Latest intel // live feed
CVE-2026-3296 — Everest Forms (WordPress plugin)
The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms CVSSv3.1 9.8 (CRITICAL)
CVE-2026-33810 — Go
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. CVSSv3.1 8.2 (HIGH)
CVE-2026-27143
Arithmetic over induction variables in loops was not correctly checked for underflow or overflow. As a result, the compiler would allow invalid indexing to occur at runtime, potentially leading to memory corruption. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-27140 — SWIG
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass. CVSSv3.1 8.8 (HIGH)
CVE-2026-4788 — IBM Tivoli Netcool/Impact
IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.37 stores sensitive information in log files that could be read by a local user. CVSSv3.1 8.4 (HIGH)
CVE-2026-3357 — Langflow
IBM Langflow Desktop 1.6.0 through 1.8.2 could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component. CVSSv3.1 8.8 (HIGH)
CVE-2026-1346 — IBM Security Verify Access
IBM Verify Identity Access Container 11.0 through 11.0.2, IBM Security Verify Access Container 10.0 through 10.0.9.1, IBM Verify Identity Access 11.0 through 11.0.2, and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to escalate their privileges to root due to execution with more privileges than required. CVSSv3.1 9.3 (CRITICAL)
CVE-2026-1342 — IBM Security Verify Access
IBM Verify Identity Access Container 11.0 through 11.0.2, IBM Security Verify Access Container 10.0 through 10.0.9.1, IBM Verify Identity Access 11.0 through 11.0.2, and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to execute malicious scripts from outside of its control sphere. CVSSv3.1 8.5 (HIGH)
BloodHound v9.0.0-rc2
BloodHound v9.0.0-rc2 released with bug fixes and feature additions including query space handling, user-agent parsing correction, DAWGS dependency bump, and new Azure ingestion support for AZContributor on management groups, resource groups, and subscriptions.
CVE-2026-39847 — Emmett
Emmett is a full-stack Python web framework designed for simplicity. From 2.5.0 to before 2.8.1, the RSGI static handler for Emmett's internal assets (/__emmett__ paths) is vulnerable to path traversal attacks. An attacker can use ../ sequences (e.g. /__emmett__/../rsgi/handlers.py) to read arbitrary files outside the assets directory. This vulnerability is fixed in 2.8.1. CVSSv3.1 9.1 (CRITICAL)
CVE-2026-39846 — SiYuan
SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped into rendered HTML, creating a stored XSS sink. Because the desktop renderer runs with nodeIntegration enabled and contextIsolation disabled, attacker-controlled JavaScript executes with access to Node.js CVSSv3.1 9.0 (CRITICAL)
CVE-2026-34582 — Botan
Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can be bypassed by a client which entirely omits Certificate, CertificateVerify, and the Finished message and instead sends application data records. This vulnerability is fixed in 3.11.1. CVSSv3.1 9.1 (CRITICAL)
CVE-2026-34078 — Flatpak
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4. CVSSv3.1 10.0 (CRITICAL) · EPSS 13th percentile
CVE-2026-31789 — OpenSSL
Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which a CVSSv3.1 9.8 (CRITICAL)
CVE-2026-28387 — OpenSSL
Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-E CVSSv3.1 8.1 (HIGH)
CVE-2026-28386 — OpenSSL
Issue summary: Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support can trigger an out-of-bounds read of up to 15 bytes when processing partial cipher blocks. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not written to o CVSSv3.1 7.5 (HIGH) · EPSS 15th percentile
CVE-2026-39397 — PayloadCMS (@delmaredigital/payload-puck)
@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints. This vulnerability is fixed in 0.6. CVSSv3.1 9.4 (CRITICAL)
CVE-2026-34045 — Podman Desktop
Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows any network attacker to remotely trigger denial-of-service conditions and extract sensitive information. By abusing missing connection limits and timeouts, an attacker can exhaust file descriptors and kernel memory, leading to application crash or full host freeze. Additionally, verbose error responses disclose intern CVSSv3.1 8.2 (HIGH)
CVE-2026-39371 — RedwoodSDK
RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, server functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on top-level GET requests. This affected all server functions -- both serverAction() handlers and bare exported functions in CVSSv3.1 8.1 (HIGH) · EPSS 0th percentile
CVE-2026-39322 — PolarLearn
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, POST /api/v1/auth/sign-in creates a valid session for banned accounts before verifying the supplied password. That session is then accepted across authenticated /api routes, enabling account data access and authenticated actions as the banned user. CVSSv3.1 8.8 (HIGH)
CVE-2025-69515 — JXL
An issue in JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to force the infotainment system into accepting falsified GPS signals as legitimate, resulting in the device reporting an incorrect or static location. CVSSv3.1 9.1 (CRITICAL)
10 Minutes with Claude: Remote Code Execution in Apache ActiveMQ (CVE-2026-34197)
CVE-2026-34197 is a critical RCE in Apache ActiveMQ Classic that chains the Jolokia API, network connector functionality, and VM transport to force remote Spring XML configuration loading and arbitrary code execution. The vulnerability requires authentication (default admin:admin credentials are common), but becomes unauthenticated on versions 6.0.0–6.1.1 due to CVE-2024-32114. Patches are available in ActiveMQ 5.19.4 and 6.2.3.
CVE-2026-34197 — Apache ActiveMQ
CVE-2026-34197 is an authenticated remote code execution vulnerability in Apache ActiveMQ Classic's Jolokia JMX-HTTP bridge that allows attackers to inject malicious Spring XML configurations via crafted URIs to broker management operations (addNetworkConnector, addConnector). The vulnerability affects versions before 5.19.4 and 6.0.0 before 6.2.3, and becomes unauthenticated RCE when combined with CVE-2024-32114. Apache released patches on March 30, 2026, with public disclosure on April 7, 2026.
CVE-2026-39355 — Kreaweb Genealogy
Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken access control vulnerability in the genealogy application allows any authenticated user to transfer ownership of arbitrary non-personal teams to themselves. This enables complete takeover of other users’ team workspaces and unrestricted access to all genealogy data associated with the compromised team. This vulnerability is fixed in 5.9.1. CVSSv3.1 9.9 (CRITICAL)
CVE-2026-39351 — Frappe
Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit. CVSSv3.1 9.1 (CRITICAL)