Latest intel // live feed
CVE-2026-35639 — OpenClaw: privilege escalation via insufficient scope validation in device.pair.approve (before 2026.3.22)
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows an operator.pairing approver to approve pending device requests with broader operator scopes than the approver actually holds. Attackers can exploit insufficient scope validation to escalate privileges to operator.admin and achieve remote code execution on the Node infrastructure. CVSSv3.1 8.8 (HIGH)
CVE-2026-35638 — OpenClaw: privilege escalation via device-less allow path in the Control UI trusted-proxy mechanism (before 2026.3.22)
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verification. Attackers can exploit the device-less allow path in the trusted-proxy mechanism to maintain elevated permissions by declaring arbitrary scopes, bypassing device identity requirements. CVSSv3.1 8.8 (HIGH)
CVE-2026-34512 — OpenClaw: improper access control on the HTTP /sessions/:sessionKey/kill route (before 2026.3.25)
OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:sessionKey/kill route that allows any bearer-authenticated user to invoke admin-level session termination functions without proper scope validation. Attackers can exploit this by sending authenticated requests to kill arbitrary subagent sessions via the killSubagentRunAdmin function, bypassing ownership and operator scope restrictions. CVSSv3.1 8.1 (HIGH)
CVE-2026-33785 — Juniper Networks Junos OS (MX Series): missing authorization for 'request csds' CLI commands
A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS on MX Series allows a local, authenticated user with low privileges to execute specific commands which will lead to a complete compromise of managed devices. Any user logged in, without requiring specific privileges, can issue 'request csds' CLI operational commands. These commands are only meant to be executed by high privileged or users designated for Juniper Device Manager (JDM) / Connected Secu CVSSv3.1 8.8 (HIGH)
CVE-2026-33784 — Juniper Networks Support Insights (JSI) vLWC: use of default password for a high-privileged account
A Use of Default Password vulnerability in the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device. vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible. This issue affects all vers CVSSv3.1 9.8 (CRITICAL)
CVE-2025-13914 — Juniper Networks Apstra: SSH key exchange without entity authentication (insufficient host key validation, before 6.1.1)
A Key Exchange without Entity Authentication vulnerability in the SSH implementation of Juniper Networks Apstra allows an unauthenticated, MITM attacker to impersonate managed devices. Due to insufficient SSH host key validation an attacker can perform a machine-in-the-middle attack on the SSH connections from Apstra to managed devices, enabling an attacker to impersonate a managed device and capture user credentials. This issue affects all versions of Apstra before 6.1.1. CVSSv3.1 8.7 (HIGH)
CVE-2026-5980 — D-Link DIR-605L 2.13B01: buffer overflow via the curTime argument in formSetMACFilter
A flaw has been found in D-Link DIR-605L 2.13B01. Affected by this issue is the function formSetMACFilter of the file /goform/formSetMACFilter of the component POST Request Handler. This manipulation of the argument curTime causes buffer overflow. The attack may be initiated remotely. The exploit has been published and may be used. This vulnerability only affects products that are no longer supported by the maintainer. CVSSv3.1 8.8 (HIGH)
CVE-2026-5979 — D-Link DIR-605L 2.13B01: buffer overflow via the curTime argument in formVirtualServ
A vulnerability was detected in D-Link DIR-605L 2.13B01. Affected by this vulnerability is the function formVirtualServ of the file /goform/formVirtualServ of the component POST Request Handler. The manipulation of the argument curTime results in buffer overflow. The attack can be launched remotely. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. CVSSv3.1 8.8 (HIGH)
CVE-2026-5978 — Totolink A7100RU: OS command injection via the mode argument in setWiFiAclRules
A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected is the function setWiFiAclRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument mode leads to OS command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-5977 — Totolink A7100RU: OS command injection via the wifiOff argument in setWiFiBasicCfg
A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. This impacts the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument wifiOff can lead to OS command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-40093 — Nimiq nimiq-blockchain: missing upper-bound check on block timestamps (1.3.0 and earlier)
nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In 1.3.0 and earlier, block timestamp validation enforces that timestamp >= parent.timestamp for non-skip blocks and timestamp == parent.timestamp + MIN_PRODUCER_TIMEOUT for skip blocks, but there is no visible upper bound check against the wall clock. A malicious block-producing validator can set block timestamps arbitrarily far in the future. This directly affects reward calculations via Pol CVSSv3.1 8.1 (HIGH) · EPSS 20th percentile
CVE-2023-54359 — WordPress adivaha Travel Plugin 2.3: time-based blind SQL injection via the 'pid' GET parameter
WordPress adivaha Travel Plugin 2.3 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pid' GET parameter. Attackers can send requests to the /mobile-app/v3/ endpoint with crafted 'pid' values using XOR-based payloads to extract sensitive database information or cause denial of service. CVSSv3.1 8.2 (HIGH)
BloodHound v9.0.0-rc4
BloodHound v9.0.0-rc4 release candidate published with minor bug fixes and dependency updates. Changes include UI navigation scrolling fixes, history table height adjustments, AzureHound version bump, Go 1.26.2 upgrade, and module updates.
