Latest intel // live feed
CVE-2026-27065 — ThimPress BuilderPress: Improper Control of Filename for Include/Require Statement ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress BuilderPress (builderpress) allows PHP Local File Inclusion. This issue affects BuilderPress: from n/a through <= 2.0.1. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-25445 — Membership Software WishList Member X: Deserialization of Untrusted Data (Object Injection)
Deserialization of Untrusted Data vulnerability in Membership Software WishList Member X (wishlist-member-x) allows Object Injection. This issue affects WishList Member X: from n/a through <= 3.29.0. CVSSv3.1 8.8 (HIGH)
CVE-2025-60237 — Themeton Finag: Deserialization of Untrusted Data (Object Injection)
Deserialization of Untrusted Data vulnerability in Themeton Finag (finag) allows Object Injection. This issue affects Finag: from n/a through <= 1.5.0. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-60233 — Themeton Zuut: Deserialization of Untrusted Data (Object Injection)
Deserialization of Untrusted Data vulnerability in Themeton Zuut (zuut) allows Object Injection. This issue affects Zuut: from n/a through <= 1.4.2. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-25471 — Themepaste Admin Safety Guard: Authentication Bypass Using an Alternate Path or Channel (Password Recovery Exploitation)
Authentication Bypass Using an Alternate Path or Channel vulnerability in Themepaste Admin Safety Guard (admin-safety-guard) allows Password Recovery Exploitation. This issue affects Admin Safety Guard: from n/a through <= 1.2.7. CVSSv3.1 8.1 (HIGH)
CVE-2026-27093 — ovatheme Tripgo: Improper Control of Filename for Include/Require Statement ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Tripgo (tripgo) allows PHP Local File Inclusion. This issue affects Tripgo: from n/a through < 1.5.6. CVSSv3.1 8.1 (HIGH)
CVE-2026-27542 — Rymera Web Co Woocommerce Wholesale Lead Capture: Incorrect Privilege Assignment (Privilege Escalation)
Incorrect Privilege Assignment vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture (woocommerce-wholesale-lead-capture) allows Privilege Escalation. This issue affects Woocommerce Wholesale Lead Capture: from n/a through <= 2.0.3.1. CVSSv3.1 9.8 (CRITICAL) · EPSS 1st percentile
CVE-2026-27540 — Rymera Web Co Woocommerce Wholesale Lead Capture: Unrestricted Upload of File with Dangerous Type
Unrestricted Upload of File with Dangerous Type vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture (woocommerce-wholesale-lead-capture) allows Using Malicious Files. This issue affects Woocommerce Wholesale Lead Capture: from n/a through <= 2.0.3.1. CVSSv3.1 9.0 (CRITICAL) · EPSS 1st percentile
CVE-2026-27413 — Cozmoslabs Profile Builder Pro: Improper Neutralization of Special Elements used in an SQL Command (Blind SQL Injection)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Profile Builder Pro (profile-builder-pro) allows Blind SQL Injection. This issue affects Profile Builder Pro: from n/a through < 3.14.0. CVSSv3.1 9.3 (CRITICAL)
CVE-2026-27096 — BuddhaThemes ColorFolio: Deserialization of Untrusted Data (Object Injection)
Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme (colorfolio) allows Object Injection. This issue affects ColorFolio - Freelance Designer WordPress Theme: from n/a through <= 1.3. CVSSv3.1 8.1 (HIGH)
From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect
Elastic Security Labs disclosed SILENTCONNECT, a multi-stage .NET loader deployed in the wild since March 2025 that silently installs the ConnectWise ScreenConnect RMM agent via phishing campaigns. The infection chain leverages VBScript, PowerShell, PEB masquerading, a UAC bypass via COM elevation, and Windows Defender exclusions to evade detection and establish persistent hands-on-keyboard access. The campaigns abuse Cloudflare Turnstile CAPTCHAs, Google Drive, and compromised legitimate websites as delivery infrastructure for the payload.
Android devices ship with firmware-level malware
Sophos and Kaspersky identified Keenadu, a firmware-level backdoor pre-installed on Android devices from budget manufacturers (BLU, Ulefone, DOOGEE, etc.) affecting 500+ devices across 40 countries. The malware injects into libandroid_runtime.so via the Zygote process, achieving persistence across all apps and enabling second-stage payload delivery for ad fraud, credential theft, and data exfiltration. The compromise occurred at the firmware build phase, indicating a supply-chain attack at the OEM level.
Copyright Lures Mask a Multi‑Stage PureLog Stealer Attack on Key Industries
Trend Micro researchers documented a targeted multi-stage PureLog Stealer campaign using localized copyright-violation lures to deliver information-stealing malware to healthcare, government, hospitality, and education sectors across Germany, Canada, the US, and Australia. The attack chain employs encrypted payloads, remote key retrieval, renamed WinRAR for extraction, Python-based loaders, and fileless .NET execution with AMSI bypass and anti-VM evasion. Two operational variants were identified, with the more recent chain using pre-bundled payloads and hardcoded decryption keys, while earlier variants relied on live C&C communication.
CVE-2025-15031 — MLflow: arbitrary file write via unvalidated tar extraction in pyfunc
A vulnerability in MLflow's pyfunc extraction process allows arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of `tarfile.extractall` without path validation enables crafted tar.gz files containing `..` or absolute paths to escape the intended extraction directory. This issue affects the latest version of MLflow and poses a high/critical risk in scenarios involving multi-tenant environments or ingestion of untrusted artifacts. CVSSv3.1 9.1 (CRITICAL)
Mythic v3.4.0.48
Mythic v3.4.0.48 released with a Dockerfile tag bump to match the release version. This is a routine version bump with no disclosed security fixes, features, or breaking changes in the available metadata.
CVE-2026-26740 — giflib 5.2.2: Buffer Overflow in EGifGCBToExtension (denial of service)
Buffer Overflow vulnerability in giflib v5.2.2 allows a remote attacker to cause a denial of service: EGifGCBToExtension overwrites an existing Graphic Control Extension block without validating the block's allocated size. CVSSv3.1 8.2 (HIGH)
CVE-2026-33001 — Jenkins 2.554 and earlier, LTS 2.541.2 and earlier: unsafe symbolic-link handling during .tar/.tar.gz extraction
Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by the file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or by attackers able to control agent processes. CVSSv3.1 8.8 (HIGH)
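The MLflow and Jenkins entries above are the same bug class from two angles: `..`/absolute names that escape the destination, and a symlink extracted first so that a later ordinary file is written through it. The extractor below is an added example, not code from MLflow or Jenkins. It validates every member against the on-disk state immediately before extracting that member, which is the detail that defeats the symlink chain (a validate-everything-first pass would pass `link/cron.d/evil` because `link` does not exist yet). The archives it feeds itself are constructed in memory for the demo; the `cron.d` payload names are illustrative only.

```python
"""Hardened tar.gz extraction: validate each member just before extracting it."""
import io
import os
import shutil
import tarfile
import tempfile


class UnsafeArchiveMember(Exception):
    """Raised when an archive entry would write outside the destination."""


def _is_within(base: str, target: str) -> bool:
    # realpath() follows symlinks that are already present under base, which is
    # exactly what catches "extract a symlink, then write a file through it".
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def validate_member(member: tarfile.TarInfo, dest: str) -> None:
    name = member.name
    if os.path.isabs(name) or name.startswith(("/", "\\")):
        raise UnsafeArchiveMember(f"absolute path: {name!r}")
    if ".." in name.replace("\\", "/").split("/"):
        raise UnsafeArchiveMember(f"parent-directory traversal: {name!r}")
    target = os.path.join(dest, name)
    if not _is_within(dest, target):
        raise UnsafeArchiveMember(f"escapes destination: {name!r}")
    if member.issym():
        # A symlink target resolves relative to the link's own directory.
        link_dest = os.path.join(os.path.dirname(target), member.linkname)
        if not _is_within(dest, link_dest):
            raise UnsafeArchiveMember(f"symlink escapes destination: {name!r} -> {member.linkname!r}")
    elif member.islnk():
        # A hard-link target is archive-relative.
        if not _is_within(dest, os.path.join(dest, member.linkname)):
            raise UnsafeArchiveMember(f"hardlink escapes destination: {name!r} -> {member.linkname!r}")
    elif not (member.isfile() or member.isdir()):
        raise UnsafeArchiveMember(f"special file not allowed: {name!r}")


def safe_extract(archive_bytes: bytes, dest: str) -> list:
    """Extract member by member; returns the names written. Raises on the first unsafe entry."""
    # On Python 3.12+ (and the backports) also apply the stdlib 'data' filter as a second layer.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar:
            validate_member(member, dest)   # checked against what is on disk right now
            tar.extract(member, path=dest, **extra)
            written.append(member.name)
    return written


def build_archive(entries) -> bytes:
    """Constructed test input: entries are (name, 'file'|'symlink', text-or-link-target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                data = payload.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
            else:
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
    return buf.getvalue()


# Constructed samples (hypothetical paths), one per escape technique in the two advisories.
SAMPLES = {
    "benign": [("model/MLmodel", "file", "flavors: {python_function: {}}\n"),
               ("model/data/weights.bin", "file", "0123")],
    "dotdot": [("../../etc/cron.d/evil", "file", "* * * * * root /bin/sh\n")],
    "absolute": [("/etc/cron.d/evil", "file", "* * * * * root /bin/sh\n")],
    "symlink_chain": [("link", "symlink", "/etc"),
                      ("link/cron.d/evil", "file", "* * * * * root /bin/sh\n")],
}


def run_samples() -> dict:
    """Extract each sample into a fresh temp dir; maps label -> 'extracted' or 'rejected'."""
    outcome = {}
    for label, entries in SAMPLES.items():
        dest = tempfile.mkdtemp(prefix="pyfunc-")
        try:
            safe_extract(build_archive(entries), dest)
            outcome[label] = "extracted"
        except UnsafeArchiveMember as exc:
            outcome[label] = "rejected"
            print(f"{label}: {exc}")
        finally:
            shutil.rmtree(dest, ignore_errors=True)
    return outcome


if __name__ == "__main__":
    print(run_samples())
```

Only `benign` extracts; the other three are refused before anything touches the filesystem. On Python 3.12 and the patched 3.8-3.11 releases, `tarfile.extractall(path, filter="data")` performs the same class of checks in the stdlib; the per-member validation here is what you need when you must support older interpreters or want the rejection reason logged.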
CVE-2026-24063 — Arturia Software Center (macOS): world-writable uninstall.sh executed by a privileged helper enables privilege escalation
When a plugin is installed using the Arturia Software Center (macOS), it also installs an uninstall.sh bash script in a root-owned path. This script is written to disk with mode 777, meaning it is writable by any user. When a plugin is uninstalled via the Arturia Software Center, the Privileged Helper is instructed to execute this script. An attacker who modifies the script therefore gets it executed with the helper's privileges, leading to privilege escalation. CVSSv3.1 8.2 (HIGH) · EPSS 2nd percentile
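The fix on the helper side is a pre-execution check: refuse to run anything that is not owned by the trusted uid, that group or others can modify, or that sits in a directory others can rename files in. The check below is an added example modelled on the advisory text, not Arturia's code; `trusted_uid` and the `0755`/`0777` demo scripts are assumptions (the demo uses the current uid so it runs unprivileged, while a real helper would pass `0`).

```python
"""Pre-execution audit a privileged helper should apply before running a script."""
import os
import stat
import tempfile


def audit_privileged_script(path: str, trusted_uid: int = 0) -> list:
    """Return a list of findings; an empty list means the script may be executed."""
    findings = []
    st = os.lstat(path)                     # lstat: do not follow a planted symlink
    if stat.S_ISLNK(st.st_mode):
        findings.append("is a symlink")
    elif not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_uid != trusted_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    # A world-writable parent without the sticky bit lets anyone replace the file wholesale.
    parent = os.lstat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory world-writable without sticky bit")
    return findings


def demo_uninstall_scripts() -> dict:
    """Constructed demo: one script installed 0755 and one 0777 as described in the advisory."""
    root = tempfile.mkdtemp(prefix="helper-")
    os.chmod(root, 0o755)
    results = {}
    for name, mode in (("good_uninstall.sh", 0o755), ("uninstall.sh", 0o777)):
        script = os.path.join(root, name)
        with open(script, "w") as fh:
            fh.write('#!/bin/sh\nrm -rf "$PLUGIN_DIR"\n')   # hypothetical uninstall body
        os.chmod(script, mode)
        results[name] = audit_privileged_script(script, trusted_uid=os.getuid())
    return results


if __name__ == "__main__":
    for name, findings in demo_uninstall_scripts().items():
        print(name, "->", findings or "ok")
```

The 0755 script passes; the 0777 one is flagged both group- and world-writable, which is the state the advisory describes. The same audit, run as a scan over `/Library` with `trusted_uid=0`, is a quick way to find other helper-executed scripts with the same problem.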
CVE-2026-25449 — shinetheme Traveler: Deserialization of Untrusted Data (Object Injection)
Deserialization of Untrusted Data vulnerability in shinetheme Traveler (traveler) allows Object Injection. This issue affects Traveler: from n/a through < 3.2.8.1. CVSSv3.1 9.8 (CRITICAL)
Introducing Attack Path Management for GitHub in BloodHound Enterprise
SpecterOps announced BloodHound Enterprise with OpenGraph extensions for GitHub, enabling attack path analysis across GitHub identities, repositories, CI/CD workflows, secrets, and external trust relationships (SSO, OIDC federation to Azure/AWS). The extension models how GitHub acts as both a target and an interchange between systems, exposing paths to critical code, credentials, and cloud pivots that traditional configuration review misses.
BloodHound Enterprise Expands Beyond Microsoft: Mapping Identity Attack Paths Across Okta, GitHub, and Mac environments
SpecterOps announced BloodHound Enterprise 9.0 with OpenGraph extensions enabling attack path mapping across Okta, GitHub, and Jamf-managed macOS environments, moving beyond Microsoft-only visibility. The platform now identifies cross-platform privilege chains and introduces Privilege Zones for defining critical security boundaries. The expansion addresses the reality that modern breaches chain privileges across identity providers, developer platforms, and device management systems.
CVE-2026-23246 — Linux kernel: wifi: mac80211: missing bounds check on link_id in ieee80211_ml_reconfiguration (stack out-of-bounds write)
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration. link_id is taken from the ML Reconfiguration element (control & 0x000f), so it can be 0..15, but link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS (15) elements, so index 15 is out of bounds. The fix skips subelements with link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds write. CVSSv3.1 8.8 (HIGH) · EPSS 6th percentile
The SOC Files: Time to “Sapecar”. Unpacking a new Horabot campaign in Mexico
Kaspersky's MDR team dissected an active Horabot campaign targeting 5,384 victims (93% in Mexico), combining fake CAPTCHA lures, polymorphic HTA/VBS loaders, AutoIt-wrapped banking Trojans (Casbaneiro/Ponteiro variants), and email spreader functionality. The attack chain leverages server-side polymorphism, custom XOR-subtraction ciphers for C2 communication, and anti-VM checks; the write-up includes detailed analysis of the encryption routines, socket protocols, and configuration parsing.
The Most Organized Threat Actors Use Your ITSM (BMC FootPrints Pre-Auth Remote Code Execution Chains)
watchTowr Labs disclosed a pre-authenticated RCE chain against BMC FootPrints ITSM affecting versions 20.20.02–20.24.01.001, comprising four chained vulnerabilities: an authentication bypass via SEC_TOKEN generation in the password-reset endpoint (CVE-2025-71257), two blind SSRFs (CVE-2025-71258, CVE-2025-71259), and Java deserialization RCE via AspNetConfig servlet (CVE-2025-71260). BMC released hotfixes in September 2025 after a lengthy disclosure process; CVEs were assigned March 2026.
CVE-2026-31938 — jsPDF (parall): HTML injection via user-controlled `options` argument of `output`, prior to 4.2.1
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of the `output` function allows attackers to inject arbitrary HTML (such as scripts) into the browser context the created PDF is opened in. The vulnerability can be exploited in the following scenario: the attacker provides values for the output options, for example via a web interface. These values are then passed unsanitized (automatically or semi-automatically) CVSSv3.1 9.6 (CRITICAL)