2026-03-26 11:01Z · CRIT

An AI gateway designed to steal your data

Kaspersky Securelist · securelist.com · in the wild

In March 2026, attackers compromised the LiteLLM Python package on PyPI, injecting malicious code into versions 1.82.7 and 1.82.8 that targeted developers and infrastructure. The malware performed recursive filesystem scanning for secrets (AWS credentials, SSH keys, database configs, crypto wallets), extracted runtime credentials from AWS IMDS and ECS, and established persistence in Kubernetes clusters via privileged pods and systemd services. A parallel attack also compromised Checkmarx security scanning extensions on OpenVSX, delivering a Node.js variant of the same stealer.

Tags: Application · TA0005 · TA0001 · TA0003 · Cloud · TA0009 · Supply Chain · Litellm

2026-03-26 10:16Z · HIGH

CVE-2026-4862 — Such manipulation of the argument GroupName leads to buffer overflow.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-4862

A security vulnerability has been detected in UTT HiPER 1250GW up to 3.2.7-210907-180535. This issue affects the function strcpy of the file /goform/formConfigDnsFilterGlobal of the component Parameter Handler. Such manipulation of the argument GroupName leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. CVSSv3.1 8.8 (HIGH) · EPSS 14th percentile

Tags: CWE 120 · CWE 119 · Vulnerability

2026-03-26 09:16Z · HIGH

CVE-2026-4861 — Wavlink Wl-nu516u1_firmware: This manipulation of the argument Content-Length causes stack-based buffer overflow.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-4861

A weakness has been identified in Wavlink WL-NU516U1 260227. This vulnerability affects the function ftext of the file /cgi-bin/nas.cgi. This manipulation of the argument Content-Length causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 8.8 (HIGH) · EPSS 16th percentile

Tags: CWE 121 · CWE 119 · Wavlink · Vulnerability

2026-03-26 08:00Z · CRIT

Coruna: the framework used in Operation Triangulation

Kaspersky Securelist · securelist.com · CVE-2023-32434 · CVE-2023-38606 · in the wild

Kaspersky analyzed Coruna, a sophisticated iOS exploit kit discovered in March 2026 that reuses the kernel exploitation framework from Operation Triangulation. The kit chains Safari RCE exploits with kernel privilege escalation to deliver implants, and includes five kernel exploits targeting iOS versions up to 17.2, with one being a direct evolution of the Triangulation exploit. The framework demonstrates modular design and is now being weaponized by multiple threat actors beyond the original espionage operators.

Tags: OS · TA0004 · Mobile · TA0001 · TA0002 · Browser · Apple · Research

2026-03-26 05:16Z · HIGH

CVE-2026-4840 — Performing a manipulation of the argument IpAddr results in os command injection.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-4840

A security flaw has been discovered in Netcore Power 15AX up to 3.0.0.6938. Affected by this issue is the function setTools of the file /bin/netis.cgi of the component Diagnostic Tool Interface. Performing a manipulation of the argument IpAddr results in OS command injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 8.8 (HIGH) · EPSS 42nd percentile

Tags: CWE 77 · CWE 78 · Vulnerability

2026-03-26 05:16Z · HIGH

CVE-2026-2931 — Amelia: The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-2931

The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with customer-level permissions or above to change user passwords and potentially take over administrator accounts. The vulnerability is in the pro plugin, which CVSSv3.1 8.8 (HIGH) · EPSS 14th percentile

Tags: CWE 269 · Amelia · Vulnerability

2026-03-26 03:16Z · CRIT

CVE-2014-125112 — Miyagawa Plack: Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2014-125112

Plack::Middleware::Session::Cookie versions through 0.21 for Perl allow remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 have a security vulnerability where an attacker can execute arbitrary code on the server during deserialization of the cookie data when no secret is used to sign the cookie. CVSSv3.1 9.8 (CRITICAL)

Tags: CWE 565 · Plack · Miyagawa · Vulnerability

2026-03-26 02:16Z · HIGH

CVE-2026-4484 — Masteriyo: The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-4484

