Latest intel // live feed
CVE-2026-28798 — Zimaspace Zimaos: This results in unauthenticated access to internal-only endpoints and sensitive local services when the…
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface can be abused (via an externally reachable domain using a Cloudflare Tunnel) to make requests to internal localhost services. This results in unauthenticated access to internal-only endpoints and sensitive local services when the product is reachable from the Internet through a Cloudflare Tunn… CVSSv3.1 9.0 (CRITICAL)
CVE-2026-25726 — Cloudreve Cloudreve: This allows them to forge valid JSON Web Tokens (JWTs) for any user, including…
Cloudreve is a self-hosted file management and sharing system. Prior to version 4.13.0, the application uses the weak pseudo-random number generator math/rand seeded with time.Now().UnixNano() to generate critical security secrets, including the secret_key, and hash_id_salt. These secrets are generated upon first startup and persisted in the database. An attacker can exploit this by obtaining the administrator's account creation time (via public API endpoints) to narrow the s… CVSSv3.1 8.1 (HIGH)
Metasploit Wrap-Up 03/04/2026
Metasploit Framework 6.4.125 adds five new modules including unauthenticated RCE exploits for FreeScout and Grav CMS, a generic HTTP command execution module, Windows persistence via registry abuse, and HTTP/HTTPS payload adapters for x86/x64. The release also includes eight enhancements, six bug fixes, and expanded documentation across multiple scanner and auxiliary modules.
CVE-2026-32186 — Microsoft Bing: Server-side request forgery (SSRF) in Microsoft Bing allows an unauthorized attacker to elevate privileges
Server-side request forgery (SSRF) in Microsoft Bing allows an unauthorized attacker to elevate privileges over a network. CVSSv3.1 10.0 (CRITICAL)
CVE-2026-0545 — FastAPI: This can lead to unauthenticated remote code execution if allowed jobs perform privileged actions
In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and any job function is allowlisted, any network client can submit, read, search, and cancel jobs without credentials, bypassing basic-auth entirely. This can lead to unauthentica… CVSSv3.1 9.1 (CRITICAL)
CVE-2026-28373 — Stackfield: The Stackfield Desktop App before 1.10.2 for macOS and Windows contains a path traversal…
The Stackfield Desktop App before 1.10.2 for macOS and Windows contains a path traversal vulnerability in certain decryption functionality when processing the filePath property. A malicious export can write arbitrary content to any path on the victim's filesystem. CVSSv3.1 9.6 (CRITICAL)
CVE-2026-35218 — Budibase Budibase: Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries…
Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, view, or query whose name contains an HTML payload (e.g. <img src=x onerror=alert(document.domain)>). When any Builder-role user in the same workspace opens the Command Palette (Ctrl… CVSSv3.1 8.7 (HIGH)
CVE-2026-35216 — Budibase Budibase: Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on…
Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. This issue has been patched in version 3.33.4. CVSSv3.1 9.0 (CRITICAL)
CVE-2026-35214 — Budibase Budibase: Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied…
Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can… CVSSv3.1 8.7 (HIGH)
CVE-2026-31818 — Budibase Budibase: Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST…
Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requ… CVSSv3.1 9.6 (CRITICAL)
CVE-2026-31402 — Linux: This results in a slab-out-of-bounds write of up to 944 bytes past the end…
In the Linux kernel, the following vulnerability has been resolved: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT). When a LOCK operation is… CVSSv3.1 9.8 (CRITICAL) · EPSS 15th percentile
CVE-2026-31393 — Linux: A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an out-of-bounds read of adjacent skb…
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access l2cap_information_rsp() checks that cmd_len covers the fixed l2cap_info_rsp header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is present: - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads 4 bytes past the header (needs cmd_len >= 8). - L2CAP_IT_FIXED_CHAN reads rsp->dat… CVSSv3.1 8.1 (HIGH) · EPSS 9th percentile
CVE-2026-31392 — Linux: In the Linux kernel, the following vulnerability has been resolved: smb: client: fix krb5…
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix krb5 mount with username option Customer reported that some of their krb5 mounts were failing against a single server as the client was trying to mount the shares with wrong credentials. It turned out the client was reusing SMB session from first mount to try mounting the other shares, even though a different username= option had been specified to the other mounts. By using username mount… CVSSv3.1 8.1 (HIGH) · EPSS 9th percentile
