Latest intel: live feed
An AI gateway designed to steal your data
In March 2026, attackers compromised the LiteLLM Python package on PyPI, injecting malicious code into versions 1.82.7 and 1.82.8 that targeted developers and infrastructure. The malware performed recursive filesystem scanning for secrets (AWS credentials, SSH keys, database configs, crypto wallets), extracted runtime credentials from AWS IMDS and ECS, and established persistence in Kubernetes clusters via privileged pods and systemd services. A parallel attack also compromised Checkmarx security scanning extensions on OpenVSX, delivering a Node.js variant of the same stealer.
CVE-2026-4862 — UTT HiPER 1250GW: remote buffer overflow via the GroupName argument of /goform/formConfigDnsFilterGlobal
A security vulnerability has been detected in UTT HiPER 1250GW up to 3.2.7-210907-180535. It affects the strcpy call in the Parameter Handler component behind /goform/formConfigDnsFilterGlobal: manipulating the GroupName argument leads to a buffer overflow. The attack can be launched remotely, and the exploit has been disclosed publicly and may be used. CVSSv3.1 8.8 (HIGH) · EPSS 14th percentile
CVE-2026-4861 — Wavlink WL-NU516U1: stack-based buffer overflow via the Content-Length argument in /cgi-bin/nas.cgi
A weakness has been identified in Wavlink WL-NU516U1 260227. It affects the function ftext of /cgi-bin/nas.cgi: manipulating the Content-Length argument causes a stack-based buffer overflow. The attack can be initiated remotely, and the exploit has been made available to the public. The vendor was contacted early about this disclosure but did not respond. CVSSv3.1 8.8 (HIGH) · EPSS 16th percentile
Coruna: the framework used in Operation Triangulation
Kaspersky analyzed Coruna, a sophisticated iOS exploit kit discovered in March 2026 that reuses the kernel exploitation framework from Operation Triangulation. The kit chains Safari RCE exploits with kernel privilege escalation to deliver implants, and includes five kernel exploits targeting iOS versions up to 17.2, with one being a direct evolution of the Triangulation exploit. The framework demonstrates modular design and is now being weaponized by multiple threat actors beyond the original espionage operators.
CVE-2026-4840 — Netcore Power 15AX: OS command injection via the IpAddr argument of the Diagnostic Tool Interface in /bin/netis.cgi
A security flaw has been discovered in Netcore Power 15AX up to 3.0.0.6938. It affects the function setTools of /bin/netis.cgi in the Diagnostic Tool Interface component: manipulating the IpAddr argument results in OS command injection. Remote exploitation is possible, and the exploit has been released to the public. The vendor was contacted early about this disclosure but did not respond. CVSSv3.1 8.8 (HIGH) · EPSS 42nd percentile
CVE-2026-2931 — Amelia Booking plugin for WordPress: IDOR lets customer-level users change passwords and potentially take over administrator accounts
The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. The plugin provides user-controlled access to objects, letting a user bypass authorization and reach system resources. This makes it possible for authenticated attackers with customer-level permissions or above to change user passwords and potentially take over administrator accounts. The vulnerability is in the pro plugin, which […] CVSSv3.1 8.8 (HIGH) · EPSS 14th percentile
CVE-2014-125112 — Plack::Middleware::Session::Cookie (Perl) through 0.21: remote code execution via unsigned session cookie deserialization
Plack::Middleware::Session::Cookie versions through 0.21 for Perl allow remote code execution: when no secret is configured to sign the session cookie, an attacker can supply arbitrary cookie data and execute arbitrary code on the server when that data is deserialized. CVSSv3.1 9.8 (CRITICAL)
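The Plack item above is the unsigned-cookie deserialization pattern: whatever the client sends is fed to the deserializer. As an added example written by the editor in Python (not Plack's Perl code), the script below shows the two properties a session cookie needs to avoid that class of bug: the cookie carries an HMAC tag that is verified before anything is decoded, and the payload is JSON rather than a native object serializer, so even a forged payload cannot reach code execution. The secret, the session contents and the helper names are constructed for the demo.

```python
"""Authenticate a session cookie before deserializing it.

Added example in Python, not Plack's code. The secret and session values are
constructed for the demo; in real code the secret comes from configuration.
"""
import base64
import hashlib
import hmac
import json


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def make_session_cookie(session: dict, secret: bytes) -> str:
    """Serialize `session` as JSON and append an HMAC-SHA256 tag.
    Refuses to run without a secret: an unsigned cookie is attacker-controlled
    input handed straight to the deserializer, which is exactly the bug class."""
    if not secret:
        raise ValueError("refusing to issue an unsigned session cookie")
    payload = _b64e(json.dumps(session, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def load_session_cookie(cookie: str, secret: bytes):
    """Return the session dict, or None if the cookie is malformed or the tag
    does not verify. Verification happens before any decoding of the payload."""
    if not secret:
        raise ValueError("refusing to read session cookies without a secret")
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    try:
        return json.loads(_b64d(payload))
    except (ValueError, TypeError):
        return None


def forge_cookie(cookie: str, new_session: dict) -> str:
    """What an attacker without the secret can do: swap the payload and reuse
    the old tag. Included only to show that load_session_cookie rejects it."""
    _, _, old_tag = cookie.rpartition(".")
    payload = _b64e(json.dumps(new_session, sort_keys=True, separators=(",", ":")).encode())
    return f"{payload}.{old_tag}"


SECRET = b"constructed-demo-secret-do-not-reuse"   # assumption: loaded from config in real code

if __name__ == "__main__":
    cookie = make_session_cookie({"user": "alice", "role": "user"}, SECRET)
    print("valid  :", load_session_cookie(cookie, SECRET))
    forged = forge_cookie(cookie, {"user": "alice", "role": "admin"})
    print("forged :", load_session_cookie(forged, SECRET))   # None: tag no longer matches
```

The order of operations is the point: the tag check comes first and uses `hmac.compare_digest`, and only a cookie that passes it is decoded. Choosing JSON over a pickle-style serializer is the second layer; it means a leaked or weak secret costs you session integrity, not arbitrary code execution on the server.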
CVE-2026-4484 — Masteriyo LMS plugin for WordPress: privilege escalation from Student-level access to administrator
The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.6. This is due to the plugin allowing a user to update the user role through the 'InstructorsController::prepare_object_for_database' function. This makes it possible for authenticated attackers, with Student-level access and above, to elevate their privileges to that of an administrator. CVSSv3.1 8.8 (HIGH) · EPSS 13th percentile
CVE-2026-4758 — WP Job Portal plugin for WordPress: arbitrary file deletion by Subscriber-level users
The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'WPJOBPORTALcustomfields::removeFileCustom' function in all versions up to, and including, 2.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). CVSSv3.1 8.8 (HIGH) · EPSS 51st percentile
Illuminating VoidLink: Technical analysis of the VoidLink rootkit framework
Elastic Security Labs published a deep technical analysis of VoidLink, a sophisticated Linux rootkit framework combining Loadable Kernel Modules (LKMs) with eBPF programs for kernel-level persistence and evasion. The analysis traces four generations of the malware across CentOS 7 through Ubuntu 22.04, revealing iterative development patterns consistent with AI-assisted workflows, operational deployment on Alibaba Cloud infrastructure, and novel techniques for hiding network connections from the ss utility via Netlink message manipulation.
Your AI Gateway Was a Backdoor: Inside the LiteLLM Supply Chain Compromise
LiteLLM, a widely-used Python AI proxy gateway downloaded 3.4M times daily, was compromised on PyPI with versions 1.82.7 and 1.82.8 containing a three-stage malicious payload. The compromise was part of a broader supply chain campaign by TeamPCP that originated from a compromised Trivy security scanner, demonstrating how CI/CD tooling with broad credential access becomes a high-value attack vector. The malware harvested cloud credentials, SSH keys, Kubernetes secrets, and LLM API keys via encrypted exfiltration and established persistent backdoors in target environments.
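Both LiteLLM items on this page name the same two compromised releases, 1.82.7 and 1.82.8. The first thing a practitioner wants is to know whether any manifest in the estate can install them, which is not only a question of exact pins: a range such as `>=1.82,<1.83` resolves to a bad release just as surely. The script below is an added example written by the editor, not code from LiteLLM or PyPI; the manifest lines are constructed for the demo, and the version and specifier handling is a small subset of PEP 440 written here rather than the `packaging` library.

```python
"""Scan dependency manifests for the compromised LiteLLM releases.

Added example, not LiteLLM's or PyPI's code. Only the package name and the
two bad versions (1.82.7, 1.82.8) come from the advisory; the manifest
lines at the bottom are constructed for illustration.
"""
import re

# Package -> set of compromised version tuples (from the advisory text).
COMPROMISED = {"litellm": {(1, 82, 7), (1, 82, 8)}}

# name, optional [extras], then the specifier (up to a ';' marker or '#' comment)
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*([^;#]*)")


def parse_version(text):
    """'1.82.7' -> (1, 82, 7). Parsing stops at the first non-numeric part,
    so '1.82.*' becomes (1, 82), which is what the wildcard test needs."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def compare(a, b):
    """Three-way compare of version tuples, zero-padded so 1.82 == 1.82.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def satisfies(version, spec):
    """True if `version` is allowed by a comma-separated specifier set.
    Handles ==, ===, !=, >=, <=, >, <, ~= and the '==1.82.*' wildcard;
    an empty specifier (unpinned) allows everything."""
    spec = spec.strip()
    if not spec:
        return True
    for clause in spec.split(","):
        m = re.match(r"(===|==|!=|~=|>=|<=|>|<)\s*(\S+)$", clause.strip())
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, target = m.groups()
        t = parse_version(target)
        c = compare(version, t)
        if op in ("==", "===") and target.endswith(".*"):
            ok = version[:len(t)] == t
        elif op in ("==", "==="):
            ok = c == 0
        elif op == "!=":
            ok = c != 0
        elif op == ">=":
            ok = c >= 0
        elif op == "<=":
            ok = c <= 0
        elif op == ">":
            ok = c > 0
        elif op == "<":
            ok = c < 0
        else:  # ~=1.82.7 means >=1.82.7 and <1.83 (PEP 440 compatible release)
            if len(t) < 2:
                raise ValueError(f"~= needs at least two components: {clause!r}")
            upper = t[:-2] + (t[-2] + 1,)
            ok = c >= 0 and compare(version, upper) < 0
        if not ok:
            return False
    return True


def check_manifest(lines):
    """Return [(line, verdict, matching_versions)] for requirement lines that
    could install a compromised release. verdict is PINNED_TO_COMPROMISED for
    an exact bad pin (e.g. pip freeze output) or RANGE_ALLOWS_COMPROMISED when
    the specifier merely permits a bad release to be resolved."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # blank, '-r', '-e', flags
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")
        spec = m.group(3).strip()
        if name not in COMPROMISED:
            continue
        bad = sorted(v for v in COMPROMISED[name] if satisfies(v, spec))
        if not bad:
            continue
        exact = re.fullmatch(r"==\s*[\d.]+", spec) is not None
        verdict = "PINNED_TO_COMPROMISED" if exact else "RANGE_ALLOWS_COMPROMISED"
        findings.append((line, verdict, bad))
    return findings


# Constructed sample: a requirements.txt mixed with pip-freeze style pins.
SAMPLE_MANIFEST = [
    "requests==2.32.3",
    "litellm==1.82.7",                       # exact pin on a bad release
    "litellm[proxy]>=1.82,<1.83   # proxy",  # range that can resolve to 1.82.7 or 1.82.8
    "LiteLLM~=1.81.0",                       # compatible release: allows 1.81.x only
    "litellm==1.82.6",                       # pin on a release the advisory does not list
    "litellm>=1.82,!=1.82.7,!=1.82.8",       # range with both bad releases excluded
]

if __name__ == "__main__":
    for line, verdict, versions in check_manifest(SAMPLE_MANIFEST):
        print(f"{verdict:26} {line!r} -> {['.'.join(map(str, v)) for v in versions]}")
```

Run it over `pip freeze` output from each environment as well as over source manifests: the freeze output tells you what is actually installed, while a range in requirements.txt tells you what a fresh build could pull in. For lock files (poetry.lock, uv.lock) the same `COMPROMISED` table applies, but the parsing would need to follow their formats rather than the requirements line grammar used here.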
Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities
Pawn Storm (APT28) deployed PRISMEX, a sophisticated malware suite combining steganography, COM hijacking, and cloud abuse, targeting Ukrainian defense and allied government infrastructure across Central/Eastern Europe. The campaign exploited CVE-2026-21509 (Office OLE bypass) in late January 2026 with infrastructure prepared two weeks prior, and chained it with zero-day CVE-2026-21513 (MSHTML security bypass) exploited 11 days before Microsoft's patch, indicating advance vulnerability knowledge.
In WAF we (should not) trust
Quarkslab published a comprehensive deep-dive on Web Application Firewall (WAF) bypass techniques, covering misconfiguration exploitation (direct origin exposure, header spoofing, request size limits), trust-based exclusion abuse, and multi-layered obfuscation strategies (lexical, structural, and protocol-level). The research demonstrates how parsing discrepancies between WAF inspection and backend execution enable attackers to evade detection while maintaining low operational noise.
CVE-2026-30976 — Sonarr 4.x before 4.0.17.2950: unauthenticated arbitrary file read on Windows
Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any file readable by the Sonarr process. These include application configuration files (containing API keys and database credentials), Windows system files, and any user-accessible files on the same drive. This issue only impacts Windows systems; macOS and Linux are unaffected. Files returned from the API were not limited […] CVSSv3.1 8.6 (HIGH)
CVE-2026-33216 — NATS Server before 2.11.15 and 2.12.6: MQTT passwords exposed via monitoring endpoints
NATS Server is a high-performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, in MQTT deployments using usercodes/passwords, MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring endpoints are adequately secured. Best practice remains to not expose the monitoring endpoints […] CVSSv3.1 8.6 (HIGH)
CVE-2026-30587 — Seafile Server: multiple stored XSS via the Seadoc editor, fixed in 13.0.17, 13.0.17-pro and 12.0.20-pro
Multiple stored XSS vulnerabilities exist in Seafile Server versions 13.0.15, 13.0.16-pro, 12.0.14 and prior, fixed in 13.0.17, 13.0.17-pro and 12.0.20-pro, via the Seadoc (sdoc) editor. The application fails to properly sanitize WebSocket messages carrying document structure updates, which allows authenticated remote attackers to inject malicious JavaScript payloads via the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags. CVSSv3.1 8.7 (HIGH) · EPSS 18th percentile
CVE-2025-67030 — plexus-utils: directory traversal in org.codehaus.plexus.util.Expand.extractFile, fixed in commit 6d780b3378829318ba5c2d29547e0012d5b29642
Directory traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before commit 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code. CVSSv3.1 8.8 (HIGH) · EPSS 50th percentile
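The Sonarr file-read item and this plexus-utils extraction item are the same defect seen from two sides: a caller-supplied name is joined to a base directory and used without checking that the result stays under that directory. The block below is an added example written by the editor, not Sonarr's or plexus-utils' code. One containment check serves both cases, the file name a server reads back and the archive entry name it writes out (the Zip Slip pattern). It uses `posixpath` and `ntpath` as pure string logic so the Windows rules (drive letters, UNC prefixes, backslashes) are exercised on any host; the base directories and names are constructed.

```python
"""Reject path traversal before reading or extracting files.

Added example, not Sonarr's or plexus-utils' code. Base directories and
entry names below are constructed for the demo.
"""
import ntpath
import posixpath


def contained_path(base, name, windows=False):
    """Return the normalized absolute path of `name` under `base`, or None if
    `name` is absolute, root-relative, names a drive or UNC share, or escapes
    `base` via '..'. Pure string logic: nothing on disk is touched."""
    p = ntpath if windows else posixpath
    if windows:
        name = name.replace("/", "\\")          # archive entries use '/', Windows accepts both
    if p.isabs(name):
        return None
    if windows and (name.startswith("\\") or p.splitdrive(name)[0]):
        return None                             # '\\Windows\\..', '\\\\server\\share', 'D:file'
    base_n = p.normpath(base)
    joined = p.normpath(p.join(base_n, name))   # normpath collapses '..' segments
    a, b = (joined.lower(), base_n.lower()) if windows else (joined, base_n)
    prefix = b.rstrip(p.sep) + p.sep            # trailing separator: 'uploads2' is not under 'uploads'
    if a == b or a.startswith(prefix):
        return joined
    return None


def partition_archive_entries(names, dest, windows=False):
    """Split archive entry names into (safe, rejected) before extraction.
    Directory entries (trailing '/') go through the same check; an empty
    name is rejected outright."""
    safe, rejected = [], []
    for n in names:
        stripped = n.rstrip("/")
        target = contained_path(dest, stripped, windows) if stripped else None
        (safe if target is not None else rejected).append(n)
    return safe, rejected


# Constructed inputs for the demo.
UPLOAD_ROOT = "/srv/app/uploads"
SONARR_ROOT = "C:\\ProgramData\\Sonarr"
ARCHIVE_ENTRIES = [
    "docs/readme.txt",
    "a/../b.txt",                 # stays inside after normalization
    "../../etc/cron.d/evil",      # classic Zip Slip
    "/etc/passwd",                # absolute
    "good/../../escape.txt",      # escapes by one level
]

if __name__ == "__main__":
    print(contained_path(UPLOAD_ROOT, "user1/avatar.png"))
    print(contained_path(SONARR_ROOT, "..\\config.xml", windows=True))        # None
    print(contained_path(SONARR_ROOT, "C:\\Windows\\win.ini", windows=True))  # None
    print(partition_archive_entries(ARCHIVE_ENTRIES, UPLOAD_ROOT))
```

Two caveats for real deployments. String containment does not see symlinks or junctions, so after this check the code that actually opens the file should resolve the path on the real filesystem (`os.path.realpath`) and re-check it against the base. And the Windows branch is the one to test most carefully: the Sonarr advisory is Windows-only precisely because backslashes, drive letters and UNC names give a traversal payload several more spellings than it has on Linux.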
CVE-2026-32573 — Nelio AB Testing (Nelio Software, nelio-ab-testing) through 8.2.7: code injection
Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing (nelio-ab-testing) allows code injection. This issue affects Nelio AB Testing from n/a through 8.2.7. CVSSv3.1 9.1 (CRITICAL) · EPSS 18th percentile
CVE-2026-32539 — PublishPress Revisions (revisionary) through 3.7.23: blind SQL injection
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PublishPress PublishPress Revisions (revisionary) allows blind SQL injection. This issue affects PublishPress Revisions from n/a through 3.7.23. CVSSv3.1 9.3 (CRITICAL) · EPSS 12th percentile
CVE-2026-32536 — Green Downloads (halfdata, halfdata-paypal-green-downloads) through 2.08: unrestricted upload of dangerous file types
Unrestricted Upload of File with Dangerous Type vulnerability in halfdata Green Downloads (halfdata-paypal-green-downloads) allows using malicious files. This issue affects Green Downloads from n/a through 2.08. CVSSv3.1 9.9 (CRITICAL) · EPSS 15th percentile
CVE-2026-32534 — JS Help Desk (JoomSky, js-support-ticket) through 3.0.3: blind SQL injection
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk (js-support-ticket) allows blind SQL injection. This issue affects JS Help Desk from n/a through 3.0.3. CVSSv3.1 8.5 (HIGH) · EPSS 10th percentile
CVE-2026-32531 — Kunco (gavias, kunco) before 1.4.5: PHP local file inclusion
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kunco (kunco) allows PHP local file inclusion. This issue affects Kunco from n/a through versions before 1.4.5. CVSSv3.1 8.1 (HIGH) · EPSS 36th percentile
CVE-2026-32530 — Creator LMS (WPFunnels, creatorlms) through 1.1.18: incorrect privilege assignment leading to privilege escalation
Incorrect Privilege Assignment vulnerability in WPFunnels Creator LMS (creatorlms) allows privilege escalation. This issue affects Creator LMS from n/a through 1.1.18. CVSSv3.1 8.8 (HIGH) · EPSS 13th percentile
CVE-2026-32525 — JetFormBuilder (jetmonsters, jetformbuilder) through 3.5.6.1: code injection
Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters JetFormBuilder (jetformbuilder) allows code injection. This issue affects JetFormBuilder from n/a through 3.5.6.1. CVSSv3.1 9.9 (CRITICAL) · EPSS 17th percentile
CVE-2026-32524 — Photo Engine (Jordy Meow, wplr-sync) through 6.4.9: unrestricted file upload allowing a web shell
Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Photo Engine (wplr-sync) allows uploading a web shell to the web server. This issue affects Photo Engine from n/a through 6.4.9. CVSSv3.1 9.1 (CRITICAL) · EPSS 16th percentile