Latest intel // live feed
CVE-2026-27304 — ColdFusion: versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability
ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. CVSSv3.1 9.3 (CRITICAL)
BloodHound v9.0.1-rc1
BloodHound v9.0.1-rc1 release candidate published with dependency updates and DAWGS library bump to 0.4.16. This is a routine maintenance release addressing identified vulnerabilities in upstream dependencies.
Patch Tuesday - April 2026
Microsoft released patches for 167 vulnerabilities in its April 2026 Patch Tuesday, including a critical unauthenticated RCE in Windows IKE (CVE-2026-33824, CVSS 9.8) with pre-auth network exposure, a local privilege escalation in Microsoft Defender (CVE-2026-33825) that was publicly disclosed before the fix, and a SharePoint spoofing zero-day (CVE-2026-32201) already exploited in the wild. The size of the batch reflects an industry-wide surge in vulnerability reporting driven by expanding AI capabilities; a further 80 browser vulnerabilities were patched separately.
CVE-2026-34160 — Chamilo Chamilo_lms: In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php is accessible without authentication and accepts a user-controlled package-url parameter that the server fetches using curl without filtering private or internal IP addresses, enabling unauthenticated Server-Side Request Forgery (SSRF). An attacker can exploit this to probe internal network CVSSv3.1 8.6 (HIGH)
CVE-2026-24893 — openITCOCKPIT Community Edition prior to version 5.5.2 contains a command injection vulnerability that allows
openITCOCKPIT is an open source monitoring tool built for different monitoring engines. openITCOCKPIT Community Edition prior to version 5.5.2 contains a command injection vulnerability that allows an authenticated user with permission to add or modify hosts to execute arbitrary OS commands on the monitoring backend. The vulnerability arises because user-controlled host attributes (specifically the host address) are expanded into monitoring command templates without validatio CVSSv3.1 8.8 (HIGH)
Hack the AI agent: Build agentic AI security skills with the GitHub Secure Code Game
GitHub released Season 4 of the Secure Code Game, a free interactive training platform focused on agentic AI security vulnerabilities. The game simulates a deliberately vulnerable AI assistant (ProdBot) across five progressive levels, teaching developers to identify and exploit real-world attack patterns including prompt injection, tool misuse, and sandbox escapes. The release addresses a critical gap: 83% of organizations plan agentic AI deployment but only 29% feel secure doing so.
CVE-2026-5752 — Sandbox Escape Vulnerability in Terrarium allows arbitrary code execution with root privileges on a
Sandbox Escape Vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal. CVSSv3.1 9.3 (CRITICAL)
CVE-2026-34617 — Adobe: Connect versions 2025.3, 12.10 and earlier are affected by a Cross-Site Scripting (XSS)
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Cross-Site Scripting (XSS) vulnerability that could result in privilege escalation. A low-privileged attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised we CVSSv3.1 8.7 (HIGH)
CVE-2026-34615 — Adobe: Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed. CVSSv3.1 9.3 (CRITICAL)
CVE-2026-33827 — Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an unauthorized attacker to execute code over a network. CVSSv3.1 8.1 (HIGH)
CVE-2026-33826 — Windows: Improper input validation in Windows Active Directory allows an authorized attacker to execute code
Improper input validation in Windows Active Directory allows an authorized attacker to execute code over an adjacent network. CVSSv3.1 8.0 (HIGH)
CVE-2026-33824 — Double free in Windows IKE Extension allows an unauthorized attacker to execute code over
Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-33120 — Untrusted pointer dereference in SQL Server allows an authorized attacker to execute code over
Untrusted pointer dereference in SQL Server allows an authorized attacker to execute code over a network. CVSSv3.1 8.8 (HIGH)
CVE-2026-33115 — Use after free in Microsoft Office Word allows an unauthorized attacker to execute code
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. CVSSv3.1 8.4 (HIGH)
CVE-2026-33114 — Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code
Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally. CVSSv3.1 8.4 (HIGH)
CVE-2026-32225 — Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security
Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network. CVSSv3.1 8.8 (HIGH)
CVE-2026-32221 — Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code
Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code locally. CVSSv3.1 8.4 (HIGH)
CVE-2026-32202 — Microsoft Windows_10_1607: Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over
Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network. CVSSv3.1 4.3 (MEDIUM) · EPSS 92nd percentile
CVE-2026-32190 — Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. CVSSv3.1 8.4 (HIGH)
CVE-2026-32171 — Insufficiently protected credentials in Azure Logic Apps allows an authorized attacker to elevate privileges
Insufficiently protected credentials in Azure Logic Apps allows an authorized attacker to elevate privileges over a network. CVSSv3.1 8.8 (HIGH)
CVE-2026-32162 — Acceptance of extraneous untrusted data with trusted data in Windows COM allows an unauthorized
Acceptance of extraneous untrusted data with trusted data in Windows COM allows an unauthorized attacker to elevate privileges locally. CVSSv3.1 8.4 (HIGH)
CVE-2026-32157 — Use after free in Remote Desktop Client allows an unauthorized attacker to execute code
Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network. CVSSv3.1 8.8 (HIGH)
CVE-2026-32091 — Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Brokering File
Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally. CVSSv3.1 8.4 (HIGH)
CVE-2026-27928 — Windows: Improper input validation in Windows Hello allows an unauthorized attacker to bypass a security
Improper input validation in Windows Hello allows an unauthorized attacker to bypass a security feature over a network. CVSSv3.1 8.7 (HIGH)
CVE-2026-27912 — Microsoft Windows_server_2012: Improper authorization in Windows Kerberos allows an authorized attacker to elevate privileges over an
Improper authorization in Windows Kerberos allows an authorized attacker to elevate privileges over an adjacent network. CVSSv3.1 8.0 (HIGH)