The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.6. This is due to the plugin allowing a user to update the user role through the 'InstructorsController::prepare_object_for_database' function. This makes it possible for authenticated attackers, with Student-level access and above, to elevate their privileges to that of an administrator. CVSSv3.1 8.8 (HIGH) · EPSS 13th percentile

Tags: CWE 862 · Masteriyo · Vulnerability

2026-03-26 00:16Z · HIGH

CVE-2026-4758 — Job: The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-4758

The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'WPJOBPORTALcustomfields::removeFileCustom' function in all versions up to, and including, 2.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). CVSSv3.1 8.8 (HIGH) · EPSS 51st percentile

Tags: CWE 22 · Job · Vulnerability

2026-03-26 00:00Z · CRIT

Illuminating VoidLink: Technical analysis of the VoidLink rootkit framework

Elastic Security Labs · elastic.co

Elastic Security Labs published a deep technical analysis of VoidLink, a sophisticated Linux rootkit framework combining Loadable Kernel Modules (LKMs) with eBPF programs for kernel-level persistence and evasion. The analysis traces four generations of the malware across CentOS 7 through Ubuntu 22.04, revealing iterative development patterns consistent with AI-assisted workflows, operational deployment on Alibaba Cloud infrastructure, and novel techniques for hiding network connections from the ss utility via Netlink message manipulation.

Tags: OS · TA0005 · TA0003 · Elastic · Research · Threat Intel · Discovery · Defense Evasion

2026-03-26 00:00Z · CRIT

Your AI Gateway Was a Backdoor: Inside the LiteLLM Supply Chain Compromise

Trend Micro Research · trendmicro.com · in the wild

LiteLLM, a widely-used Python AI proxy gateway downloaded 3.4M times daily, was compromised on PyPI with versions 1.82.7 and 1.82.8 containing a three-stage malicious payload. The compromise was part of a broader supply chain campaign by TeamPCP that originated from a compromised Trivy security scanner, demonstrating how CI/CD tooling with broad credential access becomes a high-value attack vector. The malware harvested cloud credentials, SSH keys, Kubernetes secrets, and LLM API keys via encrypted exfiltration and established persistent backdoors in target environments.

Tags: Application · TA0005 · TA0001 · TA0002 · TA0006 · Identity · TA0003 · Cloud

2026-03-26 00:00Z · CRIT

Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities

Trend Micro Research · trendmicro.com · CVE-2026-21509 · CVE-2026-21513 · in the wild · 0day

Pawn Storm (APT28) deployed PRISMEX, a sophisticated malware suite combining steganography, COM hijacking, and cloud abuse, targeting Ukrainian defense and allied government infrastructure across Central/Eastern Europe. The campaign exploited CVE-2026-21509 (Office OLE bypass) in late January 2026 with infrastructure prepared two weeks prior, and chained it with zero-day CVE-2026-21513 (MSHTML security bypass) exploited 11 days before Microsoft's patch, indicating advance vulnerability knowledge.

Tags: Application · OS · TA0005 · TA0001 · TA0002 · TA0003 · TA0011 · Microsoft

2026-03-25 23:00Z · HIGH

In WAF we (should not) trust

Quarkslab · blog.quarkslab.com

Quarkslab published a comprehensive deep-dive on Web Application Firewall (WAF) bypass techniques, covering misconfiguration exploitation (direct origin exposure, header spoofing, request size limits), trust-based exclusion abuse, and multi-layered obfuscation strategies (lexical, structural, and protocol-level). The research demonstrates how parsing discrepancies between WAF inspection and backend execution enable attackers to evade detection while maintaining low operational noise.

