Latest intel // live feed
CVE-2026-39958 — oma is a package manager for AOSC OS.
oma is a package manager for AOSC OS. Prior to 1.25.2, oma-topics is responsible for fetching metadata for testing repositories (topics) named "Topic Manifests" ({mirror}/debs/manifest/topics.json) from remote repository servers, registering them as APT source entries. However, the name field in said metadata was not checked for transliteration. In this case, a malicious party may supply a malformed Topic Manifest, which may cause malicious APT source entries to be added to CVSSv3.1 9.1 (CRITICAL)
CVE-2026-39942 — Monospace Directus: Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter.
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by to obscure the tampering. This vulnerability is fixed in 11.17.0. CVSSv3.1 8.5 (HIGH)
CVE-2026-30479 — OSGeo MapServer: A Dynamic-link Library Injection vulnerability in OSGeo Project MapServer before v8.0 allows attackers to
A Dynamic-link Library Injection vulnerability in OSGeo Project MapServer before v8.0 allows attackers to execute arbitrary code via a crafted executable. CVSSv3.1 9.1 (CRITICAL)
CVE-2026-35204 — Helm Helm: From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not include a version: field containing POSIX dot-dot path separators, i.e. "/../". This vulnerability is fixed in 4.1.4. CVSSv3.1 8.6 (HIGH)
CVE-2025-70364 — Kiamo: An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute
An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server. CVSSv3.1 8.8 (HIGH)
AzureHound v2.12.0
AzureHound v2.12.0 released with bug fixes and feature enhancements. Changes include removal of race conditions in unit tests, correction of role filtering logic for User Access Admins, addition of AZContributor role assignment collection across management groups/resource groups/subscriptions, and strengthened unit test verification.
Mythos, Machine-Speed Exploitation, and the Growing Importance of Identity Attack Paths
SpecterOps analysis of Anthropic's Mythos AI model and its implications for enterprise security. The article argues that AI-accelerated vulnerability discovery and exploitation will compress the time between initial access and operational compromise, making identity attack path management critical for defenders. The core thesis: footholds become cheaper to produce, but their consequence depends on the reachability of high-value identities and delegated permissions within the target environment.
CVE-2026-5445 — Orthanc-server Orthanc: An out-of-bounds read vulnerability exists in the `DecodeLookupTable` function within `DicomImageDecoder.cpp`.
An out-of-bounds read vulnerability exists in the `DecodeLookupTable` function within `DicomImageDecoder.cpp`. The lookup-table decoding logic used for `PALETTE COLOR` images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size cause the decoder to read beyond allocated lookup table memory and expose heap contents in the output image. CVSSv3.1 9.1 (CRITICAL)
CVE-2026-5443 — Orthanc-server Orthanc: A heap buffer overflow vulnerability exists during the decoding of `PALETTE COLOR` DICOM images.
A heap buffer overflow vulnerability exists during the decoding of `PALETTE COLOR` DICOM images. Pixel length validation uses 32-bit multiplication for width and height calculations. If these values overflow, the validation check incorrectly succeeds, allowing the decoder to read and write to memory beyond allocated buffers. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-5442 — Orthanc-server Orthanc: A heap buffer overflow vulnerability exists in the DICOM image decoder.
A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-34578 — Opnsense Opnsense: When the LDAP server configuration includes an Extended Query to restrict login to members
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members o CVSSv3.1 8.2 (HIGH)
CVE-2025-70810 — phpBB: Cross Site Request Forgery vulnerability in phpBB3 v.3.3.15 allows a local attacker to
Cross Site Request Forgery vulnerability in phpBB3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism. CVSSv3.1 8.8 (HIGH)
CVE-2025-62718 — Axios Axios: This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or intern CVSSv3.1 9.9 (CRITICAL)
CVE-2025-50228 — Jizhicms Jizhicms: v2.5.4 is vulnerable to Server-Side Request Forgery (SSRF) in User Evaluation, Message, and
Jizhicms v2.5.4 is vulnerable to Server-Side Request Forgery (SSRF) in User Evaluation, Message, and Comment modules. CVSSv3.1 9.1 (CRITICAL)
CVE-2025-57735 — Airflow: When a user logged out, the JWT token the user had authenticated with was not
When a user logged out, the JWT token the user had authenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented a mechanism that invalidates the token at logout. Users who are concerned about the logout scenario and the possibility of intercepted tokens should upgrade to Airflow 3.2+. Users are recommended to upgrade to version 3.2.0, which fixes this issue. CVSSv3.1 9.1 (CRITICAL)
CVE-2026-34179 — Canonical: In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not
In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin. CVSSv3.1 9.1 (CRITICAL)
CVE-2026-34178 — Canonical: In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml
In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=tru CVSSv3.1 9.1 (CRITICAL)
CVE-2026-34177 — Canonical: A remote attacker with can_edit permission on a VM instance in a restricted project
Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attacker with can_edit permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration that bridges the LXD Unix socket into the guest VM CVSSv3.1 9.1 (CRITICAL)
The long road to your crypto: ClipBanker and its marathon infection chain
ClipBanker trojan distributed via trojanized Proxifier installers hosted on GitHub, employing a sophisticated multi-stage infection chain that uses fileless techniques, process injection, and PowerShell obfuscation to ultimately deliver clipboard-hijacking malware targeting 25+ cryptocurrency wallet types. Detected on the systems of over 2,000 Kaspersky users since early 2025, primarily in India and Vietnam; 70% of detections came from the free Virus Removal Tool, indicating post-infection remediation.
CVE-2026-5854 — Totolink: Manipulation of the argument merge results in OS command injection.
A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulation of the argument merge results in OS command injection. The attack can be initiated remotely. The exploit is now public and may be used. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-5853 — Totolink: Manipulation of the argument addrPrefixLen leads to OS command injection.
A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this vulnerability is the function setIpv6LanCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulation of the argument addrPrefixLen leads to OS command injection. The attack may be performed remotely. The exploit has been disclosed publicly and may be used. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-5852 — Totolink: Manipulation of the argument igmpVer causes OS command injection.
A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. Affected is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulation of the argument igmpVer causes OS command injection. The attack can be carried out remotely. The exploit has been made available to the public and could be used for attacks. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-5851 — Totolink: Manipulation of the argument enable results in OS command injection.
A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This impacts the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulation of the argument enable results in OS command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-5850 — Totolink: Manipulation of the argument pptpPassThru leads to OS command injection.
A vulnerability was identified in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulation of the argument pptpPassThru leads to OS command injection. Remote exploitation is possible. The exploit is publicly available and might be used. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-1830 — Quick Playground: The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all
The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server. CVSSv3.1 9.8 (CRITICAL) · EPSS 46th percentile