Latest intel // live feed
From Patch Tuesday to Pentest Wednesday®: When “Clean” Didn’t Mean Secure
Horizon3.ai published a case study of an internal penetration test at a defense industrial base organization that revealed critical attack paths despite passing external security assessments and maintaining active EDR/endpoint controls. The test demonstrated that credentialed attackers could achieve full domain compromise through credential reuse, lateral movement, and privilege escalation—techniques aligned with Iranian threat actor tradecraft (MuddyWater, APT33, APT39). Targeted remediation focused on breaking attack chains rather than patching individual vulnerabilities, validating that internal testing reveals risks invisible to external assessments.
CVE-2026-40784 — FluentBoards (fluent-boards) by Mahmudul Hasan Arif: Authorization Bypass Through User-Controlled Key
Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FluentBoards: from n/a through <= 1.91.2. CVSSv3.1 8.1 (HIGH) · EPSS 16th percentile
CVE-2026-40764 — Contact Form by WPForms (wpforms-lite) by Syed Balkhi: Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Request Forgery. This issue affects Contact Form by WPForms: from n/a through <= 1.10.0.2. CVSSv3.1 8.1 (HIGH) · EPSS 7th percentile
CVE-2026-33805 — @fastify/reply-from and @fastify/http-proxy: a client-supplied Connection header strips proxy-added headers from upstream requests
@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affe… CVSSv3.1 8.6 (HIGH) · EPSS 17th percentile
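The ordering problem above is easy to reproduce without the library. The following Node.js model is an added illustration, not code from @fastify/reply-from or @fastify/http-proxy: `stripHopByHop`, `addProxyHeaders` and the two builder functions are invented stand-ins for the proxy's internals, and the client request is constructed. The only difference between the vulnerable and fixed builders is the order in which the two steps run.

```javascript
// Added example modelling CVE-2026-33805; not @fastify/reply-from code.
// All function names are invented stand-ins for the proxy's internals.

// RFC 7230 section 6.1: every header named in the Connection field is
// hop-by-hop and must be removed before the message is forwarded.
function stripHopByHop(headers) {
  const out = { ...headers };
  const conn = out.connection;
  if (typeof conn === 'string') {
    conn.split(',')
      .map((n) => n.trim().toLowerCase())
      .filter(Boolean)
      .forEach((n) => { delete out[n]; });
    delete out.connection;
  }
  return out;
}

// Stand-in for a rewriteRequestHeaders hook that injects headers the upstream
// trusts for identity and access control.
function addProxyHeaders(headers) {
  return { ...headers, 'x-forwarded-user': 'alice', 'x-internal-auth': 'trusted' };
}

// Vulnerable order: inject first, then honour the client's Connection header.
// The client can list the injected names and have them deleted again.
function buildUpstreamHeadersVulnerable(clientHeaders) {
  return stripHopByHop(addProxyHeaders(clientHeaders));
}

// Fixed order: strip client-declared hop-by-hop headers first, then inject.
// Nothing the client sends can name a header that does not exist yet.
function buildUpstreamHeadersFixed(clientHeaders) {
  return addProxyHeaders(stripHopByHop(clientHeaders));
}

// Constructed client request (lower-cased names, as Node's http module
// presents them). It tries to spoof x-forwarded-user and lists both
// proxy-added headers as hop-by-hop.
const attackerRequest = {
  host: 'api.internal',
  connection: 'keep-alive, X-Internal-Auth, x-forwarded-user',
  'x-forwarded-user': 'mallory',
};

console.log('vulnerable:', buildUpstreamHeadersVulnerable(attackerRequest));
console.log('fixed:     ', buildUpstreamHeadersFixed(attackerRequest));
```

In the vulnerable order the upstream receives neither `x-forwarded-user` nor `x-internal-auth`; in the fixed order the spoofed `x-forwarded-user: mallory` is dropped along with `connection`, and the proxy's own values are the only ones that reach the upstream. The same rule applies to any proxy: treat hop-by-hop processing as part of sanitising the inbound request, and only then add what the upstream must trust.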
CVE-2026-33808 — @fastify/express: path-scoped authentication middleware bypassed via duplicate slashes or semicolon delimiters when Fastify URL normalization is enabled
@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-nor… CVSSv3.1 9.1 (CRITICAL) · EPSS 38th percentile
CVE-2026-33807 — @fastify/express: middleware paths doubled when inherited by child plugins, bypassing authentication, authorization and rate limiting
@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all… CVSSv3.1 9.1 (CRITICAL) · EPSS 6th percentile
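Both @fastify/express issues come down to the middleware layer matching against a different path string than the router. The toy model below is an added illustration and not @fastify/express code: the router, the `dispatch` function, the middleware factory, the inheritance helpers and the route table are all invented for the example. It covers the normalization mismatch (CVE-2026-33808) and the prefix doubling (CVE-2026-33807) in one place.

```javascript
// Added example modelling CVE-2026-33808 and CVE-2026-33807; not
// @fastify/express code. Router, middleware and dispatch are invented
// stand-ins, and the route table is constructed.

// Fastify-style normalization (stand-ins for the ignoreDuplicateSlashes and
// useSemicolonDelimiter router options).
function normalizePath(rawUrl, opts = {}) {
  let p = rawUrl.split('?')[0];
  if (opts.useSemicolonDelimiter) p = p.split(';')[0];            // '/admin;x' -> '/admin'
  if (opts.ignoreDuplicateSlashes) p = p.replace(/\/{2,}/g, '/'); // '//admin' -> '/admin'
  return p;
}

// Express-style path-scoped middleware: it guards its mount path and every
// path below it, matched against whatever path string it is handed.
function makeAuthMiddleware(mountPath) {
  return {
    path: mountPath,
    matches: (p) => p === mountPath || p.startsWith(mountPath + '/'),
  };
}

const routes = new Set(['/admin', '/admin/users']);

// Dispatch model. The router always matches on the normalized path; the only
// difference between the vulnerable and fixed builds is which path string the
// middleware layer receives.
function dispatch(rawUrl, middleware, opts, { normalizeForMiddleware }) {
  const normalized = normalizePath(rawUrl, opts);
  if (!routes.has(normalized)) return { status: 404, authRan: false };
  const seenByMiddleware = normalizeForMiddleware ? normalized : normalizePath(rawUrl);
  return { status: 200, authRan: middleware.matches(seenByMiddleware) };
}

const vulnerable = { normalizeForMiddleware: false }; // raw URL reaches middleware
const fixed = { normalizeForMiddleware: true };       // router's view reaches middleware

// CVE-2026-33807 pattern: middleware registered at '/admin' in a parent plugin
// is inherited by a child registered with prefix '/admin'. Re-applying the
// prefix yields '/admin/admin', which no real request path matches.
function inheritMiddlewarePathBuggy(middlewarePath, childPrefix) {
  return childPrefix + middlewarePath;
}
// One correct inheritance rule: a middleware path already resolved in the
// parent is absolute, so the child prefix is not applied to it again.
function inheritMiddlewarePathFixed(middlewarePath /* already absolute */) {
  return middlewarePath;
}

const auth = makeAuthMiddleware('/admin');
console.log(dispatch('//admin/users', auth, { ignoreDuplicateSlashes: true }, vulnerable)); // authRan: false
console.log(dispatch('//admin/users', auth, { ignoreDuplicateSlashes: true }, fixed));      // authRan: true
console.log(dispatch('/admin;x', auth, { useSemicolonDelimiter: true }, vulnerable));      // authRan: false
console.log(makeAuthMiddleware(inheritMiddlewarePathBuggy('/admin', '/admin')).matches('/admin/users')); // false
```

Two checks worth running against a real deployment follow from this: request `//` and `;` variants of every guarded path and confirm the guard still fires, and list the effective mount path of each inherited middleware rather than trusting the path it was registered with. Note that without the normalization options the doubled-slash request simply 404s, which is why the bug only surfaces in specific configurations.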
CVE-2025-40899 — Stored Cross-Site Scripting in the Assets and Nodes functionality via a malicious custom field
A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges can define a malicious custom field containing a JavaScript payload. When the victim views the Assets or Nodes pages, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt applicatio… CVSSv3.1 8.9 (HIGH) · EPSS 10th percentile
CVE-2025-40897 — Access control flaw in the Threat Intelligence functionality lets view-only users perform administrative actions
An access control vulnerability was discovered in the Threat Intelligence functionality due to a specific access restriction not being properly enforced for users with view-only privileges. An authenticated user with view-only privileges for the Threat Intelligence functionality can perform administrative actions on it, altering the rules configuration, and/or affecting their availability. CVSSv3.1 8.1 (HIGH) · EPSS 12th percentile
CVE-2026-40104 — XWiki Platform: resource exhaustion in REST endpoints that list all pages without query limits (versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties, which list all available pages as part of the metadata for database list properties without applying query limits. On lar… CVSSv3.1 8.2 (HIGH)
CVE-2026-39884 — mcp-server-kubernetes: argument injection in the port_forward tool (versions 3.4.0 and prior)
mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Versions 3.4.0 and prior contain an argument injection vulnerability in the port_forward tool in src/tools/port_forward.ts, where a kubectl command is constructed via string concatenation with user-controlled input and then naively split on spaces before being passed to spawn(). Unlike all other tools in the codebase which correctly use array-based argument passing with execFileSync(),… CVSSv3.1 8.3 (HIGH)
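The contrast the advisory draws, string concatenation plus `split(' ')` versus an argv array, is shown below as an added example that is not mcp-server-kubernetes code. Nothing here executes kubectl: each builder returns the `{ file, argv }` it would hand to `spawn` or `execFile`. The builder names, the allowlist regexes and the hostile input are invented for the illustration, and the allowlist is deliberately narrower than what Kubernetes accepts as a name.

```javascript
// Added example contrasting the two argv-construction styles described for
// CVE-2026-39884; not mcp-server-kubernetes code. Nothing here runs kubectl:
// each builder returns the argv it would hand to the child process. Names and
// the validation rules are invented for the illustration.

// Vulnerable pattern: build one command string, then split on spaces. Any
// whitespace inside a caller-controlled field turns into extra arguments.
function buildPortForwardArgvVulnerable(resource, localPort, remotePort) {
  const cmd = `kubectl port-forward ${resource} ${localPort}:${remotePort}`;
  const [file, ...argv] = cmd.split(' ');
  return { file, argv };
}

// Hardened pattern: validate each field against an allowlist, then pass an
// argv array so fields are never re-tokenised. The allowlist also rejects a
// leading '-', because an element such as '--address=0.0.0.0' is still parsed
// as an option by the child even when it arrives as a single argv entry.
const NAME = '[a-z0-9]([-a-z0-9.]*[a-z0-9])?';        // conservative DNS-style name
const RESOURCE = new RegExp(`^(?:[a-z]+/)?${NAME}$`); // e.g. 'pod/web-0' or 'web-0'
const NAMESPACE = new RegExp(`^${NAME}$`);

function isPort(n) {
  return Number.isInteger(n) && n >= 1 && n <= 65535;
}

function buildPortForwardArgvSafe(resource, localPort, remotePort, namespace) {
  if (typeof resource !== 'string' || !RESOURCE.test(resource)) {
    throw new Error(`rejected resource ${JSON.stringify(resource)}`);
  }
  if (!isPort(localPort) || !isPort(remotePort)) {
    throw new Error('ports must be integers in 1..65535');
  }
  const argv = ['port-forward'];
  if (namespace !== undefined) {
    if (typeof namespace !== 'string' || !NAMESPACE.test(namespace)) {
      throw new Error(`rejected namespace ${JSON.stringify(namespace)}`);
    }
    argv.push('-n', namespace);
  }
  argv.push(resource, `${localPort}:${remotePort}`);
  return { file: 'kubectl', argv }; // intended for spawn(file, argv) / execFile(file, argv)
}

// Constructed hostile input: a "pod name" that smuggles a flag. With the
// vulnerable builder it becomes its own argv element; the safe builder
// refuses it outright.
const hostile = 'web-0 --address=0.0.0.0';
console.log(buildPortForwardArgvVulnerable(hostile, 8080, 80).argv);
try {
  buildPortForwardArgvSafe(hostile, 8080, 80);
} catch (e) {
  console.log('safe builder:', e.message);
}
```

The second half of the hardening is the part teams most often miss: switching to `execFile(file, argv)` stops re-tokenisation, but a value that begins with `-` is still an option to the child, so input validation (or a `--` terminator where the CLI honours one) is needed on top of array-based argument passing.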
CVE-2026-39842 — OpenRemote: expression injection in the rules engine allows arbitrary code execution on the server (versions 1.21.0 and below)
OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution on the server. The JavaScript rules engine executes user-supplied scripts via Nashorn's ScriptEngine.eval() without sandboxing, class filtering, or access restrictions, and the authorization check in RulesResourceImpl only restricts Groovy rules to superusers while leaving JavaScript rules un… CVSSv3.1 9.9 (CRITICAL)
CVE-2026-39399 — NuGet Gallery: crafted .nuspec metadata enables cross-package metadata injection, remote code execution and arbitrary blob writes
NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job's handling of .nuspec files within NuGet packages. An attacker can supply a crafted nuspec file with malicious metadata, leading to cross package metadata injection that may result in remote code execution (RCE) and/or arbitrary blob writes due to insufficient input validation. The issue is exploitable via URI fragment injection using unsanitized packag… CVSSv3.1 9.6 (CRITICAL)
CVE-2026-35589 — nanobot: Cross-Site WebSocket Hijacking (CSWSH) in the bridge WebSocket server (versions prior to 0.1.5)
nanobot is a personal AI assistant. Versions prior to 0.1.5 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the bridge's WebSocket server in bridge/src/server.ts, resulting from an incomplete remediation of CVE-2026-2577. The original fix changed the binding from 0.0.0.0 to 127.0.0.1 and added an optional BRIDGE_TOKEN parameter, but token authentication is disabled by default and the server does not validate the Origin header during the WebSocket hand… CVSSv3.1 8.0 (HIGH)
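Binding to 127.0.0.1 does not help against CSWSH because the connection is opened by the victim's own browser, which is on the loopback interface. The handshake check below is an added example, not nanobot code: it is a pure function over the upgrade request so it runs without a WebSocket library, and the config shape, the query-string token location and the sample requests are invented for the illustration.

```javascript
// Added example of the handshake check CVE-2026-35589 describes as missing;
// not nanobot code. Pure function over the upgrade request so it runs without
// a WebSocket library. Config shape, token location and requests are invented.

function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// req: { url, headers } with lower-cased header names as Node's http module
// provides them. cfg: { allowedOrigins: Set<string>, token: string,
// allowMissingOrigin: boolean }.
function checkWebSocketUpgrade(req, cfg) {
  const origin = req.headers['origin'];

  // A browser always attaches the Origin of the page that opened the socket,
  // and script on that page cannot change it. A page on evil.example can
  // reach ws://127.0.0.1:<port> just fine; only an allowlist match stops it.
  if (origin !== undefined) {
    if (!cfg.allowedOrigins.has(origin)) return { ok: false, reason: 'origin not allowed' };
  } else if (!cfg.allowMissingOrigin) {
    // Non-browser clients (curl, native apps) send no Origin; admit them only
    // when explicitly configured, and even then still require the token.
    return { ok: false, reason: 'origin header missing' };
  }

  // The token is mandatory, not optional: an unset server token is a deploy
  // error, not a reason to skip authentication.
  if (typeof cfg.token !== 'string' || cfg.token.length < 16) {
    return { ok: false, reason: 'server token not configured' };
  }
  // Browsers cannot set custom headers on a WebSocket handshake, so the token
  // is read from the query string here (an assumption for this example).
  const presented = new URL(req.url, 'http://localhost').searchParams.get('token');
  if (presented === null || !constantTimeEqual(presented, cfg.token)) {
    return { ok: false, reason: 'bad token' };
  }
  return { ok: true };
}

// Constructed configuration and requests.
const wsCfg = {
  allowedOrigins: new Set(['http://127.0.0.1:3000', 'http://localhost:3000']),
  token: 'k7Qf3mZp9Lw2Rt5VxB8nYc4H', // placeholder; generate with crypto.randomBytes in practice
  allowMissingOrigin: false,
};
const legit = {
  url: '/ws?token=k7Qf3mZp9Lw2Rt5VxB8nYc4H',
  headers: { origin: 'http://localhost:3000' },
};
const crossSite = {
  url: '/ws?token=k7Qf3mZp9Lw2Rt5VxB8nYc4H', // even with a leaked token, Origin still blocks it
  headers: { origin: 'https://evil.example' },
};
const noToken = { url: '/ws', headers: { origin: 'http://localhost:3000' } };

console.log(checkWebSocketUpgrade(legit, wsCfg));     // { ok: true }
console.log(checkWebSocketUpgrade(crossSite, wsCfg)); // origin not allowed
console.log(checkWebSocketUpgrade(noToken, wsCfg));   // bad token
```

Origin and token are independent controls and both are needed: the Origin check defeats the cross-site page that holds no token, while the token defeats non-browser callers and any local process that can open a socket to the port.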
CVE-2026-35033 — Jellyfin: unauthenticated arbitrary file read via ffmpeg argument injection through StreamOptions (versions prior to 10.11.7)
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through the StreamOptions query parameter parsing mechanism. The ParseStreamOptions method in StreamingHelpers.cs adds any lowercase query parameter to a dictionary without validation, bypassing the RegularExpression attribute on the level controller parameter, and the unsanitized value is concatenated direct… CVSSv3.1 9.1 (CRITICAL)
CVE-2026-35032 — Jellyfin: local file read and SSRF via unvalidated LiveTV M3U tuner URL (versions prior to 10.11.7)
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP URLs. This is exploitable by any authenticated user because the EnableLiveTvManagement permission defaults to true for all new users. An attacker can chain these vulnerabilities by… CVSSv3.1 8.1 (HIGH)
CVE-2026-35031 — Jellyfin: path traversal in subtitle upload leads to arbitrary file write and remote code execution as root (versions prior to 10.11.7)
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field is not validated, allowing path traversal via the file extension and enabling arbitrary file write. This arbitrary file write can be chained into arbitrary file read via .strm files, database extraction, admin privilege escalation, and ultimately remote code execution as root via… CVSSv3.1 9.9 (CRITICAL)
CVE-2026-34457 — OAuth2 Proxy: configuration-dependent authentication bypass in auth_request integrations when --ping-user-agent or --gcp-healthchecks is set (versions prior to 7.15.2)
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy is used with an auth_request-style integration (such as nginx auth_request) and either --ping-user-agent is set or --gcp-healthchecks is enabled. In affected configurations, OAuth2 Proxy treats any request with the configured health check User-Agent value as a successful health c… CVSSv3.1 9.1 (CRITICAL)
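The bypass works because nginx auth_request forwards the client's User-Agent into the subrequest and accepts any 2xx as "allowed", so a health-check short-circuit that keys on User-Agent alone answers the auth subrequest before authentication runs. The toy handler below is an added example modelling that flow; it is not oauth2-proxy code (which is Go), and the handler names, the session store, the cookie parsing and the sample requests are invented for the illustration. The option names follow the flags named in the advisory.

```javascript
// Added example modelling the auth_request flow in CVE-2026-34457; not
// oauth2-proxy code. Handler names, session store and requests are invented.

// nginx auth_request semantics: a 2xx from the subrequest lets the original
// request through, anything else blocks it. nginx forwards the client's
// User-Agent to the subrequest unless the config overrides it.
function isAuthenticated(req, cfg) {
  const cookie = req.headers['cookie'] || '';
  const m = /(?:^|;\s*)_oauth2_proxy=([^;]+)/.exec(cookie); // default cookie name
  return m !== null && cfg.validSessions.has(m[1]);
}

// Vulnerable ordering: the health-check short-circuit keys on User-Agent only
// and runs before authentication, on every path including the auth endpoint.
function authRequestVulnerable(req, cfg) {
  if (cfg.pingUserAgent && req.headers['user-agent'] === cfg.pingUserAgent) return 200;
  return isAuthenticated(req, cfg) ? 202 : 401;
}

// One way to close it (an illustration, not the project's fix): honour the
// health-check User-Agent only on the dedicated ping path, never on the auth
// endpoint that nginx actually calls for the subrequest.
function authRequestFixed(req, cfg) {
  const path = req.url.split('?')[0];
  if (path === cfg.pingPath && cfg.pingUserAgent && req.headers['user-agent'] === cfg.pingUserAgent) {
    return 200;
  }
  return isAuthenticated(req, cfg) ? 202 : 401;
}

const proxyCfg = {
  pingPath: '/ping',
  pingUserAgent: 'lb-healthcheck/1.0', // constructed value for --ping-user-agent
  validSessions: new Set(['sess-abc123']),
};

// What nginx sends to the auth subrequest for an anonymous client that set
// the health-check User-Agent on a request for /admin.
const spoofed = {
  url: '/oauth2/auth',
  headers: { 'user-agent': 'lb-healthcheck/1.0', 'x-forwarded-uri': '/admin' },
};
const realPing = { url: '/ping', headers: { 'user-agent': 'lb-healthcheck/1.0' } };
const loggedIn = { url: '/oauth2/auth', headers: { cookie: '_oauth2_proxy=sess-abc123' } };
const anonymous = { url: '/oauth2/auth', headers: {} };

console.log('vulnerable:', authRequestVulnerable(spoofed, proxyCfg)); // 200 -> nginx allows /admin
console.log('fixed:     ', authRequestFixed(spoofed, proxyCfg));      // 401 -> nginx blocks /admin
```

Until the upgrade lands, the configuration-side mitigations follow from the same model: drop `--ping-user-agent` and `--gcp-healthchecks` where the load balancer can probe the ping path instead, or clear the User-Agent on the auth subrequest in nginx (`proxy_set_header User-Agent "";` inside the auth_request location) so the spoofed value never reaches OAuth2 Proxy.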
CVE-2026-27290 — Adobe Framemaker: Untrusted Search Path allows arbitrary code execution as the current user (versions 2022.8 and earlier)
Adobe Framemaker versions 2022.8 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. If the application uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue does not require user interaction. CVSSv3.1 8.6 (HIGH)
CVE-2026-40291 — Chamilo LMS: any student can escalate to ROLE_ADMIN via PUT /api/users/{id} (versions prior to 2.0.0-RC.3)
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. The API Platform security expression is_granted('EDIT', object) only verifies record ownership, and the roles field is included in the writable serializat… CVSSv3.1 8.8 (HIGH)
CVE-2026-39907 — Unisys WebPerfect Image Suite: unauthenticated WCF SOAP endpoint on TCP 1208 leaks NTLMv2 machine-account hashes via UNC paths (versions 3.0.3960.22810 and 3.0.3960.22604)
Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an unauthenticated WCF SOAP endpoint on TCP port 1208 that accepts unsanitized file paths in the ReadLicense action's LFName parameter, allowing remote attackers to trigger SMB connections and leak NTLMv2 machine-account hashes. Attackers can submit crafted SOAP requests with UNC paths to force the server to initiate outbound SMB connections, exposing authentication credentials that may be relayed… CVSSv3.1 10.0 (CRITICAL)
CVE-2026-39906 — Unisys WebPerfect Image Suite: deprecated .NET Remoting TCP channel leaks NTLMv2 machine-account hashes via UNC paths (versions 3.0.3960.22810 and 3.0.3960.22604)
Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hashes by supplying a Windows UNC path as a target file argument through object-unmarshalling techniques. Attackers can capture the leaked NTLMv2 hash and relay it to other hosts to achieve privilege escalation or lateral movement depending on network configuration and patch level. CVSSv3.1 10.0 (CRITICAL)
CVE-2026-35196 — Chamilo LMS: OS command injection in the export_all_certificates action of main/inc/ajax/gradebook.ajax.php (versions prior to 2.0.0-RC.3)
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an OS Command Injection vulnerability exists in the main/inc/ajax/gradebook.ajax.php endpoint within the export_all_certificates action, where the course code retrieved from the session variable $_SESSION['_cid'] via api_get_course_id() is concatenated directly into a shell_exec() command string without sanitization or escaping using escapeshellarg(). If an attacker can manipulate or po… CVSSv3.1 8.8 (HIGH)
CVE-2026-27306 — Adobe ColdFusion: Improper Input Validation leads to arbitrary code execution; requires elevated privileges and user interaction (versions 2023.18, 2025.6 and earlier)
ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. The attacker requires elevated privileges. Exploitation of this issue requires user interaction in that a victim must open a malicious file. CVSSv3.1 8.4 (HIGH)
CVE-2026-27305 — Adobe ColdFusion: Path Traversal leads to arbitrary file system read (versions 2023.18, 2025.6 and earlier)
ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. CVSSv3.1 8.6 (HIGH)
CVE-2026-27304 — Adobe ColdFusion: Improper Input Validation leads to arbitrary code execution without user interaction (versions 2023.18, 2025.6 and earlier)
ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. CVSSv3.1 9.3 (CRITICAL)