2026-04-15
2026-04-15 12:00Z
HIGH

From Patch Tuesday to Pentest Wednesday®: When “Clean” Didn’t Mean Secure

Horizon3.ai · horizon3.ai

Horizon3.ai published a case study of an internal penetration test at a defense industrial base organization that revealed critical attack paths despite passing external security assessments and maintaining active EDR/endpoint controls. The test demonstrated that credentialed attackers could achieve full domain compromise through credential reuse, lateral movement, and privilege escalation—techniques aligned with Iranian threat actor tradecraft (MuddyWater, APT33, APT39). Targeted remediation focused on breaking attack chains rather than patching individual vulnerabilities, validating that internal testing reveals risks invisible to external assessments.

OS · Identity · TA0001 · TA0003 · TA0004 · TA0005 · TA0008 · Research
Score: 72
2026-04-15
2026-04-15 11:16Z
HIGH

CVE-2026-40784 — Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40784

Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FluentBoards: from n/a through <= 1.91.2. CVSSv3.1 8.1 (HIGH) · EPSS 16th percentile

CWE-639 · Vulnerability
CVSS v3.1: 8.1
Score: 91
2026-04-15
2026-04-15 11:16Z
HIGH

CVE-2026-40764 — Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40764

Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Request Forgery. This issue affects Contact Form by WPForms: from n/a through <= 1.10.0.2. CVSSv3.1 8.1 (HIGH) · EPSS 7th percentile

CWE-352 · Vulnerability
CVSS v3.1: 8.1
Score: 91
2026-04-15
2026-04-15 11:16Z
HIGH

CVE-2026-33805 — Fastify Fastify/http-proxy: This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33805

@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affe CVSSv3.1 8.6 (HIGH) · EPSS 17th percentile

CWE-644 · Fastify · Vulnerability
CVSS v3.1: 8.6
Score: 93
2026-04-15
2026-04-15 10:16Z
CRIT

CVE-2026-33808 — Fastify Fastify/express: This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33808

Impact: @fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-nor CVSSv3.1 9.1 (CRITICAL) · EPSS 38th percentile

CWE-436 · Fastify · Vulnerability
CVSS v3.1: 9.1
Score: 96
2026-04-15
2026-04-15 10:16Z
CRIT

CVE-2026-33807 — Fastify Fastify/express: This results in complete bypass of Express middleware security controls, including authentication, authorization, and

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33807

@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all CVSSv3.1 9.1 (CRITICAL) · EPSS 6th percentile

CWE-436 · Fastify · Vulnerability
CVSS v3.1: 9.1
Score: 96
2026-04-15
2026-04-15 09:16Z
HIGH

CVE-2025-40899 — A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-40899

A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges can define a malicious custom field containing a JavaScript payload. When the victim views the Assets or Nodes pages, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt applicatio CVSSv3.1 8.9 (HIGH) · EPSS 10th percentile

CWE-79 · Vulnerability
CVSS v3.1: 8.9
Score: 95
2026-04-15
2026-04-15 09:16Z
HIGH

CVE-2025-40897 — An access control vulnerability was discovered in the Threat Intelligence functionality due to a

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-40897

An access control vulnerability was discovered in the Threat Intelligence functionality due to a specific access restriction not being properly enforced for users with view-only privileges. An authenticated user with view-only privileges for the Threat Intelligence functionality can perform administrative actions on it, altering the rules configuration, and/or affecting their availability. CVSSv3.1 8.1 (HIGH) · EPSS 12th percentile

CWE-863 · Vulnerability
CVSS v3.1: 8.1
Score: 91
2026-04-15
2026-04-15 04:17Z
HIGH

CVE-2026-40104 — Xwiki Xwiki: Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40104

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties, which list all available pages as part of the metadata for database list properties without applying query limits. On lar CVSSv3.1 8.2 (HIGH)

CWE-770 · Xwiki · Vulnerability
CVSS v3.1: 8.2
Score: 91
2026-04-15
2026-04-15 04:17Z
HIGH

CVE-2026-39884 — Suyogs Mcp-server-kubernetes: Versions 3.4.0 and prior contain an argument injection vulnerability in the port_forward tool in

