2026-04-02 16:16Z · HIGH

CVE-2026-5350 — Trendnet Tew-657brm_firmware: The manipulation of the argument mac_pc_dba results in stack-based buffer overflow.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5350

A security flaw has been discovered in Trendnet TEW-657BRM 1.00.1. The impacted element is the function update_pcdb of the file /setup.cgi. The manipulation of the argument mac_pc_dba results in stack-based buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor confirms, that "[t]he product in question (...) has been discontinued and end of life since June 23, 2011, that is more than 14 years a CVSSv3.1 8.8 (HIGH)

CWE 121 · CWE 119 · VND Trendnet · TYP Vulnerability
CVSS v3.1: 8.8 · Edit Score: 94
2026-04-02 16:16Z · HIGH

CVE-2026-5349 — Trendnet Tew-657brm_firmware: The manipulation of the argument mac_pc_dba leads to stack-based buffer overflow.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5349

A vulnerability was identified in Trendnet TEW-657BRM 1.00.1. The affected element is the function add_apcdb of the file /setup.cgi. The manipulation of the argument mac_pc_dba leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor confirms, that "[t]he product in question (...) has been discontinued and end of life since June 23, 2011, that is more than 14 years ago. We no longer provide sup CVSSv3.1 8.8 (HIGH)

CWE 121 · CWE 119 · VND Trendnet · TYP Vulnerability
CVSS v3.1: 8.8 · Edit Score: 94
2026-04-02 16:00Z · HIGH

ghostsurf: From NTLM Relay to Browser Session Hijacking

SpecterOps · specterops.io

SpecterOps released ghostsurf, a tool that enables browser-based NTLM relay attacks against web applications by fixing fundamental design flaws in ntlmrelayx's HTTP SOCKS proxy. The research identifies and circumvents undocumented Windows kernel-mode authentication behavior in IIS that causes authenticated sessions to reset when accessing unauthenticated resources, enabling attackers to browse enterprise password managers and other NTLM-protected web apps as relayed users.

SRF Network · TAC TA0006 · SRF Web · TAC TA0008 · VND Microsoft · VND Impacket · TYP Research · TYP Tool
Edit Score: 87
2026-04-02 15:16Z · HIGH

CVE-2026-34797 — Endian Firewall_community: Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34797

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_smtp.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation. CVSSv3.1 8.8 (HIGH)

CWE 78 · VND Endian · TYP Vulnerability
CVSS v3.1: 8.8 · Edit Score: 94
2026-04-02 15:16Z · HIGH

CVE-2026-34796 — Endian Firewall_community: Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34796

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_openvpn.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation. CVSSv3.1 8.8 (HIGH)

CWE 78 · VND Endian · TYP Vulnerability
CVSS v3.1: 8.8 · Edit Score: 94
2026-04-02 15:16Z · HIGH

CVE-2026-34795 — Endian Firewall_community: Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34795

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_log.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation. CVSSv3.1 8.8 (HIGH)

CWE 78 · VND Endian · TYP Vulnerability
CVSS v3.1: 8.8 · Edit Score: 94
2026-04-02 15:16Z · HIGH

CVE-2026-34794 — Endian Firewall_community: Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34794

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_ids.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation. CVSSv3.1 8.8 (HIGH)

CWE 78 · VND Endian · TYP Vulnerability
CVSS v3.1: 8.8 · Edit Score: 94
2026-04-02 15:16Z · HIGH

CVE-2026-34793 — Endian Firewall_community: Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34793

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_firewall.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation. CVSSv3.1 8.8 (HIGH)

CWE 78 · VND Endian · TYP Vulnerability
CVSS v3.1: 8.8 · Edit Score: 94
2026-04-02 15:16Z · HIGH

CVE-2026-34792 — Endian Firewall_community: Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34792

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_clamav.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation. CVSSv3.1 8.8 (HIGH)

CWE 78 · VND Endian · TYP Vulnerability
CVSS v3.1: 8.8 · Edit Score: 94
2026-04-02 15:16Z · HIGH

CVE-2026-34791 — Endian Firewall_community: Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34791

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_proxy.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation. CVSSv3.1 8.8 (HIGH)

CWE 78 · VND Endian · TYP Vulnerability
CVSS v3.1: 8.8 · Edit Score: 94
2026-04-02 15:16Z · HIGH

CVE-2026-34728 — Phpmyfaq Phpmyfaq: When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34728

