2026-03-03
2026-03-03 22:16Z
CRIT

CVE-2026-2590 — Devolutions Remote_desktop_manager: Improper enforcement of the Disable password saving in vaults setting in the connection entry

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-2590

Improper enforcement of the Disable password saving in vaults setting in the connection entry component in Devolutions Remote Desktop Manager 2025.3.30 and earlier allows an authenticated user to persist credentials in vault entries, potentially exposing sensitive information to other users, by creating or editing certain connection types while password saving is disabled. CVSSv3.1 9.8 (CRITICAL) · EPSS 17th percentile

CWECWE 20CWECWE 295VNDDevolutionsVNDDisableTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-03-03
2026-03-03 18:16Z
HIGH

CVE-2026-3437 — Portwell Engineering_toolkits: An improper restriction of operations within the bounds of a memory buffer vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-3437

An improper restriction of operations within the bounds of a memory buffer vulnerability in Portwell Engineering Toolkits version 4.8.2 could allow a local authenticated attacker to read and write to arbitrary memory via the Portwell Engineering Toolkits driver. Successful exploitation of this vulnerability could result in escalation of privileges or cause a denial-of-service condition. CVSSv3.1 8.8 (HIGH) · EPSS 5th percentile

CWECWE 119VNDPortwellTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-03-03
2026-03-03 14:15Z
CRIT

Sometimes, You Can Just Feel The Security In The Design (Juniper Junos Evolved CVE-2026-21902 Pre-Auth RCE)

watchTowr Labs·labs.watchtowr.comCVE-2026-21902in the wild

CVE-2026-21902 is a pre-authentication remote code execution vulnerability in Juniper Junos OS Evolved affecting PTX Series routers. The On-Box Anomaly Detection Framework REST API listens on port 8160/TCP bound to 0.0.0.0 despite design intent to restrict it to internal interfaces, allowing unauthenticated attackers to create malicious DAG (Directed Acyclic Graph) workflows that execute arbitrary shell commands as root via the RE-SHELL command type. The vulnerability is enabled by default and exploitable through a simple four-step HTTP API sequence: create a command, define a DAG, instantiate it, and commit the configuration.

TACTA0001TACTA0002SRFNetwork ApplianceVNDJuniperTYPWriteupTYPVulnerabilitySTGExecutionSTGInitial Access
92
Edit Score
2026-03-03
2026-03-03 14:00Z
HIGH

Beyond Electron: Attacking Alternative Desktop Application Frameworks

Bishop Fox Labs·bishopfox.com

Bishop Fox researchers demonstrate a practical XSS-to-RCE exploitation chain against Tauri desktop applications, showing that despite architectural improvements over Electron, permissive configuration settings combined with XSS vulnerabilities enable full remote code execution. The attack leverages filesystem write access, shell.open() functionality, and Tauri API exposure to write and execute arbitrary binaries on the target system.

SRFApplicationTACTA0001TYPResearchTYPTechniqueSTGExecutionSTGInitial AccessTECT1190TECT1059
78
Edit Score
2026-03-03
2026-03-03 10:16Z
CRIT

CVE-2026-22886 — Eclipse Openmq: exposes a TCP-based management service (imqbrokerd) that by default requires authentication.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-22886

OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/ admin) and does not enforce a mandatory password change on first use. After the first successful login, the server continues to accept the default password indefinitely without warning or enforcement. In real-world deployments, this service is often left enabled without changing the default credentials. CVSSv3.1 9.8 (CRITICAL)

CWECWE 1393CWECWE 1391CWECWE 1392VNDEclipseVNDOpenmqTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-03-03
2026-03-03 00:00Z
HIGH

Claude Code Security set the Cybersecurity Stocks on Fire - Here's the Signal in the Smoke

Trend Micro Research·trendmicro.com

Trend Micro analyzes Anthropic's Claude Code Security announcement and the resulting cybersecurity stock market sell-off, arguing the market overreacted to a pre-deployment code scanning tool. The article contends that while AI-assisted vulnerability detection is valuable, the real emerging threat surface lies in autonomous AI agents themselves—supply chain poisoning, runtime behavior drift, and observability gaps that static code analysis cannot address.

TACTA0043SRFAiVNDAnthropicVNDCrowdstrikeVNDOktaTYPResearchTYPThreat IntelSTGDiscovery
72
Edit Score
2026-03-02
2026-03-02 23:00Z
CRIT

Avira: Deserialize, Delete and Escalate - The Proper Way to Use an AV

Quarkslab·blog.quarkslab.comCVE-2026-27748CVE-2026-27749CVE-2026-27750

Quarkslab disclosed three critical vulnerabilities in Avira Internet Security (≤1.1.109.1990) affecting privileged modules: arbitrary file deletion via symlink following in Software Updater (CVE-2026-27748), insecure .NET BinaryFormatter deserialization in System Speedup (CVE-2026-27749), and TOCTOU-based folder deletion in Optimizer (CVE-2026-27750). All three enable local privilege escalation to SYSTEM, with the first two chained via the well-known Config.msi MSI rollback DLL injection primitive.

SRFApplicationSRFOsTACTA0004TACTA0005VNDAviraTYPWriteupTYPExploitTYPVulnerability
92
Edit Score
728 × 90 / responsive · programmatic ad slot
2026-03-02
2026-03-02 15:34Z
INFO

v2.10.0

AzureHound releases·github.com

AzureHound v2.10.0 released with support for federated identity credentials enumeration and minor bug fixes. This update extends Azure AD reconnaissance capabilities to include federated identity attack surface.