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39884

mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Versions 3.4.0 and prior contain an argument injection vulnerability in the port_forward tool in src/tools/port_forward.ts, where a kubectl command is constructed via string concatenation with user-controlled input and then naively split on spaces before being passed to spawn(). Unlike all other tools in the codebase which correctly use array-based argument passing with execFileSync(), CVSSv3.1 8.3 (HIGH)

CWE-88 · Model · Suyogs · Vulnerability
CVSS v3.1: 8.3
Score: 92
2026-04-15
2026-04-15 04:17Z
CRIT

CVE-2026-39842 — Openremote Openremote: Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39842

OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution on the server. The JavaScript rules engine executes user-supplied scripts via Nashorn's ScriptEngine.eval() without sandboxing, class filtering, or access restrictions, and the authorization check in RulesResourceImpl only restricts Groovy rules to superusers while leaving JavaScript rules un CVSSv3.1 9.9 (CRITICAL)

CWE-94 · CWE-917 · Openremote · Vulnerability
CVSS v3.1: 9.9
Score: 100
2026-04-14
2026-04-14 23:16Z
CRIT

CVE-2026-39399 — NuGet: An attacker can supply a crafted nuspec file with malicious metadata, leading to cross

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39399

NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job’s handling of .nuspec files within NuGet packages. An attacker can supply a crafted nuspec file with malicious metadata, leading to cross package metadata injection that may result in remote code execution (RCE) and/or arbitrary blob writes due to insufficient input validation. The issue is exploitable via URI fragment injection using unsanitized packag CVSSv3.1 9.6 (CRITICAL)

CWE-22 · CWE-20 · Nuget · Vulnerability
CVSS v3.1: 9.6
Score: 98
2026-04-14
2026-04-14 23:16Z
HIGH

CVE-2026-35589 — Nanobot Nanobot: Versions prior to 0.1.5 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35589

nanobot is a personal AI assistant. Versions prior to 0.1.5 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the bridge's WebSocket server in bridge/src/server.ts, resulting from an incomplete remediation of CVE-2026-2577. The original fix changed the binding from 0.0.0.0 to 127.0.0.1 and added an optional BRIDGE_TOKEN parameter, but token authentication is disabled by default and the server does not validate the Origin header during the WebSocket hand CVSSv3.1 8.0 (HIGH)

CWE-1385 · Nanobot · Vulnerability
CVSS v3.1: 8.0
Score: 90
2026-04-14
2026-04-14 23:16Z
CRIT

CVE-2026-35033 — Jellyfin Jellyfin: Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35033

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through the StreamOptions query parameter parsing mechanism. The ParseStreamOptions method in StreamingHelpers.cs adds any lowercase query parameter to a dictionary without validation, bypassing the RegularExpression attribute on the level controller parameter, and the unsanitized value is concatenated direct CVSSv3.1 9.1 (CRITICAL)

CWE-862 · CWE-88 · Jellyfin · Vulnerability
CVSS v3.1: 9.1
Score: 96
2026-04-14
2026-04-14 23:16Z
HIGH

CVE-2026-35032 — Jellyfin Jellyfin: Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35032

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP URLs. This is exploitable by any authenticated user because the EnableLiveTvManagement permission defaults to true for all new users. An attacker can chain these vulnerabilities by CVSSv3.1 8.1 (HIGH)

CWE-918 · CWE-73 · Jellyfin · Vulnerability
CVSS v3.1: 8.1
Score: 91
2026-04-14
2026-04-14 23:16Z
CRIT

CVE-2026-35031 — Jellyfin Jellyfin: Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35031

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field is not validated, allowing path traversal via the file extension and enabling arbitrary file write. This arbitrary file write can be chained into arbitrary file read via .strm files, database extraction, admin privilege escalation, and ultimately remote code execution as root via CVSSv3.1 9.9 (CRITICAL)

CWE-22 · CWE-20 · CWE-187 · Jellyfin · Vulnerability
CVSS v3.1: 9.9
Score: 100
2026-04-14
2026-04-14 23:16Z
CRIT

CVE-2026-34457 — Oauth2_proxy_project Oauth2_proxy: Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34457

