graphics: WebRender component.
Privilege escalation in the Graphics: WebRender component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. CVSSv3.1 8.8 (HIGH)
CVE-2026-6748 — Mozilla Firefox: Uninitialized memory in the Audio/Video: Web Codecs component.
Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-41038 — Qntmnet Qn-i-470_firmware: An attacker on the same network could exploit this vulnerability by performing password guessing
This vulnerability exists in Quantum Networks router due to lack of enforcement of strong password policies in the web-based management interface. An attacker on the same network could exploit this vulnerability by performing password guessing or brute-force attacks against user accounts, leading to unauthorized access to the targeted device. CVSSv3.1 8.8 (HIGH) · EPSS 7th percentile
CVE-2026-41037 — Qntmnet Qn-i-470_firmware: An attacker on the same network could exploit this vulnerability by performing brute force
This vulnerability exists in Quantum Networks router due to missing rate limiting and CAPTCHA protection for failed login attempts in the web-based management interface. An attacker on the same network could exploit this vulnerability by performing brute force attacks against administrative credentials, leading to unauthorized access with root privileges on the targeted device. CVSSv3.1 8.8 (HIGH) · EPSS 7th percentile
CVE-2026-41036 — Qntmnet Qn-i-470_firmware: Successful exploitation of this vulnerability could allow the attacker to perform remote code execution
This vulnerability exists in Quantum Networks router due to inadequate sanitization of user-supplied input in the management CLI interface. An authenticated remote attacker could exploit this vulnerability by injecting arbitrary OS commands on the targeted device. Successful exploitation of this vulnerability could allow the attacker to perform remote code execution with root privileges on the targeted device. CVSSv3.1 8.8 (HIGH) · EPSS 64th percentile
shannon — Shannon Lite is an autonomous, white-box AI pentester for web applications and APIs. It analyzes your source code, ident
Shannon Lite is an open-source autonomous AI pentester for web applications and APIs that performs white-box security testing by analyzing source code and executing real exploits. The tool identifies attack vectors across injection, XSS, SSRF, and authentication bypass categories, generating proof-of-concept exploits for confirmed vulnerabilities. Shannon Pro, the commercial variant, adds agentic SAST, SCA, secrets scanning, and business logic testing with static-dynamic correlation.
CVE-2026-5965 — NewSoftOA: developed by NewSoft has an OS Command Injection vulnerability, allowing unauthenticated local attackers
NewSoftOA developed by NewSoft has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server. CVSSv3.1 9.8 (CRITICAL) · EPSS 92nd percentile
CVE-2026-40497 — Freescout Freescout: CSP allows `style-src * 'self' 'unsafe-inline'`, so injected inline styles execute freely.
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's `Helper::stripDangerousTags()` removes `<script>`, `<form>`, `<iframe>`, `<object>` but does NOT strip `<style>` tags. The mailbox signature field is saved via POST /mailbox/settings/{id} and later rendered unescaped via `{!! $conversation->getSignatureProcessed([], true) !!}` in conversation views. CSP allows `style-src * 'self' 'unsafe-inline'`, so injected inline styles exec CVSSv3.1 8.1 (HIGH)