Latest intel // live feed
CVE-2026-35643 — OpenClaw before 2026.3.22: unvalidated WebView JavascriptInterface lets untrusted pages inject arbitrary instructions
OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context. CVSSv3.1 8.8 (HIGH)
CVE-2026-35595 — Vikunja before 2.3.0: CanUpdate only requires CanWrite on the new parent when changing parent_project_id
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new parent project when changing parent_project_id. However, Vikunja's permission model uses a recursive CTE that walks up the project hierarchy to compute permissions. Moving a project under a different parent changes the permission inheritance chain. When a user has inherited Write access (from a paren CVSSv3.1 8.3 (HIGH)
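The advisory above describes a permission model that walks up the project hierarchy with a recursive CTE, and a reparenting check that consults only the new parent. The following added example (written for this feed, not Vikunja's own code) reproduces that model in Python with sqlite3 so the effect of a move can be observed directly: the table names, the numeric ordering of READ/WRITE/ADMIN, the sample hierarchy and shares, and the stricter `can_update_strict` variant are all assumptions for illustration, not Vikunja's schema, constants or patch.

```python
import sqlite3

# Assumed numeric ordering of rights (read < write < admin); illustrative, not Vikunja's constants.
READ, WRITE, ADMIN = 0, 1, 2

SCHEMA = """
CREATE TABLE projects (id INTEGER PRIMARY KEY, parent_project_id INTEGER);
CREATE TABLE project_users (project_id INTEGER, user_id INTEGER, permission INTEGER);
"""


def open_db():
    """Constructed sample data: A(1) -> P(2) -> C(3) is one tree, B(4) is a separate tree."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO projects VALUES (?, ?)",
                   [(1, None), (2, 1), (3, 2), (4, None)])
    # user 7: WRITE shared on A (so inherited WRITE on P and C) and ADMIN shared on B
    # user 8: READ shared on A only
    db.executemany("INSERT INTO project_users VALUES (?, ?, ?)",
                   [(1, 7, WRITE), (4, 7, ADMIN), (1, 8, READ)])
    return db


# Walk from the project up through its ancestors and take the strongest share found
# anywhere on that chain: the inheritance rule the advisory describes.
EFFECTIVE_RIGHT_SQL = """
WITH RECURSIVE chain(id, parent_project_id) AS (
    SELECT id, parent_project_id FROM projects WHERE id = ?
    UNION ALL
    SELECT p.id, p.parent_project_id
    FROM projects p JOIN chain c ON p.id = c.parent_project_id
)
SELECT MAX(pu.permission)
FROM chain JOIN project_users pu ON pu.project_id = chain.id
WHERE pu.user_id = ?
"""

# Walk downwards instead, to find the subtree rooted at a project.
DESCENDANTS_SQL = """
WITH RECURSIVE sub(id) AS (
    SELECT id FROM projects WHERE id = ?
    UNION ALL
    SELECT p.id FROM projects p JOIN sub ON p.parent_project_id = sub.id
)
SELECT id FROM sub
"""


def effective_right(db, user_id, project_id):
    """Strongest right on the chain, or None when the user has no share anywhere on it."""
    return db.execute(EFFECTIVE_RIGHT_SQL, (project_id, user_id)).fetchone()[0]


def can_write(db, user_id, project_id):
    r = effective_right(db, user_id, project_id)
    return r is not None and r >= WRITE


def can_update_new_parent_only(db, user_id, project_id, new_parent_id):
    """The check as the advisory describes it: only the new parent is consulted."""
    return can_write(db, user_id, new_parent_id)


def can_update_strict(db, user_id, project_id, new_parent_id):
    """Assumed stricter variant (not Vikunja's actual fix): the mover must also hold ADMIN on
    the project in its current position, because reparenting rewrites who inherits what on
    the whole subtree below it."""
    return (can_write(db, user_id, new_parent_id)
            and effective_right(db, user_id, project_id) == ADMIN)


def move_project(db, project_id, new_parent_id):
    # A cycle would make the UNION ALL walk above recurse without end, so refuse to move a
    # project under itself or one of its own descendants.
    subtree = {row[0] for row in db.execute(DESCENDANTS_SQL, (project_id,))}
    if new_parent_id in subtree:
        raise ValueError("cannot move a project under its own subtree")
    db.execute("UPDATE projects SET parent_project_id = ? WHERE id = ?",
               (new_parent_id, project_id))


def demo():
    """Move P(2) from under A(1) to under B(4) as user 7 and show how rights on P and C change."""
    db = open_db()
    before = {(u, p): effective_right(db, u, p) for u in (7, 8) for p in (2, 3)}
    allowed_loose = can_update_new_parent_only(db, 7, 2, 4)
    allowed_strict = can_update_strict(db, 7, 2, 4)
    move_project(db, 2, 4)  # what the loose check permits
    after = {(u, p): effective_right(db, u, p) for u in (7, 8) for p in (2, 3)}
    return before, after, allowed_loose, allowed_strict
```

Running `demo()` shows the inheritance chain being rewritten by the move: user 7, who had only inherited WRITE on P and C, now inherits ADMIN on both from B, while user 8, whose READ came through A, loses access to P and C entirely. The loose check passed because it never looked at the chain P was leaving.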
CVE-2026-23781 — BMC Control-M/MFT 9.0.20 through 9.0.22: hardcoded cleartext default debug credentials for the MFT API debug interface
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface. CVSSv3.1 9.8 (CRITICAL)
Z-Hound — Single-file, browser-based Active Directory attack graph tool for SharpHound and AzureHound collection data. No server.
Z-Hound is a single-file, browser-based Active Directory attack graph visualization tool that parses SharpHound and AzureHound collection data without requiring Neo4j, server infrastructure, or installation. It provides interactive graph rendering, automated risk scoring, attack path analysis, NTLM relay chain synthesis, ADCS ESC detection, and Azure/Entra ID support. All processing occurs client-side in the browser, so collection data is never sent to a server.
Mythic v3.4.0.56
Mythic v3.4.0.56 released with a Dockerfile tag bump to match the release version. No detailed changelog or feature notes are provided in the GitHub release page.
CVE-2026-36236 — SourceCodester Engineers Online Portal v1.0: SQL injection in update_password.php via the new_password parameter
SourceCodester Engineers Online Portal v1.0 is vulnerable to SQL Injection in update_password.php via the new_password parameter. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-36235 — itsourcecode Online Student Enrollment System v1.0: SQL injection in scheduleSubList.php via the subjcode parameter
A SQL injection vulnerability was found in the scheduleSubList.php file of itsourcecode Online Student Enrollment System v1.0. The 'subjcode' parameter is embedded directly into the SQL query via string interpolation without any sanitization or validation. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-36234 — itsourcecode Online Student Enrollment System v1.0: SQL injection in newCourse.php via the coursename parameter
itsourcecode Online Student Enrollment System v1.0 is vulnerable to SQL Injection in newCourse.php via the 'coursename' parameter. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-36233 — itsourcecode Online Student Enrollment System v1.0: SQL injection in assignInstructorSubjects.php via the subjcode parameter
A SQL injection vulnerability was found in the assignInstructorSubjects.php file of itsourcecode Online Student Enrollment System v1.0. The 'subjcode' parameter is used directly in SQL queries without sanitization or validation, so an attacker can inject arbitrary SQL through it. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-36232 — itsourcecode Online Student Enrollment System v1.0: SQL injection in instructorClasses.php via the classId parameter
A SQL injection vulnerability was found in the instructorClasses.php file of itsourcecode Online Student Enrollment System v1.0. The 'classId' parameter from $_GET['classId'] is concatenated directly into the SQL query without any sanitization or validation. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-29861 — PHP-MYSQL-User-Login-System v1.0: SQL injection via the username parameter in login.php
PHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-23780 — BMC Control-M/MFT 9.0.20 through 9.0.22: authenticated SQL injection in the MFT API debug interface
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to inject malicious queries due to improper input validation and unsafe dynamic SQL handling. Successful exploitation can enable arbitrary file read/write operations and potentially lead to remote code execution. Note that CVE-2026-23781 (above) concerns hardcoded default credentials for this same debug interface; where those remain unchanged, the authentication requirement is easily satisfied. CVSSv3.1 8.8 (HIGH)
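The run of SQL injection entries above all share one root cause: a request parameter spliced into the query text by string interpolation or concatenation. The following added example (written for this feed, not code from any of the affected projects) reproduces the two shapes seen here, the quoted string parameter of a login form (as in login.php) and a bare numeric id taken from the query string (as in $_GET['classId']), beside their parameterized counterparts, using Python and sqlite3 with constructed tables and rows so it runs offline. Function names, the schema and the sample data are assumptions; the plaintext password comparison is kept only to mirror the vulnerable pattern, real code compares password hashes.

```python
import sqlite3


def open_db():
    """Constructed sample data standing in for the PHP applications' tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE classes (id INTEGER PRIMARY KEY, instructor TEXT, name TEXT);
    """)
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "s3cret"), ("alice", "hunter2")])
    db.executemany("INSERT INTO classes (instructor, name) VALUES (?, ?)",
                   [("alice", "Math 101"), ("bob", "Physics 201"), ("bob", "Chem 110")])
    return db


# --- login.php shape: a quoted string parameter interpolated into the query text ---
def login_vulnerable(db, username, password):
    # A username such as  admin' --  closes the string literal and comments out the
    # password check, so the query matches the admin row regardless of password.
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    # Placeholders send the values out of band; the quote and comment are just characters.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# --- instructorClasses.php shape: an unquoted id from the query string concatenated in ---
def classes_vulnerable(db, class_id):
    # A classId of  1 OR 1=1  turns a lookup of one row into a dump of the whole table.
    sql = "SELECT id, name FROM classes WHERE id = " + class_id
    return db.execute(sql).fetchall()


def classes_safe(db, class_id):
    cid = int(class_id)  # the parameter is an integer id: reject anything else outright
    return db.execute("SELECT id, name FROM classes WHERE id = ?", (cid,)).fetchall()
```

The numeric case is the one most often left unfixed, because no quote is involved and `intval()`-style coercion looks like a detail; the combination of a type check and a placeholder closes both the string and the numeric variants.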
CVE-2025-44560 — owntone-server 2ca10d9: buffer overflow due to lack of recursive checking
owntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive checking. CVSSv3.1 9.8 (CRITICAL)
Janus: Listen to Your Logs
SpecterOps released Janus, an open-source tool that parses C2 server logs (Mythic, Ghostwriter, Cobalt Strike) to surface operational friction—failed commands, retries, and workarounds—that normally disappear into scratch notes. The tool normalizes task/result telemetry into JSON, applies configurable retention controls, and generates analyzers across command, workflow, and tooling layers to identify which tools fail, which techniques require improvisation, and where operators lose time.
Mythic v3.4.0.55
Mythic v3.4.0.55 released with a Dockerfile tag bump to match the release version. No detailed changelog or feature/fix information is provided in the GitHub release page.
CVE-2026-6068 — NASM: heap use-after-free in response file (-@) processing via a dangling pointer in depend_file
NASM contains a heap use after free vulnerability in response file (-@) processing where a dangling pointer to freed memory is stored in the global depend_file and later dereferenced, as the response-file buffer is freed before the pointer is used, allowing for data corruption or remote code execution. CVSSv3.1 9.6 (CRITICAL) · EPSS 9th percentile
CVE-2026-40217 — LiteLLM through 2026-04-08: remote code execution via bytecode rewriting at /guardrails/test_custom_code
LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI. CVSSv3.1 8.8 (HIGH)
CVE-2025-58913 — CactusThemes VideoPro through 2.3.8.1: PHP Local File Inclusion (Improper Control of Filename for Include/Require Statement)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CactusThemes VideoPro allows PHP Local File Inclusion. This issue affects VideoPro through 2.3.8.1. CVSSv3.1 8.1 (HIGH) · EPSS 15th percentile
Mythic v3.4.0.54
Mythic v3.4.0.54 released with a Dockerfile tag bump to match the release version. No detailed changelog or feature notes are provided in the GitHub release page.
CVE-2026-5412 — Juju before 2.9.57 and 3.6.21: CloudSpec API in the Controller facade exposes controller cloud credentials to any authenticated user
In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21. CVSSv3.1 9.9 (CRITICAL)
CVE-2026-6057 — FalkorDB Browser 1.9.3: unauthenticated path traversal in the file upload API leads to arbitrary file write and remote code execution
FalkorDB Browser 1.9.3 contains an unauthenticated path traversal vulnerability in the file upload API that allows remote attackers to write arbitrary files and achieve remote code execution. CVSSv3.1 9.8 (CRITICAL)
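The entry above describes the classic route from an upload handler to code execution: a client-controlled filename that is joined onto the upload directory without confirming the result stays inside it. The following added example (written for this feed, not FalkorDB's code) shows that handler shape in Python beside a hardened version, writing into a temporary directory so it runs offline; function names, the directory layout and the constructed payloads are assumptions, not details of the actual vulnerability.

```python
import os
import tempfile


def save_upload_vulnerable(upload_dir, filename, data):
    """Trusts the client-supplied filename: '../' segments and absolute paths leave upload_dir."""
    path = os.path.join(upload_dir, filename)  # an absolute filename discards upload_dir entirely
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def safe_upload_path(upload_dir, filename):
    """Resolve the target (symlinks included) and require it to sit strictly below upload_dir."""
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError(f"rejected upload path outside {upload_dir!r}: {filename!r}")
    return target


def save_upload_safe(upload_dir, filename, data):
    path = safe_upload_path(upload_dir, filename)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo():
    """Exercise both handlers against constructed traversal filenames in a scratch directory."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    real_root, real_uploads = os.path.realpath(root), os.path.realpath(uploads)

    # The vulnerable handler happily writes one level above the upload directory.
    written = save_upload_vulnerable(uploads, "../escaped.txt", b"constructed payload")

    # The hardened path check rejects every escape attempt before anything is written.
    rejected = []
    for bad in ("../escaped.txt", "/etc/passwd", "sub/../../x.txt", ""):
        try:
            safe_upload_path(uploads, bad)
        except ValueError:
            rejected.append(bad)

    kept = save_upload_safe(uploads, "sub/report.txt", b"constructed payload")
    return {
        "vulnerable_escaped": os.path.realpath(written) == os.path.join(real_root, "escaped.txt"),
        "rejected": rejected,
        "safe_inside": os.path.commonpath([real_uploads, kept]) == real_uploads,
    }
```

Checking `commonpath` on the resolved paths rather than scanning the filename for `..` is what makes the check hold up against absolute paths, mixed separators and symlinks already present under the upload directory; a stricter service that needs only flat filenames can additionally reduce the name to its basename before the check.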
CVE-2021-47961 — Synology SSL VPN Client before 1.4.5-0684: plaintext storage of a password
A plaintext storage of a password vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access or influence the user's PIN code due to insecure storage. This may lead to unauthorized VPN configuration and potential interception of subsequent VPN traffic when combined with user interaction. CVSSv3.1 8.1 (HIGH)
CVE-2026-6029 — Totolink A7100RU 7.4cu.2313_b20191024: OS command injection in setVpnAccountCfg via the User argument
A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setVpnAccountCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument User results in os command injection. The attack may be launched remotely. The exploit is now public and may be used. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-6028 — Totolink A7100RU 7.4cu.2313_b20191024: OS command injection in setPptpServerCfg via the enable argument
A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Impacted is the function setPptpServerCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument enable leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-6027 — Totolink A7100RU 7.4cu.2313_b20191024: OS command injection in setUrlFilterRules via the enable argument
A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. This issue affects the function setUrlFilterRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument enable can lead to os command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. CVSSv3.1 9.8 (CRITICAL)