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy is used with an auth_request-style integration (such as nginx auth_request) and either --ping-user-agent is set or --gcp-healthchecks is enabled. In affected configurations, OAuth2 Proxy treats any request with the configured health check User-Agent value as a successful health c CVSSv3.1 9.1 (CRITICAL)

CWE-290 · Oauth2 · Oauth2 Proxy Project · Vulnerability
CVSS v3.1: 9.1
Score: 96
2026-04-14
2026-04-14 23:16Z
HIGH

CVE-2026-27290 — Adobe: Framemaker versions 2022.8 and earlier are affected by an Untrusted Search Path vulnerability

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-27290

Adobe Framemaker versions 2022.8 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. If the application uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue does not require user interaction. CVSSv3.1 8.6 (HIGH)

CWE-426 · Adobe · Vulnerability
CVSS v3.1: 8.6
Score: 93
2026-04-14
2026-04-14 22:16Z
HIGH

CVE-2026-40291 — Chamilo: In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40291

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. The API Platform security expression is_granted('EDIT', object) only verifies record ownership, and the roles field is included in the writable serializat CVSSv3.1 8.8 (HIGH)

CWE-269 · CWE-863 · Chamilo · Vulnerability
CVSS v3.1: 8.8
Score: 94
2026-04-14
2026-04-14 22:16Z
CRIT

CVE-2026-39907 — Unisys Webperfect_image_suite: WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an unauthenticated WCF SOAP endpoint

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39907

Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an unauthenticated WCF SOAP endpoint on TCP port 1208 that accepts unsanitized file paths in the ReadLicense action's LFName parameter, allowing remote attackers to trigger SMB connections and leak NTLMv2 machine-account hashes. Attackers can submit crafted SOAP requests with UNC paths to force the server to initiate outbound SMB connections, exposing authentication credentials that may be relayed CVSSv3.1 10.0 (CRITICAL)

CWE-73 · Unisys · Vulnerability
CVSS v3.1: 10.0
Score: 100
2026-04-14
2026-04-14 22:16Z
CRIT

CVE-2026-39906 — Unisys Webperfect_image_suite: WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39906

Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hashes by supplying a Windows UNC path as a target file argument through object-unmarshalling techniques. Attackers can capture the leaked NTLMv2 hash and relay it to other hosts to achieve privilege escalation or lateral movement depending on network configuration and patch level. CVSSv3.1 10.0 (CRITICAL)

CWE-441 · Unisys · Vulnerability
CVSS v3.1: 10.0
Score: 100
2026-04-14
2026-04-14 22:16Z
HIGH

CVE-2026-35196 — Chamilo: In versions prior to 2.0.0-RC.3, an OS Command Injection vulnerability exists in the main/inc/ajax/gradebook.ajax.php

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35196

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an OS Command Injection vulnerability exists in the main/inc/ajax/gradebook.ajax.php endpoint within the export_all_certificates action, where the course code retrieved from the session variable $_SESSION['_cid'] via api_get_course_id() is concatenated directly into a shell_exec() command string without sanitization or escaping using escapeshellarg(). If an attacker can manipulate or po CVSSv3.1 8.8 (HIGH)

CWE-78 · Chamilo · Vulnerability
CVSS v3.1: 8.8
Score: 94
2026-04-14
2026-04-14 22:16Z
HIGH

CVE-2026-27306 — ColdFusion: versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-27306

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Attacker requires elevated privileges. Exploitation of this issue requires user interaction in that a victim must open a malicious file. CVSSv3.1 8.4 (HIGH)

CWE-20 · Coldfusion · Vulnerability
CVSS v3.1: 8.4
Score: 92
2026-04-14
2026-04-14 22:16Z
HIGH

CVE-2026-27305 — ColdFusion: versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-27305

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. CVSSv3.1 8.6 (HIGH)

CWE-22 · Coldfusion · Vulnerability
CVSS v3.1: 8.6
Score: 93
2026-04-14
2026-04-14 22:16Z
CRIT

CVE-2026-27304 — ColdFusion: versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-27304

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. CVSSv3.1 9.3 (CRITICAL)

CWE-20 · Coldfusion · Vulnerability
CVSS v3.1: 9.3
Score: 97