Latest intel // live feed
CVE-2026-5350 — Trendnet Tew-657brm_firmware: The manipulation of the argument mac_pc_dba results in stack-based buffer overflow.
A security flaw has been discovered in Trendnet TEW-657BRM 1.00.1. The impacted element is the function update_pcdb of the file /setup.cgi. The manipulation of the argument mac_pc_dba results in stack-based buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor confirms that "[t]he product in question (...) has been discontinued and end of life since June 23, 2011, that is more than 14 years a CVSSv3.1 8.8 (HIGH)
CVE-2026-5349 — Trendnet Tew-657brm_firmware: The manipulation of the argument mac_pc_dba leads to stack-based buffer overflow.
A vulnerability was identified in Trendnet TEW-657BRM 1.00.1. The affected element is the function add_apcdb of the file /setup.cgi. The manipulation of the argument mac_pc_dba leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor confirms that "[t]he product in question (...) has been discontinued and end of life since June 23, 2011, that is more than 14 years ago. We no longer provide sup CVSSv3.1 8.8 (HIGH)
ghostsurf: From NTLM Relay to Browser Session Hijacking
SpecterOps released ghostsurf, a tool that enables browser-based NTLM relay attacks against web applications by fixing fundamental design flaws in ntlmrelayx's HTTP SOCKS proxy. The research identifies and circumvents undocumented Windows kernel-mode authentication behavior in IIS that causes authenticated sessions to reset when accessing unauthenticated resources, enabling attackers to browse enterprise password managers and other NTLM-protected web apps as relayed users.
CVE-2026-34797 — Endian Firewall_community: Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_smtp.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation. CVSSv3.1 8.8 (HIGH)
CVE-2026-34796 — Endian Firewall_community: Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_openvpn.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation. CVSSv3.1 8.8 (HIGH)
CVE-2026-34795 — Endian Firewall_community: Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_log.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation. CVSSv3.1 8.8 (HIGH)
CVE-2026-34794 — Endian Firewall_community: Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_ids.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation. CVSSv3.1 8.8 (HIGH)
CVE-2026-34793 — Endian Firewall_community: Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_firewall.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation. CVSSv3.1 8.8 (HIGH)
CVE-2026-34792 — Endian Firewall_community: Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_clamav.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation. CVSSv3.1 8.8 (HIGH)
CVE-2026-34791 — Endian Firewall_community: Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_proxy.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation. CVSSv3.1 8.8 (HIGH)
CVE-2026-34728 — Phpmyfaq Phpmyfaq: When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index() method handles file deletion for the media browser. When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the base upload directory path without any path traversal validation. The FILTER_SANITIZE_SPECIAL_CHARS filter only encodes HTML special characters (&, ', ", <, >) and characters with ASCII value < 32, and does not prevent di CVSSv3.1 8.7 (HIGH)
CVE-2026-32871 — Jlowin Fastmcp: Since urljoin() interprets ../ sequences as directory traversal, an attacker controlling a path parameter
FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service. A vulnerability exists in the _build_url() method. When an OpenAPI operation defines path parameters (e.g., /api/v1/users/{user_id}), the system directly substitutes parameter values into the URL t CVSSv3.1 10.0 (CRITICAL)
CVE-2026-3692 — Progress Flowmon: In Progress Flowmon versions prior to 12.5.8, a vulnerability exists whereby an authenticated low-privileged
In Progress Flowmon versions prior to 12.5.8, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the report generation process that results in unintended commands being executed on the server. CVSSv3.1 8.8 (HIGH)
CVE-2026-35168 — Devcode Openstamanager: Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can execut CVSSv3.1 8.8 (HIGH)
CVE-2026-28805 — Devcode Openstamanager: Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacke CVSSv3.1 8.8 (HIGH)
CVE-2026-4636 — Redhat Build_of_keycloak: An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation.
