Latest intel / live feed
CVE-2026-39486 — WP Chill Download Monitor (download-monitor) · CVSSv3.1 8.5 (HIGH) · EPSS 11th percentile
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Chill Download Monitor download-monitor allows Blind SQL Injection. This issue affects Download Monitor: from n/a through <= 5.1.8.
CVE-2026-39475 — Syed Balkhi User Feedback (userfeedback-lite) · CVSSv3.1 8.5 (HIGH) · EPSS 10th percentile
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection. This issue affects User Feedback: from n/a through <= 1.10.1.
CVE-2026-25776 — Movable Type (Six Apart Ltd.) · CVSSv3.1 9.8 (CRITICAL)
Movable Type provided by Six Apart Ltd. contains a code injection vulnerability which may allow an attacker to execute arbitrary Perl script.
Financial cyberthreats in 2025 and the outlook for 2026
Kaspersky's 2025 financial threat report documents a significant shift in attacker tactics away from traditional PC banking malware toward credential theft via infostealers, mobile banking malware, and highly targeted phishing campaigns. Over 1 million banking accounts from the world's 100 largest banks were compromised and published on dark web resources, with 74% of stolen payment cards remaining valid months or years after theft. Phishing campaigns now heavily target e-commerce, digital services, and gaming platforms with region-specific social engineering, while infostealers surged 59% globally and fuel a thriving dark web economy in stolen credentials, payment data, and identity profiles.
CVE-2026-3535 — DSGVO Google Web Fonts GDPR plugin for WordPress · CVSSv3.1 9.8 (CRITICAL)
The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the `DSGVOGWPdownloadGoogleFonts()` function in all versions up to, and including, 1.1. The function is exposed via a `wp_ajax_nopriv_` hook, requiring no authentication. It fetches a user-supplied URL as a CSS file, extracts URLs from its content, and downloads those files to a publicly accessible directory without validating the file type. This
CVE-2026-24913 — MATCHA INVOICE · CVSSv3.1 8.8 (HIGH)
SQL Injection vulnerability exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, information stored in the database may be obtained or altered by a user who can log in to the product.
CVE-2026-4003 — Users manager – PN plugin for WordPress · CVSSv3.1 9.8 (CRITICAL)
The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the 'userspn_form_save' case. The conditional only blocks unauthenticated users when the user_id is empty, but when a non-empty user_id is supplied, execution bypasses this check entirely and proceeds to update arbitrary
CVE-2026-3499 — Product Feed PRO for WooCommerce by AdTribes plugin for WordPress · CVSSv3.1 8.8 (HIGH)
The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to missing or incorrect nonce validation on the ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, and ajax_fix_duplicate_feed functions. This makes it possible for unauthenticate
CVE-2026-3296 — Everest Forms plugin for WordPress · CVSSv3.1 9.8 (CRITICAL)
The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms
CVE-2026-33810 — Go certificate chain verification · CVSSv3.1 8.2 (HIGH)
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
CVE-2026-27143 — loop induction variable arithmetic · CVSSv3.1 9.8 (CRITICAL)
Arithmetic over induction variables in loops was not correctly checked for underflow or overflow. As a result, the compiler would allow invalid indexing to occur at runtime, potentially leading to memory corruption.
CVE-2026-27140 — SWIG file names containing 'cgo' · CVSSv3.1 8.8 (HIGH)
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
CVE-2026-4788 — IBM Tivoli Netcool/Impact · CVSSv3.1 8.4 (HIGH)
IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.37 stores sensitive information in log files that could be read by a local user.
CVE-2026-3357 — IBM Langflow Desktop · CVSSv3.1 8.8 (HIGH)
IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.
CVE-2026-1346 — IBM Security Verify Access / Verify Identity Access · CVSSv3.1 9.3 (CRITICAL)
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to escalate their privileges to root due to execution with more privileges than required.
CVE-2026-1342 — IBM Security Verify Access / Verify Identity Access · CVSSv3.1 8.5 (HIGH)
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to execute malicious scripts from outside of its control sphere.
BloodHound v9.0.0-rc2
BloodHound v9.0.0-rc2 released with bug fixes and feature additions including query space handling, user-agent parsing correction, DAWGS dependency bump, and new Azure ingestion support for AZContributor on management groups, resource groups, and subscriptions.
CVE-2026-39847 — Emmett · CVSSv3.1 9.1 (CRITICAL)
Emmett is a full-stack Python web framework designed with simplicity. From 2.5.0 to before 2.8.1, the RSGI static handler for Emmett's internal assets (/__emmett__ paths) is vulnerable to path traversal attacks. An attacker can use ../ sequences (e.g. /__emmett__/../rsgi/handlers.py) to read arbitrary files outside the assets directory. This vulnerability is fixed in 2.8.1.
CVE-2026-39846 — SiYuan · CVSSv3.1 9.0 (CRITICAL)
SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped into rendered HTML, creating a stored XSS sink. Because the desktop renderer runs with nodeIntegration enabled and contextIsolation disabled, attacker-controlled JavaScript executes with access to Node.js
CVE-2026-34582 — Botan · CVSSv3.1 9.1 (CRITICAL)
Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can be bypassed by a client which entirely omits Certificate, CertificateVerify, and the Finished message and instead sends application data records. This vulnerability is fixed in 3.11.1.
CVE-2026-34078 — Flatpak · CVSSv3.1 10.0 (CRITICAL) · EPSS 13th percentile
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.
CVE-2026-31789 — OpenSSL · CVSSv3.1 9.8 (CRITICAL)
Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which a
CVE-2026-28387 — OpenSSL · CVSSv3.1 8.1 (HIGH)
Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-E
CVE-2026-28386 — OpenSSL · CVSSv3.1 7.5 (HIGH) · EPSS 15th percentile
Issue summary: Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support can trigger an out-of-bounds read of up to 15 bytes when processing partial cipher blocks. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not written to o
CVE-2026-39397 — @delmaredigital/payload-puck (PayloadCMS plugin) · CVSSv3.1 9.4 (CRITICAL)
@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints. This vulnerability is fixed in 0.6.