2026-03-31 20:16Z · HIGH

Expanding Attack Path Management to macOS Environments

SpecterOps · specterops.io

SpecterOps announces the expansion of BloodHound Enterprise to model attack paths in macOS environments through integration with the Jamf device management platform, alongside Okta and GitHub. The research shows how device management platforms introduce attack primitives (privilege escalation within the management plane, fleet-wide code execution, and hybrid attack paths spanning identity and device management systems) that were previously invisible to directory-centric attack path analysis.

Surface: Application, OS, Identity · Tactics: TA0004 (Privilege Escalation), TA0006 (Credential Access) · Vendors: Microsoft, Okta, Jamf · Score: 78
2026-03-31 18:16Z · HIGH

CVE-2026-32726 — Scitokens Scitokens_cpp_library: Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32726

SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether a requested resource path was covered by a token's authorized scope path. Because the check did not require a path-segment boundary, a token scoped to one path could incorrectly authorize access to sibling paths

CVSS v3.1: 8.1 (HIGH) · CWE-863 · Vendor: Scitokens · Type: Vulnerability · Score: 91
2026-03-31 18:16Z · HIGH

CVE-2026-32725 — Scitokens Scitokens_cpp_library: Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass when processing path-based

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32725

SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass when processing path-based scopes in tokens. The library normalizes the scope path from the token before authorization and collapses ".." path components instead of rejecting them. As a result, an attacker can use parent-directory traversal in the scope claim to broaden the effective authorization beyond the intended

CVSS v3.1: 8.3 (HIGH) · CWE-23 · Vendor: Scitokens · Type: Vulnerability · Score: 92
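The two SciTokens entries above describe the same class of path-scope mistake: a prefix comparison with no segment boundary (CVE-2026-32726) and ".." components collapsed instead of rejected (CVE-2026-32725). The following is an added Python illustration, not scitokens-cpp code, that puts both naive checks beside a hardened segment-wise comparison; the function names and the sample paths are assumptions chosen for the example.

```python
import posixpath

# Added illustration of path-scope authorization, not scitokens-cpp code.
# Function names and sample paths are assumptions chosen for the example.


def scope_covers_naive(scope_path: str, resource: str) -> bool:
    """Vulnerable pattern: plain string-prefix comparison. A token scoped to
    /data/alice also 'covers' /data/alice2 because no '/' boundary is required."""
    return resource.startswith(scope_path)


def normalize_collapsing(scope_path: str) -> str:
    """Vulnerable pattern: normalizing the token's scope path before the check.
    posixpath.normpath() folds '..' away, so a scope of /data/alice/../ becomes
    /data and silently widens to every sibling directory."""
    return posixpath.normpath(scope_path)


def validate_scope_path(path: str):
    """Hardened: accept only an absolute path made of ordinary segments.
    Returns the segment list, or None if the path must be rejected. Empty
    segments, '.' and '..' are rejected rather than normalized; one trailing
    slash is tolerated because it names the same directory."""
    if not path.startswith("/"):
        return None
    segments = path.split("/")[1:]
    if segments and segments[-1] == "":
        segments = segments[:-1]
    for seg in segments:
        if seg in ("", ".", ".."):
            return None
    return segments


def scope_covers(scope_path: str, resource: str) -> bool:
    """Hardened: compare whole path segments, so coverage only extends across
    a '/' boundary, and a scope or resource that fails validation authorizes
    nothing at all."""
    scope_segments = validate_scope_path(scope_path)
    resource_segments = validate_scope_path(resource)
    if scope_segments is None or resource_segments is None:
        return False
    return resource_segments[: len(scope_segments)] == scope_segments


if __name__ == "__main__":
    # Constructed cases showing both bypasses and the hardened result.
    print(scope_covers_naive("/data/alice", "/data/alice2/secret"))  # True: sibling leak
    print(scope_covers("/data/alice", "/data/alice2/secret"))        # False
    print(normalize_collapsing("/data/alice/../"))                   # /data
    print(scope_covers("/data/alice/..", "/data/bob/secret"))        # False: scope rejected
```

The design point is that the token's scope is untrusted input like any other: a scope that needs normalizing is a scope to refuse, and the comparison unit is a path segment, never a character.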
2026-03-31 18:16Z · CRIT

CVE-2026-30283 — Peaksel Animal_sounds_and_ringtones: An arbitrary file overwrite vulnerability in PEAKSEL D.O.O.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-30283

An arbitrary file overwrite vulnerability in PEAKSEL D.O.O. NIS Animal Sounds and Ringtones v1.3.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

CVSS v3.1: 9.8 (CRITICAL) · CWE-22 · Vendor: Peaksel · Type: Vulnerability · Score: 99
2026-03-31 18:16Z · CRIT

CVE-2026-30282 — Uxgroupllc Cast_to_tv: An arbitrary file overwrite vulnerability in UXGROUP LLC Cast to TV Screen Mirroring v2.2.77

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-30282

An arbitrary file overwrite vulnerability in UXGROUP LLC Cast to TV Screen Mirroring v2.2.77 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

CVSS v3.1: 9.0 (CRITICAL) · CWE-22, CWE-73 · Vendor: Uxgroupllc · Type: Vulnerability · Score: 95
2026-03-31 18:16Z · CRIT

CVE-2026-30278 — Funair Fly_is_fun: An arbitrary file overwrite vulnerability in FLY is FUN Aviation Navigation v35.33 allows attackers

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-30278

An arbitrary file overwrite vulnerability in FLY is FUN Aviation Navigation v35.33 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

CVSS v3.1: 9.8 (CRITICAL) · CWE-22 · Vendor: Funair · Type: Vulnerability · Score: 99
2026-03-31 16:16Z · HIGH

CVE-2026-30284 — Uxgroupllc Voice_recorder: An arbitrary file overwrite vulnerability in UXGROUP LLC Voice Recorder v10.0 allows attackers to

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-30284

An arbitrary file overwrite vulnerability in UXGROUP LLC Voice Recorder v10.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

CVSS v3.1: 8.6 (HIGH) · CWE-73 · Vendor: Uxgroupllc · Type: Vulnerability · Score: 93
2026-03-31 16:16Z · CRIT

CVE-2026-30281 — Maru Neo.maru: An arbitrary file overwrite vulnerability in MaruNuri LLC v2.0.23 allows attackers to overwrite critical

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-30281

An arbitrary file overwrite vulnerability in MaruNuri LLC v2.0.23 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

CVSS v3.1: 9.8 (CRITICAL) · CWE-73 · Vendor: Maru · Type: Vulnerability · Score: 99
2026-03-31 16:16Z · CRIT

CVE-2026-30276 — Deftpdf Document_translator: An arbitrary file overwrite vulnerability in DeftPDF Document Translator v54.0 allows attackers to overwrite

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-30276

An arbitrary file overwrite vulnerability in DeftPDF Document Translator v54.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

CVSS v3.1: 9.8 (CRITICAL) · CWE-73 · Vendor: Deftpdf · Type: Vulnerability · Score: 99
2026-03-31 15:16Z · HIGH

CVE-2026-34377 — Zfnd Zebra: Prior to zebrad version 4.3.0 and zebra-consensus version 5.0.1, a logic error in Zebra's

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34377

Zebra is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-consensus version 5.0.1, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By matching a valid transaction's txid while providing invalid authorization data, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. This would not allow invalid tran

CVSS v3.1: 8.1 (HIGH) · CWE-347 · Vendors: Zfnd, Zebra · Type: Vulnerability · Score: 91
2026-03-31 15:16Z · HIGH

CVE-2026-34172 — Giskard Giskard-agent: A developer who passes user input to this method enables full remote code execution

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34172

Giskard is an open-source Python library for testing and evaluating agentic systems. Prior to versions 0.3.4 and 1.0.2b1, ChatWorkflow.chat(message) passes its string argument directly as a Jinja2 template source to a non-sandboxed Environment. A developer who passes user input to this method enables full remote code execution via Jinja2 class traversal. The method name chat and parameter name message naturally invite passing user input directly, but the string is silently pa

CVSS v3.1: 8.8 (HIGH) · CWE-1336 · Vendor: Giskard · Type: Vulnerability · Score: 94
2026-03-31 15:16Z · CRIT

CVE-2026-33579 — Openclaw Openclaw: before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33579

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path, which fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests that ask for broader scopes, including admin access, by exploiting the missing scope validation in extensions/device-pair/index.ts and src/infra/device-pairing.ts.

CVSS v3.1: 9.9 (CRITICAL) · CWE-863 · Vendor: Openclaw · Type: Vulnerability · Score: 100
2026-03-31 15:00Z · HIGH

JamfHound v1.1 Update: SSO Attack Paths and Okta Additions

SpecterOps · specterops.io

SpecterOps released JamfHound v1.1, introducing new attack path visualization for JAMF Pro SSO integrations with identity providers like Okta. The update adds jamf_SSOIntegration nodes, jamf_SSO_Login edges, jamf_Update_SSO_Settings edges, and jamf_Okta_Same_Device hybrid edges to BloodHound, enabling discovery of cross-platform privilege escalation paths where compromised low-privilege accounts can pivot through Okta to gain JAMF Pro admin access.

Surface: Application, Identity · Tactics: TA0004 (Privilege Escalation), TA0006 (Credential Access) · Vendors: BloodHound, Okta, Jamf · Type: Research · Score: 78
2026-03-31 14:16Z · CRIT

CVE-2026-34156 — Nocobase Nocobase: An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34156

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by the WORKFLOW_SCRIPT_MODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr. An authentic

CVSS v3.1: 9.9 (CRITICAL) · CWE-913 · Vendor: Nocobase · Type: Vulnerability · Score: 100
2026-03-31 13:00Z · HIGH

Initial Access Brokers have Shifted to High-Value Targets and Premium Pricing

Rapid7 Research · rapid7.com · CVE-2025-61882

Rapid7's analysis of H2 2025 cybercrime forum activity (Exploit, XSS, BreachForums, DarkForums, RAMP) finds that Initial Access Brokers have shifted toward high-value targets with dramatically higher pricing (a 4055% average increase in base price year over year) and now prioritize high-privilege access (Domain Admin/User in 75% of offerings). RDP, VPN and RDWeb remain the dominant vectors; Government, Retail and IT are the primary target sectors; U.S. organizations represent 30.9% of global listings; and DarkForums and RAMP are now eclipsing older forums such as XSS.

Surface: Network, Identity · Tactics: TA0001 (Initial Access), TA0007 (Discovery) · Vendors: Fortinet, Oracle · Type: Research, Threat Intel · Score: 78
2026-03-31 12:16Z · HIGH

CVE-2024-14031 — Yves Sereal: Sereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2024-14031

Sereal::Encoder versions 4.000 through 4.009_002 for Perl embed a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922, a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 that could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.

CVSS v3.1: 8.1 (HIGH) · CWE-787 · Vendors: Yves, Sereal · Type: Vulnerability · Score: 91
2026-03-31 12:16Z · HIGH

CVE-2024-14030 — Yves Sereal: Sereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2024-14030

Sereal::Decoder versions 4.000 through 4.009_002 for Perl embed a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922, a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 that could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.

CVSS v3.1: 8.1 (HIGH) · CWE-787 · Vendors: Yves, Sereal · Type: Vulnerability · Score: 91
2026-03-31 11:16Z · CRIT

CVE-2025-15618 — Mock Business: Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-15618

Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl use an insecure secret key: the module generates the key by taking an MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use. This key is intended for encrypting credit card transaction data.

CVSS v3.1: 9.1 (CRITICAL) · CWE-693, CWE-338 · Vendors: Mock, Business · Type: Vulnerability · Score: 96
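The weakness above is structural rather than a bug in MD5: hashing a single PRNG output adds no entropy, so the key can be no stronger than the PRNG state behind it. As an added Python illustration, not the Perl module's code, the derivation is modelled with Python's random module seeded from a small integer (an assumption standing in for whatever seeds Perl's rand) and then recovered by exhausting that seed space; secrets.token_bytes shows the correct construction.

```python
import hashlib
import random
import secrets

# Added model of "MD5(one PRNG output)" key derivation; not the Perl module's
# code. Seeding from an integer range is an assumption for the illustration.


def weak_key(seed: int) -> bytes:
    """Flawed scheme: one draw from a non-cryptographic PRNG, hashed with MD5.
    The digest looks random but is a deterministic function of the seed."""
    one_draw = random.Random(seed).random()
    return hashlib.md5(repr(one_draw).encode()).digest()


def recover_seed(target_key: bytes, seed_space):
    """Attacker's view: the scheme is public, so try every candidate seed.
    The equality test stands in for trial decryption of a known plaintext.
    Cost is the size of the seed space, not the 128 bits of the MD5 output."""
    for seed in seed_space:
        if weak_key(seed) == target_key:
            return seed
    return None


def strong_key(nbytes: int = 32) -> bytes:
    """Correct construction: key bytes straight from the OS CSPRNG."""
    return secrets.token_bytes(nbytes)


def demo() -> dict:
    """Constructed run: the 'server' derives its key from a seed, the attacker
    recovers that seed by searching a few hundred thousand candidates."""
    victim_seed = 0x2A5F3
    key = weak_key(victim_seed)
    found = recover_seed(key, range(0, 1 << 18))
    return {
        "key_hex": key.hex(),
        "recovered_seed": found,
        "strong_key_len": len(strong_key()),
    }


if __name__ == "__main__":
    print(demo())
```

Whatever seeds the PRNG (time, PID, a small counter), the attacker's work factor is the seed space, and no amount of hashing afterwards changes that.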
2026-03-31 11:10Z · CRIT

Nuclei Templates v10.4.1 – Release Notes

Nuclei Templates v10.4.1 adds 76 new detection templates covering 42 CVEs, including critical RCE, authentication bypass, and SQL injection vulnerabilities across AI/ML platforms (MindsDB, Langflow, Budibase), WordPress plugins, and enterprise software (Citrix NetScaler, BMC FootPrints). The release includes bug fixes reducing false positives/negatives and improved detection accuracy across existing templates.

Surface: Application, Network, Web · Tactics: TA0001 (Initial Access), TA0043 (Reconnaissance) · Vendor: Projectdiscovery · Type: Tool, Vulnerability · CVSS v3.1: 9.8 · Score: 72
2026-03-31 09:16Z · HIGH

CVE-2025-10553 — 3ds 3dexperience: A Stored Cross-site Scripting (XSS) vulnerability affecting Factory Resource Management in DELMIA Factory Resource

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-10553

A Stored Cross-site Scripting (XSS) vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in a user's browser session.

CVSS v3.1: 8.7 (HIGH) · CWE-79 · Vendor: 3ds · Type: Vulnerability · Score: 94
2026-03-31 09:16Z · HIGH

CVE-2025-10551 — 3ds 3dexperience: A Stored Cross-site Scripting (XSS) vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-10551

A Stored Cross-site Scripting (XSS) vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in a user's browser session.

CVSS v3.1: 8.7 (HIGH) · CWE-79 · Vendor: 3ds · Type: Vulnerability · Score: 94
2026-03-31 03:15Z · CRIT

CVE-2026-34060 — Shopify Ruby_lsp: Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34060

Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9.

CVSS v3.1: 9.8 (CRITICAL) · EPSS: 9th percentile · CWE-94 · Vendor: Shopify · Type: Vulnerability · Score: 99
2026-03-31 03:15Z · CRIT

CVE-2026-34041 — Nektos Act: act is a project for running GitHub Actions locally.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34041

act is a project for running GitHub Actions locally. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which GitHub itself disabled because of environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This issue has been patched in version 0.2.86.

CVSS v3.1: 9.8 (CRITICAL) · CWE-74 · Vendor: Nektos · Type: Vulnerability · Score: 99
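The injection above is easiest to see with a small model of how a runner scans a step's stdout for workflow commands. This is an added Python example, not act's code: the regexes, the step output and the attacker-controlled PR title are constructed for the illustration, and the hardened variant simply refuses the deprecated commands.

```python
import re

# Added model of runner handling of stdout workflow commands; not act's code.
# The two legacy commands GitHub deprecated: "::set-env name=K::V" and "::add-path::P".
_SET_ENV = re.compile(r"^::set-env name=([^:=,]+)::(.*)$")
_ADD_PATH = re.compile(r"^::add-path::(.*)$")


def process_step_output_legacy(lines, env):
    """Vulnerable behaviour: every line of step output is scanned and the
    deprecated commands are honoured, so any untrusted string a step echoes
    can rewrite the environment and PATH of later steps. Returns a new env."""
    env = dict(env)
    for line in lines:
        m = _SET_ENV.match(line)
        if m:
            env[m.group(1)] = m.group(2)
            continue
        m = _ADD_PATH.match(line)
        if m:
            env["PATH"] = m.group(1) + ":" + env.get("PATH", "")
    return env


def process_step_output_hardened(lines, env):
    """Fixed behaviour: the deprecated commands are recognized only to warn
    about them and the environment is left untouched. Returns (env, warnings).
    (Writing to the GITHUB_ENV / GITHUB_PATH files, not modelled here, is the
    supported replacement.)"""
    warnings = []
    for line in lines:
        if _SET_ENV.match(line) or _ADD_PATH.match(line):
            warnings.append("ignored deprecated workflow command: " + line)
    return dict(env), warnings


# Constructed sample: a step runs `echo "PR title: $PR_TITLE"` where the title
# is attacker-controlled and contains newlines, so each command lands at the
# start of its own stdout line, exactly where the legacy scanner looks.
PR_TITLE = (
    "Fix typo\n"
    "::set-env name=NODE_OPTIONS::--require /tmp/evil.js\n"
    "::add-path::/tmp/attacker-bin"
)
STEP_OUTPUT = ("PR title: " + PR_TITLE).splitlines()
BASE_ENV = {"PATH": "/usr/local/bin:/usr/bin"}


if __name__ == "__main__":
    print(process_step_output_legacy(STEP_OUTPUT, BASE_ENV))
    env, warnings = process_step_output_hardened(STEP_OUTPUT, BASE_ENV)
    print(env)
    print("\n".join(warnings))
```

Note what the attacker gains from NODE_OPTIONS alone: any later step that runs node will load /tmp/attacker-bin's payload before the workflow's own code, which is why the deprecated commands were retired in favour of files the step has to write deliberately.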
2026-03-31 03:15Z · HIGH

CVE-2026-34040 — Docker Engine: Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34040

Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.

CVSS v3.1: 8.8 (HIGH) · EPSS: 94th percentile · CWE-288 · Vendors: Docker, Moby · Type: Vulnerability · Score: 96
2026-03-31 02:15Z · CRIT

CVE-2026-3300 — Everest: The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-3300

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to the input does not escape single quotes or other PHP code-context characters. This makes it possibl

CVSS v3.1: 9.8 (CRITICAL) · EPSS: 52nd percentile · CWE-94 · Vendor: Everest · Type: Vulnerability · Score: 99
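The Everest Forms bug is the general mistake of building source code by string concatenation and handing it to eval(), where a tag-stripping sanitizer does nothing against a quote that closes the string literal. As an added Python illustration, not the plugin's PHP, here is that pattern beside a calculation that treats field values strictly as data; the strip_tags() stand-in for sanitize_text_field(), the formula syntax and the payload are assumptions made for the example.

```python
import ast
import operator
import os
import re


def strip_tags(value: str) -> str:
    """Stand-in for a sanitizer like sanitize_text_field(): removes HTML tags
    but leaves quotes and other code-context characters untouched."""
    return re.sub(r"<[^>]*>", "", value)


def calc_vulnerable(field_value: str) -> float:
    """Vulnerable pattern: the (sanitized) field value is concatenated into a
    code string that is then eval()'d. A single quote ends the literal and the
    rest of the value runs as code."""
    code = "float('" + strip_tags(field_value) + "') * 2"
    return eval(code)  # never do this with user input


def injection_executes(field_value: str) -> bool:
    """True when the vulnerable path ran attacker code: the constructed payload
    below makes the 'calculation' return this process's PID."""
    return calc_vulnerable(field_value) == os.getpid()


_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}


def calc_safe(formula: str, fields: dict) -> float:
    """Hardened: the formula is a fixed expression written by the form author
    over named fields. It is parsed into an AST and only numeric literals,
    field names and the four arithmetic operators are allowed; field values
    are converted with float() as data and never become part of the code."""

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return float(node.value)
        if isinstance(node, ast.Name) and node.id in fields:
            return float(fields[node.id])  # ValueError on non-numeric input
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](ev(node.left), ev(node.right))
        raise ValueError("unsupported element in formula: " + type(node).__name__)

    return ev(ast.parse(formula, mode="eval"))


def formula_rejects(formula: str, fields: dict) -> bool:
    """True when calc_safe refuses the formula or its inputs."""
    try:
        calc_safe(formula, fields)
    except ValueError:
        return True
    return False


# Constructed payload: closes the string literal, runs attacker-chosen code
# (a harmless os.getpid() here), then reopens a literal so the code still parses.
PAYLOAD = "0') + __import__('os').getpid() + float('0"

if __name__ == "__main__":
    print(calc_vulnerable("21"))                 # 42.0
    print(injection_executes(PAYLOAD))           # True: injected code ran
    print(calc_safe("qty * 2", {"qty": "21"}))   # 42.0
    print(formula_rejects("qty * 2", {"qty": PAYLOAD}))  # True: payload is not a number
```

The hardened version separates the two things the vulnerable one mixes: the formula is trusted configuration that is parsed, not executed, and the submitted values only ever reach a numeric conversion.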