Latest intel// live feed
The Most Organized Threat Actors Use Your ITSM (BMC FootPrints Pre-Auth Remote Code Execution Chains)
watchTowr Labs disclosed a pre-authenticated RCE chain against BMC FootPrints ITSM affecting versions 20.20.02–20.24.01.001, comprising four chained vulnerabilities: an authentication bypass via SEC_TOKEN generation in the password-reset endpoint (CVE-2025-71257), two blind SSRFs (CVE-2025-71258, CVE-2025-71259), and Java deserialization RCE via AspNetConfig servlet (CVE-2025-71260). BMC released hotfixes in September 2025 after a lengthy disclosure process; CVEs were assigned March 2026.
CVE-2026-31938 — Parall Jspdf: Prior to version 4.2.1, user control of the `options` argument of the `output` function
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of the `output` function allows attackers to inject arbitrary HTML (such as scripts) into the browser context the created PDF is opened in. The vulnerability can be exploited in the following scenario: the attacker provides values for the output options, for example via a web interface. These values are then passed unsanitized (automatically or semi-automatically) CVSSv3.1 9.6 (CRITICAL)
CVE-2026-31898 — Parall Jspdf: Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with: `createAnnotation` (`color` parameter). The vulnerability has CVSSv3.1 8.1 (HIGH)
CVE-2026-2603 — Keycloak: A remote attacker could bypass security controls by sending a valid SAML response from
A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication. CVSSv3.1 8.1 (HIGH)
CVE-2026-28500 — Linuxfoundation Onnx: In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load()
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability trans CVSSv3.1 8.6 (HIGH)
CVE-2026-27459 — Pyopenssl Pyopenssl: pyOpenSSL is a Python wrapper around the OpenSSL library.
pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Starting in version 26.0.0, cookie values that are too long are now rejected. CVSSv3.1 9.8 (CRITICAL)
From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA
Trend Micro documents a SharePoint data exfiltration incident where attackers exploited three chained misconfigurations: exposed Spring Boot Actuator endpoints leaking service account usernames and configuration metadata, plaintext Azure AD application secrets stored in a spreadsheet, and enabled OAuth2 ROPC authentication that bypassed MFA. The attacker used stolen credentials to authenticate via ROPC, obtained a valid access token, and exfiltrated SharePoint data without malware or exploitation.
CVE-2026-32841 — Edimax Gs-5008pl_firmware: GS-5008PL firmware versions 1.00.54 and prior contain an authentication bypass vulnerability that allows
Edimax GS-5008PL firmware versions 1.00.54 and prior contain an authentication bypass vulnerability that allows unauthenticated attackers to access the management interface. Attackers can exploit the global authentication flag mechanism to gain administrative access without credentials after any user authenticates, enabling unauthorized password changes, firmware uploads, and configuration modifications. CVSSv3.1 8.1 (HIGH) · EPSS 19th percentile
CVE-2026-30707 — SpeedExam: It allows Broken Access Control via the ReviewAnswerDetails ASP.NET PageMethod.
An issue was discovered in SpeedExam Online Examination System (SaaS) after v.FEV2026. It allows Broken Access Control via the ReviewAnswerDetails ASP.NET PageMethod. Authenticated attackers can bypass client-side restrictions and invoke this method directly to retrieve the full answer key. The provider states that this issue is "Fixed in [02/2026] backend service update." CVSSv3.1 8.1 (HIGH) · EPSS 11th percentile
CVE-2026-32298 — Angeet Es3_kvm_firmware: The Angeet ES3 KVM does not properly sanitize user-supplied variables parsed by the 'cfg.lua'
The Angeet ES3 KVM does not properly sanitize user-supplied variables parsed by the 'cfg.lua' script, allowing an authenticated attacker to execute OS-level commands. CVSSv3.1 9.1 (CRITICAL) · EPSS 18th percentile
CVE-2026-4148 — Mongodb Mongodb: A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with
A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline. CVSSv3.1 8.8 (HIGH)
CVE-2026-4208 — Mrsilaz Mfa_mail: This leads to a possible MFA bypass for future login attempts by providing an
The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extension's MFA provider. CVSSv3.1 8.8 (HIGH) · EPSS 20th percentile
CVE-2026-1323 — Cps-it Mailqueue: The extension fails to properly define allowed classes used when deserializing transport failure metadata.