CVE-2026-25044 — Budibase Budibase: User input is processed through processStringSync which allows template interpolation, potentially allowing arbitrary command…
Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing arbitrary command execution. This issue has been patched in version 3.33.4. CVSSv3.1 8.8 (HIGH)
CVE-2026-23462 — Linux: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HIDP: Fix possible…
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HIDP: Fix possible UAF This fixes the following trace caused by not dropping l2cap_conn reference when user->remove callback is called: [ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00 [ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy) [ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17… CVSSv3.1 8.8 (HIGH) · EPSS 9th percentile
CVE-2026-23461 — Linux: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free…
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to conn->users. However, l2cap_register_user() and l2cap_unregister_user() don't use conn->lock, creating a race condition where these functions can access conn->users and conn->hchan concurrently with l2cap_conn_… CVSSv3.1 8.8 (HIGH) · EPSS 7th percentile
CVE-2026-23459 — Linux: In the Linux kernel, the following vulnerability has been resolved: ip_tunnel: adapt iptunnel_xmit_stats() to…
In the Linux kernel, the following vulnerability has been resolved: ip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS Blamed commits forgot that vxlan/geneve use udp_tunnel[6]_xmit_skb() which call iptunnel_xmit_stats(). iptunnel_xmit_stats() was assuming tunnels were only using NETDEV_PCPU_STAT_TSTATS. @syncp offset in pcpu_sw_netstats and pcpu_dstats is different. 32bit kernels would either have corruptions or freezes if the syncp sequence was overwritt… CVSSv3.1 8.2 (HIGH) · EPSS 7th percentile
CVE-2026-23457 — Linux: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix Content-Length…
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary. For example, Content-Length 4294967328 (2^32 + 32) is truncated to 3… CVSSv3.1 8.6 (HIGH) · EPSS 9th percentile
CVE-2026-23456 — Linux: This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read.
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byt… CVSSv3.1 8.2 (HIGH) · EPSS 9th percentile
CVE-2026-23455 — Linux: If the encoded length is 0, the decrement wraps to -1, which is then…
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read. Ad… CVSSv3.1 9.1 (CRITICAL) · EPSS 9th percentile
CVE-2026-23450 — Linux: This leads to two issues: 1) NULL pointer dereference: sk_user_data is NULL when accessed.
In the Linux kernel, the following vulnerability has been resolved: net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock() Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1]. smc_tcp_syn_recv_sock() is called in the TCP receive path (softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP listening socket). It reads sk_user_data to get the smc_sock pointer. However, when the SMC listen socket is being closed concurrently, smc_close_active() sets clcsoc… CVSSv3.1 9.8 (CRITICAL) · EPSS 9th percentile
CVE-2026-23428 — Linux Linux_kernel: In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free of…
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free of share_conf in compound request smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state == TREE_CONNECTED on the initial lookup path, but the compound reuse path bypasses this check entirely. If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state to TREE_DISCONNECTED and frees share_co… CVSSv3.1 9.8 (CRITICAL) · EPSS 2nd percentile
CVE-2026-23427 — Linux Linux_kernel: In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in…
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in durable v2 replay of active file handles parse_durable_handle_context() unconditionally assigns dh_info->fp->conn to the current connection when handling a DURABLE_REQ_V2 context with SMB2_FLAGS_REPLAY_OPERATION. ksmbd_lookup_fd_cguid() does not filter by fp->conn, so it returns file handles that are already actively connected. The unconditional overwrite replaces fp->conn, and… CVSSv3.1 9.8 (CRITICAL) · EPSS 2nd percentile
CVE-2025-59711 — Kovai Biztalk360: Because of mishandling of user-provided input in an upload mechanism, an authenticated attacker is…
An issue was discovered in Biztalk360 before 11.5. Because of mishandling of user-provided input in an upload mechanism, an authenticated attacker is able to write files outside of the destination directory and/or coerce an authentication from the service, aka Directory Traversal. CVSSv3.1 8.3 (HIGH)
CVE-2025-59710 — Kovai Biztalk360: Because of incorrect access control, any user is able to request the loading of a…
An issue was discovered in Biztalk360 before 11.5. Because of incorrect access control, any user is able to request the loading of a DLL file. During the loading, a method is called. An attacker can craft a malicious DLL, upload it to the server, and use it to achieve remote code execution on the server. CVSSv3.1 8.8 (HIGH)