From APT28 to RePythonNET: automating .NET malware analysis
Sekoia TDR published RePythonNET-MCP, an open-source tool automating .NET malware analysis via pythonnet and dnlib integration with AI-assisted decompilation. The research demonstrates practical reverse engineering of APT28's obfuscated Covenant C2 implant, including automated string decryption, function renaming, and configuration extraction through an MCP server exposing 30+ analysis tools.
OID-See — OID-See is an identity attack surface mapping tool that models OAuth trust, persistence, and impersonation paths in Entr
OID-See is an open-source identity attack surface mapping tool for Microsoft Entra ID that discovers, analyzes, and visualizes risky third-party and multi-tenant applications through OAuth trust relationships, persistence paths, and impersonation vectors. Version 1.1.1 adds Microsoft's official permission tiering data, BloodHound OpenGraph interoperability, and offline-capable first-party app detection; v1.1.0 introduced large-tenant performance optimization (30k+ nodes) and external identity posture scanning.
CVE-2026-6350 — Openfind: MailGates/MailAudit developed by Openfind has a Stack-based Buffer Overflow vulnerability, allowing unauthenticated remote attackers
MailGates/MailAudit developed by Openfind has a Stack-based Buffer Overflow vulnerability, allowing unauthenticated remote attackers to control the program's execution flow and execute arbitrary code. CVSSv3.1 9.8 (CRITICAL) · EPSS 23rd percentile
CVE-2026-6349 — HGiga: The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated local
The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-6348 — WinMatrix: agent developed by Simopro Technology has a Missing Authentication vulnerability, allowing authenticated local
WinMatrix agent developed by Simopro Technology has a Missing Authentication vulnerability, allowing authenticated local attackers to execute arbitrary code with SYSTEM privileges on the local machine as well as on all hosts within the environment where the agent is installed. CVSSv3.1 8.8 (HIGH) · EPSS 1st percentile
CVE-2026-40504 — Creolabs: Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function
Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out-of-bounds memory by crafting scripts with many string literals at global scope. Attackers can exploit insufficient bounds checking in gravity_fiber_reassign() to corrupt heap metadata and achieve arbitrary code execution in applications that evaluate untrusted scripts. CVSSv3.1 9.8 (CRITICAL) · EPSS 10th percentile
CVE-2026-40959 — Luanti: 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via
Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod. CVSSv3.1 9.3 (CRITICAL) · EPSS 0th percentile
CVE-2026-40502 — Hkuds Openharness: prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway
OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remote-safe commands in the gateway handler. Attackers can execute administrative commands such as /permissions full_auto through remote chat sessions to change permission modes of a running OpenHarness instance without operator authorization. CVSSv3.1 8.8 (HIGH)
CVE-2026-5363 — Tp-link Archer_c7_firmware: Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows
Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows Password Recovery Exploitation. The web interface encrypts the admin password client-side using RSA-1024 before sending it to the router during login. An adjacent attacker with the ability to intercept network traffic could potentially perform a brute-force or factorization attack against the 1024-bit RSA key to recover the plaintext administrator password, leading to unauth CVSSv3.1 8.8 (HIGH)
QEMU abused to evade detection and enable ransomware delivery
Sophos X-Ops documents active abuse of QEMU by threat actors to deploy hidden virtual machines for defense evasion, credential harvesting, and ransomware delivery. Two campaigns (STAC4713 linked to PayoutsKing/GOLD ENCOUNTER, and STAC3725 exploiting CitrixBleed2) use QEMU VMs to host attack toolkits while remaining invisible to endpoint security controls. Initial access vectors include unpatched SolarWinds Web Help Desk (CVE-2025-26399), exposed VPNs, and Citrix NetScaler exploitation (CVE-2025-5777).
CVE-2026-40316 — Owasp Owasp_blt: Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflows/regenerate-migrations.yml workflow.
OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflows/regenerate-migrations.yml workflow. The workflow uses the pull_request_target trigger to run with full GITHUB_TOKEN write permissions, copies attacker-controlled files from untrusted pull requests into the trusted runner workspace via git show, and then executes python manage. CVSSv3.1 8.8 (HIGH) · EPSS 20th percentile
CVE-2026-6388 — ArgoCD: This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource
A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger unauthorized image updates on applications managed by other tenants. This leads to cross-namespace privilege escalation, impacting application integrity through unauthorized application updates. CVSSv3.1 9.1 (CRITICAL)
Obfuscation vs the Optimizer: An LLVM Middle-End Arms Race
Quarkslab research demonstrates how LLVM compiler optimizations progressively defeat code obfuscation techniques, specifically showing how a single commit in LLVM 19 (implementing De Morgan's Law in InstCombine) collapsed Mixed Boolean Arithmetic (MBA) obfuscation that survived LLVM 18. The post traces an arms race between obfuscators and optimizers, illustrating that obfuscation resilience has an expiration date as compiler middle-end passes evolve.
CVE-2026-40261 — Getcomposer Composer: Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the Perforce::generateP4Command() method as in GHSA-wg36-wvj6-r67p / CVE-2026-40176, which interpolates user-supplied Perforce connection parameters (port, user, client) from the source url field w CVSSv3.1 8.8 (HIGH) · EPSS 12th percentile
CVE-2026-40173 — Dgraph Dgraph: Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint
Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line including the admin token configured via the --security "token=..." startup flag. An attacker can retrieve the leaked token and reuse it in the X-Dgraph-AuthToken header to gain unauthor CVSSv3.1 9.4 (CRITICAL) · EPSS 31st percentile
CVE-2026-6363 — Google Chrome: Type Confusion in V8 in Google Chrome prior to 147.0.7727.101 allowed a remote attacker
Type Confusion in V8 in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium) CVSSv3.1 8.8 (HIGH) · EPSS 21st percentile
CVE-2026-6361 — Google Chrome: Heap buffer overflow in PDFium in Google Chrome on Windows prior to 147.0.7727.101 allowed
Heap buffer overflow in PDFium in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High) CVSSv3.1 8.3 (HIGH) · EPSS 4th percentile
CVE-2026-6360 — Google Chrome: Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote
Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 7th percentile
CVE-2026-6358 — Google Chrome: Use after free in XR in Google Chrome on Android prior to 147.0.7727.101 allowed
Use after free in XR in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Critical) CVSSv3.1 8.8 (HIGH) · EPSS 30th percentile
CVE-2026-6318 — Google Chrome: Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote
Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) CVSSv3.1 8.8 (HIGH) · EPSS 15th percentile
CVE-2026-6317 — Google Chrome: Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote
Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 33rd percentile
CVE-2026-6316 — Google Chrome: Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote
Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 33rd percentile
CVE-2026-6315 — Google Chrome: Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed
Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 30th percentile
CVE-2026-6314 — Google Chrome: Out of bounds write in GPU in Google Chrome prior to 147.0.7727.101 allowed a
Out of bounds write in GPU in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the GPU process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.3 (HIGH) · EPSS 10th percentile
CVE-2026-6311 — Google Chrome: Uninitialized Use in Accessibility in Google Chrome on Windows prior to 147.0.7727.101 allowed a
Uninitialized Use in Accessibility in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.3 (HIGH) · EPSS 8th percentile