Latest intel // live feed
CVE-2026-40350 — Leepeuker Movary: Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users`
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use them to enumerate all users and create a new administrator account. This happens because the route definitions do not enforce admin-only middleware, and the controller-level authorization check uses a broken boolean condition. As a result, any user with a valid web session cookie c CVSSv3.1 8.8 (HIGH) · EPSS 14th percentile
CVE-2026-40317 — Minecanton209 Novumos: In versions prior to 0.24, Syscall 12 (JumpToUser) accepts an arbitrary entry point address
NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 12 (JumpToUser) accepts an arbitrary entry point address from user-space registers without validation, allowing any Ring 3 user-mode process to jump to kernel addresses and execute arbitrary code in Ring 0 context, resulting in local privilege escalation. This issue has been fixed in version 0.24. If developers are unable to immediately update, they should restrict CVSSv3.1 9.3 (CRITICAL) · EPSS 6th percentile
CVE-2026-40349 — Leepeuker Movary: Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to
Movary is a self-hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=true` to `PUT /settings/users/{userId}` for their own user ID. The endpoint is intended to let a user edit their own profile, but it updates the sensitive `isAdmin` field without any admin-only authorization check. Version 0.71.1 patches the issue. CVSSv3.1 8.8 (HIGH) · EPSS 3rd percentile
CVE-2026-40324 — Hot: This occurs before any validation rules run — `MaxExecutionDepth`, complexity analyzers, persisted query allow-lists
Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser `Utf8GraphQLParser` has no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or list types can trigger a `StackOverflowException` on payloads as small as 40 KB. Because `StackOverflowException` is uncatchable in .NET (since .NET 2.0), the entire worker process is termina CVSSv3.1 9.1 (CRITICAL) · EPSS 13th percentile
A few more protocol handlers :), Part 2
Hexacorn documents newly discovered Windows 11 25H2 protocol handlers, expanding a multi-year catalog of custom URI schemes that can be abused for code execution and defense evasion. The post identifies 30+ new handlers including ms-recall, ms-devhome, ms-launchremotedesktop, and others that may present attack surface for protocol handler exploitation.
CVE-2026-5720 — Miniupnp_project Miniupnpd: contains an integer underflow vulnerability in SOAPAction header parsing that allows remote attackers
miniupnpd contains an integer underflow vulnerability in SOAPAction header parsing that allows remote attackers to cause a denial of service or information disclosure by sending a malformed SOAPAction header with a single quote. Attackers can trigger an out-of-bounds memory read by exploiting improper length validation in ParseHttpHeaders(), where the parsed length underflows to a large unsigned value when passed to memchr(), causing the process to scan memory far beyond the CVSSv3.1 9.1 (CRITICAL) · EPSS 19th percentile
CVE-2026-40478 — Thymeleaf Thymeleaf: Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine CVSSv3.1 9.0 (CRITICAL) · EPSS 12th percentile
CVE-2026-40477 — Thymeleaf Thymeleaf: Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms.
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input d CVSSv3.1 9.0 (CRITICAL) · EPSS 12th percentile
CVE-2026-40352 — Fastgpt Fastgpt: In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection.
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attacker can bypass the "old password" verification by injecting MongoDB query operators. This allows an attacker who has gained a low-privileged session to change the password of their account (or others if combined with ID manipulation) without knowing the current one, leading to full account takeover and persistence. This CVSSv3.1 8.8 (HIGH) · EPSS 9th percentile
CVE-2026-40351 — Fastgpt Fastgpt: This NoSQL injection bypasses the password check, enabling login as any user including the
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object (e.g., {"$ne": ""}) as the password field. This NoSQL injection bypasses the password check, enabling login as any user including the root administrator. This issue has been fixed in version 4.14.9.5. CVSSv3.1 9.8 (CRITICAL) · EPSS 19th percentile
CVE-2026-40321 — Dnnsoftware Dotnetnuke: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The impact is increased if the scripts are run by a power user. Version 10.2.2 patches the issue. CVSSv3.1 8.0 (HIGH)
CVE-2026-40258 — Gramps: Versions 1.6.0 through 3.11.0 have a path traversal vulnerability (Zip Slip) in the media
The Gramps Web API is a Python REST API for the genealogical research software Gramps. Versions 1.6.0 through 3.11.0 have a path traversal vulnerability (Zip Slip) in the media archive import feature. An authenticated user with owner-level privileges can craft a malicious ZIP file with directory-traversal filenames to write arbitrary files outside the intended temporary extraction directory on the server's local filesystem. Starting in version 3.11.1, ZIP entry names are now v CVSSv3.1 9.1 (CRITICAL) · EPSS 21st percentile
CVE-2026-29013 — Libcoap Libcoap: contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc()
libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() for bounds checking, which is removed in release builds compiled with NDEBUG. Attackers can send crafted CoAP requests with malformed OSCORE options or responses during OSCORE negotiation to trigger out-of-bounds reads during CBOR parsing and potentially cause out-of-bounds reads through integer wraparound i CVSSv3.1 9.8 (CRITICAL) · EPSS 14th percentile
