Latest intel: live feed
Expanding Attack Path Management to macOS Environments
SpecterOps announces expansion of BloodHound Enterprise to model attack paths in macOS environments via Jamf device management platform integration, alongside Okta and GitHub. The research demonstrates how device management platforms introduce attack primitives—privilege escalation within the management plane, fleet-wide code execution, and hybrid attack paths spanning identity and device management systems—that were previously invisible to directory-centric attack path analysis.
CVE-2026-32726 — Scitokens Scitokens_cpp_library: Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope
SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether a requested resource path was covered by a token's authorized scope path. Because the check did not require a path-segment boundary, a token scoped to one path could incorrectly authorize access to sibling paths CVSSv3.1 8.1 (HIGH)
CVE-2026-32725 — Scitokens Scitokens_cpp_library: Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass when processing path-based
SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass when processing path-based scopes in tokens. The library normalizes the scope path from the token before authorization and collapses ".." path components instead of rejecting them. As a result, an attacker can use parent-directory traversal in the scope claim to broaden the effective authorization beyond the intended CVSSv3.1 8.3 (HIGH)
CVE-2026-30283 — Peaksel Animal_sounds_and_ringtones: An arbitrary file overwrite vulnerability in PEAKSEL D.O.O.
An arbitrary file overwrite vulnerability in PEAKSEL D.O.O. NIS Animal Sounds and Ringtones v1.3.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-30282 — Uxgroupllc Cast_to_tv: An arbitrary file overwrite vulnerability in UXGROUP LLC Cast to TV Screen Mirroring v2.2.77
An arbitrary file overwrite vulnerability in UXGROUP LLC Cast to TV Screen Mirroring v2.2.77 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure. CVSSv3.1 9.0 (CRITICAL)
CVE-2026-30278 — Funair Fly_is_fun: An arbitrary file overwrite vulnerability in FLY is FUN Aviation Navigation v35.33 allows attackers
An arbitrary file overwrite vulnerability in FLY is FUN Aviation Navigation v35.33 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-30284 — Uxgroupllc Voice_recorder: An arbitrary file overwrite vulnerability in UXGROUP LLC Voice Recorder v10.0 allows attackers to
An arbitrary file overwrite vulnerability in UXGROUP LLC Voice Recorder v10.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure. CVSSv3.1 8.6 (HIGH)
CVE-2026-30281 — Maru Neo.maru: An arbitrary file overwrite vulnerability in MaruNuri LLC v2.0.23 allows attackers to overwrite critical
An arbitrary file overwrite vulnerability in MaruNuri LLC v2.0.23 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-30276 — Deftpdf Document_translator: An arbitrary file overwrite vulnerability in DeftPDF Document Translator v54.0 allows attackers to overwrite
An arbitrary file overwrite vulnerability in DeftPDF Document Translator v54.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-34377 — Zfnd Zebra: Prior to zebrad version 4.3.0 and zebra-consensus version 5.0.1, a logic error in Zebra's
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-consensus version 5.0.1, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By matching a valid transaction's txid while providing invalid authorization data, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. This would not allow invalid tran CVSSv3.1 8.1 (HIGH)
CVE-2026-34172 — Giskard Giskard-agent: A developer who passes user input to this method enables full remote code execution
Giskard is an open-source Python library for testing and evaluating agentic systems. Prior to versions 0.3.4 and 1.0.2b1, ChatWorkflow.chat(message) passes its string argument directly as a Jinja2 template source to a non-sandboxed Environment. A developer who passes user input to this method enables full remote code execution via Jinja2 class traversal. The method name chat and parameter name message naturally invite passing user input directly, but the string is silently pa CVSSv3.1 8.8 (HIGH)
CVE-2026-33579 — Openclaw Openclaw: before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes including admin access by exploiting the missing scope validation in extensions/device-pair/index.ts and src/infra/device-pairing.ts. CVSSv3.1 9.9 (CRITICAL)
JamfHound v1.1 Update: SSO Attack Paths and Okta Additions
SpecterOps released JamfHound v1.1, introducing new attack path visualization for JAMF Pro SSO integrations with identity providers like Okta. The update adds jamf_SSOIntegration nodes, jamf_SSO_Login edges, jamf_Update_SSO_Settings edges, and jamf_Okta_Same_Device hybrid edges to BloodHound, enabling discovery of cross-platform privilege escalation paths where compromised low-privilege accounts can pivot through Okta to gain JAMF Pro admin access.
CVE-2026-34156 — Nocobase Nocobase: An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by WORKFLOW_SCRIPT_MODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr. An authentic CVSSv3.1 9.9 (CRITICAL)
Initial Access Brokers have Shifted to High-Value Targets and Premium Pricing
Rapid7's analysis of H2 2025 cybercrime forum activity (Exploit, XSS, BreachForums, DarkForums, RAMP) reveals Initial Access Brokers have shifted toward high-value targets with dramatically increased pricing (4055% average base price increase YoY) and prioritized high-privilege access (Domain Admin/User at 75% of offerings). RDP, VPN, and RDWeb remain dominant vectors; Government, Retail, and IT sectors are primary targets; U.S. organizations represent 30.9% of global listings, with DarkForums and RAMP now dominating older forums like XSS.
CVE-2024-14031 — Yves Sereal: Sereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922.
Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embed a vulnerable version of the Zstandard library. Sereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 that could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used. CVSSv3.1 8.1 (HIGH)
CVE-2024-14030 — Yves Sereal: Sereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922.
Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embed a vulnerable version of the Zstandard library. Sereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 that could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used. CVSSv3.1 8.1 (HIGH)
CVE-2025-15618 — Mock Business: Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl use an insecure secret key.
Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl use an insecure secret key. Business::OnlinePayment::StoredTransaction generates a secret key by taking an MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use. This key is intended for encrypting credit card transaction data. CVSSv3.1 9.1 (CRITICAL)
Nuclei Templates v10.4.1 – Release Notes
Nuclei Templates v10.4.1 adds 76 new detection templates covering 42 CVEs, including critical RCE, authentication bypass, and SQL injection vulnerabilities across AI/ML platforms (MindsDB, Langflow, Budibase), WordPress plugins, and enterprise software (Citrix NetScaler, BMC FootPrints). The release includes bug fixes reducing false positives/negatives and improved detection accuracy across existing templates.
CVE-2025-10553 — 3ds 3dexperience: A Stored Cross-site Scripting (XSS) vulnerability affecting Factory Resource Management in DELMIA Factory Resource
A Stored Cross-site Scripting (XSS) vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in a user's browser session. CVSSv3.1 8.7 (HIGH)
CVE-2025-10551 — 3ds 3dexperience: A Stored Cross-site Scripting (XSS) vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator
A Stored Cross-site Scripting (XSS) vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in a user's browser session. CVSSv3.1 8.7 (HIGH)
CVE-2026-34060 — Shopify Ruby_lsp: Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace
Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9. CVSSv3.1 9.8 (CRITICAL) · EPSS 9th percentile
CVE-2026-34041 — Nektos Act: act is a project which allows for local running of GitHub Actions.
act is a project which allows for local running of GitHub Actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which were disabled upstream due to environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This issue has been patched in version 0.2.86. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-34040 — Docker Engine: Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to
Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1. CVSSv3.1 8.8 (HIGH) · EPSS 94th percentile
CVE-2026-3300 — Everest: The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via
The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possibl CVSSv3.1 9.8 (CRITICAL) · EPSS 52nd percentile