Latest intel // live feed
Oracle vulnerability (CVE-2026-21992) impacts core products
Oracle disclosed CVE-2026-21992, a critical vulnerability (CVSS 9.8) affecting Oracle Identity Manager and Oracle Web Services Manager in Fusion Middleware. Unauthenticated attackers can achieve remote code execution via HTTP due to missing network-level authentication. No active exploitation reported as of publication.
CVE-2026-4558 — Linksys Mr9600_firmware: Executing a manipulation of the argument configApSsid/configApPassphrase/srpLogin/srpPassword can lead to os command injection.
A flaw has been found in Linksys MR9600 2.0.6.206937. Affected is the function smartConnectConfigure of the file SmartConnect.lua. Executing a manipulation of the argument configApSsid/configApPassphrase/srpLogin/srpPassword can lead to os command injection. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 8.8 (HIGH) · EPSS 49th percentile
CVE-2026-4314 — Ultimate: The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to
The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.4. This is due to the `isDashboardOrProfileRequest()` method in the Menu Editor module using an insecure `strpos()` check against `$_SERVER['REQUEST_URI']` to determine if a request targets the dashboard or profile page. The `grantVirtualCaps()` method, which is hooked into the `user_has_cap` filter, grants elevated capabiliti CVSSv3.1 8.8 (HIGH) · EPSS 14th percentile
CVE-2026-4529 — Dlink Dhp-1320_firmware: Such manipulation leads to stack-based buffer overflow.
A vulnerability was identified in D-Link DHP-1320 1.00WWB04. This affects the function redirect_count_down_page of the component SOAP Handler. Such manipulation leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer. CVSSv3.1 8.8 (HIGH) · EPSS 18th percentile
CVE-2026-3629 — Import: The Import and export users and customers plugin for WordPress is vulnerable to privilege
The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'save_extra_user_profile_fields' function not properly restricting which user meta keys can be updated via profile fields. The 'get_restricted_fields' method does not include sensitive meta keys such as 'wp_capabilities'. This makes it possible for unauthenticated attackers to escalate their privileges to Adminis CVSSv3.1 8.1 (HIGH) · EPSS 24th percentile
CVE-2026-4261 — Expire: The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions
The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.2. This is due to the plugin allowing a user to update the 'on_expire_default_to_role' meta through the 'save_extra_user_profile_fields' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator. CVSSv3.1 8.8 (HIGH) · EPSS 16th percentile
CVE-2026-3334 — CMS: The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname'
The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in all versions up to, and including, 2.288. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL queries in the restore workflow. This makes it possible for authenticated attackers, with CMS Commander API key access, to append additional SQL queries into alread CVSSv3.1 8.8 (HIGH) · EPSS 11th percentile
CVE-2026-2941 — Linksy: The Linksy Search and Replace plugin for WordPress is vulnerable to unauthorized modification of
The Linksy Search and Replace plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'linksy_search_and_replace_item_details' function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to update any database table, any value, including the wp_capabilities database field, which allows attackers to change their own role to administrato CVSSv3.1 8.8 (HIGH) · EPSS 16th percentile
CVE-2026-33236 — Nltk Nltk: Attackers can control a remote XML index server to provide malicious values containing path
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the `subdir` and `id` attributes when processing remote XML index files. Attackers can control a remote XML index server to provide malicious values containing path traversal sequences (such as `../`), which can lead to arbitrary directory creati CVSSv3.1 8.1 (HIGH)
CVE-2026-33228 — Webreflection Flatted: is a circular JSON parser.
flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effecti CVSSv3.1 9.8 (CRITICAL) · EPSS 45th percentile
CVE-2026-33210 — Ruby-lang Json: From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection
Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2. CVSSv3.1 9.1 (CRITICAL)
CVE-2026-33186 — Grpc Grpc: Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (includin CVSSv3.1 9.1 (CRITICAL)
CVE-2026-29796 — Igl Eparking.fi: WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructu CVSSv3.1 9.4 (CRITICAL) · EPSS 16th percentile
CVE-2026-25192 — Ctek Charge_portal: WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructu CVSSv3.1 9.4 (CRITICAL) · EPSS 45th percentile
v3.4.0.49
Mythic v3.4.0.49 released with a Dockerfile tag bump to match the release version. No detailed changelog or feature information is provided in the GitHub release page.
