Latest intel// live feed
v9.0.2
BloodHound v9.0.2 released with routine maintenance updates including cipher additions, Azure post-processing fixes, and a pgx dependency upgrade to remediate two CVEs in the database driver. The release includes minor feature additions and build improvements.
The Vercel Breach Explains Why Identity Attack Path Management Can’t Wait
Vercel suffered a supply-chain breach when an employee connected the AI tool Context.ai to corporate Google Workspace via OAuth with overly broad permissions. Context.ai was subsequently compromised via an infostealer (Lumma Stealer) targeting a Context.ai employee, exposing OAuth tokens that granted attackers direct access to Vercel's identity infrastructure and internal systems. SpecterOps frames this as a structural identity attack path problem: the compromise of a non-human identity (NHI) with delegated trust relationships enabled lateral movement at machine speed, exposing the inadequacy of traditional IAM governance against AI-driven identity risks.
CVE-2026-3324 — Log360: ManageEngine Log360 builds 13000–13013 contain an authentication bypass vulnerability in exposed V1
ManageEngine Log360 builds 13000–13013 contain an authentication bypass vulnerability in exposed V1 APIs that allows attackers to bypass authorization checks and gain unauthorized access to data and operations. The vendor patched the issue in build 13017 released March 10, 2026, with public disclosure on April 17, 2026.
CVE-2026-31019 — Dolibarr Dolibarr_erp/crm: An authenticated user with permission to edit PHP content can bypass this filtering, resulting
In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code execution with the ability to execute arbitrary operating system commands on the server. CVSSv3.1 8.8 (HIGH)
CVE-2026-31018 — Dolibarr Dolibarr_erp/crm: In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement
In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation. CVSSv3.1 8.8 (HIGH)
Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained
Rapid7 analyzed two Kyber ransomware variants—one targeting VMware ESXi and one targeting Windows—recovered from a March 2026 incident. The ESXi variant uses ChaCha8 encryption despite claiming post-quantum Kyber1024, while the Windows variant correctly implements AES-256-CTR with Kyber1024 key wrapping. Both variants share campaign infrastructure and employ sophisticated anti-recovery techniques including VM termination, shadow copy deletion, and management interface defacement.
CVE-2026-6750 — Mozilla Firefox: Privilege escalation in the Graphics: WebRender component.
Privilege escalation in the Graphics: WebRender component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. CVSSv3.1 8.8 (HIGH)
CVE-2026-6748 — Mozilla Firefox: Uninitialized memory in the Audio/Video: Web Codecs component.
Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-41038 — Qntmnet Qn-i-470_firmware: An attacker on the same network could exploit this vulnerability by performing password guessing
This vulnerability exists in the Quantum Networks router due to a lack of enforcement of strong password policies in the web-based management interface. An attacker on the same network could exploit this vulnerability by performing password guessing or brute-force attacks against user accounts, leading to unauthorized access to the targeted device. CVSSv3.1 8.8 (HIGH) · EPSS 7th percentile
CVE-2026-41037 — Qntmnet Qn-i-470_firmware: An attacker on the same network could exploit this vulnerability by performing brute force
This vulnerability exists in the Quantum Networks router due to missing rate limiting and CAPTCHA protection for failed login attempts in the web-based management interface. An attacker on the same network could exploit this vulnerability by performing brute-force attacks against administrative credentials, leading to unauthorized access with root privileges on the targeted device. CVSSv3.1 8.8 (HIGH) · EPSS 7th percentile
CVE-2026-41036 — Qntmnet Qn-i-470_firmware: Successful exploitation of this vulnerability could allow the attacker to perform remote code execution
This vulnerability exists in the Quantum Networks router due to inadequate sanitization of user-supplied input in the management CLI interface. An authenticated remote attacker could exploit this vulnerability by injecting arbitrary OS commands on the targeted device. Successful exploitation of this vulnerability could allow the attacker to perform remote code execution with root privileges on the targeted device. CVSSv3.1 8.8 (HIGH) · EPSS 64th percentile
shannon — Shannon Lite is an autonomous, white-box AI pentester for web applications and APIs. It analyzes your source code, ident
Shannon Lite is an open-source autonomous AI pentester for web applications and APIs that performs white-box security testing by analyzing source code and executing real exploits. The tool identifies attack vectors across injection, XSS, SSRF, and authentication bypass categories, generating proof-of-concept exploits for confirmed vulnerabilities. Shannon Pro, the commercial variant, adds agentic SAST, SCA, secrets scanning, and business logic testing with static-dynamic correlation.
