Latest intel // live feed
CVE-2026-22499 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Lella lella allows PHP Local File Inclusion. This issue affects Lella: from n/a through <= 1.2. CVSSv3.1 8.1 (HIGH) · EPSS 36th percentile
CVE-2026-22498 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent laurent allows PHP Local File Inclusion. This issue affects Laurent: from n/a through <= 3.1. CVSSv3.1 8.1 (HIGH) · EPSS 36th percentile
CVE-2026-22496 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hypnotherapy hypnotherapy allows PHP Local File Inclusion. This issue affects Hypnotherapy: from n/a through <= 1.2.10. CVSSv3.1 8.1 (HIGH) · EPSS 36th percentile
CVE-2026-22495 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Greenville greenville allows PHP Local File Inclusion. This issue affects Greenville: from n/a through <= 1.3.2. CVSSv3.1 8.1 (HIGH) · EPSS 36th percentile
CVE-2026-22494 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Good Homes good-homes allows PHP Local File Inclusion. This issue affects Good Homes: from n/a through <= 1.3.13. CVSSv3.1 8.1 (HIGH) · EPSS 36th percentile
CVE-2026-22493 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Gaspard gaspard allows PHP Local File Inclusion. This issue affects Gaspard: from n/a through <= 1.3. CVSSv3.1 8.1 (HIGH) · EPSS 36th percentile
CVE-2026-22484 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pebas Lisfinity Core lisfinity-core allows SQL Injection. This issue affects Lisfinity Core: from n/a through <= 1.5.0. CVSSv3.1 9.3 (CRITICAL) · EPSS 12th percentile
CVE-2025-69347 — Authorization: Bypass Through User-Controlled Key vulnerability in Convers Lab WPSubscription subscription allows Exploiting Incorrectly
Authorization Bypass Through User-Controlled Key vulnerability in Convers Lab WPSubscription subscription allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPSubscription: from n/a through <= 1.8.10. CVSSv3.1 8.6 (HIGH) · EPSS 9th percentile
CVE-2026-26832 — Zapolnoch Tesseract_ocr: In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS
node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to child_process.exec() without proper sanitization. CVSSv3.1 9.8 (CRITICAL) · EPSS 51st percentile
CVE-2025-59707 — N2ws N2w: In N2W before 4.3.2 and 4.4.x before 4.4.1, there is potential remote code execution
In N2W before 4.3.2 and 4.4.x before 4.4.1, there is potential remote code execution and account credentials theft because of a spoofing vulnerability. CVSSv3.1 9.8 (CRITICAL) · EPSS 52nd percentile
CVE-2025-59706 — N2ws N2w: In N2W before 4.3.2 and 4.4.0 before 4.4.1, improper validation of API request parameters
In N2W before 4.3.2 and 4.4.0 before 4.4.1, improper validation of API request parameters enables remote code execution. CVSSv3.1 9.8 (CRITICAL) · EPSS 52nd percentile
CVE-2024-51348 — A stack-based buffer overflow vulnerability in the P2P API service in BS Producten Petcam
A stack-based buffer overflow vulnerability in the P2P API service in BS Producten Petcam with firmware 33.1.0.0818 allows unauthenticated attackers within network range to overwrite the instruction pointer and achieve Remote Code Execution (RCE) by sending a specially crafted HTTP request. CVSSv3.1 8.8 (HIGH) · EPSS 43rd percentile
CVE-2026-31788 — Linux Linux_kernel: In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: restrict usage in
In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: restrict usage in unprivileged domU The Xen privcmd driver allows to issue arbitrary hypercalls from user space processes. This is normally no problem, as access is usually limited to root and the hypervisor will deny any hypercalls affecting other domains. In case the guest is booted using secure boot, however, the privcmd driver would be enabling a root user process to modify e.g. kernel mem CVSSv3.1 8.2 (HIGH)
CVE-2026-23395 — Linux Linux_kernel: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix accepting
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ Currently the code attempts to accept requests regardless of the command identifier which may cause multiple requests to be marked as pending (FLAG_DEFER_SETUP) which can cause more than L2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer causing an overflow. The spec is quite clear that the same identifier shall not be used on subse CVSSv3.1 8.8 (HIGH)
Your AI Stack Just Handed Over Your Root Keys: Inside the litellm PyPI Breach
The litellm Python package on PyPI was compromised in versions 1.82.7 and 1.82.8 with malicious code that steals cloud credentials, SSH keys, and Kubernetes secrets. The attacker hijacked maintainer accounts and injected a sophisticated payload that executes on Python interpreter startup, exfiltrates AWS/GCP/Azure credentials, escalates to Kubernetes cluster takeover, and establishes persistence via container escape. The package received 3.4M downloads on the day of discovery and 95M+ in the preceding month, making this a supply-chain incident with massive blast radius across AI/ML infrastructure.