CVE-2026-33166 — Qameta Allure_report: The Allure report generator prior to version 2.38.0 is vulnerable to an arbitrary file
Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. The Allure report generator prior to version 2.38.0 is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file (-result.json, -container.json, or .plist) that points an attachment source to a sensitive file on the host system. During report generation, Allure will resolve these paths and include the sensitive fi CVSSv3.1 8.6 (HIGH)
v2.11.0
AzureHound v2.11.0 released with maintenance updates including CLA workflow fixes, Windows resource generation tooling via winres, tenant info corrections for application fixture naming, and removal of Trivy from CI/CD actions. This is a routine point release with no security fixes or feature additions.
CVE-2026-33010 — Doobidoo Mcp-memory-service: The wildcard Access-Control-Allow-Origin: * header permits any website to read API responses cross-origin.
mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.25.1, when the HTTP server is enabled (MCP_HTTP_ENABLED=true), the application configures FastAPI's CORSMiddleware with allow_origins=['*'], allow_credentials=True, allow_methods=["*"], and allow_headers=["*"]. The wildcard Access-Control-Allow-Origin: * header permits any website to read API responses cross-origin. When combined with anonymous access (MCP_ALLOW_ANONYMOUS_ACCESS=t CVSSv3.1 8.1 (HIGH)
CVE-2026-22898 — Qnap Qvr_pro: A missing authentication for critical function vulnerability has been reported to affect QVR Pro.
A missing authentication for critical function vulnerability has been reported to affect QVR Pro. The remote attackers can then exploit the vulnerability to gain access to the system. We have already fixed the vulnerability in the following version: QVR Pro 2.7.4.14 and later CVSSv3.1 9.8 (CRITICAL)
CVE-2025-59383 — Qnap Media_streaming_add-on: A buffer overflow vulnerability has been reported to affect Media Streaming Add-On.
A buffer overflow vulnerability has been reported to affect Media Streaming Add-On. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: Media Streaming Add-on 500.1.1 and later CVSSv3.1 9.1 (CRITICAL)
CVE-2025-67260 — Aster-te Terrapack_tkservercgi: The Terrapack software, from ASTER TEC / ASTER S.p.A., with the indicated components and
The Terrapack software, from ASTER TEC / ASTER S.p.A., with the indicated components and versions has a file upload vulnerability that may allow attackers to execute arbitrary code. Vulnerable components include Terrapack TkWebCoreNG:: 1.0.20200914, Terrapack TKServerCGI 2.5.4.150, and Terrapack TpkWebGIS Client 1.0.0. CVSSv3.1 8.8 (HIGH)
CVE-2024-44722 — Anolis Sysak: v2.0 and before is vulnerable to command execution via aaa;cat /etc/passwd.
SysAK v2.0 and before is vulnerable to command execution via aaa;cat /etc/passwd. CVSSv3.1 9.8 (CRITICAL)
linux-exploit-suggester — Linux privilege escalation auditing tool
Linux Exploit Suggester (LES) is a shell-based auditing tool that identifies Linux kernel privilege escalation vulnerabilities on a target system by matching kernel version, distro, and configuration against a curated database of public exploits. The tool also performs kernel hardening assessment via checksec-style analysis of compile-time and runtime security configurations.
CVE-2026-22324 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Melania melania allows PHP Local File Inclusion. This issue affects Melania: from n/a through <= 2.5.0. CVSSv3.1 8.1 (HIGH)
CVE-2026-4475 — Such manipulation leads to hard-coded credentials.
A vulnerability has been found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The affected element is an unknown function of the file home/web/ipc. Such manipulation leads to hard-coded credentials. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 8.8 (HIGH) · EPSS 11th percentile