2026-04-16
2026-04-16 09:44Z
HIGH

From APT28 to RePythonNET: automating .NET malware analysis

Sekoia.io · sekoia.io

Sekoia TDR published RePythonNET-MCP, an open-source tool automating .NET malware analysis via pythonnet and dnlib integration with AI-assisted decompilation. The research demonstrates practical reverse engineering of APT28's obfuscated Covenant C2 implant, including automated string decryption, function renaming, and configuration extraction through an MCP server exposing 30+ analysis tools.

SRF: Application · TAC: TA0002 · TAC: TA0011 · VND: Apt28 · VND: Covenant · TYP: Research · TYP: Tool · TYP: Writeup
Score: 78
2026-04-16
2026-04-16 06:30Z
HIGH

OID-See — OID-See is an identity attack surface mapping tool that models OAuth trust, persistence, and impersonation paths in Entr

GitHub · Azure / Entra tools · github.com · GITHUB POC

OID-See is an open-source identity attack surface mapping tool for Microsoft Entra ID that discovers, analyzes, and visualizes risky third-party and multi-tenant applications through OAuth trust relationships, persistence paths, and impersonation vectors. Version 1.1.1 adds Microsoft's official permission tiering data, BloodHound OpenGraph interoperability, and offline-capable first-party app detection; v1.1.0 introduced large-tenant performance optimization (30k+ nodes) and external identity posture scanning.

SRF: Identity · SRF: Cloud · TAC: TA0043 · VND: Microsoft · TYP: Research · TYP: Tool · STG: Discovery · STG: Recon
Score: 78
2026-04-16
2026-04-16 03:16Z
CRIT

CVE-2026-6350 — Openfind: MailGates/MailAudit developed by Openfind has a Stack-based Buffer Overflow vulnerability, allowing unauthenticated remote attackers

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6350

MailGates/MailAudit developed by Openfind has a Stack-based Buffer Overflow vulnerability, allowing unauthenticated remote attackers to control the program's execution flow and execute arbitrary code. CVSSv3.1 9.8 (CRITICAL) · EPSS 23rd percentile

CWE: CWE-121 · VND: Openfind · TYP: Vulnerability
CVSS v3.1: 9.8
Score: 99
2026-04-16
2026-04-16 03:16Z
CRIT

CVE-2026-6349 — HGiga: The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated local

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6349

The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server. CVSSv3.1 9.8 (CRITICAL)

CWE: CWE-78 · VND: Hgiga · TYP: Vulnerability
CVSS v3.1: 9.8
Score: 99
2026-04-16
2026-04-16 03:16Z
HIGH

CVE-2026-6348 — WinMatrix: agent developed by Simopro Technology has a Missing Authentication vulnerability, allowing authenticated local

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6348

WinMatrix agent developed by Simopro Technology has a Missing Authentication vulnerability, allowing authenticated local attackers to execute arbitrary code with SYSTEM privileges on the local machine as well as on all hosts within the environment where the agent is installed. CVSSv3.1 8.8 (HIGH) · EPSS 1st percentile

CWE: CWE-306 · VND: Winmatrix · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
2026-04-16
2026-04-16 02:16Z
CRIT

CVE-2026-40504 — Creolabs: Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40504

Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out-of-bounds memory by crafting scripts with many string literals at global scope. Attackers can exploit insufficient bounds checking in gravity_fiber_reassign() to corrupt heap metadata and achieve arbitrary code execution in applications that evaluate untrusted scripts. CVSSv3.1 9.8 (CRITICAL) · EPSS 10th percentile

CWE: CWE-122 · VND: Creolabs · TYP: Vulnerability
CVSS v3.1: 9.8
Score: 99
2026-04-16
2026-04-16 01:16Z
CRIT

CVE-2026-40959 — Luanti: 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40959

Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod. CVSSv3.1 9.3 (CRITICAL) · EPSS 0th percentile

CWE: CWE-829 · VND: Luanti · TYP: Vulnerability
CVSS v3.1: 9.3
Score: 97
2026-04-16
2026-04-16 01:16Z
HIGH

CVE-2026-40502 — Hkuds Openharness: prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40502

OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remote-safe commands in the gateway handler. Attackers can execute administrative commands such as /permissions full_auto through remote chat sessions to change permission modes of a running OpenHarness instance without operator authorization. CVSSv3.1 8.8 (HIGH)

CWE: CWE-862 · VND: Hkuds · VND: Openharness · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
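The root cause above is dispatch on the command name alone, with no check of which channel the session arrived on. The following is an added example (not OpenHarness code; command names other than /permissions, the Session/Origin types and the allowlists are constructed) showing the vulnerable handler beside a default-deny version where remote sessions can only reach an explicit allowlist:

```python
"""Channel-aware command dispatch for a chat gateway.

Added example, not OpenHarness code. The command names other than /permissions are
constructed; the point is the check the fix needs: a command's dispatch must depend on
where the session came from, not only on the command's name.
"""
from dataclasses import dataclass, field
from enum import Enum


class Origin(Enum):
    LOCAL = "local"    # operator's own terminal or UI
    REMOTE = "remote"  # a user reaching the agent through a chat gateway


@dataclass
class Session:
    user: str
    origin: Origin


@dataclass
class AgentState:
    permission_mode: str = "ask"
    audit_log: list = field(default_factory=list)


REMOTE_SAFE = {"/help", "/status"}          # constructed: harmless from anywhere
LOCAL_ONLY = {"/permissions", "/restart"}   # constructed: change the running instance's behaviour


def _apply(state: AgentState, cmd: str, args: list) -> str:
    """Shared command implementations; authorization is the caller's job."""
    if cmd == "/permissions":
        if not args:
            return "usage: /permissions <mode>"
        state.permission_mode = args[0]
        return f"permission mode is now {args[0]}"
    if cmd == "/restart":
        return "restarting"
    if cmd == "/help":
        return "commands: " + " ".join(sorted(REMOTE_SAFE | LOCAL_ONLY))
    if cmd == "/status":
        return f"permission mode: {state.permission_mode}"
    return "unknown command"


def handle_vulnerable(state: AgentState, session: Session, line: str) -> str:
    """Dispatches on the command name alone: a remote chat user can run /permissions full_auto."""
    cmd, *args = line.split()
    return _apply(state, cmd, args)


def handle_hardened(state: AgentState, session: Session, line: str) -> str:
    """Default-deny for remote sessions: only the explicit allowlist is reachable from chat.
    Anything unclassified (a command nobody thought to tag) also needs a local session."""
    cmd, *args = line.split()
    if session.origin is not Origin.LOCAL and cmd not in REMOTE_SAFE:
        state.audit_log.append(f"denied {cmd} from remote user {session.user!r}")
        return f"{cmd} is not available from a remote session"
    return _apply(state, cmd, args)


def demo() -> dict:
    """Replay the advisory's scenario against both handlers and report the outcome."""
    remote = Session("chat-user", Origin.REMOTE)
    local = Session("operator", Origin.LOCAL)

    vuln = AgentState()
    handle_vulnerable(vuln, remote, "/permissions full_auto")

    fixed = AgentState()
    handle_hardened(fixed, remote, "/permissions full_auto")   # denied and logged
    handle_hardened(fixed, remote, "/unclassified")            # also denied: fail closed
    mode_after_remote = fixed.permission_mode
    handle_hardened(fixed, local, "/permissions full_auto")    # operator may still do it

    return {
        "vulnerable_mode": vuln.permission_mode,
        "hardened_mode_after_remote": mode_after_remote,
        "hardened_mode_after_local": fixed.permission_mode,
        "denials": len(fixed.audit_log),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The allowlist is the important design choice: a denylist of "dangerous" commands would have exactly the failure mode the advisory describes whenever a new administrative command is added without being tagged.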
2026-04-16
2026-04-16 00:16Z
HIGH

CVE-2026-5363 — Tp-link Archer_c7_firmware: Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5363

Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows Password Recovery Exploitation. The web interface encrypts the admin password client-side using RSA-1024 before sending it to the router during login. An adjacent attacker with the ability to intercept network traffic could potentially perform a brute-force or factorization attack against the 1024-bit RSA key to recover the plaintext administrator password, leading to unauth CVSSv3.1 8.8 (HIGH)

CWE: CWE-326 · VND: Tp Link · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
2026-04-16
2026-04-16 00:00Z
CRIT

QEMU abused to evade detection and enable ransomware delivery

Sophos X-Ops · news.sophos.com · CVE-2025-26399 · CVE-2025-5777 · in the wild

Sophos X-Ops documents active abuse of QEMU by threat actors to deploy hidden virtual machines for defense evasion, credential harvesting, and ransomware delivery. Two campaigns (STAC4713 linked to PayoutsKing/GOLD ENCOUNTER, and STAC3725 exploiting CitrixBleed2) use QEMU VMs to host attack toolkits while remaining invisible to endpoint security controls. Initial access vectors include unpatched SolarWinds Web Help Desk (CVE-2025-26399), exposed VPNs, and Citrix NetScaler exploitation (CVE-2025-5777).

SRF: OS · TAC: TA0005 · TAC: TA0001 · SRF: Network · TAC: TA0006 · TAC: TA0007 · TAC: TA0003 · TAC: TA0008
Score: 88
2026-04-15
2026-04-15 23:16Z
HIGH

CVE-2026-40316 — Owasp Owasp_blt: Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflows/regenerate-migrations.yml workflow.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40316

OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflows/regenerate-migrations.yml workflow. The workflow uses the pull_request_target trigger to run with full GITHUB_TOKEN write permissions, copies attacker-controlled files from untrusted pull requests into the trusted runner workspace via git show, and then executes python manage. CVSSv3.1 8.8 (HIGH) · EPSS 20th percentile

CWE: CWE-94 · CWE: CWE-95 · VND: Owasp · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
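The three ingredients named above (privileged trigger, PR head content pulled into the workspace, a command executed afterwards) are easy to grep for across an organisation's workflows. The following is an added example, not BLT's workflow or code: the two YAML documents are constructed to mirror the advisory's description and are not the real regenerate-migrations.yml, and the checker is a deliberately dependency-free heuristic scanner (no PyYAML) rather than a full parser.

```python
"""Static check for the pull_request_target anti-pattern the advisory describes.

Added example, not BLT code. The two workflows are constructed to mirror the advisory's
description (privileged trigger, PR head pulled in with git show, then a command run);
they are not the real regenerate-migrations.yml.
"""
import re

VULNERABLE_WORKFLOW = """\
name: regenerate-migrations
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  regen:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Copy files from the PR head into the trusted checkout
        run: |
          git fetch origin ${{ github.event.pull_request.head.sha }}
          git show ${{ github.event.pull_request.head.sha }}:website/models.py > website/models.py
      - run: python manage.py makemigrations
"""

SAFE_WORKFLOW = """\
name: regenerate-migrations
on:
  pull_request:
permissions:
  contents: read
jobs:
  regen:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python manage.py makemigrations --check
"""

HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
RUN_STEP = re.compile(r"^\s*-?\s*run:")


def parse_triggers(text: str) -> set:
    """Collect first-level event names under the top-level on: key (scalar, list or mapping form)."""
    triggers, in_on, level = set(), False, None
    for line in text.splitlines():
        if re.match(r"^(on|\"on\"|'on'):", line):
            in_on, level = True, None
            triggers.update(re.findall(r"[a-z_]+", line.split(":", 1)[1]))
            continue
        if not in_on or not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:            # next top-level key closes the on: block
            in_on = False
            continue
        if level is None:
            level = indent
        if indent == level:        # deeper lines are per-event options such as types:
            m = re.match(r"^\s*-?\s*([a-z_]+)", line)
            if m:
                triggers.add(m.group(1))
    return triggers


def audit_workflow(text: str) -> list:
    """Return human-readable findings; an empty list means the anti-pattern was not seen."""
    findings = []
    if "pull_request_target" not in parse_triggers(text):
        return findings
    lines = text.splitlines()
    head_lines = [i for i, l in enumerate(lines) if HEAD_REF.search(l)]
    if head_lines:
        findings.append("pull_request_target workflow references the PR head "
                        "(github.event.pull_request.head.*), i.e. attacker-controlled content")
        if any(RUN_STEP.match(l) for l in lines[head_lines[-1] + 1:]):
            findings.append("a run: step executes after PR-controlled files enter the workspace")
    if not re.search(r"^permissions:", text, re.M):
        findings.append("no top-level permissions: block, so GITHUB_TOKEN keeps the repository "
                        "default scope (write for many older repositories)")
    return findings


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(name, audit_workflow(wf) or "no findings")
```

Run it over `.github/workflows/*.yml` in each repository; a hit on all three findings is the shape of the BLT bug, and the usual fix is the safe form: `pull_request` (unprivileged token, no secrets for forks) plus an explicit `permissions:` block.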
2026-04-15
2026-04-15 22:17Z
CRIT

CVE-2026-6388 — ArgoCD: This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6388

A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger unauthorized image updates on applications managed by other tenants. This leads to cross-namespace privilege escalation, impacting application integrity through unauthorized application updates. CVSSv3.1 9.1 (CRITICAL)

CWE: CWE-1220 · VND: Argocd · TYP: Vulnerability
CVSS v3.1: 9.1
Score: 96
2026-04-15
2026-04-15 22:00Z
MED

Obfuscation vs the Optimizer: An LLVM Middle-End Arms Race

Quarkslab · blog.quarkslab.com

Quarkslab research demonstrates how LLVM compiler optimizations progressively defeat code obfuscation techniques, specifically showing how a single commit in LLVM 19 (implementing De Morgan's Law in InstCombine) collapsed Mixed Boolean Arithmetic (MBA) obfuscation that survived LLVM 18. The post traces an arms race between obfuscators and optimizers, illustrating that obfuscation resilience has an expiration date as compiler middle-end passes evolve.

SRF: Application · VND: Clang · VND: Llvm · TYP: Research · TYP: Technique · STG: Defense Evasion · TEC: T1027 · TEC: T1027.001
Score: 72
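What InstCombine exploits is that an MBA rewrite is an exact bit-vector identity, so an optimizer that learns the identity can fold the obfuscated form back to the plain one. The following is an added example, not Quarkslab's code: an exhaustive equivalence oracle over small bit widths that a reverse engineer can use to confirm (or refute) such identities. The identities listed are textbook MBA rewrites chosen for illustration, not ones quoted from the post; the last one is deliberately wrong to show a counterexample being found.

```python
"""Exhaustive equivalence oracle for bit-vector rewrites (added example, not Quarkslab's code)."""
from itertools import product


def equivalent(f, g, arity=2, bits=8):
    """Return (True, None) if f and g agree on every arity-tuple of bits-wide inputs,
    else (False, first counterexample). Python ints are unbounded, so results are
    masked to the chosen width to model two's-complement machine arithmetic."""
    mask = (1 << bits) - 1
    for xs in product(range(1 << bits), repeat=arity):
        if (f(*xs) & mask) != (g(*xs) & mask):
            return False, xs
    return True, None


# (name, obfuscated form, plain form). The first is the De Morgan fold the post names;
# the next three are standard MBA rewrites of xor/add/sub; the last is a bogus rewrite.
IDENTITIES = [
    ("De Morgan: ~a | ~b == ~(a & b)",
     lambda a, b: ~a | ~b, lambda a, b: ~(a & b)),
    ("MBA xor: (a | b) - (a & b) == a ^ b",
     lambda a, b: (a | b) - (a & b), lambda a, b: a ^ b),
    ("MBA add: (a ^ b) + 2*(a & b) == a + b",
     lambda a, b: (a ^ b) + 2 * (a & b), lambda a, b: a + b),
    ("MBA sub: (a ^ -b) + 2*(a & -b) == a - b",
     lambda a, b: (a ^ -b) + 2 * (a & -b), lambda a, b: a - b),
    ("bogus: (a | b) + (a & b) == a ^ b",
     lambda a, b: (a | b) + (a & b), lambda a, b: a ^ b),
]


def check_all(bits=8):
    """Run every identity; returns a list of (name, ok, counterexample)."""
    return [(name, *equivalent(obf, plain, 2, bits)) for name, obf, plain in IDENTITIES]


if __name__ == "__main__":
    for name, ok, cex in check_all():
        print(f"{'OK  ' if ok else 'FAIL'} {name}" + ("" if ok else f"  counterexample a,b={cex}"))
```

Exhaustive checking at 8 bits is proof for 8-bit operands only; for wider types the same harness with a random sample is a quick sanity check, and an SMT solver is the tool for an actual proof.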
2026-04-15
2026-04-15 21:17Z
HIGH

CVE-2026-40261 — Getcomposer Composer: Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40261

Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the Perforce::generateP4Command() method as in GHSA-wg36-wvj6-r67p / CVE-2026-40176, which interpolates user-supplied Perforce connection parameters (port, user, client) from the source url field w CVSSv3.1 8.8 (HIGH) · EPSS 12th percentile

CWE: CWE-20 · CWE: CWE-78 · VND: Composer · VND: Getcomposer · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
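The bug class is plain string concatenation of an untrusted reference into a shell command line. The following is an added example, not Composer's code (Composer is PHP; this reproduces the pattern in Python): the unescaped build beside the quoted one, actually run through `sh -c` so the injected command visibly executes in one case and not the other. `echo` stands in for the `p4` binary so it runs on any POSIX host, and the reference value is constructed.

```python
"""Shell-string concatenation vs. argument quoting for an untrusted VCS reference.

Added example, not Composer code. 'echo' stands in for the p4 binary and the
reference value is constructed.
"""
import re
import shlex
import subprocess

DEPOT = "//depot/main/..."
EVIL_REF = "1234; echo INJECTED"                  # constructed: changelist number plus an injected command
SAFE_REF_RE = re.compile(r"^[A-Za-z0-9_.\-/]+$")   # conservative allowlist for changelists, labels, paths


def sync_command_vulnerable(depot: str, ref: str) -> str:
    """The advisory's pattern: the reference is appended to a shell string with no escaping."""
    return "echo p4 sync " + depot + "@" + ref


def sync_command_hardened(depot: str, ref: str) -> str:
    """Each untrusted value becomes one shell word (PHP equivalent: ProcessExecutor::escape)."""
    return "echo p4 sync " + shlex.quote(depot + "@" + ref)


def p4_argv(port: str, user: str, client: str, depot: str, ref: str) -> list:
    """Preferred fix: no shell at all. Connection parameters taken from the source URL and
    the reference each travel as their own argv element, so metacharacters are inert."""
    return ["p4", "-p", port, "-u", user, "-c", client, "sync", depot + "@" + ref]


def is_safe_ref(ref: str) -> bool:
    """Belt and braces: reject references containing anything but reference characters."""
    return bool(SAFE_REF_RE.match(ref))


def run_shell(cmd: str) -> list:
    """Execute through sh -c, as the vulnerable code path effectively does; return stdout lines."""
    proc = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def demo() -> dict:
    """Vulnerable build prints a second line 'INJECTED'; the hardened build prints the
    reference literally as part of one argument; the argv form never touches a shell."""
    return {
        "vulnerable": run_shell(sync_command_vulnerable(DEPOT, EVIL_REF)),
        "hardened": run_shell(sync_command_hardened(DEPOT, EVIL_REF)),
        "argv": p4_argv("perforce:1666", "build", "ci-ws", DEPOT, EVIL_REF),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Quoting fixes the shell boundary; the allowlist additionally stops a hostile reference from being handed to `p4` itself as an argument it would interpret.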
2026-04-15
2026-04-15 21:17Z
CRIT

CVE-2026-40173 — Dgraph Dgraph: Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40173

Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line including the admin token configured via the --security "token=..." startup flag. An attacker can retrieve the leaked token and reuse it in the X-Dgraph-AuthToken header to gain unauthor CVSSv3.1 9.4 (CRITICAL) · EPSS 31st percentile

CWE: CWE-200 · CWE: CWE-522 · CWE: CWE-215 · VND: Dgraph · TYP: Vulnerability
CVSS v3.1: 9.4
Score: 97
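A practitioner's first question is whether any of their own Go services expose pprof on a public listener; importing `net/http/pprof` registers its handlers on `http.DefaultServeMux`, and the cmdline handler writes `os.Args` joined by NUL bytes. The following is an added example, not Dgraph code: an unauthenticated probe for that endpoint plus a token extractor, exercised against a constructed mock that returns a NUL-joined argv shaped like the advisory's flag (the token value and the `;`-separated flag layout are assumptions made for the demo).

```python
"""Unauthenticated probe for a Go service that exposes net/http/pprof on its public mux.

Added example, not Dgraph code. The mock server stands in for the vulnerable service:
Go's pprof cmdline handler writes os.Args joined by NUL bytes, which is what the mock
returns for a constructed command line.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Constructed argv; the token value is made up for the demo.
FAKE_ARGV = ["dgraph", "alpha", "--security", "token=constructed-secret; whitelist=10.0.0.0/8"]


class MockPprofHandler(BaseHTTPRequestHandler):
    """Answers /debug/pprof/cmdline the way pprof does, with no auth check."""

    def do_GET(self):
        if self.path != "/debug/pprof/cmdline":
            self.send_error(404)
            return
        body = "\x00".join(FAKE_ARGV).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):  # keep the demo output quiet
        pass


def extract_token(cmdline: bytes) -> Optional[str]:
    """Find a token=... pair in a NUL-separated argv blob.

    Handles both '--security token=...' (separate element) and '--security=token=...'
    (single element). Assumption: further key=value pairs inside the same flag value
    are ';'-separated, so the value is cut there.
    """
    for arg in cmdline.decode(errors="replace").split("\x00"):
        i = arg.find("token=")
        if i >= 0:
            return arg[i + len("token="):].split(";", 1)[0].strip()
    return None


def probe(base_url: str, timeout: float = 3.0) -> dict:
    """GET /debug/pprof/cmdline with no credentials and report what came back."""
    url = base_url.rstrip("/") + "/debug/pprof/cmdline"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as e:            # 401/403/404: not openly reachable
        return {"exposed": False, "status": e.code, "token": None}
    except (urllib.error.URLError, OSError) as e:  # connection-level failure
        return {"exposed": False, "status": None, "token": None, "error": str(e)}
    return {"exposed": True, "status": 200, "token": extract_token(body)}


def run_demo() -> dict:
    """Serve the mock on an ephemeral loopback port, probe it once, tear it down."""
    srv = HTTPServer(("127.0.0.1", 0), MockPprofHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe(f"http://127.0.0.1:{srv.server_port}")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Point `probe()` at a real base URL to test a deployment. The durable fix on the Go side is to serve pprof from its own `http.ServeMux` bound to a loopback or management interface instead of the default mux, and to stop passing secrets on the command line at all (an environment variable or file is not visible through cmdline).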
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6363 — Google Chrome: Type Confusion in V8 in Google Chrome prior to 147.0.7727.101 allowed a remote attacker

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6363

Type Confusion in V8 in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium) CVSSv3.1 8.8 (HIGH) · EPSS 21st percentile

CWE: CWE-843 · VND: Google · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6361 — Google Chrome: Heap buffer overflow in PDFium in Google Chrome on Windows prior to 147.0.7727.101 allowed

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6361

Heap buffer overflow in PDFium in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High) CVSSv3.1 8.3 (HIGH) · EPSS 4th percentile

CWE: CWE-122 · VND: Google · TYP: Vulnerability
CVSS v3.1: 8.3
Score: 92
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6360 — Google Chrome: Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6360

Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 7th percentile

CWE: CWE-416 · VND: Google · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6358 — Google Chrome: Use after free in XR in Google Chrome on Android prior to 147.0.7727.101 allowed

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6358

Use after free in XR in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Critical) CVSSv3.1 8.8 (HIGH) · EPSS 30th percentile

CWE: CWE-416 · VND: Google · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6318 — Google Chrome: Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6318

Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) CVSSv3.1 8.8 (HIGH) · EPSS 15th percentile

CWE: CWE-416 · VND: Google · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6317 — Google Chrome: Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6317

Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 33rd percentile

CWE: CWE-416 · VND: Google · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6316 — Google Chrome: Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6316

Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 33rd percentile

CWE: CWE-416 · VND: Google · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6315 — Google Chrome: Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6315

Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 30th percentile

CWE: CWE-416 · VND: Google · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6314 — Google Chrome: Out of bounds write in GPU in Google Chrome prior to 147.0.7727.101 allowed a

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6314

Out of bounds write in GPU in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the GPU process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.3 (HIGH) · EPSS 10th percentile

CWE: CWE-787 · VND: Google · TYP: Vulnerability
CVSS v3.1: 8.3
Score: 92
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6311 — Google Chrome: Uninitialized Use in Accessibility in Google Chrome on Windows prior to 147.0.7727.101 allowed a

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6311

Uninitialized Use in Accessibility in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.3 (HIGH) · EPSS 8th percentile

CWE: CWE-457 · VND: Google · TYP: Vulnerability
CVSS v3.1: 8.3
Score: 92