Latest intel // live feed
CVE-2026-40488 — Openmage Magento: Files are stored in the publicly accessible `media/custom_options/quote/` directory, which lacks server-side execution restrictions
Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the product custom option file upload in OpenMage LTS uses an incomplete blocklist (`forbidden_extensions = php,exe`) to prevent dangerous file uploads. This blocklist can be trivially bypassed by using alternative PHP-executable extensions such as `.phtml` CVSSv3.1 8.8 (HIGH)
CVE-2026-30269 — Doorman Doorman: Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update
Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update their own account role to a non-admin privileged role via /platform/user/{username}. The `role` field is accepted by the update model without a manage_users permission check for self-updates, enabling privilege escalation to high-privileged roles. CVSSv3.1 9.9 (CRITICAL) · EPSS 13th percentile
CVE-2026-25524 — Openmage Magento: Prior to version 20.17.0, PHP functions such as `getimagesize()`, `file_exists()`, and `is_readable()` can trigger
Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, PHP functions such as `getimagesize()`, `file_exists()`, and `is_readable()` can trigger deserialization when processing `phar://` stream wrapper paths. OpenMage LTS uses these functions with potentially controllable file paths during image validation and m CVSSv3.1 8.1 (HIGH)
CVE-2026-26944 — Dell Powerprotect_dp_series_appliance: PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain a missing authentication for critical function vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges. Exploitation requires an authenticated user to perform a specific action. CVSSv3.1 8.8 (HIGH)
CVE-2026-24467 — Filigran Openaev: Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's password reset implementation contains
OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaigns and tests. Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's password reset implementation contains multiple security weaknesses that together allow reliable account takeover. The primary issue is that password reset tokens do not expire. Once a token is generated, it remains valid indefinitely, even if significant time has passed or if ne CVSSv3.1 9.0 (CRITICAL) · EPSS 73rd percentile
CVE-2026-5760 — SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing
SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malicious tokenizer.chat_template is loaded, as the Jinja2 chat templates are rendered using an unsandboxed jinja2.Environment(). CVSSv3.1 9.8 (CRITICAL) · EPSS 59th percentile
CVE-2026-4048 — Progress Connection_manager_for_objectscale: OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows
OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process. CVSSv3.1 8.4 (HIGH) · EPSS 23rd percentile
CVE-2026-3519 — Progress Connection_manager_for_objectscale: OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “VS Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'aclcontrol' command CVSSv3.1 8.4 (HIGH) · EPSS 23rd percentile
CVE-2026-3518 — Progress Connection_manager_for_objectscale: OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command CVSSv3.1 8.4 (HIGH) · EPSS 23rd percentile
CVE-2026-3517 — Progress Connection_manager_for_objectscale: OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “Geo Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'addcountry' command CVSSv3.1 8.4 (HIGH) · EPSS 23rd percentile
CVE-2026-33557 — Apache Kafka: A possible security vulnerability has been identified in Apache Kafka.
A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the `preferred_username` set to any user, and the broker will accept it. We advise the Kafka users using kafka v4.1.0 or CVSSv3.1 9.1 (CRITICAL)
FakeWallet crypto stealer spreading through iOS apps in the App Store
Kaspersky discovered 26+ phishing apps in the Apple App Store masquerading as popular cryptocurrency wallets (MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, Bitpie), primarily targeting Chinese users. Once installed, these apps redirect to malicious pages that distribute trojanized wallet versions engineered to steal recovery phrases and private keys via library injection, method swizzling, and sophisticated phishing overlays. The campaign has been active since at least fall 2025 and employs both hot-wallet credential harvesting and cold-wallet phishing, with some samples also containing SparkKitty modules, suggesting possible threat-actor overlap.
CVE-2026-5967 — Teamt5 Threatsonar_anti-ransomware: ThreatSonar Anti-Ransomware developed by TeamT5 has a Privilege Escalation vulnerability.
ThreatSonar Anti-Ransomware developed by TeamT5 has a Privilege Escalation vulnerability. Authenticated remote attackers with shell access can inject OS commands and execute them with root privileges. CVSSv3.1 8.8 (HIGH) · EPSS 34th percentile
CVE-2026-5966 — Teamt5 Threatsonar_anti-ransomware: ThreatSonar Anti-Ransomware developed by TeamT5 has an Arbitrary File Deletion vulnerability.
