Latest intel // live feed
API Authentication Bypass in FortiClient EMS 7.4.5-7.4.6 – CVE-2026-35616
Bishop Fox researchers reverse-engineered CVE-2026-35616, a critical authentication bypass in FortiClient EMS 7.4.5-7.4.6 affecting the management plane for entire endpoint fleets. The vulnerability stems from two independent flaws: Django trusts user-controllable HTTP headers (X-SSL-CLIENT-VERIFY, X-SSL-CLIENT-CERT) as equivalent to Apache mod_ssl WSGI variables, and certificate chain validation performs only DN string matching with zero cryptographic signature verification. Fortinet confirmed active exploitation and released a hotfix that strips headers at the Apache layer; a permanent code-level fix is deferred to 7.4.7.
What we learned about TEE security from auditing WhatsApp's Private Inference
Trail of Bits published findings from a pre-launch security audit of WhatsApp's Private Inference system, which uses AMD SEV-SNP and Nvidia confidential GPUs to process encrypted messages with AI features. The audit identified 28 issues including 8 high-severity vulnerabilities, such as unmeasured configuration loading (LD_PRELOAD injection), unvalidated ACPI tables, incorrect firmware patch verification, and missing attestation freshness, all of which Meta patched before launch. The research demonstrates that TEE deployments require rigorous validation of all inputs, cryptographic measurement of critical data, and comprehensive negative testing to prevent subtle implementation gaps from becoming exploitable.
CVE-2026-34197 — Input: Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke the CVSSv3.1 8.8 (HIGH)
CVE-2026-5465 — Booking: The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to validate changes to the `externalId` field when a Provider (Employee) user updates their own profile. The `externalId` maps directly to a WordPress user ID and is passed to `wp_set_password()` and `wp_update_user()` without authorization checks. CVSSv3.1 8.8 (HIGH)
CVE-2026-1114 — In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalat CVSSv3.1 9.8 (CRITICAL)
EvilTokens: an AI-augmented Phishing-as-a-Service for automating BEC fraud – Part 2
Sekoia disclosed EvilTokens, an AI-augmented Phishing-as-a-Service (PhaaS) kit leveraging Microsoft device code phishing to harvest OAuth tokens and automate Business Email Compromise (BEC) fraud. The platform integrates LLM-driven analysis (Groq and OpenAI APIs) to automatically identify financial exposure in compromised mailboxes, generate tailored BEC attack scenarios, and draft convincing phishing emails—reducing manual effort and lowering the barrier to entry for threat actors. Since February 2026, EvilTokens has been actively sold via Telegram with structured affiliate programs, custom browsers for token management, and backend infrastructure supporting reconnaissance via Microsoft Graph API and persistence mechanisms.
CVE-2025-65115 — Code: Remote Code Execution Vulnerability in JP1/IT Desktop Management 2 - Manager on Windows, JP1/IT
Remote Code Execution Vulnerability in JP1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management 2 - Operations Director on Windows, Job Management Partner 1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management - Manager on Windows, Job Management Partner 1/IT Desktop Management - Manager on Windows, JP1/NETM/DM Manager on Windows, JP1/NETM/DM Client on Windows, Job Management Partner 1/Software Distribution Manager on Windows, Job Managem CVSSv3.1 8.8 (HIGH)
CVE-2026-0740 — Ninja: The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file
The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability was partially patched in version 3.3.25 and fully patched in v CVSSv3.1 9.8 (CRITICAL)
CVE-2026-20433 — Mediatek Mt2735_firmware: In Modem, there is a possible out of bounds write due to a missing
In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01088681; Issue ID: MSV-4460. CVSSv3.1 8.8 (HIGH)
CVE-2026-20432 — Mediatek Mt2735_firmware: In Modem, there is a possible out of bounds write due to a missing
In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01406170; Issue ID: MSV-4461. CVSSv3.1 8.0 (HIGH)
Claude Code Packaging Error Remains a Lure in an Active Campaign: What Defenders Should Do
Threat actors exploited Anthropic's Claude Code npm packaging error to distribute trojanized archives via a fake GitHub repository (leaked-claude-code), delivering Vidar, GhostSocks, and PureLog Stealer malware. The campaign has been active since February 2026, cycling through 25+ software brands as lures, with 533+ confirmed downloads of the Claude Code payload as of April 7, 2026. The malware enables credential theft, cryptocurrency wallet exfiltration, session hijacking, and residential proxy abuse on Windows systems.