CVE-2026-40196 — Sysadminsmedia Homebox: Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned
HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the access revocation and prevented the user from viewing or modifying the group's contents, the API did not. Because the original group ID persisted as the user's defaultGroup, and this CVSSv3.1 8.1 (HIGH)
CVE-2026-35512 — Neutrinolabs Xrdp: Versions through 0.10.5 have a heap-based buffer overflow in the EGFX (graphics dynamic virtual
xrdp is an open source RDP server. Versions through 0.10.5 have a heap-based buffer overflow in the EGFX (graphics dynamic virtual channel) implementation due to insufficient validation of client-controlled size parameters, allowing an out-of-bounds write via crafted PDUs. Pre-authentication exploitation can crash the process, while post-authentication exploitation may achieve remote code execution. This issue has been fixed in version 0.10.6. If users are unable to immediate CVSSv3.1 8.8 (HIGH) · EPSS 75th percentile
CVE-2026-33689 — Neutrinolabs Xrdp: Versions through 0.10.5 have an out-of-bounds read vulnerability in the pre-authentication RDP message parsing
xrdp is an open source RDP server. Versions through 0.10.5 have an out-of-bounds read vulnerability in the pre-authentication RDP message parsing logic. A remote, unauthenticated attacker can trigger this flaw by sending a specially crafted sequence of packets during the initial connection phase. This vulnerability results from insufficient validation of input buffer lengths before processing dynamic channel communication. Successful exploitation can lead to a denial-of-servi CVSSv3.1 9.1 (CRITICAL) · EPSS 48th percentile
CVE-2026-23500 — Dolibarr Dolibarr_erp/crm: An authenticated administrator can inject arbitrary OS commands via this constant using command separators
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0, the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inject arbitrary OS commands via this constant using command separators, achieving remote code execution as the web server user when a CVSSv3.1 9.1 (CRITICAL) · EPSS 35th percentile
Metasploit Wrap-Up 17/04/2026
Metasploit Framework 6.4.126–6.4.128 shipped seven new modules including four RCE exploits (AVideo SQLi credential dump, openDCIM chained SQLi-to-RCE, Selenium Grid/Selenoid unauthenticated RCE, ChurchCRM file upload RCE) and three Windows persistence techniques (BITS jobs, PowerShell profiles, Telemetry scheduled tasks). The Selenium module notably unifies prior separate exploits and includes a never-patched Firefox profile handler injection technique dating to 2021.
CVE-2026-40434 — Anviz Crosschex_standard: CrossChex Standard lacks source verification in the client/server channel, enabling TCP packet injection
Anviz CrossChex Standard lacks source verification in the client/server channel, enabling TCP packet injection by an attacker on the same network to alter or disrupt application traffic. CVSSv3.1 8.1 (HIGH) · EPSS 7th percentile
CVE-2026-40342 — Firebirdsql Firebird: An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to load an arbitrary shared library from anywhere on the filesystem via path traversal. The library's initialization code executes imm CVSSv3.1 9.9 (CRITICAL) · EPSS 25th percentile
CVE-2026-40066 — Anviz Cx7_firmware: CX2 Lite and CX7 are vulnerable to unverified update packages that can be
Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The device unpacks and executes a script resulting in unauthenticated remote code execution. CVSSv3.1 8.8 (HIGH) · EPSS 8th percentile
CVE-2026-35682 — Anviz Cx2_lite_firmware: CX2 Lite is vulnerable to an authenticated command injection via a filename parameter
Anviz CX2 Lite is vulnerable to an authenticated command injection via a filename parameter that enables arbitrary command execution (e.g., starting telnetd), resulting in root-level access. CVSSv3.1 8.8 (HIGH) · EPSS 50th percentile
CVE-2026-35546 — Anviz Cx7_firmware: CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads.
Anviz CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads. This causes crafted archives to be accepted, enabling attackers to plant and execute code and obtain a reverse shell. CVSSv3.1 9.8 (CRITICAL) · EPSS 23rd percentile
CVE-2026-33516 — Neutrinolabs Xrdp: Versions through 0.10.5 contain an out-of-bounds read vulnerability during the RDP capability exchange phase.
xrdp is an open source RDP server. Versions through 0.10.5 contain an out-of-bounds read vulnerability during the RDP capability exchange phase. The issue occurs when memory is accessed before validating the remaining buffer length. A remote, unauthenticated attacker can trigger this vulnerability by sending a specially crafted Confirm Active PDU. Successful exploitation could lead to a denial of service (process crash) or potential disclosure of sensitive information from th CVSSv3.1 9.1 (CRITICAL) · EPSS 40th percentile
CVE-2026-32623 — Neutrinolabs Xrdp: Versions through 0.10.5 contain a heap-based buffer overflow vulnerability in the NeutrinoRDP module.
xrdp is an open source RDP server. Versions through 0.10.5 contain a heap-based buffer overflow vulnerability in the NeutrinoRDP module. When proxying RDP sessions from xrdp to another server, the module fails to properly validate the size of reassembled fragmented virtual channel data against its allocated memory buffer. A malicious downstream RDP server (or an attacker capable of performing a Man-in-the-Middle attack) could exploit this flaw to cause memory corruption, pote CVSSv3.1 8.1 (HIGH) · EPSS 65th percentile