Latest intel // live feed
CVE-2026-25773 — Mattermost Focalboard: This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data
** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitized when the category reorder API processes the stored value. This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data inc CVSSv3.1 8.1 (HIGH) · EPSS 1st percentile
CVE-2026-23425 — Linux Linux_kernel: This results in the hypervisor seeing the flag as set while the ID registers
In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix ID register initialization for non-protected pKVM guests In protected mode, the hypervisor maintains a separate instance of the `kvm` structure for each VM. For non-protected VMs, this structure is initialized from the host's `kvm` state. Currently, `pkvm_init_features_from_host()` copies the `KVM_ARCH_FLAG_ID_REGS_INITIALIZED` flag from the host without the underlying `id_regs` data being CVSSv3.1 8.8 (HIGH) · EPSS 2nd percentile
You Don’t Have a Security Problem, You Have a Visibility Problem
Rapid7 research argues that most breaches stem from visibility gaps rather than advanced exploits—specifically the inability to map assets, identities, and attack paths holistically. The article uses a medical technology breach case study where exposed assets, credential reuse, and over-permissioned access chained together into a lateral movement path that remained invisible until critical systems were compromised. The core thesis is that attackers exploit the connections between common weaknesses, not individual vulnerabilities, and that a visibility-first approach focusing on asset discovery, identity exposure, and attack path simulation is more effective than traditional vulnerability management.
Simplifying MBA obfuscation with CoBRA
Trail of Bits released CoBRA, an open-source tool that simplifies Mixed Boolean-Arithmetic (MBA) obfuscation expressions with 99.86% success rate across 73,000+ real-world samples. CoBRA operates as a CLI tool, C++ library, and LLVM pass plugin, addressing a gap where existing simplifiers (SiMBA, GAMBA) handle only partial expression classes.
CVE-2026-4350 — Perfmatters: The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal
The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 2.5.9.1. This is due to the `PMCS::action_handler()` method processing the `$_GET['delete']` parameter without any sanitization, authorization check, or nonce verification. The unsanitized filename is concatenated with the storage directory path and passed to `unlink()`. This makes it possible for authenticated attackers, with Subscriber-level CVSSv3.1 8.1 (HIGH) · EPSS 14th percentile
CVE-2026-5463 — Danmcinerney Pymetasploit3: Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject
Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions. CVSSv3.1 8.6 (HIGH) · EPSS 83rd percentile
CVE-2026-33107 — Microsoft Azure_databricks: Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges
Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a network. CVSSv3.1 10.0 (CRITICAL)
CVE-2026-33105 — Microsoft Azure_kubernetes_service: Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges
Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network. CVSSv3.1 10.0 (CRITICAL)
CVE-2026-32213 — Microsoft Azure_ai_foundry: Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over
Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network. CVSSv3.1 10.0 (CRITICAL)
CVE-2026-32211 — Microsoft Azure_web_apps: Missing authentication for critical function in Azure MCP Server allows an unauthorized attacker to
Missing authentication for critical function in Azure MCP Server allows an unauthorized attacker to disclose information over a network. CVSSv3.1 9.1 (CRITICAL)
CVE-2026-32173 — Microsoft Azure_sre_agent: Improper authentication in Azure SRE Agent allows an unauthorized attacker to disclose information over
Improper authentication in Azure SRE Agent allows an unauthorized attacker to disclose information over a network. CVSSv3.1 8.6 (HIGH)
CVE-2026-26135 — Microsoft Azure_custom_locations_resource_provider: Server-side request forgery (ssrf) in Azure Custom Locations Resource Provider (RP) allows an authorized
Server-side request forgery (ssrf) in Azure Custom Locations Resource Provider (RP) allows an authorized attacker to elevate privileges over a network. CVSSv3.1 9.6 (CRITICAL)
Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads
Anthropic accidentally exposed ~512K lines of Claude Code TypeScript source via a misconfigured npm package on March 31, 2026. Within 24 hours, threat actors weaponized the incident by creating fake GitHub repositories distributing Vidar stealer and GhostSocks proxy malware under the guise of leaked Claude Code, pivoting an existing rotating-lure campaign active since February 2026 that has impersonated 25+ software brands.
