Latest intel // live feed
CVE-2026-32768 — Ctfer-io Chall-manager: In versions prior to 0.6.5, due to a miswritten NetworkPolicy, a malicious actor can
Chall-Manager is a platform-agnostic system able to start challenges on demand for a player. In versions prior to 0.6.5, due to a miswritten NetworkPolicy, a malicious actor can pivot from an instance to any Pod outside the origin namespace. This breaks the security-by-default property expected as part of the deployment program, leading to potential lateral movement. In the specific case of sdk/kubernetes.Kompose, it does not isolate the instances. This issue has been fixed in … · CVSSv3.1 9.9 (CRITICAL)
CVE-2026-33017 — Langflow Langflow: In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, … · CVSSv3.1 9.8 (CRITICAL) · EPSS 97th percentile
CVE-2026-32888 — Opensourcepos Open_source_point_of_sale: Versions contain an SQL Injection in the Items search functionality.
Open Source Point of Sale is a web-based point-of-sale application written in PHP using the CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled (search_custom filter), user-supplied input from the search GET parameter is interpolated directly into a HAVING clause without parameterization or sanitization. This allows an authenticated attacker with basic item search permissions to execute ar… · CVSSv3.1 8.8 (HIGH)
CVE-2026-4447 — Google Chrome: Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.153 allowed a remote attacker
Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) · CVSSv3.1 8.8 (HIGH) · EPSS 13th percentile
CVE-2026-32763 — Kysely Kysely: Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path
Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 have a SQL injection vulnerability in JSON path compilation for the MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly into single-quoted JSON path string literals (`'$.key'`) without escaping single quotes. An attacker can break out of the JSON path string context and inject arbitrary SQL. This is inconsistent with `s… · CVSSv3.1 8.2 (HIGH)
CVE-2026-32759 — Filebrowser Filebrowser: The impact ranges from DoS through expensive processing hooks, to command injection amplification when
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions on the 2.x branch prior to 2.33.8, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative, allowing an authenticated user to supply a negative value that instantly satisfies the upload completion condition upon the first PATCH request. This cau… · CVSSv3.1 8.1 (HIGH) · EPSS 35th percentile
CVE-2026-22733 — Vmware Spring_boot: Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31. · CVSSv3.1 8.2 (HIGH)
Linux & Cloud Detection Engineering - TeamPCP Container Attack Scenario
Elastic Security Labs publishes a detailed detection engineering walkthrough of the TeamPCP cloud-native ransomware campaign, mapping eight stages of container compromise (initial execution, discovery, lateral movement, persistence, tooling, tunneling, encoded payloads, and miner deployment) to concrete Defend for Containers (D4C) runtime telemetry and detection rules. The article demonstrates how behavioral signals—download-to-shell pipes, process killing, Kubernetes API enumeration, systemd persistence attempts, package manager abuse, tunneling tool execution, and base64 decoding—can be chained together to detect the full attack lifecycle rather than isolated suspicious commands.
CVE-2026-32721 — Openwrt Luci: Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the
LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0 contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitati… · CVSSv3.1 8.6 (HIGH)
Intego X9: Never trust my updates
Quarkslab disclosed a critical local privilege escalation chain in Intego X9 for macOS affecting the com.intego.netupdated daemon. The vulnerability chains a PID-reuse XPC authentication bypass with a TOCTOU race condition in the package signature validation mechanism, allowing unprivileged users to install arbitrary packages as root by manipulating update settings and swapping validated packages before installation.
