Latest intel // live feed
CVE-2026-27912 — Microsoft Windows Server 2012: Improper authorization in Windows Kerberos allows an authorized attacker to elevate privileges over an adjacent network. CVSSv3.1 8.0 (HIGH)
CVE-2026-27303 — Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed. CVSSv3.1 9.6 (CRITICAL)
CVE-2026-27246 — Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. CVSSv3.1 9.3 (CRITICAL)
CVE-2026-27245 — Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed. CVSSv3.1 9.3 (CRITICAL)
CVE-2026-27243 — Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed. CVSSv3.1 9.3 (CRITICAL)
CVE-2026-26178 — Microsoft Windows 10 1607: Integer size truncation in Windows Advanced Rasterization Platform (WARP) allows an unauthorized attacker to elevate privileges locally. CVSSv3.1 8.8 (HIGH)
CVE-2026-26167 — Microsoft Windows 10 1607: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally. CVSSv3.1 8.8 (HIGH) · EPSS 14th percentile
CVE-2026-26149 — Microsoft Power Apps: Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to bypass a security feature over a network. CVSSv3.1 9.0 (CRITICAL)
CVE-2026-34622 — Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. CVSSv3.1 8.6 (HIGH)
CVE-2026-39815 — Fortinet FortiDDoS-F: An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiDDoS-F 7.2.1 through 7.2.2 may allow an attacker to execute unauthorized code or commands by sending crafted HTTP requests. CVSSv3.1 8.8 (HIGH)
CVE-2026-39813 — Fortinet FortiSandbox: A path traversal ('../filedir') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5 and FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to escalate privileges via <insert attack vector here>. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-39808 — Fortinet FortiSandbox: An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to execute unauthorized code or commands via <insert attack vector here>. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-38532 — Webkul Krayin CRM: A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via a crafted GET request. CVSSv3.1 8.1 (HIGH)
CVE-2026-38530 — Webkul Krayin CRM: A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via a crafted GET request. CVSSv3.1 8.1 (HIGH)
CVE-2026-38529 — Webkul Krayin CRM: A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via a crafted HTTP request. CVSSv3.1 8.8 (HIGH)
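The three Krayin entries above share one root cause: the controller fetches or mutates the object named by the id in the request without tying it to the requesting user. The following is an added illustration for this page, not Krayin's PHP; an in-memory SQLite schema with constructed rows stands in for the CRM tables, and the function and table names are assumptions. It shows the vulnerable lookup beside the owner-scoped form, the same predicate applied to delete, and a password reset authorised against the actor rather than the target id in the request.

```python
"""Object-level authorization: added illustration of the Krayin CRM BOLA pattern,
not Krayin's code. In-memory SQLite with constructed sample rows."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed data: users 100 and 200 each own one contact; user 1 is an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, email TEXT NOT NULL)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, pw_hash TEXT NOT NULL, is_admin INTEGER NOT NULL)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)",
                     [(1, 100, "alice-client@example.com"), (2, 200, "bob-client@example.com")])
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "hash-admin", 1), (100, "hash-a", 0), (200, "hash-b", 0)])
    conn.commit()
    return conn


def get_contact_vulnerable(conn, requester_id, contact_id):
    """BOLA: the row is fetched by the client-supplied id alone. requester_id is known
    to the handler but never reaches the query, so any authenticated user can read
    (and, with the matching UPDATE/DELETE, change or remove) any contact by id."""
    return conn.execute("SELECT id, owner_id, email FROM contacts WHERE id = ?",
                        (contact_id,)).fetchone()


def get_contact_scoped(conn, requester_id, contact_id):
    """Fixed: ownership is part of the predicate. A contact the requester does not own
    is indistinguishable from one that does not exist (None -> 404), so the endpoint
    also does not confirm which ids are valid."""
    return conn.execute("SELECT id, owner_id, email FROM contacts WHERE id = ? AND owner_id = ?",
                        (contact_id, requester_id)).fetchone()


def delete_contact_scoped(conn, requester_id, contact_id) -> int:
    """Destructive operations carry the same predicate; rowcount (0 or 1) tells the
    caller whether anything was actually removed."""
    cur = conn.execute("DELETE FROM contacts WHERE id = ? AND owner_id = ?", (contact_id, requester_id))
    conn.commit()
    return cur.rowcount


def reset_password(conn, actor_id, target_id, new_hash) -> bool:
    """Password reset authorised against the actor's identity and role, not the target
    id in the request: a user may reset only their own password unless the actor holds
    the admin role (the UserController-style finding above)."""
    actor = conn.execute("SELECT is_admin FROM users WHERE id = ?", (actor_id,)).fetchone()
    if actor is None or (actor_id != target_id and not actor[0]):
        return False
    cur = conn.execute("UPDATE users SET pw_hash = ? WHERE id = ?", (new_hash, target_id))
    conn.commit()
    return cur.rowcount == 1


if __name__ == "__main__":
    db = make_db()
    print("user 100 reads contact 2 (vulnerable):", get_contact_vulnerable(db, 100, 2))
    print("user 100 reads contact 2 (scoped):    ", get_contact_scoped(db, 100, 2))
    print("user 100 deletes contact 2 (scoped):  ", delete_contact_scoped(db, 100, 2), "row(s)")
    print("user 100 resets user 200's password:  ", reset_password(db, 100, 200, "new-hash"))
    print("admin resets user 200's password:     ", reset_password(db, 1, 200, "new-hash"))
```

Standard library only (Python 3). The design point is that the ownership check lives in the query predicate rather than in a separate "is this mine?" branch after the fetch, so a forgotten branch in a new endpoint cannot reintroduce the bug, and unauthorised and non-existent objects produce the same response.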
CVE-2026-38527 — Webkul Krayin CRM: A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via a crafted POST request. CVSSv3.1 8.5 (HIGH)
CVE-2026-38526 — Webkul Krayin CRM: An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code by uploading a crafted PHP file. CVSSv3.1 9.9 (CRITICAL)
CVE-2026-22828 — Fortinet FortiAnalyzer Cloud / FortiManager Cloud: A heap-based buffer overflow vulnerability in Fortinet FortiAnalyzer Cloud 7.6.2 through 7.6.4 and FortiManager Cloud 7.6.2 through 7.6.4 may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Successful exploitation would require a large amount of effort in preparation because of ASLR and network segmentation. CVSSv3.1 8.1 (HIGH)
CVE-2025-65135 — manikandan580 School-management-system 1.0: A time-based blind SQL injection vulnerability exists in /studentms/admin/between-date-reprtsdetails.php through the fromdate POST parameter. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-63939 — anirudhkannan Grocery Store Management System 1.0: Improper input handling in /Grocery/search_products_itname.php allows SQL injection via the sitem_name POST parameter. CVSSv3.1 9.8 (CRITICAL)
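The two injection findings just above, and the FortiDDoS-F entry earlier in the feed, are one defect: a request parameter spliced into SQL text. An added example, not code from any of those products, using an in-memory SQLite table with constructed rows and a search parameter named after sitem_name. It shows the vulnerable and parameterised query side by side and, going beyond what the entries state, how a boolean blind oracle on such a parameter extracts data one character at a time; the time-based variant named in the School-management-system entry is the same loop with a delay as the signal.

```python
"""SQL injection in a product-name search: added illustration of the class behind the
Grocery Store / School-management-system entries, not either project's code.
In-memory SQLite with constructed rows; the parameter name mirrors sitem_name."""
import sqlite3

# Constructed sample rows.
SAMPLE_PRODUCTS = [(1, "apples", 1.20), (2, "apple juice", 3.50), (3, "bread", 2.10), (4, "milk", 0.99)]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL, price REAL NOT NULL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def search_vulnerable(conn, sitem_name):
    """The POST parameter is spliced into the SQL text, so a quote inside it ends the
    string literal and everything after it is parsed as SQL."""
    sql = f"SELECT id, name FROM products WHERE name LIKE '%{sitem_name}%' ORDER BY id"
    return conn.execute(sql).fetchall()


def search_safe(conn, sitem_name):
    """Parameterised: the value is bound as data and cannot change the query's
    structure. The LIKE wildcards are added to the value, not to the SQL text."""
    return conn.execute("SELECT id, name FROM products WHERE name LIKE ? ORDER BY id",
                        (f"%{sitem_name}%",)).fetchall()


def blind_oracle(conn, condition):
    """Boolean oracle: 'zzz' matches no product, so rows come back only when the
    injected condition is true. The '--' comments out the closing quote and ORDER BY."""
    return len(search_vulnerable(conn, f"zzz' OR ({condition})--")) > 0


def blind_extract(conn, subquery, alphabet="abcdefghijklmnopqrstuvwxyz ", max_len=32):
    """Recover the result of an arbitrary scalar subquery one character at a time
    using only yes/no answers. A time-based blind variant replaces the row-count
    signal with a delay (e.g. a heavy query or vendor sleep function)."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            if blind_oracle(conn, f"substr(({subquery}),{pos},1)='{ch}'"):
                recovered += ch
                break
        else:
            break  # no character matched: end of string (or outside the alphabet)
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload ' OR '1'='1:", search_vulnerable(db, "' OR '1'='1"))
    print("safe, same payload:              ", search_safe(db, "' OR '1'='1"))
    print("blind extraction of product 2:   ", blind_extract(db, "SELECT name FROM products WHERE id=2"))
```

Standard library only (Python 3). Note that the safe version returns nothing for the classic `' OR '1'='1` payload because the quotes are simply part of the search string, while the vulnerable version returns every row; the blind loop shows why a "harmless" search page is still a full read primitive against the database.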
CVE-2026-31049 — Hostbill: An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field. CVSSv3.1 9.8 (CRITICAL) · EPSS 55th percentile
Anthropic’s Claude Mythos Preview: The AI Cybersecurity Inflection Point
Anthropic announced Claude Mythos Preview, a frontier AI model capable of autonomously discovering and chaining multiple vulnerabilities across major operating systems and browsers, including a 27-year-old flaw in OpenBSD. Access is restricted to ~50 organizations via Project Glasswing, a controlled industry initiative, but the capability signals that AI-driven vulnerability discovery at scale is now operationalized and will likely become more widely accessible.
CVE-2026-27668 — RUGGEDCOM CROSSBOW SAM-P: A vulnerability has been identified in RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) (all versions < V5.8). User Administrators are allowed to administer groups they belong to. This could allow an authenticated User Administrator to escalate their own privileges and grant themselves access to any device group at any access level. CVSSv3.1 8.8 (HIGH)
CVE-2026-25654 — SINEC NMS: A vulnerability has been identified in SINEC NMS (all versions < V4.0 SP3). Affected products do not properly validate user authorization when processing password reset requests. This could allow an authenticated remote attacker to bypass authorization checks and reset the password of any arbitrary user account. CVSSv3.1 8.8 (HIGH)
CVE-2026-40313 — PraisonAI: PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to the ArtiPACKED attack, a known credential leakage vector caused by using actions/checkout without setting persist-credentials: false. By default, actions/checkout writes the GITHUB_TOKEN (and sometimes ACTIONS_RUNTIME_TOKEN) into the .git/config file for persistence, and if any subsequent workflow step uploads artifacts (build outputs, logs, test results, etc.), CVSSv3.1 9.1 (CRITICAL)
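Two checks a practitioner would want for this class of finding, as an added example written for this page (not PraisonAI's code or tooling): a line-based lint of workflow YAML for actions/checkout steps that do not set persist-credentials: false, and a scan of an extracted artifact for the basic-auth extra header that actions/checkout persists in .git/config. The sample workflow, the artifact layout and the ghs_ token below are constructed for the example, and the lint is a heuristic rather than a full YAML parser.

```python
"""ArtiPACKED exposure checks: added example, not PraisonAI's code or tooling.
(1) lint workflow YAML for actions/checkout steps lacking persist-credentials: false;
(2) scan an extracted artifact for the credential actions/checkout leaves in .git/config.
Sample workflow, artifact and token are constructed; the lint is line-based, not a YAML parser."""
import base64
import os
import re
import tempfile

CHECKOUT_RE = re.compile(r"^\s*-?\s*uses:\s*actions/checkout@")
PERSIST_FALSE_RE = re.compile(r"^\s*persist-credentials:\s*false\b", re.M)
# actions/checkout persists the token as an HTTP extra header in .git/config:
#   [http "https://github.com/"]  extraheader = AUTHORIZATION: basic base64("x-access-token:<TOKEN>")
AUTH_HEADER_RE = re.compile(r"AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed sample: the build job leaks, the test job is configured correctly.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # persist-credentials defaults to true
      - run: make build
      - uses: actions/upload-artifact@v4
        with:
          name: build-output
          path: .                          # ships .git/config with everything else
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout without persisting the token
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: make test
"""


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def checkout_steps_without_persist_false(workflow_text):
    """Return 1-based line numbers of actions/checkout steps whose step block lacks
    persist-credentials: false."""
    lines = workflow_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not CHECKOUT_RE.match(line):
            continue
        # Keys of this step sit at key_indent; the "- " list marker sits two columns left of it.
        key_indent = _indent(line) + (2 if line.lstrip(" ").startswith("- ") else 0)
        start = i  # walk up to the "- " line that opens this step (uses: may follow name:)
        while start > 0 and _indent(lines[start]) >= key_indent and not lines[start].lstrip(" ").startswith("- "):
            start -= 1
        end = i + 1  # walk down until the text dedents out of the step
        while end < len(lines) and (not lines[end].strip() or _indent(lines[end]) >= key_indent):
            end += 1
        if not PERSIST_FALSE_RE.search("\n".join(lines[start:end])):
            findings.append(i + 1)
    return findings


def find_leaked_tokens(artifact_root):
    """Walk an extracted artifact and decode any basic-auth extra header found in a
    .git/config. Returns [(path, token)]."""
    hits = []
    for dirpath, _dirs, files in os.walk(artifact_root):
        if os.path.basename(dirpath) != ".git" or "config" not in files:
            continue
        path = os.path.join(dirpath, "config")
        with open(path, encoding="utf-8", errors="replace") as fh:
            for m in AUTH_HEADER_RE.finditer(fh.read()):
                decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
                user, _, token = decoded.partition(":")
                if user == "x-access-token" and token:
                    hits.append((path, token))
    return hits


def mask(token):
    """Show enough to identify the token type without reproducing the secret."""
    return token[:8] + "..." + token[-4:] if len(token) > 12 else "***"


def write_sample_artifact(dest):
    """Constructed artifact: a .git/config shaped like the one actions/checkout leaves
    behind, carrying a fake token."""
    fake = "ghs_EXAMPLEtoken0123456789"
    os.makedirs(os.path.join(dest, ".git"), exist_ok=True)
    header = base64.b64encode(f"x-access-token:{fake}".encode()).decode()
    with open(os.path.join(dest, ".git", "config"), "w", encoding="utf-8") as fh:
        fh.write('[remote "origin"]\n\turl = https://github.com/example-org/example-repo\n'
                 '[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ' + header + "\n")
    return fake


def scan_sample_artifact():
    """Write the constructed artifact to a temp dir, scan it, and return the tokens found."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_artifact(tmp)
        return [token for _path, token in find_leaked_tokens(tmp)]


if __name__ == "__main__":
    print("checkout steps missing persist-credentials: false at lines:",
          checkout_steps_without_persist_false(SAMPLE_WORKFLOW))
    for token in scan_sample_artifact():
        print("token in .git/config ->", mask(token))
```

Standard library only (Python 3). Point the lint at the files under .github/workflows and the scanner at a downloaded, unzipped artifact; a hit from the scanner means the credential has already left the runner, so revoke it rather than just fixing the workflow.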