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index() method handles file deletion for the media browser. When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the base upload directory path without any path traversal validation. The FILTER_SANITIZE_SPECIAL_CHARS filter only encodes HTML special characters (&, ', ", <, >) and characters with ASCII value < 32, and does not prevent di CVSSv3.1 8.7 (HIGH)

CWE 22 · VND Phpmyfaq · VND Faq · TYP Vulnerability
CVSS v3.1: 8.7 · Edit Score: 94
2026-04-02 15:16Z · CRIT

CVE-2026-32871 — Jlowin Fastmcp: Since urljoin() interprets ../ sequences as directory traversal, an attacker controlling a path parameter

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32871

FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service. A vulnerability exists in the _build_url() method. When an OpenAPI operation defines path parameters (e.g., /api/v1/users/{user_id}), the system directly substitutes parameter values into the URL t CVSSv3.1 10.0 (CRITICAL)

CWE 918 · VND Jlowin · VND Fastmcp · TYP Vulnerability
CVSS v3.1: 10.0 · Edit Score: 100
2026-04-02 14:16Z · HIGH

CVE-2026-3692 — Progress Flowmon: In Progress Flowmon versions prior to 12.5.8, a vulnerability exists whereby an authenticated low-privileged

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-3692

In Progress Flowmon versions prior to 12.5.8, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the report generation process that results in unintended commands being executed on the server. CVSSv3.1 8.8 (HIGH)

CWE 78 · VND Progress · TYP Vulnerability
CVSS v3.1: 8.8 · Edit Score: 94
2026-04-02 14:16Z · HIGH

CVE-2026-35168 — Devcode Openstamanager: Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35168

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can execut CVSSv3.1 8.8 (HIGH)

CWE 89 · VND Devcode · VND Openstamanager · TYP Vulnerability
CVSS v3.1: 8.8 · Edit Score: 94
2026-04-02 14:16Z · HIGH

CVE-2026-28805 — Devcode Openstamanager: Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-28805

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacke CVSSv3.1 8.8 (HIGH)

CWE 89 · VND Devcode · VND Openstamanager · TYP Vulnerability
CVSS v3.1: 8.8 · Edit Score: 94
2026-04-02 13:16Z · HIGH

CVE-2026-4636 — Redhat Build_of_keycloak: An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-4636

A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or CVSSv3.1 8.1 (HIGH)

CWE 551 · VND Keycloak · TYP Vulnerability
CVSS v3.1: 8.1 · Edit Score: 91
2026-04-02 13:00Z · CRIT

New Whitepaper: Stealthy BPFDoor Variants are a Needle That Looks Like Hay

Rapid7 Research · rapid7.com · in the wild

Rapid7 Labs disclosed seven new BPFDoor kernel-level backdoor variants targeting telecom infrastructure, featuring evolved evasion techniques including stateless ICMP/HTTP C2 tunneling, dynamic PID-bound BPF filters, multi-protocol parallel sniffing, and process masquerading as legitimate daemons (HPE ProLiant agents, NTP services). The malware has evolved from fileless execution to disk-resident variants using /var/run/user/0 to bypass auditd logging, implements relay-based lateral movement via ICMP, and uses magic packet structures with hidden IP fields for stateless C2 routing that survives NAT/VPN deployments.

SRF Os · TAC TA0005 · SRF Network · SRF Network Appliance · TAC TA0011 · TAC TA0043 · VND Rapid7 · TYP Research
Edit Score: 88
2026-04-02 12:58Z · HIGH

byob — An open-source post-exploitation framework for students, researchers and developers.

GitHub · LPE exploits · github.com · GITHUB POC

BYOB is an open-source post-exploitation framework written in Python that provides command-and-control infrastructure, payload generation, and 12 post-exploitation modules (persistence, keylogging, privilege escalation, packet sniffing, etc.). The framework features encrypted reverse TCP shells via AES-256 with Diffie-Hellman key exchange, remote code loading without disk writes, and a web GUI dashboard for managing compromised hosts.

SRF Os · TAC TA0011 · TAC TA0010 · TYP Research · TYP Tool · STG Execution · STG Persistence · STG C2
Edit Score: 68
2026-04-02 10:00Z · CRIT

You’re Not Supposed To ShareFile With Everyone (Progress ShareFile Pre-Auth RCE Chain CVE-2026-2699 & CVE-2026-2701)

watchTowr Labs · labs.watchtowr.com · CVE-2026-2699 · CVE-2026-2701 · in the wild

WatchTowr Labs disclosed a pre-authenticated RCE chain in Progress ShareFile Storage Zone Controller (on-premises branch 5.x) affecting ~30,000 internet-exposed instances. CVE-2026-2699 is an authentication bypass via Execution After Redirect (CWE-698) in Admin.aspx, and CVE-2026-2701 chains this to RCE by allowing unauthenticated modification of zone configuration and upload paths to achieve code execution. Both vulnerabilities were patched in version 5.12.4 released March 10, 2026.

