2026-03-19 09:16Z · CRIT

CVE-2026-27065 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in ThimPress BuilderPress

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-27065

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress BuilderPress builderpress allows PHP Local File Inclusion. This issue affects BuilderPress: from n/a through <= 2.0.1. CVSSv3.1 9.8 (CRITICAL)

CWE-98 · Type: Vulnerability · CVSS v3.1: 9.8 · Score: 99

2026-03-19 09:16Z · HIGH

CVE-2026-25445 — Deserialization of Untrusted Data in Membership Software WishList Member X

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-25445

Deserialization of Untrusted Data vulnerability in Membership Software WishList Member X wishlist-member-x allows Object Injection. This issue affects WishList Member X: from n/a through <= 3.29.0. CVSSv3.1 8.8 (HIGH)

CWE-502 · Type: Vulnerability · CVSS v3.1: 8.8 · Score: 94

2026-03-19 09:16Z · CRIT

CVE-2025-60237 — Deserialization of Untrusted Data in Themeton Finag

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-60237

Deserialization of Untrusted Data vulnerability in Themeton Finag finag allows Object Injection. This issue affects Finag: from n/a through <= 1.5.0. CVSSv3.1 9.8 (CRITICAL)

CWE-502 · Type: Vulnerability · CVSS v3.1: 9.8 · Score: 99

2026-03-19 09:16Z · CRIT

CVE-2025-60233 — Deserialization of Untrusted Data in Themeton Zuut

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-60233

Deserialization of Untrusted Data vulnerability in Themeton Zuut zuut allows Object Injection. This issue affects Zuut: from n/a through <= 1.4.2. CVSSv3.1 9.8 (CRITICAL)

CWE-502 · Type: Vulnerability · CVSS v3.1: 9.8 · Score: 99

2026-03-19 08:16Z · HIGH

CVE-2026-25471 — Authentication Bypass Using an Alternate Path or Channel in Themepaste Admin Safety Guard

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-25471

Authentication Bypass Using an Alternate Path or Channel vulnerability in Themepaste Admin Safety Guard admin-safety-guard allows Password Recovery Exploitation. This issue affects Admin Safety Guard: from n/a through <= 1.2.7. CVSSv3.1 8.1 (HIGH)

CWE-288 · Type: Vulnerability · CVSS v3.1: 8.1 · Score: 91

2026-03-19 07:15Z · HIGH

CVE-2026-27093 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in ovatheme Tripgo

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-27093

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Tripgo tripgo allows PHP Local File Inclusion. This issue affects Tripgo: from n/a through < 1.5.6. CVSSv3.1 8.1 (HIGH)

CWE-98 · Type: Vulnerability · CVSS v3.1: 8.1 · Score: 91

2026-03-19 06:16Z · CRIT

CVE-2026-27542 — Incorrect Privilege Assignment in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-27542

Incorrect Privilege Assignment vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture woocommerce-wholesale-lead-capture allows Privilege Escalation. This issue affects Woocommerce Wholesale Lead Capture: from n/a through <= 2.0.3.1. CVSSv3.1 9.8 (CRITICAL) · EPSS 1st percentile

CWE-266 · Type: Vulnerability · CVSS v3.1: 9.8 · Score: 99

2026-03-19 06:16Z · CRIT

CVE-2026-27540 — Unrestricted Upload of File with Dangerous Type in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-27540

Unrestricted Upload of File with Dangerous Type vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture woocommerce-wholesale-lead-capture allows Using Malicious Files. This issue affects Woocommerce Wholesale Lead Capture: from n/a through <= 2.0.3.1. CVSSv3.1 9.0 (CRITICAL) · EPSS 1st percentile

CWE-434 · Type: Vulnerability · CVSS v3.1: 9.0 · Score: 95

2026-03-19 06:16Z · CRIT

CVE-2026-27413 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Cozmoslabs Profile Builder Pro

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-27413

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Profile Builder Pro profile-builder-pro allows Blind SQL Injection. This issue affects Profile Builder Pro: from n/a through < 3.14.0. CVSSv3.1 9.3 (CRITICAL)

CWE-89 · Type: Vulnerability · CVSS v3.1: 9.3 · Score: 97

2026-03-19 06:16Z · HIGH

CVE-2026-27096 — Deserialization of Untrusted Data in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-27096

Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme colorfolio allows Object Injection. This issue affects ColorFolio - Freelance Designer WordPress Theme: from n/a through <= 1.3. CVSSv3.1 8.1 (HIGH)

CWE-502 · Type: Vulnerability · CVSS v3.1: 8.1 · Score: 91

2026-03-19 00:00Z · HIGH

From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect

Elastic Security Labs · elastic.co · in the wild

Elastic Security Labs disclosed SILENTCONNECT, a multi-stage .NET loader actively deployed in the wild since March 2025 that silently installs ConnectWise ScreenConnect RMM via phishing campaigns. The infection chain leverages VBScript, PowerShell, PEB masquerading, UAC bypass via COM elevation, and Windows Defender exclusions to evade detection and establish persistent hands-on-keyboard access. Campaigns abuse Cloudflare Turnstile CAPTCHAs, Google Drive, and compromised legitimate websites as infrastructure to deliver the payload.