Tags: TA0005 · Web · Research · Writeup · Defense Evasion · T1190 · T1566 · T1027

2026-03-25 21:16Z · HIGH

CVE-2026-30976 — Sonarr Sonarr: In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-30976

Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any file readable by the Sonarr process. These include application configuration files (containing API keys and database credentials), Windows system files, and any user-accessible files on the same drive. This issue only impacts Windows systems; macOS and Linux are unaffected. Files returned from the API were not limited CVSSv3.1 8.6 (HIGH)

Tags: CWE 22 · Sonarr · Vulnerability

2026-03-25 20:16Z · HIGH

CVE-2026-33216 — Linuxfoundation Nats-server: Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33216

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpo CVSSv3.1 8.6 (HIGH)

Tags: CWE 256 · CWE 213 · Linuxfoundation · Nats · Vulnerability

2026-03-25 18:16Z · HIGH

CVE-2026-30587 — Seafile Seafile_server: Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-30587

Multiple Stored XSS vulnerabilities exist in Seafile Server versions 13.0.15, 13.0.16-pro, 12.0.14 and prior, and are fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc (sdoc) editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows authenticated remote attackers to inject malicious JavaScript payloads via the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags. CVSSv3.1 8.7 (HIGH) · EPSS 18th percentile

Tags: CWE 79 · Stored · Seafile · Vulnerability

2026-03-25 18:16Z · HIGH

CVE-2025-67030 — Codehaus-plexus Plexus-utils: Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-67030

Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code. CVSSv3.1 8.8 (HIGH) · EPSS 50th percentile

Tags: CWE 22 · Codehaus Plexus · Vulnerability

2026-03-25 17:17Z · CRIT

CVE-2026-32573 — Control: Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32573

Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection. This issue affects Nelio AB Testing: from n/a through <= 8.2.7. CVSSv3.1 9.1 (CRITICAL) · EPSS 18th percentile

Tags: CWE 94 · Vulnerability

2026-03-25 17:17Z · CRIT

CVE-2026-32539 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32539

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PublishPress PublishPress Revisions revisionary allows Blind SQL Injection. This issue affects PublishPress Revisions: from n/a through <= 3.7.23. CVSSv3.1 9.3 (CRITICAL) · EPSS 12th percentile

Tags: CWE 89 · Vulnerability

2026-03-25 17:17Z · CRIT

CVE-2026-32536 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in halfdata Green Downloads halfdata-paypal-green-downloads allows

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32536

Unrestricted Upload of File with Dangerous Type vulnerability in halfdata Green Downloads halfdata-paypal-green-downloads allows Using Malicious Files. This issue affects Green Downloads: from n/a through <= 2.08. CVSSv3.1 9.9 (CRITICAL) · EPSS 15th percentile

Tags: CWE 434 · Vulnerability

2026-03-25 17:17Z · HIGH

CVE-2026-32534 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32534

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk js-support-ticket allows Blind SQL Injection. This issue affects JS Help Desk: from n/a through <= 3.0.3. CVSSv3.1 8.5 (HIGH) · EPSS 10th percentile

Tags: CWE 89 · Vulnerability

2026-03-25 17:17Z · HIGH

CVE-2026-32531 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32531

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kunco kunco allows PHP Local File Inclusion. This issue affects Kunco: from n/a through < 1.4.5. CVSSv3.1 8.1 (HIGH) · EPSS 36th percentile

Tags: CWE 98 · Vulnerability

2026-03-25 17:17Z · HIGH

CVE-2026-32530 — Incorrect: Privilege Assignment vulnerability in WPFunnels Creator LMS creatorlms allows Privilege Escalation.This issue affects

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32530

Incorrect Privilege Assignment vulnerability in WPFunnels Creator LMS creatorlms allows Privilege Escalation. This issue affects Creator LMS: from n/a through <= 1.1.18. CVSSv3.1 8.8 (HIGH) · EPSS 13th percentile

Tags: CWE 266 · Vulnerability

2026-03-25 17:17Z · CRIT

CVE-2026-32525 — Control: Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters JetFormBuilder jetformbuilder allows

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32525

Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Code Injection. This issue affects JetFormBuilder: from n/a through <= 3.5.6.1. CVSSv3.1 9.9 (CRITICAL) · EPSS 17th percentile

Tags: CWE 94 · Vulnerability

2026-03-25 17:17Z · CRIT

CVE-2026-32524 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Photo Engine wplr-sync

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32524

Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Photo Engine wplr-sync allows Upload a Web Shell to a Web Server. This issue affects Photo Engine: from n/a through <= 6.4.9. CVSSv3.1 9.1 (CRITICAL) · EPSS 16th percentile

Tags: CWE 434 · Vulnerability