SRF Application · TAC TA0001 · TAC TA0002 · SRF Network · VND Citrix · VND Progress · TYP Writeup · TYP Exploit
Edit Score: 92
2026-04-02 06:16Z · HIGH

CVE-2026-4347 — Form: The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-4347

The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generate_user_filepath' function and the 'move_temp_file_to_upload_dir' function in all versions up to, and including, 5.1.0. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). The vulnerability is only exploitabl CVSSv3.1 8.1 (HIGH) · EPSS 26th percentile

CWE 22 · VND Form · TYP Vulnerability
CVSS v3.1: 8.1 · Edit Score: 91
2026-04-02 00:00Z · INFO

Prioritizing Alerts Triage with Higher-Order Detection Rules

Elastic Security Labs · elastic.co

Elastic Security Labs published a technical guide on Higher-Order Rules (HOR), a detection engineering pattern that correlates multiple alerts across endpoints, networks, and observability data to reduce false positives and improve triage prioritization. The approach uses entity-based correlation, cross-data-source visibility, and temporal/prevalence logic to surface high-confidence findings from alert volume that would otherwise overwhelm SOC analysts.

SRF Network · TAC TA0006 · TAC TA0007 · VND Elastic · TYP Research · TYP Technique
Edit Score: 68
2026-04-02 00:00Z · CRIT

How we caught the Axios supply chain attack

Elastic Security Labs · elastic.co · in the wild

Elastic Security Labs detected and disclosed a critical supply chain attack on Axios (npm's most-downloaded HTTP client) where attackers compromised a maintainer account and injected a phantom dependency with a cross-platform RAT via postinstall hooks. The detection was performed by a proof-of-concept tool built in hours that diffs package releases and uses LLM analysis to identify malicious code patterns; the tool is now open-sourced as supply-chain-monitor. The incident cascaded from earlier Trivy and LiteLLM compromises in the same campaign, attributed to DPRK state actors.

TAC TA0005 · TAC TA0001 · TAC TA0003 · TAC TA0011 · SRF Supply Chain · VND Elastic · VND Litellm · VND Trivy
Edit Score: 95
2026-04-02 00:00Z · HIGH

Hooked on Linux: Rootkit Detection Engineering

Elastic Security Labs · elastic.co

Elastic Security Labs publishes the second part of a comprehensive Linux rootkit detection engineering series, demonstrating that static signature-based detection is fundamentally unreliable against rootkits—even trivial binary modifications (single null byte) significantly degrade detection rates. The research pivots to behavioral and runtime detection strategies across userland injection (LD_PRELOAD, shared objects), kernel-space loading (LKM syscalls, kernel taint), eBPF-based rootkits, and emerging io_uring evasion techniques, providing practical detection rules and telemetry collection guidance.

SRF Os · TAC TA0005 · TAC TA0003 · TYP Research · TYP Technique · STG Defense Evasion · STG Persistence
Edit Score: 82
2026-04-01 22:16Z · HIGH

CVE-2026-34572 — Ci4-cms-erp Ci4ms: This behavior breaks the intended access control policy and results in persistent unauthorized access

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34572

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain CVSSv3.1 8.8 (HIGH)

CWE 284 · CWE 613 · CWE 1254 · VND Ci4 Cms Erp · VND Ci4ms · TYP Vulnerability
CVSS v3.1: 8.8 · Edit Score: 94
2026-04-01 22:16Z · CRIT

CVE-2026-34571 — Ci4-cms-erp Ci4ms: Prior to version 0.31.0.0, a Stored Cross-Site Scripting (Stored XSS) vulnerability exists in the

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34571

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, a Stored Cross-Site Scripting (Stored XSS) vulnerability exists in the backend user management functionality. The application fails to properly sanitize user-controlled input before rendering it in the administrative interface, allowing attackers to inject persistent JavaScript code. This results in automatic CVSSv3.1 9.9 (CRITICAL)

CWE 79 · VND Ci4 Cms Erp · VND Ci4ms · TYP Vulnerability
CVSS v3.1: 9.9 · Edit Score: 100