CVE-2026-5976 — Totolink A7100RU: OS command injection via the sambaEnabled argument in setStorageCfg
A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setStorageCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument sambaEnabled results in OS command injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-5975 — Totolink A7100RU: OS command injection via the wanIdx argument in setDmzCfg
A vulnerability was identified in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setDmzCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument wanIdx leads to OS command injection. The attack may be performed from remote. The exploit is publicly available and might be used. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-4436 — Modbus register manipulation affecting odorant injection logic in a gas line
A low-privileged remote attacker can send Modbus packets to manipulate register values that are inputs to the odorant injection logic such that too much or too little odorant is injected into a gas line. CVSSv3.1 8.6 (HIGH)
CVE-2026-40089 — Sonicverse Radio Audio Streaming Stack: Server-Side Request Forgery (SSRF) in the dashboard API client
Sonicverse is a self-hosted Docker Compose stack for live radio streaming. The Sonicverse Radio Audio Streaming Stack dashboard contains a Server-Side Request Forgery (SSRF) vulnerability in its API client (apps/dashboard/lib/api.ts). Installations created using the provided install.sh script (including the one-liner bash <(curl -fsSL https://sonicverse.short.gy/install-audiostack)) are affected. In these deployments, the dashboard accepts user-controlled URLs and passes them CVSSv3.1 9.9 (CRITICAL)
CVE-2026-40088 — PraisonAI: shell command injection via execute_command and workflow shell execution (before 4.5.121)
PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metacharacters. This vulnerability is fixed in 4.5.121. CVSSv3.1 9.6 (CRITICAL)
CVE-2026-29145 — Apache Tomcat / Tomcat Native: CLIENT_CERT authentication does not fail as expected when soft fail is disabled
CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2 CVSSv3.1 9.1 (CRITICAL)
CVE-2025-13926 — Contemporary Controls BASC 20T: forged packets from sniffed traffic allow arbitrary requests
An attacker could use data obtained by sniffing the network traffic to forge packets in order to make arbitrary requests to Contemporary Controls BASC 20T. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-39912 — V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9: authentication tokens exposed in loginWithMailLink responses
V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin priv CVSSv3.1 9.1 (CRITICAL)
CVE-2026-31170 — ToToLink A3300R v17.0.0cu.557_B20221024: arbitrary command execution via the stun-pass parameter to /cgi-bin/cstecgi.cgi
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi. CVSSv3.1 9.8 (CRITICAL)
Inside Cirro: Attack Paths, Cloud Graphs, and Extensible Schemas
Bishop Fox released Cirro, an open-source cloud attack path analysis tool for Azure that models relationships between identities, RBAC, resources, and data-plane artifacts (secrets, certificates) to expose privilege escalation and lateral movement chains. The tool uses a templated YAML schema engine with Tera templating to scale across Azure resource types without hardcoding, and includes CirroDash for graph visualization and cirro-azcli-ext for passive API response capture.
CVE-2026-5329 — Rapid7 Velociraptor: improper input validation in the client monitoring message handler (before 0.76.2)
Rapid7 Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker to write to arbitrary internal server queues via a crafted monitoring message with a malicious queue name. The server handler that receives client monitoring messages does not sufficiently validate the queue name supplied by the client, allowing a rogu CVSSv3.1 8.5 (HIGH)
CVE-2026-40070 — BSV Ruby SDK (sgbett bsv-wallet): acquire_certificate persists certificates without verifying the certifier's signature (0.3.1 to before 0.8.2)
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies all certificate fields (including signature:) and the record is written to storage verbatim. In acquisition_protocol: 'issuance', the client POSTs to a certifier URL and writes whatev CVSSv3.1 8.1 (HIGH) · EPSS 1st percentile