Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2026-2590 — Devolutions Remote_desktop_manager: Improper enforcement of the Disable password saving in vaults setting in the connection entry
Improper enforcement of the Disable password saving in vaults setting in the connection entry component in Devolutions Remote Desktop Manager 2025.3.30 and earlier allows an authenticated user to persist credentials in vault entries, potentially exposing sensitive information to other users, by creating or editing certain connection types while password saving is disabled. CVSSv3.1 9.8 (CRITICAL) · EPSS 17th percentile
CVE-2026-3437 — Portwell Engineering_toolkits: An improper restriction of operations within the bounds of a memory buffer vulnerability in
An improper restriction of operations within the bounds of a memory buffer vulnerability in Portwell Engineering Toolkits version 4.8.2 could allow a local authenticated attacker to read and write to arbitrary memory via the Portwell Engineering Toolkits driver. Successful exploitation of this vulnerability could result in escalation of privileges or cause a denial-of-service condition. CVSSv3.1 8.8 (HIGH) · EPSS 5th percentile
Sometimes, You Can Just Feel The Security In The Design (Juniper Junos Evolved CVE-2026-21902 Pre-Auth RCE)
CVE-2026-21902 is a pre-authentication remote code execution vulnerability in Juniper Junos OS Evolved affecting PTX Series routers. The On-Box Anomaly Detection Framework REST API listens on port 8160/TCP bound to 0.0.0.0 despite design intent to restrict it to internal interfaces, allowing unauthenticated attackers to create malicious DAG (Directed Acyclic Graph) workflows that execute arbitrary shell commands as root via the RE-SHELL command type. The vulnerability is enabled by default and exploitable through a simple four-step HTTP API sequence: create a command, define a DAG, instantiate it, and commit the configuration.
Beyond Electron: Attacking Alternative Desktop Application Frameworks
Bishop Fox researchers demonstrate a practical XSS-to-RCE exploitation chain against Tauri desktop applications, showing that despite architectural improvements over Electron, permissive configuration settings combined with XSS vulnerabilities enable full remote code execution. The attack leverages filesystem write access, shell.open() functionality, and Tauri API exposure to write and execute arbitrary binaries on the target system.
CVE-2026-22886 — Eclipse Openmq: exposes a TCP-based management service (imqbrokerd) that by default requires authentication.
OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/ admin) and does not enforce a mandatory password change on first use. After the first successful login, the server continues to accept the default password indefinitely without warning or enforcement. In real-world deployments, this service is often left enabled without changing the default credentials. CVSSv3.1 9.8 (CRITICAL)
Claude Code Security set the Cybersecurity Stocks on Fire - Here's the Signal in the Smoke
Trend Micro analyzes Anthropic's Claude Code Security announcement and the resulting cybersecurity stock market sell-off, arguing the market overreacted to a pre-deployment code scanning tool. The article contends that while AI-assisted vulnerability detection is valuable, the real emerging threat surface lies in autonomous AI agents themselves—supply chain poisoning, runtime behavior drift, and observability gaps that static code analysis cannot address.
Avira: Deserialize, Delete and Escalate - The Proper Way to Use an AV
Quarkslab disclosed three critical vulnerabilities in Avira Internet Security (≤1.1.109.1990) affecting privileged modules: arbitrary file deletion via symlink following in Software Updater (CVE-2026-27748), insecure .NET BinaryFormatter deserialization in System Speedup (CVE-2026-27749), and TOCTOU-based folder deletion in Optimizer (CVE-2026-27750). All three enable local privilege escalation to SYSTEM, with the first two chained via the well-known Config.msi MSI rollback DLL injection primitive.
v2.10.0
AzureHound v2.10.0 released with support for federated identity credentials enumeration and minor bug fixes. This update extends Azure AD reconnaissance capabilities to include federated identity attack surface.
CVE-2026-28517 — Opendcim Opendcim: version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php.
openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitization. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process. CVSSv3.1 9.8 (CRITICAL) · EPSS 97th percentile
CVE-2026-28406 — Chainguard Kaniko: is a tool to build container images from a Dockerfile, inside a container
kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster. Starting in version 1.25.4 and prior to version 1.25.10, kaniko unpacks build context archives using `filepath.Join(dest, cleanedName)` without enforcing that the final path stays within `dest`. A tar entry like `../outside.txt` escapes the extraction root and writes files outside the destination directory. In environments with registry authentication, this can be chained w CVSSv3.1 8.2 (HIGH)
CVE-2026-2880 — Fastify Fastify\/middie: A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using
A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers. CVSSv3.1 9.1 (CRITICAL) · EPSS 23th percentile
CVE-2026-2293 — Nestjs Nest: A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization
A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. This issue affects nest.Js: 11.1.13. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-11252 — Signumtte Windesk.fm: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Signum Technology Promotion and Training Inc. Windesk.Fm allows SQL Injection. This issue affects windesk.Fm: before v2.3.4. NOTE: The vendor patched the vulnerability after the CVE was published. CVSSv3.1 9.8 (CRITICAL) · EPSS 4th percentile
CVE-2026-24352 — Pluxml Pluxml: CMS allows a user's session identifier to be set before authentication.
PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other ve CVSSv3.1 9.8 (CRITICAL) · EPSS 6th percentile
CVE-2025-11251 — Daynex Woyio: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dayneks Software Industry and Trade Inc. E-Commerce Platform allows SQL Injection. This issue affects E-Commerce Platform: through 27022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 9.8 (CRITICAL) · EPSS 4th percentile
CVE-2026-25109 — Copeland Xweb_500b_pro_firmware: An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field when accessing the get setup route. CVSSv3.1 8.0 (HIGH) · EPSS 52th percentile
CVE-2026-20910 — Copeland Xweb_300d_pro_firmware: An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update action to achieve remote code execution. CVSSv3.1 8.0 (HIGH) · EPSS 52th percentile
CVE-2026-22207 — OpenViking: through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability
OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-27509 — Unitree Go2_firmware: Go2 firmware versions V1.1.7 through V1.1.9, and V1.1.11 (EDU) do not implement DDS
Unitree Go2 firmware versions V1.1.7 through V1.1.9, and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When CVSSv3.1 8.0 (HIGH) · EPSS 23th percentile
CVE-2025-71057 — Link: Improper session management in D-Link Wireless N 300 ADSL2+ Modem Router DSL-124 ME_1.00 allows
Improper session management in D-Link Wireless N 300 ADSL2+ Modem Router DSL-124 ME_1.00 allows attackers to execute a session hijacking attack via spoofing the IP address of an authenticated user. CVSSv3.1 8.2 (HIGH) · EPSS 4th percentile
Introducing CloudFox GCP: Attack Path Identification for Google Cloud
Bishop Fox released CloudFox GCP, an offensive security enumeration tool for Google Cloud Platform that maps IAM permissions, identifies service account risks, detects storage misconfigurations, and surfaces privilege escalation and lateral movement paths across GCP organization hierarchies. The tool includes 64 modules organized across identity, storage, compute, networking, and attack path analysis categories, with planned integration to FoxMapper for advanced privilege escalation graph analysis.
A Deep Dive into the GetProcessHandleFromHwnd API
Project Zero researcher provides a comprehensive historical analysis of the GetProcessHandleFromHwnd Windows API across Vista through Windows 11 24H2, documenting how it evolved from a hook-based implementation to a kernel function and the security implications of each version. The post details a critical vulnerability (CVE-2023-41772) in Windows 10 and pre-24H2 Windows 11 that allowed bypassing protected process isolation via UIPI checks, and demonstrates a practical attack chain to hijack Protected TCB processes like WerFaultSecure.exe. Microsoft's fixes in 24H2 introduce feature flags to enforce UIPI permanently and restrict the API to UI Access-enabled callers, though workarounds exist for systems with UIPI disabled.
CVE-2026-27830 — JDBC: c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized
c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString` which conceptually represents a `Map<String,Map<String,String>>`. Prior to v0.12.0, that property was maintained as a hex-encoded serialized object. Any attacker able to reset this property, on an existing `ConnectionPoolDat CVSSv3.1 8.0 (HIGH)
ShimBad the Sailor, Part 3
Hexacorn documents Windows 11 shim database enhancements including newly tracked process names (SdbMergeTestEntry_Added_Exe_Item.exe variants) and plugin directory structures (%windir%\apppatch\AcPluginDlls\) with test DLLs present across multiple architectures. The research identifies potential persistence and code injection vectors through underdocumented shim plugin mechanisms in apphelp.dll, pcasvc.dll, and appraiser.dll.
Cisco SD-WAN vulnerabilities (CVE-2026-20127, CVE-2022-20775) in active exploitation
Cisco SD-WAN vulnerabilities CVE-2026-20127 and CVE-2022-20775 are under active exploitation targeting federal networks, with CISA issuing an emergency directive. CVE-2026-20127 permits unauthenticated remote attackers to bypass authentication and gain admin access; CVE-2022-20775 enables authenticated local privilege escalation. Sophos has released IPS signatures for detection.