ThreatSonar Anti-Ransomware developed by TeamT5 has an Arbitrary File Deletion vulnerability. Authenticated remote attackers with web access can exploit Path Traversal to delete arbitrary files on the system. CVSSv3.1 8.1 (HIGH) · EPSS 57th percentile
CVE-2026-5964 — Digiwin Easyflow_.net: EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers
EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. CVSSv3.1 9.8 (CRITICAL) · EPSS 28th percentile
CVE-2026-5963 — Digiwin Easyflow_.net: EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers
EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. CVSSv3.1 9.8 (CRITICAL) · EPSS 28th percentile
CVE-2026-6644 — Asustor Data_master: A command injection vulnerability was found in the PPTP VPN Clients on the ADM.
A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient validation of user-supplied input before it is passed to a system shell. Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) and fully compromise the system. Affected products and CVSSv3.1 9.1 (CRITICAL) · EPSS 55th percentile
AzureAD-Attack-Defense — This publication is a collection of various common attack scenarios on Microsoft Entra ID (formerly known as Azure Activ
AzureAD-Attack-Defense is a comprehensive community-driven playbook documenting attack and defense scenarios against Microsoft Entra ID (Azure AD). The repository covers password spray, consent grant abuse, service principal exploitation in Azure DevOps, Entra Connect sync account abuse, PRT token replay, and adversary-in-the-middle phishing attacks, with detection rules and mitigation strategies mapped to the MITRE ATT&CK framework.
The Vercel Breach: OAuth Supply Chain Attack Exposes the Hidden Risk in Platform Environment Variables
Vercel suffered a supply-chain OAuth compromise originating from a Lumma Stealer malware infection at third-party vendor Context.ai in February 2026. Attackers leveraged stolen Google Workspace OAuth tokens to pivot into Vercel's internal systems and enumerate customer environment variables, exposing non-sensitive credentials stored unencrypted at rest. The incident demonstrates how OAuth trust relationships bypass perimeter defenses and how default-insecure environment variable models amplify blast radius across downstream services.
magnetar — An EDR-bypassing shellcode loader framework for Windows 10 64bit, featuring ETW/AMSI patching, Tartarus Gate, process pro
Magnetar is a Windows 10 64-bit shellcode loader framework designed to bypass EDR solutions through ETW/AMSI patching, direct syscalls via Tartarus Gate, process injection techniques (Early Bird APC, Process Hypnosis), PPID spoofing, and process protection mechanisms. The author intentionally removed the critical syscall obfuscation component from the public release due to its demonstrated effectiveness against Sophos EDR, requiring users to supply their own implementation.
CVE-2026-41242 — Protobufjs_project Protobufjs: In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-40487 — Gitroom Postiz: Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to
Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the `Content-Type` header. The uploaded files are then served by nginx with a Content-Type derived from their original extension (`text/html`, `image/svg+xml`), enabling Stored Cross-Site Scripting (XSS) in the context of the application's origin. This can le CVSSv3.1 8.9 (HIGH)
CVE-2026-35582 — Nsa Emissary: In versions 8.42.0 and below, Executrix.getCommand() is vulnerable to OS command injection because it
Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand() is vulnerable to OS command injection because it interpolates temporary file paths into a /bin/sh -c shell command string without any escaping or input validation. The IN_FILE_ENDING and OUT_FILE_ENDING configuration keys flow directly into these paths, allowing a place author who can write or modify a .cfg file to inject arbitrary shell metacharacters that execute OS co CVSSv3.1 8.8 (HIGH) · EPSS 17th percentile
Nuclei v3.8.0
Nuclei v3.8.0 released with two security fixes addressing sandbox escape vectors: JS module now respects allow-local-file-access in require() calls, and template expressions are now restricted to template-authored code only. The release also includes 20+ bug fixes covering race conditions, path handling, and concurrent map writes across fuzzing, WebSocket, and HTTP modules.
CVE-2026-40572 — Minecanton209 Novumos: In versions prior to 0.24, Syscall 15 (MemoryMapRange) allows Ring 3 user-mode processes to
NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 15 (MemoryMapRange) allows Ring 3 user-mode processes to map arbitrary virtual address ranges into their address space without validating against forbidden regions, including critical kernel structures such as the IDT, GDT, TSS, and page tables. A local attacker can exploit this to modify kernel interrupt handlers, resulting in privilege escalation from user mode to CVSSv3.1 9.0 (CRITICAL) · EPSS 4th percentile