A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or CVSSv3.1 8.1 (HIGH)
New Whitepaper: Stealthy BPFDoor Variants are a Needle That Looks Like Hay
Rapid7 Labs disclosed seven new BPFDoor kernel-level backdoor variants targeting telecom infrastructure, featuring evolved evasion techniques including stateless ICMP/HTTP C2 tunneling, dynamic PID-bound BPF filters, multi-protocol parallel sniffing, and process masquerading as legitimate daemons (HPE ProLiant agents, NTP services). The malware has evolved from fileless execution to disk-resident variants using /var/run/user/0 to bypass auditd logging, implements relay-based lateral movement via ICMP, and uses magic packet structures with hidden IP fields for stateless C2 routing that survives NAT/VPN deployments.
byob — An open-source post-exploitation framework for students, researchers and developers.
BYOB is an open-source post-exploitation framework written in Python that provides command-and-control infrastructure, payload generation, and 12 post-exploitation modules (persistence, keylogging, privilege escalation, packet sniffing, etc.). The framework features encrypted reverse TCP shells via AES-256 with Diffie-Hellman key exchange, remote code loading without disk writes, and a web GUI dashboard for managing compromised hosts.
You’re Not Supposed To ShareFile With Everyone (Progress ShareFile Pre-Auth RCE Chain CVE-2026-2699 & CVE-2026-2701)
WatchTowr Labs disclosed a pre-authenticated RCE chain in Progress ShareFile Storage Zone Controller (on-premises branch 5.x) affecting ~30,000 internet-exposed instances. CVE-2026-2699 is an authentication bypass via Execution After Redirect (CWE-698) in Admin.aspx, and CVE-2026-2701 chains this to RCE by allowing unauthenticated modification of zone configuration and upload paths to achieve code execution. Both vulnerabilities were patched in version 5.12.4 released March 10, 2026.
CVE-2026-4347 — Form: The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due
The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generate_user_filepath' function and the 'move_temp_file_to_upload_dir' function in all versions up to, and including, 5.1.0. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). The vulnerability is only exploitabl CVSSv3.1 8.1 (HIGH) · EPSS 26th percentile
Prioritizing Alerts Triage with Higher-Order Detection Rules
Elastic Security Labs published a technical guide on Higher-Order Rules (HOR), a detection engineering pattern that correlates multiple alerts across endpoints, networks, and observability data to reduce false positives and improve triage prioritization. The approach uses entity-based correlation, cross-data-source visibility, and temporal/prevalence logic to surface high-confidence findings from alert volume that would otherwise overwhelm SOC analysts.
How we caught the Axios supply chain attack
Elastic Security Labs detected and disclosed a critical supply chain attack on Axios (npm's most-downloaded HTTP client) where attackers compromised a maintainer account and injected a phantom dependency with a cross-platform RAT via postinstall hooks. The detection was performed by a proof-of-concept tool built in hours that diffs package releases and uses LLM analysis to identify malicious code patterns; the tool is now open-sourced as supply-chain-monitor. The incident cascaded from earlier Trivy and LiteLLM compromises in the same campaign, attributed to DPRK state actors.
Hooked on Linux: Rootkit Detection Engineering
Elastic Security Labs publishes the second part of a comprehensive Linux rootkit detection engineering series, demonstrating that static signature-based detection is fundamentally unreliable against rootkits—even trivial binary modifications (single null byte) significantly degrade detection rates. The research pivots to behavioral and runtime detection strategies across userland injection (LD_PRELOAD, shared objects), kernel-space loading (LKM syscalls, kernel taint), eBPF-based rootkits, and emerging io_uring evasion techniques, providing practical detection rules and telemetry collection guidance.
CVE-2026-34572 — Ci4-cms-erp Ci4ms: This behavior breaks the intended access control policy and results in persistent unauthorized access
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain CVSSv3.1 8.8 (HIGH)
CVE-2026-34571 — Ci4-cms-erp Ci4ms: Prior to version 0.31.0.0, a Stored Cross-Site Scripting (Stored XSS) vulnerability exists in the
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, a Stored Cross-Site Scripting (Stored XSS) vulnerability exists in the backend user management functionality. The application fails to properly sanitize user-controlled input before rendering it in the administrative interface, allowing attackers to inject persistent JavaScript code. This results in automatic CVSSv3.1 9.9 (CRITICAL)