Latest intel // live feed
CVE-2026-33728 — Datadog Dd-trace-java: On JDK version 16 and earlier, an attacker with network access to a JMX
dd-trace-java is a Datadog APM client for Java. In dd-trace-java versions from 0.40.0 up to but not including 1.60.2, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnera… CVSSv3.1 9.8 (CRITICAL) · EPSS 49th percentile
CVE-2026-33701 — Linuxfoundation Opentelemetry_instrumentation_for_java: On JDK version 16 and earlier, an attacker with network access to a JMX
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditio… CVSSv3.1 9.8 (CRITICAL)
CVE-2026-27893 — Vllm Vllm: This enables remote code execution via malicious model repositories even when the user has
vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.18.0, two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust. Version 0.18.0 patches the issue. CVSSv3.1 8.8 (HIGH)
Elastic Security Labs uncovers BRUSHWORM and BRUSHLOGGER
Elastic Security Labs disclosed BRUSHWORM and BRUSHLOGGER, two custom malware components targeting a South Asian financial institution. BRUSHWORM is a modular backdoor with USB worm propagation, scheduled task persistence, AES-encrypted configuration, and broad file theft capabilities; BRUSHLOGGER is a DLL side-loaded keylogger masquerading as libcurl.dll with system-wide keystroke capture and XOR-encrypted logs. Multiple development versions (V1.exe, V2.exe, etc.) were discovered on VirusTotal, indicating active refinement by an inexperienced threat actor.
CVE-2026-34352 — Tigervnc Tigervnc: In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users to observe or manipulate
In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users to observe or manipulate the screen contents, or cause an application crash, because of incorrect permissions. CVSSv3.1 8.5 (HIGH) · EPSS 9th percentile
CVE-2025-12805 — Redhat Openshift_ai: This vulnerability allows unauthorized access to Llama Stack services deployed in other namespaces via
A flaw was found in Red Hat OpenShift AI (RHOAI) llama-stack-operator. This vulnerability allows unauthorized access to Llama Stack services deployed in other namespaces via direct network requests, because no NetworkPolicy restricts access to the llama-stack service endpoint. As a result, a user in one namespace can access another user’s Llama Stack instance and potentially view or manipulate sensitive data. CVSSv3.1 8.1 (HIGH) · EPSS 3rd percentile
CVE-2026-0966 — Libssh Libssh: This function is used internally in `ssh_get_fingerprint_hash()` and `ssh_print_hexa()` (deprecated), which is vulnerable to
The API function `ssh_get_hexa()` is vulnerable when 0-length input is provided to it. This function is used internally in `ssh_get_fingerprint_hash()` and `ssh_print_hexa()` (deprecated), which are vulnerable to the same input (the length is provided by the calling application). The function is also used internally in the GSSAPI code for logging the OIDs received by the server during GSSAPI authentication. This could be triggered remotely, when the server allows GSSA… CVSSv3.1 8.2 (HIGH) · EPSS 24th percentile
CVE-2026-33149 — Tandoor Recipes: Versions up to and including 2.5.3 set ALLOWED_HOSTS = '*' by default, which causes
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions up to and including 2.5.3 set ALLOWED_HOSTS = '*' by default, which causes Django to accept any value in the HTTP Host header without validation. The application uses request.build_absolute_uri() to generate absolute URLs in multiple contexts, including invite link emails, API pagination, and OpenAPI schema generation. An attacker who can send requests to the applicat… CVSSv3.1 8.1 (HIGH)
CVE-2026-30458 — Thedaylightstudio Fuel_cms: An issue in Daylight Studio FuelCMS v1.5.2 allows attackers to exfiltrate users' password reset
An issue in Daylight Studio FuelCMS v1.5.2 allows attackers to exfiltrate users' password reset tokens via a mail splitting attack. CVSSv3.1 9.1 (CRITICAL) · EPSS 33rd percentile
CVE-2026-30457 — Thedaylightstudio Dwoo: An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to
An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute arbitrary code via crafted PHP code. CVSSv3.1 9.8 (CRITICAL) · EPSS 50th percentile
CVE-2026-26213 — Thingino Thingino_firmware: thingino-firmware versions up to the firmware-2026-03-16 release contain an unauthenticated OS command injection vulnerability
thingino-firmware versions up to the firmware-2026-03-16 release contain an unauthenticated OS command injection vulnerability in the WiFi captive portal CGI script that allows remote attackers to execute arbitrary commands as root by injecting malicious code through unsanitized HTTP parameter names. Attackers can exploit the eval function in the parse_query() and parse_post() functions to achieve remote code execution and perform privileged configuration changes including root… CVSSv3.1 9.8 (CRITICAL) · EPSS 46th percentile
CVE-2026-33496 — Ory Oathkeeper: Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion.
ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion. The `oauth2_introspection` authenticator cache does not distinguish tokens that were validated with different introspection URLs. An attacker can therefore legitimately use a token to prime the cache, and subsequently use the same token for r… CVSSv3.1 8.1 (HIGH)
CVE-2026-33494 — Ory Oathkeeper: Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal.
ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences (e.g. `/public/../admin/secrets`) that resolves to a protected path after normalization, but is matched against a permissive rule because the raw, un-normalized path is used during… CVSSv3.1 10.0 (CRITICAL)
CVE-2026-32857 — Firecrawl: version 2.8.0 and prior contain a server-side request forgery (SSRF) protection bypass vulnerability
Firecrawl version 2.8.0 and prior contain a server-side request forgery (SSRF) protection bypass vulnerability in the Playwright scraping service where network policy validation is applied only to the initial user-supplied URL and not to subsequent redirect destinations. Attackers can supply an externally valid URL that passes validation and returns an HTTP redirect to an internal or restricted resource, allowing the browser to follow the redirect and fetch the final destinat… CVSSv3.1 8.6 (HIGH) · EPSS 13th percentile
BloodHound CE v8.9.1
BloodHound CE v8.9.1 released with three bug fixes: TLS 1.2 cipher restrictions (BED-7722), OpenGraph schema_findings table ID column correction (BED-7734), and tagging database deadlock resolution (BED-7446). This is a maintenance release addressing operational stability and security hardening.
A year of open source vulnerability trends: CVEs, advisories, and malware
GitHub published its 2025 open source vulnerability trends report, analyzing 4,101 reviewed advisories, 7,197 malware advisories, and 2,903 CVEs. Key findings include a 69% surge in npm malware advisories driven by campaigns like SHA1-Hulud, significant increases in resource exhaustion and SSRF vulnerabilities, and improved CWE tagging specificity. The report provides ecosystem distribution data, vulnerability type rankings, and guidance on prioritizing remediation using CVSS and EPSS scoring.
Leveling Up Secure Code Reviews with Claude Code
SpecterOps publishes a detailed methodology for leveraging Claude Code (Anthropic's LLM) as a force multiplier during secure code reviews in penetration tests. The post demonstrates practical system prompt engineering, context window management, and iterative code flow analysis using BloodHound Community Edition and BadWindowsService as case studies, emphasizing the tool's value in understanding complex codebases and identifying data flow vulnerabilities without relying on false-positive-heavy automated scanning.
CVE-2019-25650 — River Past CamDo: 3.7.6 contains a structured exception handler (SEH) buffer overflow vulnerability that
River Past CamDo 3.7.6 contains a structured exception handler (SEH) buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the Lame_enc.dll name field. Attackers can craft a payload with a 280-byte buffer, NSEH jump instruction, and SEH handler address pointing to a pop-pop-ret gadget to trigger code execution and establish a bind shell on port 3110. CVSSv3.1 8.4 (HIGH) · EPSS 5th percentile
CVE-2018-25213 — Nsasoft Nsauditor: 3.0.28.0 contains a structured exception handling buffer overflow vulnerability that allows local attackers
Nsauditor 3.0.28.0 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying malicious input to the DNS Lookup tool. Attackers can craft a payload with SEH chain overwrite and inject shellcode through the DNS Query field to achieve code execution with application privileges. CVSSv3.1 8.4 (HIGH) · EPSS 1st percentile
CVE-2026-1961 — Foreman: A remote attacker could exploit a command injection vulnerability in Foreman's WebSocket proxy implementation.
A flaw was found in Foreman. A remote attacker could exploit a command injection vulnerability in Foreman's WebSocket proxy implementation. This vulnerability arises from the system's use of unsanitized hostname values from compute resource providers when constructing shell commands. By operating a malicious compute resource server, an attacker could achieve remote code execution on the Foreman server when a user accesses VM VNC console functionality. This could lead to the c… CVSSv3.1 8.0 (HIGH)
strongSwan CVE-2026-25075: Integer Underflow in VPN Authentication
Bishop Fox researchers disclosed CVE-2026-25075, an integer underflow in strongSwan's EAP-TTLS AVP parser affecting versions 4.5.0–6.0.4 (15+ years of releases). Remote unauthenticated attackers can crash the IKE daemon via a malformed AVP header with length=1, causing denial of service; exploitation may require a two-phase attack depending on malloc behavior. The vulnerability is patched in version 6.0.5 and later; Bishop Fox released a safe detection tool that confirms vulnerability without triggering a crash.
CVE-2018-25206 — KomSeo Cart: 1.3 contains an SQL injection vulnerability that allows attackers to inject SQL
KomSeo Cart 1.3 contains an SQL injection vulnerability that allows attackers to inject SQL commands through the 'my_item_search' parameter in edit.php. Attackers can submit POST requests with malicious SQL payloads to extract sensitive database information using boolean-based blind or error-based injection techniques. CVSSv3.1 8.2 (HIGH) · EPSS 15th percentile
CVE-2018-25203 — Online Store System CMS: 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers
Online Store System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to index.php with the action=clientaccess parameter using boolean-based blind or time-based blind SQL injection payloads in the email field to extract sensitive database information. CVSSv3.1 8.2 (HIGH) · EPSS 31th percentile
CVE-2026-4809 — plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an
plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while declaring a benign image MIME type, resulting in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, this may lead to remote code execut… CVSSv3.1 9.8 (CRITICAL) · EPSS 68th percentile
CVE-2026-24068 — VSL: This allows an attacker to write files to any location with any data as
The VSL privileged helper uses NSXPC for IPC. The implementation of the "shouldAcceptNewConnection" function, which the NSXPC framework uses to decide whether a client should be allowed to connect to the XPC listener, does not validate clients at all. This means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol. No validation is performed. CVSSv3.1 8.8 (HIGH) · EPSS 15th percentile