CVE-2025-15620 — HiOS: Switch Platform versions 09.1.00 prior to 09.4.05 and 10.3.01 contain a denial-of-service vulnerability
HiOS Switch Platform versions 09.1.00 prior to 09.4.05 and 10.3.01 contain a denial-of-service vulnerability in the web interface that allows remote attackers to reboot the affected device by sending a malicious HTTP GET request to a specific endpoint. Attackers can trigger an uncontrolled reboot condition through crafted HTTP requests to cause service disruption and unavailability of the switch. CVSSv3.1 8.6 (HIGH) · EPSS 1st percentile
CVE-2026-35053 — Hackerbay Oneuptime: Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId) without any authentication middleware. An attacker who can obtain or guess a workflow ID can trigger arbitrary workflow execution with attacker-controlled input data, enabling JavaScript code execution, notification abuse, and data manipu CVSSv3.1 9.8 (CRITICAL)
CVE-2026-34840 — Hackerbay Oneuptime: An attacker can prepend an unsigned assertion containing an arbitrary identity before a legitimately
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, OneUptime's SAML SSO implementation (App/FeatureSet/Identity/Utils/SSO.ts) has decoupled signature verification and identity extraction. isSignatureValid() verifies the first <Signature> element in the XML DOM using xml-crypto, while getEmail() always reads from assertion[0] via xml2js. An attacker can prepend an unsigned assertion containing an arbitrary identity before a legitimatel CVSSv3.1 8.1 (HIGH)
CVE-2026-34759 — Hackerbay Oneuptime: Combined with a projectId leak from the public Status Page API, an unauthenticated attacker
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These endpoints are externally reachable via the Nginx proxy at /notification/. Combined with a projectId leak from the public Status Page API, an unauthenticated attacker can purchase ph CVSSv3.1 8.1 (HIGH)
CVE-2026-34742 — Lfprojects Mcp_go_sdk: Prior to version 1.4.0, the Model Context Protocol (MCP) Go SDK does not enable
The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.0, the Model Context Protocol (MCP) Go SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPHandler or SSEHandler, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tool CVSSv3.1 8.1 (HIGH)
CVE-2026-34577 — Gitroom Postiz: The endpoint requires no authentication and has no SSRF protections, allowing an unauthenticated attacker
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by appending .mp4 as a query parameter value or URL fragment. The endpoint requires no authentication and has no SSRF protections, allowing an unauthenticated attacker to read response CVSSv3.1 8.6 (HIGH)
CVE-2026-34524 — Sillytavern Sillytavern: Prior to version 1.17.0, a path traversal vulnerability in chat endpoints allows an authenticated
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in chat endpoints allows an authenticated attacker to read and delete arbitrary files under their user data root (for example secrets.json and settings.json) by supplying avatar_url="..". This issue has been patched in version 1.17.0. CVSSv3.1 8.3 (HIGH)
CVE-2026-34522 — Sillytavern Sillytavern: Prior to version 1.17.0, a path traversal vulnerability in /api/chats/import allows an authenticated attacker
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in /api/chats/import allows an authenticated attacker to write attacker-controlled files outside the intended chats directory by injecting traversal sequences into character_name. This issue has been patched in version 1.17.0. CVSSv3.1 8.1 (HIGH)
CVE-2026-34121 — Tp-link Tapo_c520ws_firmware: An authentication bypass vulnerability within the HTTP handling of the DS configuration service in
An authentication bypass vulnerability within the HTTP handling of the DS configuration service in TP-Link Tapo C520WS v2.6 was identified, due to inconsistent parsing and authorization logic in JSON requests during the authentication check. An unauthenticated attacker can append an authentication-exempt action to a request containing privileged DS do actions, bypassing authorization checks. Successful exploitation allows unauthenticated execution of restricted configuration ac CVSSv3.1 8.8 (HIGH)
CVE-2026-34877 — Arm Mbed_tls: Insufficient protection of serialized SSL context or session structures allows an attacker who can
An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, and in Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to arbitrary code execution. This is caused by Incorrect Use of Privileged APIs. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-33950 — Signalk Signal_k_server: Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4. CVSSv3.1 9.4 (CRITICAL)
CVE-2026-5350 — Trendnet Tew-657brm_firmware: The manipulation of the argument mac_pc_dba results in stack-based buffer overflow.
A security flaw has been discovered in Trendnet TEW-657BRM 1.00.1. The impacted element is the function update_pcdb of the file /setup.cgi. The manipulation of the argument mac_pc_dba results in a stack-based buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor confirms that "[t]he product in question (...) has been discontinued and end of life since June 23, 2011, that is more than 14 years a CVSSv3.1 8.8 (HIGH)