CVE-2026-4342 — Kubernetes Ingress-nginx: This can lead to arbitrary code execution in the context of the ingress-nginx controller
A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) · CVSSv3.1 8.8 (HIGH) · EPSS 16th percentile
CVE-2026-32194 — Microsoft Bing_images: Improper neutralization of special elements used in a command ('command injection') in Microsoft Bing
Improper neutralization of special elements used in a command ('command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network. · CVSSv3.1 9.8 (CRITICAL)
CVE-2026-32191 — Microsoft Bing_images: Improper neutralization of special elements used in an os command ('os command injection') in
Improper neutralization of special elements used in an OS command ('OS command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network. · CVSSv3.1 9.8 (CRITICAL)
CVE-2026-32169 — Microsoft Azure_cloud_shell: Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized attacker to elevate
Server-side request forgery (SSRF) in Azure Cloud Shell allows an unauthorized attacker to elevate privileges over a network. · CVSSv3.1 10.0 (CRITICAL)
CVE-2026-30924 — Getqui Qui: Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while
qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a logged-in user. An attacker can exploit this by tricking a victim into loading a malicious webpage, which silently interacts with the application using the victim's session and potentia… · CVSSv3.1 9.6 (CRITICAL)
CVE-2026-30836 — Smallstep Step-ca: Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP
Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0. · CVSSv3.1 10.0 (CRITICAL) · EPSS 1st percentile
A 32-Year-Old Bug Walks Into A Telnet Server (GNU inetutils Telnetd CVE-2026-32746 Pre-Auth RCE)
CVE-2026-32746 is a 32-year-old pre-authentication buffer overflow in GNU inetutils telnetd's LINEMODE SLC (Set Linemode Characters) negotiation handler, allowing attackers to corrupt ~400 bytes of adjacent global variables. The vulnerability affects telnetd across major Linux distributions (Ubuntu, Debian, FreeBSD, NetBSD), Citrix NetScaler, TrueNAS, and others. Exploitation is complex due to triplet encoding constraints and 0xFF byte doubling, but achievable on 32-bit systems via heap corruption and free() primitive abuse.
CVE-2026-3548 — Wolfssl Wolfssl: Two buffer overflow vulnerabilities existed in the wolfSSL CRL parser when parsing CRL numbers
Two buffer overflow vulnerabilities existed in the wolfSSL CRL parser when parsing CRL numbers: a heap-based buffer overflow could occur when improperly storing the CRL number as a hexadecimal string, and a stack-based overflow for sufficiently sized CRL numbers. With appropriately crafted CRLs, either of these out-of-bounds writes could be triggered. Note this only affects builds that specifically enable CRL support, and the user would need to load a CRL from an untrusted sou… · CVSSv3.1 9.8 (CRITICAL) · EPSS 6th percentile
CVE-2026-2646 — Wolfssl Wolfssl: A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function.
A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function. When deserializing session data with SESSION_CERTS enabled, certificate and session id lengths are read from untrusted input without bounds validation, allowing an attacker to overflow fixed-size buffers and corrupt heap memory. A maliciously crafted session would need to be loaded from an external source to trigger this vulnerability. Internal sessions were not vulnerable. · CVSSv3.1 8.1 (HIGH) · EPSS 3rd percentile
Graph the Planet: Shai-Hulud 2.0
SpecterOps analyzes the Shai-Hulud 2.0 worm supply-chain attack through an attack path management lens, decomposing how attackers exploited GitHub PWN requests to harvest credentials, weaponized NPM tokens to infect packages, and propagated malware across 13.7k public repositories. The post introduces NPMHound, a BloodHound OpenGraph extension for modeling NPM dependency chains and semantic versioning attack surfaces, and SecretHound for tracking credential exposure in organizational graphs.
CVE-2026-30711 — Devome: GRR v4.5.0 was discovered to contain multiple authenticated SQL injection vulnerabilities in the
Devome GRR v4.5.0 was discovered to contain multiple authenticated SQL injection vulnerabilities in the include/session.inc.php file via the referer and user-agent headers. · CVSSv3.1 8.8 (HIGH) · EPSS 12th percentile
CVE-2026-22557 — A malicious actor with access to the network could exploit a Path Traversal vulnerability
A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underlying system that could be manipulated to access an underlying account. · CVSSv3.1 10.0 (CRITICAL) · EPSS 10th percentile
AzureHound v2.11.0-rc2
AzureHound v2.11.0-rc2 released with a bug fix addressing tenant information handling in application-specific configurations to ensure correct name construction. This is a pre-release candidate containing 13 commits since the previous RC1.
CVE-2006-10003 — Toddr XML::Parser: XML::Parser versions through 2.47 for Perl have an off-by-one heap buffer overflow in st_serial_stack.
XML::Parser versions through 2.47 for Perl have an off-by-one heap buffer overflow in st_serial_stack. In the case (stackptr == stacksize - 1), the stack will NOT be expanded. Then the new value will be written at location (++stackptr), which equals stacksize and therefore falls just outside the allocated buffer. The bug can be observed when parsing an XML file with very deep element nesting. · CVSSv3.1 9.8 (CRITICAL)
CVE-2026-27067 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Syarif Mobile App Editor mobile-app-editor
Unrestricted Upload of File with Dangerous Type vulnerability in Syarif Mobile App Editor mobile-app-editor allows uploading a web shell to a web server. This issue affects Mobile App Editor: from n/a through <= 1.3.1. · CVSSv3.1 9.1 (CRITICAL)