CVE-2026-33331 — Orpc Orpc: Prior to version 1.13.9, a stored cross-site scripting (XSS) vulnerability exists in the OpenAPI
oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.9, a stored cross-site scripting (XSS) vulnerability exists in the OpenAPI documentation generation of orpc. If an attacker can control any field within the OpenAPI specification (such as info.description), they can break out of the JSON context and execute arbitrary JavaScript when a user views the generated API documentation. This issue has been patched CVSSv3.1 8.2 (HIGH)
CVE-2026-33322 — Minio Minio: From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect
MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-22559 — Input: An Improper Input Validation vulnerability in UniFi Network Server may allow unauthorized access to
An Improper Input Validation vulnerability in UniFi Network Server may allow unauthorized access to an account if the account owner is socially engineered into clicking a malicious link. Affected Products: UniFi Network Server (Version 10.1.85 and earlier) Mitigation: Update UniFi Network Server to Version 10.1.89 or later. CVSSv3.1 8.8 (HIGH) · EPSS 9th percentile
Attack Paths Don’t Stop at Identity Providers
SpecterOps published research demonstrating how modern federated identity architectures create cross-platform attack paths that transcend individual system boundaries. The article models Okta as a translation layer between upstream identity sources (Active Directory, Entra) and downstream applications (GitHub, SaaS), showing how privilege accumulates across systems and how compromising upstream identity can propagate downstream through federation and synchronization relationships. The research introduces Okta modeling in BloodHound Enterprise to visualize these nested dependencies as attack graphs.
RTFM: Read The Fatal Manual – When Vendor Documentation Creates Critical Attack Paths
SpecterOps researcher Martin Sohn Christensen disclosed that vendor documentation from 16 major technology companies actively guided administrators to deploy critical Active Directory Certificate Services (AD CS) misconfigurations (ESC1, ESC3, ESC4) that have been known for over four years. Through responsible disclosure coordinated across November 2025–March 2026, some vendors (CyberArk, Iru, ManageEngine, Netskope) remediated within weeks, while others (Cisco, Entrust, FEITIAN, HP, Mitel, Oracle, ServiceNow) remain partially or fully unresolved. The research demonstrates that documentation-induced misconfigurations can create domain-wide attack paths worse than traditional CVEs, affecting countless organizations following official guidance.
CVE-2026-27654 — F5 Nginx_plus: NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular express CVSSv3.1 8.2 (HIGH)
v3.4.0.52
Mythic v3.4.0.52 released with a Dockerfile tag bump to match the release version. No detailed changelog or feature information is available in the GitHub release page.
CVE-2026-4729 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with
Memory safety bugs present in Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149 and Thunderbird 149. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-4725 — Mozilla Firefox: Sandbox escape due to use-after-free in the Graphics: Canvas2D component.
Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149 and Thunderbird 149. CVSSv3.1 10.0 (CRITICAL)
CVE-2026-4724 — Mozilla Firefox: Undefined behavior in the Audio/Video component.
Undefined behavior in the Audio/Video component. This vulnerability was fixed in Firefox 149 and Thunderbird 149. CVSSv3.1 9.1 (CRITICAL)