CVE-2026-5709 — Amazon Research_and_engineering_studio: Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version
Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version 2024.10 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance via crafted input when using the FileBrowser functionality. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment. CVSSv3.1 8.8 (HIGH)
CVE-2026-5708 — Amazon Research_and_engineering_studio: Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and
Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with AWS resources and services via a crafted API request. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to th CVSSv3.1 8.8 (HIGH)
CVE-2026-5707 — Amazon Research_and_engineering_studio: Unsanitized input in an OS command in the virtual desktop session name handling in
Unsanitized input in an OS command in the virtual desktop session name handling in AWS Research and Engineering Studio (RES) version 2025.03 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands as root on the virtual desktop host via a crafted session name. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment. CVSSv3.1 8.8 (HIGH)
CVE-2026-5687 — This manipulation of the argument page causes stack-based buffer overflow.
A weakness has been identified in Tenda CX12L 16.03.53.12. This issue affects the function fromNatStaticSetting of the file /goform/NatStaticSetting. This manipulation of the argument page causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. CVSSv3.1 8.8 (HIGH)
CVE-2026-5686 — The manipulation of the argument page results in stack-based buffer overflow.
A security flaw has been discovered in Tenda CX12L 16.03.53.12. This vulnerability affects the function fromRouteStatic of the file /goform/RouteStatic. The manipulation of the argument page results in stack-based buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. CVSSv3.1 8.8 (HIGH)
CVE-2026-5685 — Tenda: The manipulation of the argument page leads to stack-based buffer overflow.
A vulnerability was identified in Tenda CX12L 16.03.53.12. This affects the function fromAddressNat of the file /goform/addressNat. The manipulation of the argument page leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit is publicly available and might be used. CVSSv3.1 8.8 (HIGH)
CVE-2026-5684 — Tenda: Executing a manipulation of the argument page can lead to stack-based buffer overflow.
A vulnerability was determined in Tenda CX12L 16.03.53.12. Affected by this issue is the function fromwebExcptypemanFilter of the file /goform/webExcptypemanFilter. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack requires access to the local network. The exploit has been publicly disclosed and may be utilized. CVSSv3.1 8.0 (HIGH)
CVE-2026-35471 — Goshs Goshs: Prior to 2.0.0-beta.3, tdeleteFile() missing return after path traversal check.
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, tdeleteFile() is missing a return after the path traversal check. This vulnerability is fixed in 2.0.0-beta.3. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-35442 — Directus: Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from directus_users. This vulne CVSSv3.1 8.1 (HIGH)
CVE-2026-35408 — Directus: Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP response header. Without this header, a malicious cross-origin window that opens the Directus login page retains the ability to access and manipulate the window object of that page. An attacker can exploit this to intercept and redirect the OAuth authorization flow to an attacker-controll CVSSv3.1 8.7 (HIGH)
Milking the last drop of Intego - Time for Windows to get its LPE
Quarkslab disclosed a local privilege escalation vulnerability in Intego 3.0.0.1 for Windows affecting the Optimization module. The vulnerability stems from a time-of-check-time-of-use (TOCTOU) race condition where IavService.exe deletes files as SYSTEM without validating whether targets are symlinks or directories, allowing attackers to chain the deletion with the Config.msi rollback primitive to achieve SYSTEM code execution.
v3.4.0.53
Mythic v3.4.0.53 released with a Dockerfile tag bump to match the release version. This is a routine version bump with no disclosed security fixes, features, or breaking changes in the available metadata.
CVE-2026-35395 — Wegia Wegia: Prior to 3.6.9, WeGIA (Web gerenciador para instituições assistenciais) contains a SQL injection vulnerability
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, WeGIA (Web gerenciador para instituições assistenciais) contains a SQL injection vulnerability in dao/memorando/DespachoDAO.php. The id_memorando parameter is extracted from $_REQUEST without validation and directly interpolated into SQL queries, allowing any authenticated user to execute arbitrary SQL commands against the database. This vulnerability is fixed in 3.6.9. CVSSv3.1 8.8 (HIGH)
CVE-2026-35394 — Mobilenexthq Mobile_mcp: Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's
Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. This vulnerability is fixed in 0.0.50. CVSSv3.1 8.3 (HIGH)