Surface: Application, OS · Tactics: TA0005, TA0001, TA0011 · Vendors: Microsoft, Google, Cloudflare · Score: 78

2026-03-19 00:00Z · CRIT

Android devices ship with firmware-level malware

Sophos X-Ops · news.sophos.com · in the wild

Sophos and Kaspersky identified Keenadu, a firmware-level backdoor pre-installed on Android devices from budget manufacturers (BLU, Ulefone, DOOGEE, etc.) affecting 500+ devices across 40 countries. The malware injects into libandroid_runtime.so via the Zygote process, achieving persistence across all apps and enabling second-stage payload delivery for ad fraud, credential theft, and data exfiltration. The compromise occurred at the firmware build phase, indicating a supply-chain attack at the OEM level.

Surface: OS, Mobile, Firmware · Tactics: TA0005, TA0001, TA0007, TA0003, TA0011 · Score: 88

2026-03-19 00:00Z · HIGH

Copyright Lures Mask a Multi-Stage PureLog Stealer Attack on Key Industries

Trend Micro Research · trendmicro.com · in the wild

Trend Micro researchers documented a targeted multi-stage PureLog Stealer campaign using localized copyright-violation lures to deliver information-stealing malware to healthcare, government, hospitality, and education sectors across Germany, Canada, the US, and Australia. The attack chain employs encrypted payloads, remote key retrieval, renamed WinRAR for extraction, Python-based loaders, and fileless .NET execution with AMSI bypass and anti-VM evasion. Two operational variants were identified, with the more recent chain using pre-bundled payloads and hardcoded decryption keys, while earlier variants relied on live C&C communication.

Surface: Application, OS, Web · Tactics: TA0005, TA0001, TA0002, TA0007, TA0003 · Score: 76

2026-03-18 23:17Z · CRIT

CVE-2025-15031 — Lfprojects MLflow: arbitrary file writes via unvalidated tar archive entries in pyfunc extraction

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-15031

A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of `tarfile.extractall` without path validation enables crafted tar.gz files containing `..` or absolute paths to escape the intended extraction directory. This issue affects the latest version of MLflow and poses a high/critical risk in scenarios involving multi-tenant environments or ingestion of untrusted artifacts, a […]. CVSSv3.1 9.1 (CRITICAL)

CWE-22 · Vendor: Lfprojects · Type: Vulnerability · CVSS v3.1: 9.1 · Score: 96

2026-03-18 20:17Z · INFO

v3.4.0.48

Mythic releases · github.com

Mythic v3.4.0.48 released with a Dockerfile tag bump to match the release version. This is a routine version bump with no disclosed security fixes, features, or breaking changes in the available metadata.

Vendor: Mythic · Type: Tool · Score: 15

2026-03-18 18:16Z · HIGH

CVE-2026-26740 — Giflib_project giflib: buffer overflow in EGifGCBToExtension (v5.2.2) allows remote denial of service

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-26740

Buffer Overflow vulnerability in giflib v.5.2.2 allows a remote attacker to cause a denial of service via the EGifGCBToExtension overwriting an existing Graphic Control Extension block without validating its allocated size. CVSSv3.1 8.2 (HIGH)

CWE-787 · Vendors: Buffer, Giflib Project · Type: Vulnerability · CVSS v3.1: 8.2 · Score: 91

2026-03-18 16:16Z · HIGH

CVE-2026-33001 — Jenkins 2.554 and earlier, LTS 2.541.2 and earlier: unsafe handling of symbolic links during .tar/.tar.gz extraction

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33001

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes. CVSSv3.1 8.8 (HIGH)

CWE-22, CWE-59 · Vendor: Jenkins · Type: Vulnerability · CVSS v3.1: 8.8 · Score: 94

2026-03-18 16:16Z · HIGH

CVE-2026-24063 — Arturia Software Center (macOS): world-writable uninstall.sh executed by the Privileged Helper leads to privilege escalation

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-24063

When a plugin is installed using the Arturia Software Center (macOS), it also installs an uninstall.sh bash script in a root-owned path. This script is written to disk with the file permissions 777, meaning it is writable by any user. When uninstalling a plugin via the Arturia Software Center, the Privileged Helper gets instructed to execute this script. When the bash script is manipulated by an attacker, this scenario will lead to privilege escalation. CVSSv3.1 8.2 (HIGH) · EPSS 2nd percentile