The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath']. CVSSv3.1 8.8 (HIGH) · EPSS 6th percentile
CVE-2026-4312 — Dragonsoft Gcb/fcb_government_financial_cybersecurity_configuration_audit_: GCB/FCB Audit Software developed by DrangSoft has a Missing Authentication vulnerability, allowing unauthen
GCB/FCB Audit Software developed by DrangSoft has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly access certain APIs to create a new administrative account. CVSSv3.1 9.8 (CRITICAL) · EPSS 46th percentile
CVE-2026-0708 — Vstakhov Libucl: This can cause a segmentation fault (SEGV fault) in the `ucl_object_emit` function when parsing
A flaw was found in libucl. A remote attacker could exploit this by providing a specially crafted Universal Configuration Language (UCL) input that contains a key with an embedded null byte. This can cause a segmentation fault (SEGV fault) in the `ucl_object_emit` function when parsing and emitting the object, leading to a Denial of Service (DoS) for the affected system. CVSSv3.1 8.3 (HIGH) · EPSS 24th percentile
CVE-2026-4177 — Toddr Yaml: YAML::Syck versions through 1.36 for Perl have several potential security vulnerabilities including a high-severity
YAML::Syck versions through 1.36 for Perl have several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming ancho CVSSv3.1 9.1 (CRITICAL)
CVE-2025-69902 — A command injection vulnerability in the minimal_wrapper.py component of kubectl-mcp-server v1.2.0 allows attackers to
A command injection vulnerability in the minimal_wrapper.py component of kubectl-mcp-server v1.2.0 allows attackers to execute arbitrary commands via injecting arbitrary shell metacharacters. CVSSv3.1 9.8 (CRITICAL) · EPSS 58th percentile
CVE-2025-50881 — Use: The `flow/admin/moniteur.php` script in Use It Flow administration website before 10.0.0 is vulnerable to
The `flow/admin/moniteur.php` script in Use It Flow administration website before 10.0.0 is vulnerable to Remote Code Execution. When handling GET requests, the script takes user-supplied input from the `action` URL parameter, performs insufficient validation, and incorporates this input into a string that is subsequently executed by the `eval()` function. Although a `method_exists()` check is performed, it only validates the part of the user input *before* the first parenthe CVSSv3.1 8.8 (HIGH) · EPSS 49th percentile
CVE-2025-69809 — P2r3 Bareiron: A write-what-where condition in p2r3 Bareiron commit 8e4d40 allows unauthenticated attackers to write arbitrary
A write-what-where condition in p2r3 Bareiron commit 8e4d40 allows unauthenticated attackers to write arbitrary values to memory, enabling arbitrary code execution via a crafted packet. CVSSv3.1 9.8 (CRITICAL) · EPSS 21st percentile
CVE-2025-69808 — P2r3 Bareiron: An out-of-bounds memory access (OOB) in p2r3 Bareiron commit 8e4d40 allows unauthenticated attackers to
An out-of-bounds memory access (OOB) in p2r3 Bareiron commit 8e4d40 allows unauthenticated attackers to access sensitive information and cause a Denial of Service (DoS) via supplying a crafted packet. CVSSv3.1 9.1 (CRITICAL) · EPSS 26th percentile
CVE-2026-27962 — Authlib Authlib: Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their ow CVSSv3.1 9.1 (CRITICAL)
Cage2Host — Offensive container‑escape toolkit for red teams. Automatically hunts and exploits Docker socket abuse, privileged conta
Cage2Host is a modular offensive container-escape toolkit designed for red teams, automating exploitation of Docker socket abuse, privileged containers, and host filesystem breakout vectors. The framework provides dual-mode execution (utility-based payload orchestration and direct module invocation), extensible plugin architecture, and operational features including base64 command transport, multi-stage pipelines, and automated cleanup.
CVE-2025-62319 — Hcltech Unica: Boolean-Based SQL Injection is a type of blind SQL injection where an attacker manipulates
Boolean-Based SQL Injection is a type of blind SQL injection where an attacker manipulates SQL queries by injecting Boolean conditions (TRUE or FALSE) into application input fields. Instead of returning database errors or visible data, the application responds differently depending on whether the injected condition evaluates to true or false. This allows an attacker to inject arbitrary SQL into backend configuration queries executed within the application. CVSSv3.1 9.8 (CRITICAL) · EPSS 15th percentile
AzureHound v2.11.0-rc1
AzureHound v2.11.0-rc1 released with minor maintenance updates including CLA workflow fixes, Windows resource generation tooling, and internal refactoring. No security fixes or feature additions of note in this pre-release candidate.
CVE-2026-4181 — Dlink Dir-816_firmware: The manipulation of the argument key1/key2/key3/key4/pskValue results in stack-based buffer overflow.
A security flaw has been discovered in D-Link DIR-816 1.10CNB05. This affects an unknown function of the file /goform/form2RepeaterStep2.cgi of the component goahead. The manipulation of the argument key1/key2/key3/key4/pskValue results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer. CVSSv3.1 9.8 (CRITICAL)