Latest intel // live feed
CVE-2026-39305 — PraisonAI: PraisonAI is a multi-agent teams system. Prior to 1.5.113, the Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker (or compromised agent) to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments (../) in the target path, malicious actions can overwrite sensitive system files or drop executable payloads on the host. This vulnerability is fixed in 1.5.113. · CVSSv3.1 9.0 (CRITICAL)
CVE-2026-35614 — Frappe: Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe has a SQL injection in bulk_update. This vulnerability is fixed in 16.14.0 and 15.104.0. · CVSSv3.1 9.8 (CRITICAL)
CVE-2026-35610 — PolarLearn: PolarLearn is a free and open-source learning program. In 0-PRERELEASE-14 and earlier, setCustomPassword(userId, password) and deleteUser(userId) in the account-management module used an inverted admin check. Because of the inverted condition, authenticated non-admin users were allowed to execute both actions, while real admins were rejected. This is a direct privilege-escalation issue in the application. · CVSSv3.1 8.8 (HIGH)
CVE-2026-35607 — File Browser: File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in commit b6a4fb1 ("self-registered users don't get execute perms") stripped Execute permission and Commands from users created via the signup handler. The same fix was not applied to the proxy auth handler. Users auto-created on first successful proxy-auth login are granted execution capabilities from global default · CVSSv3.1 8.1 (HIGH)
CVE-2026-35580 — Emissary: Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with repository write access could inject arbitrary shell commands, leading to repository poisoning and supply chain compromise affecting all downstream users. This vulnerability is fixed in 8.39.0. · CVSSv3.1 9.1 (CRITICAL)
CVE-2026-27314 — Apache Cassandra: Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission to associate their own certificate identity with an arbitrary role, including a superuser role, and authenticate as that role via ADD IDENTITY. Users are recommended to upgrade to version 5.0.7+, which fixes this issue. · CVSSv3.1 8.8 (HIGH)
CVE-2026-23696 — Windmill: Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints. · CVSSv3.1 9.9 (CRITICAL)
CVE-2026-22683 — Windmill: Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execut · CVSSv3.1 8.8 (HIGH) · EPSS 51st percentile
CVE-2024-36058 — Koha Library: The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in /cgi-bin/koha/opac-sendbasket.pl, allowing library users to read arbitrary data from the database. · CVSSv3.1 9.8 (CRITICAL)
CVE-2026-35521 — FTLDNS: FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP hosts configuration parameter (dhcp.hosts). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability · CVSSv3.1 8.8 (HIGH)
CVE-2026-35520 — FTLDNS: FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP lease time configuration parameter (dhcp.leaseTime). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulne · CVSSv3.1 8.8 (HIGH)
CVE-2026-35519 — FTLDNS: FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulne · CVSSv3.1 8.8 (HIGH)
CVE-2026-35518 — FTLDNS: FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configuration parameter (dns.cnameRecords). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This v · CVSSv3.1 8.8 (HIGH)
CVE-2026-35517 — FTLDNS: FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the upstream DNS servers configuration parameter (dns.upstreams). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This v · CVSSv3.1 8.8 (HIGH)
CVE-2026-35490 — changedetection.io: changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these route · CVSSv3.1 9.8 (CRITICAL)
CVE-2026-35488 — Tandoor: Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, RecipeBookViewSet and RecipeBookEntryViewSet use CustomIsShared as an alternative permission class, but CustomIsShared.has_object_permission() returns True for all HTTP methods — including DELETE, PUT, and PATCH — without checking request.method in SAFE_METHODS. Any user who is in the shared list of a RecipeBook can delete or overwrite it, even though shared ac · CVSSv3.1 8.1 (HIGH)
CVE-2026-33816 — pgx: Memory-safety vulnerability in github.com/jackc/pgx/v5. · CVSSv3.1 9.8 (CRITICAL)
CVE-2026-33815 — pgx: Memory-safety vulnerability in github.com/jackc/pgx/v5. · CVSSv3.1 9.8 (CRITICAL)
CVE-2026-30460 — FuelCMS: Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module. · CVSSv3.1 8.8 (HIGH)
CVE-2025-52908 — Samsung Exynos: An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Incorrect handling of the NL80211 vendor command leads to a buffer overflow via a certain ioctl message, issue 1 of 2. · CVSSv3.1 9.8 (CRITICAL)
CVE-2025-24818 — Nokia MantaRay NM: Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in the Log Search application. · CVSSv3.1 8.0 (HIGH)
CVE-2025-24817 — Nokia MantaRay NM: Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in the Symptom Collector application. · CVSSv3.1 8.0 (HIGH)
CVE-2024-36057 — Koha Library: Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line "qx/unzip $filename -d $dirname/;" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by an attacker and is directly included in a system command, i.e., an attack can occur via malicious filenames after uploading a .zip file and clicking Process Images. · CVSSv3.1 9.8 (CRITICAL)
AzureHound v2.12.0-rc1: AzureHound v2.12.0-rc1 released with bug fixes including removal of a race condition in unit tests, correction of role filtering logic for listResourceGroupUserAccessAdmins, and expanded collection of AzureContributor role assignments across management groups, resource groups, and subscriptions.
CVE-2026-5373 — runZero Platform: An issue that allowed all-organization administrators to promote accounts to superuser status has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N (8.1 High). This issue was fixed in version 4.0.260202.0 of the runZero Platform. · CVSSv3.1 8.1 (HIGH)