CVE-2026-5965 — NewSoftOA: developed by NewSoft has an OS Command Injection vulnerability, allowing unauthenticated local attackers
NewSoftOA, developed by NewSoft, has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server. CVSSv3.1 9.8 (CRITICAL) · EPSS 92nd percentile
CVE-2026-40497 — Freescout Freescout: CSP allows `style-src * 'self' 'unsafe-inline'`, so injected inline styles execute freely.
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's `Helper::stripDangerousTags()` removes `<script>`, `<form>`, `<iframe>`, `<object>` but does NOT strip `<style>` tags. The mailbox signature field is saved via POST /mailbox/settings/{id} and later rendered unescaped via `{!! $conversation->getSignatureProcessed([], true) !!}` in conversation views. CSP allows `style-src * 'self' 'unsafe-inline'`, so injected inline styles exec CVSSv3.1 8.1 (HIGH)
CVE-2026-40496 — Freescout Freescout: Prior to version 1.8.213, attachment download tokens are generated using a weak and predictable
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, attachment download tokens are generated using a weak and predictable formula: `md5(APP_KEY + attachment_id + size)`. Since attachment_id is sequential and size can be brute-forced in a small range, an unauthenticated attacker can forge valid tokens and download any private attachment without credentials. Version 1.8.213 fixes the issue. CVSSv3.1 9.1 (CRITICAL)
CVE-2026-39866 — Lawnchair Lawnchair: Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in release_update.yml workflow dispatch input allows arbitrary code
Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in release_update.yml workflow dispatch input allows arbitrary code execution. Commit fcba413f55dd47f8a3921445252849126c6266b2 patches the issue. CVSSv3.1 8.8 (HIGH)
CVE-2026-39861 — Anthropic Claude_code: Reliably exploiting this required the ability to add untrusted content into a Claude Code
Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed process followed the symlink and wrote to the target location outside the workspace without prompting the user for confirmation. This allowed a sandbox escape where neither the sandboxed command nor the un CVSSv3.1 10.0 (CRITICAL)
CVE-2026-39386 — M1k1o Neko: This results in a complete compromise of the instance.
Neko is a self-hosted virtual browser that runs in Docker and uses WebRTC. In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can immediately obtain full administrative control of the entire Neko instance (member management, room settings, broadcast control, session termination, etc.). This results in a complete compromise of the instance. The vulnerability has been patched in v3.0.11 and v3.1.2. If upgrading is not immediately possible, the fol CVSSv3.1 8.8 (HIGH)
CVE-2026-41329 — Openclaw Openclaw: before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via
OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can exploit improper context validation to bypass sandbox restrictions and achieve unauthorized privilege escalation. CVSSv3.1 9.9 (CRITICAL) · EPSS 13th percentile
CVE-2026-41303 — Openclaw Openclaw: before 2026.3.28 contains an authorization bypass vulnerability in Discord text approval commands that
OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in Discord text approval commands that allows non-approvers to resolve pending exec approvals. Attackers can send Discord text commands to bypass the channels.discord.execApprovals.approvers allowlist and approve pending host execution requests. CVSSv3.1 8.8 (HIGH) · EPSS 20th percentile
CVE-2026-41296 — Openclaw Openclaw: before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile
OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path validation and file read operations to bypass sandbox restrictions and read arbitrary files. CVSSv3.1 8.2 (HIGH) · EPSS 8th percentile
CVE-2026-41294 — Openclaw Openclaw: before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration
OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment settings during OpenClaw startup. CVSSv3.1 8.6 (HIGH) · EPSS 3rd percentile
CVE-2026-35587 — Nicolargo Glances: Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances
Glances is an open-source, cross-platform system monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the public_api configuration parameter. The value of public_api is used directly in outbound HTTP requests without any scheme restriction or hostname/IP validation. An attacker who can modify the Glances configuration can force the application to send requests to arbitrary inte CVSSv3.1 8.8 (HIGH)
CVE-2026-35570 — Gitlawb Openclaude: When the sandbox auto-allow feature is active and no explicit deny rule is configured
OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in `bashToolHasPermission()` inside `src/tools/BashTool/bashPermissions.ts`. When the sandbox auto-allow feature is active and no explicit deny rule is configured, the function returns an `allow` result immediately — before the path constraint filter (`checkPathConstraints`) is ever evaluated. This allows commands containing path trav CVSSv3.1 8.4 (HIGH)
Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories
Void Dokkaebi (Famous Chollima), a North Korea-aligned threat actor, has evolved a self-propagating supply chain worm that spreads malware through compromised developer repositories via two mechanisms: malicious VS Code task configurations (.vscode/tasks.json) and injected obfuscated JavaScript with git history tampering. Analysis identified over 750 infected repositories, 500+ malicious VS Code tasks, and compromises of major organizations including DataStax and Neutralinojs, with payloads staged on blockchain infrastructure (Tron, Aptos, BSC) and delivered as DEV#POPPER RAT variants.