CWE-276 · Type: Vulnerability · CVSS v3.1: 8.2 · Score: 91

2026-03-18 14:16Z · CRIT

CVE-2026-25449 — Deserialization of Untrusted Data in shinetheme Traveler

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-25449

Deserialization of Untrusted Data vulnerability in shinetheme Traveler traveler allows Object Injection. This issue affects Traveler: from n/a through < 3.2.8.1. CVSSv3.1 9.8 (CRITICAL)

CWE-502 · Type: Vulnerability · CVSS v3.1: 9.8 · Score: 99

2026-03-18 11:45Z · HIGH

Introducing Attack Path Management for GitHub in BloodHound Enterprise

SpecterOps · specterops.io

SpecterOps announced BloodHound Enterprise with OpenGraph extensions for GitHub, enabling attack path analysis across GitHub identities, repositories, CI/CD workflows, secrets, and external trust relationships (SSO, OIDC federation to Azure/AWS). The extension models how GitHub acts as both a target and an interchange between systems, exposing paths to critical code, credentials, and cloud pivots that traditional configuration review misses.

Surface: Application, Identity, Cloud, Supply Chain · Tactics: TA0006, TA0008, TA0009 · Vendor: Microsoft · Score: 72

2026-03-18 11:45Z · HIGH

BloodHound Enterprise Expands Beyond Microsoft: Mapping Identity Attack Paths Across Okta, GitHub, and Mac environments

SpecterOps · specterops.io

SpecterOps announced BloodHound Enterprise 9.0 with OpenGraph extensions enabling attack path mapping across Okta, GitHub, and Jamf-managed macOS environments, moving beyond Microsoft-only visibility. The platform now identifies cross-platform privilege chains and introduces Privilege Zones for defining critical security boundaries. The expansion addresses the reality that modern breaches chain privileges across identity providers, developer platforms, and device management systems.

Surface: Application, OS, Identity, Cloud · Tactics: TA0004, TA0001, TA0003, TA0008 · Score: 78

2026-03-18 11:16Z · HIGH

CVE-2026-23246 — Linux kernel: wifi: mac80211: stack out-of-bounds write from unchecked link_id in ieee80211_ml_reconfiguration

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-23246

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration. link_id is taken from the ML Reconfiguration element (control & 0x000f), so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS (15) elements, so index 15 is out-of-bounds. Skip subelements with link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds write. CVSSv3.1 8.8 (HIGH) · EPSS 6th percentile

Type: Vulnerability · CVSS v3.1: 8.8 · Score: 94

2026-03-18 11:00Z · HIGH

The SOC Files: Time to "Sapecar". Unpacking a new Horabot campaign in Mexico

Kaspersky Securelist · securelist.com · in the wild

Kaspersky's MDR team dissected an active Horabot campaign targeting 5,384 victims (93% in Mexico) combining fake CAPTCHA lures, polymorphic HTA/VBS loaders, AutoIT-wrapped banking Trojans (Casbaneiro/Ponteiro variants), and email spreader functionality. The attack chain leverages server-side polymorphism, custom XOR-subtraction ciphers for C2 communication, and anti-VM checks, with detailed analysis of encryption routines, socket protocols, and configuration parsing mechanisms.

Surface: OS, Web · Tactics: TA0001, TA0002, TA0006, TA0007, TA0003, TA0011 · Score: 78

2026-03-18 10:02Z · CRIT

The Most Organized Threat Actors Use Your ITSM (BMC FootPrints Pre-Auth Remote Code Execution Chains)

watchTowr Labs disclosed a pre-authenticated RCE chain against BMC FootPrints ITSM affecting versions 20.20.02–20.24.01.001, comprising four chained vulnerabilities: an authentication bypass via SEC_TOKEN generation in the password-reset endpoint (CVE-2025-71257), two blind SSRFs (CVE-2025-71258, CVE-2025-71259), and Java deserialization RCE via the AspNetConfig servlet (CVE-2025-71260). BMC released hotfixes in September 2025 after a lengthy disclosure process; CVEs were assigned March 2026.

Surface: Application, Web · Tactics: TA0001, TA0002, TA0003 · Vendor: Bmc · Type: Research, Writeup · Score: 88

2026-03-18 04:17Z · CRIT

CVE-2026-31938 — Parall jsPDF: HTML injection via user-controlled `options` argument of the `output` function (prior to 4.2.1)

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-31938

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of the `output` function allows attackers to inject arbitrary HTML (such as scripts) into the browser context the created PDF is opened in. The vulnerability can be exploited in the following scenario: the attacker provides values for the output options, for example via a web interface. These values are then passed unsanitized (automatically or semi-automatically) […]. CVSSv3.1 9.6 (CRITICAL)

CWE-79 · Vendor: Parall · Type: Vulnerability · CVSS v3.1: 9.6 · Score: 98
