Latest intel// live feed
CVE-2026-40189 — Goshs Goshs: This results in a critical authorization bypass affecting confidentiality, integrity, and availability.
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. By deleting the .goshs fi CVSSv3.1 9.8 (CRITICAL)
CVE-2026-40175 — Axios: Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget"
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1. CVSSv3.1 10.0 (CRITICAL)
CVE-2026-40168 — Gitroom Postiz: Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF.
Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a result, an attacker can supply a public HTTPS URL that passes validation and then redirects the server-side request to an internal resource. CVSSv3.1 8.2 (HIGH)
CVE-2026-30232 — Depomo Chartbrew: Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any IP address validation, enabling Server-Side Request Forgery attacks against internal networks and cloud metadata endpoints. This vulnerability is fixed in 4.8.5. CVSSv3.1 9.6 (CRITICAL)
CVE-2026-33707 — Chamilo: Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email)
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no rate limiting. An attacker who knows a user's email can compute the reset token and change the victim's password without authentication. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. CVSSv3.1 9.4 (CRITICAL)
CVE-2026-33618 — Chamilo: Prior to 2.0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unauthenticated) requests /platform-config/list. This vulnerability is fixed in 2.0.0-RC.3. CVSSv3.1 8.8 (HIGH)
Metasploit Wrap-Up 10/04/2026
Metasploit Framework 6.4.126 adds four new modules including an authentication bypass for Cisco Catalyst SD-WAN controllers (CVE-2026-20127, recently exploited in the wild), an arbitrary file read in osTicket via PHP filter chains (CVE-2026-22200), and AD/CS web enrollment certificate issuance. The release also includes a 2x speedup to msfvenom startup time and enhancements to LDAP/ADCS reporting and Windows S4U persistence techniques.
CVE-2026-5483 — This vulnerability in the `odh-dashboard` component of Red Hat OpenShift AI (RHOAI) allows for
A flaw was found in odh-dashboard in Red Hat Openshift AI. This vulnerability in the `odh-dashboard` component of Red Hat OpenShift AI (RHOAI) allows for the disclosure of Kubernetes Service Account tokens through a NodeJS endpoint. This could enable an attacker to gain unauthorized access to Kubernetes resources. CVSSv3.1 8.5 (HIGH)
CVE-2026-40163 — Saltcorn: Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker
Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem. The GET /sync/upload_finished endpoint allows an unauthenticated attacker to list arbitrary directory contents and read specific JSON files. This vulne CVSSv3.1 8.2 (HIGH)
CVE-2026-32892 — Chamilo: Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php, the move_to POST parameter — which only passes through Security::remove_XSS() (an HTML-only filter) — is concatenated direct CVSSv3.1 9.1 (CRITICAL)
CVE-2026-31939 — Chamilo: Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file
Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file deletion. User input from $_REQUEST['test'] is concatenated directly into a filesystem path without canonicalization or traversal checks. This vulnerability is fixed in 1.11.38. CVSSv3.1 8.3 (HIGH)
CVE-2026-40200 — Stack-based memory corruption can occur during qsort of very large arrays, due to incorrectly
An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based memory corruption can occur during qsort of very large arrays, due to incorrectly implemented double-word primitives. The number of elements must exceed about seven million, i.e., the 32nd Leonardo number on 32-bit platforms (or the 64th Leonardo number on 64-bit platforms, which is not practical). CVSSv3.1 8.1 (HIGH)
CVE-2026-40158 — PraisonAI: Prior to 4.5.128, PraisonAI's AST-based Python sandbox can be bypassed using type.__getattribute__ trampoline, allowing
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI's AST-based Python sandbox can be bypassed using type.__getattribute__ trampoline, allowing arbitrary code execution when running untrusted agent code. The _execute_code_direct function in praisonaiagents/tools/python_tools.py uses AST filtering to block dangerous Python attributes like __subclasses__, __globals__, and __bases__. However, the filter only checks ast.Attribute nodes, allowing a bypass. The san CVSSv3.1 8.6 (HIGH)
CVE-2026-40157 — Praison Praisonai: Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw
PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory. An attacker who distributes a malicious bundle can overwrite arbitrary files on the victim's filesystem when they run praisonai recipe unpack. This vulnerability is fixed in 4.5.128. CVSSv3.1 8.8 (HIGH)
CVE-2026-35669 — Openclaw Openclaw: before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plugin HTTP routes that
OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plugin HTTP routes that incorrectly mint operator.admin runtime scope regardless of caller-granted scopes. Attackers can exploit this scope boundary bypass to gain elevated privileges and perform unauthorized administrative actions. CVSSv3.1 8.8 (HIGH)
CVE-2026-35666 — Openclaw Openclaw: before 2026.3.22 contains an allowlist bypass vulnerability in system.run approvals that fails to
OpenClaw before 2026.3.22 contains an allowlist bypass vulnerability in system.run approvals that fails to unwrap /usr/bin/time wrappers. Attackers can bypass executable binding restrictions by using an unregistered time wrapper to reuse approval state for inner commands. CVSSv3.1 8.8 (HIGH)
CVE-2026-35663 — Openclaw Openclaw: before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader
OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader scopes during backend reconnect. Attackers can bypass pairing requirements to reconnect as operator.admin, gaining unauthorized administrative privileges. CVSSv3.1 8.8 (HIGH)
CVE-2026-35660 — Openclaw Openclaw: before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset
OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /reset or /new messages with an explicit sessionKey to bypass operator.admin requirements and reset arbitrary sessions. CVSSv3.1 8.1 (HIGH)
CVE-2026-35653 — Openclaw Openclaw: before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that
OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the browser.request surface to stop the running browser, close Playwright connections, and move profile directories to Trash, crossing intended privilege boundaries. CVSSv3.1 8.1 (HIGH)
CVE-2026-35643 — Openclaw Openclaw: before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary
OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context. CVSSv3.1 8.8 (HIGH)
CVE-2026-35595 — Vikunja: Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new parent project when changing parent_project_id. However, Vikunja's permission model uses a recursive CTE that walks up the project hierarchy to compute permissions. Moving a project under a different parent changes the permission inheritance chain. When a user has inherited Write access (from a paren CVSSv3.1 8.3 (HIGH)
CVE-2026-23781 — BMC: If left unchanged, these credentials can be easily obtained and may allow unauthorized access
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface. CVSSv3.1 9.8 (CRITICAL)
Z-Hound — Single-file, browser-based Active Directory attack graph tool for SharpHound and AzureHound collection data. No server.
Z-Hound is a single-file, browser-based Active Directory attack graph visualization tool that parses SharpHound and AzureHound collection data without requiring Neo4j, server infrastructure, or installation. It provides interactive graph rendering, automated risk scoring, attack path analysis, NTLM relay chain synthesis, ADCS ESC detection, and Azure/Entra ID support—all processing occurs client-side in the browser with no data exfiltration.
v3.4.0.56
Mythic v3.4.0.56 released with a Dockerfile tag bump to match the release version. No detailed changelog or feature notes are provided in the GitHub release page.
CVE-2026-36236 — Janobe Engineers_online_portal: SourceCodester Engineers Online Portal v1.0 is vulnerable to SQL Injection in update_password.php via the
SourceCodester Engineers Online Portal v1.0 is vulnerable to SQL Injection in update_password.php via the new_password parameter. CVSSv3.1 9.8 (CRITICAL)