TACTA0007SRFIdentitySRFCloudVNDSpecteropsVNDMicrosoft AzureTYPToolSTGDiscoverySTGRecon
62
Edit Score
2026-02-27
2026-02-27 23:16Z
CRIT

CVE-2026-28517 — Opendcim Opendcim: version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-28517

openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitization. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process. CVSSv3.1 9.8 (CRITICAL) · EPSS 97th percentile

CWECWE 78VNDOpendcimTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2026-02-27
2026-02-27 22:16Z
HIGH

CVE-2026-28406 — Chainguard Kaniko: is a tool to build container images from a Dockerfile, inside a container

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-28406

kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster. Starting in version 1.25.4 and prior to version 1.25.10, kaniko unpacks build context archives using `filepath.Join(dest, cleanedName)` without enforcing that the final path stays within `dest`. A tar entry like `../outside.txt` escapes the extraction root and writes files outside the destination directory. In environments with registry authentication, this can be chained w CVSSv3.1 8.2 (HIGH)

CWECWE 22VNDChainguardTYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2026-02-27
2026-02-27 19:16Z
CRIT

CVE-2026-2880 — Fastify Fastify\/middie: A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-2880

A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers. CVSSv3.1 9.1 (CRITICAL) · EPSS 23th percentile

CWECWE 20VNDFastifyTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2026-02-27
2026-02-27 17:16Z
CRIT

CVE-2026-2293 — Nestjs Nest: A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-2293

A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. This issue affects nest.Js: 11.1.13. CVSSv3.1 9.8 (CRITICAL)

CWECWE 863VNDNestjsTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-02-27
2026-02-27 13:16Z
CRIT

CVE-2025-11252 — Signumtte Windesk.fm: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-11252

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Signum Technology Promotion and Training Inc. Windesk.Fm allows SQL Injection. This issue affects windesk.Fm: before v2.3.4.  NOTE:  The vendor patched the vulnerability after the CVE was published. CVSSv3.1 9.8 (CRITICAL) · EPSS 4th percentile

CWECWE 89VNDSignumtteTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-02-27
2026-02-27 12:16Z
CRIT

CVE-2026-24352 — Pluxml Pluxml: CMS allows a user's session identifier to be set before authentication.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-24352

PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other ve CVSSv3.1 9.8 (CRITICAL) · EPSS 6th percentile

CWECWE 384VNDPluxmlTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-02-27
2026-02-27 12:16Z
CRIT

CVE-2025-11251 — Daynex Woyio: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-11251

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dayneks Software Industry and Trade Inc. E-Commerce Platform allows SQL Injection. This issue affects E-Commerce Platform: through 27022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 9.8 (CRITICAL) · EPSS 4th percentile

CWECWE 89VNDDaynexTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-02-27
2026-02-27 01:16Z
HIGH

CVE-2026-25109 — Copeland Xweb_500b_pro_firmware: An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-25109

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field when accessing the get setup route. CVSSv3.1 8.0 (HIGH) · EPSS 52th percentile

CWECWE 78VNDCopelandTYPVulnerability
8.0
CVSS v3.1
90
Edit Score
2026-02-27
2026-02-27 01:16Z
HIGH

CVE-2026-20910 — Copeland Xweb_300d_pro_firmware: An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-20910

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update action to achieve remote code execution. CVSSv3.1 8.0 (HIGH) · EPSS 52th percentile

CWECWE 78VNDCopelandTYPVulnerability
8.0
CVSS v3.1
90
Edit Score
2026-02-26
2026-02-26 21:28Z
CRIT

CVE-2026-22207 — OpenViking: through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-22207

OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration. CVSSv3.1 9.8 (CRITICAL)

CWECWE 306VNDOpenvikingTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-02-26
2026-02-26 20:31Z
HIGH

CVE-2026-27509 — Unitree Go2_firmware: Go2 firmware versions V1.1.7 through V1.1.9, and V1.1.11 (EDU) do not implement DDS

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-27509

Unitree Go2 firmware versions V1.1.7 through V1.1.9, and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When CVSSv3.1 8.0 (HIGH) · EPSS 23th percentile

CWECWE 306VNDUnitreeTYPVulnerability
8.0
CVSS v3.1
90
Edit Score
2026-02-26
2026-02-26 16:23Z
HIGH

CVE-2025-71057 — Link: Improper session management in D-Link Wireless N 300 ADSL2+ Modem Router DSL-124 ME_1.00 allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-71057

Improper session management in D-Link Wireless N 300 ADSL2+ Modem Router DSL-124 ME_1.00 allows attackers to execute a session hijacking attack via spoofing the IP address of an authenticated user. CVSSv3.1 8.2 (HIGH) · EPSS 4th percentile

CWECWE 345CWECWE 287CWECWE 384VNDLinkTYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2026-02-26
2026-02-26 14:00Z
HIGH

Introducing CloudFox GCP: Attack Path Identification for Google Cloud

Bishop Fox Labs·bishopfox.com

Bishop Fox released CloudFox GCP, an offensive security enumeration tool for Google Cloud Platform that maps IAM permissions, identifies service account risks, detects storage misconfigurations, and surfaces privilege escalation and lateral movement paths across GCP organization hierarchies. The tool includes 64 modules organized across identity, storage, compute, networking, and attack path analysis categories, with planned integration to FoxMapper for advanced privilege escalation graph analysis.

TACTA0006TACTA0007SRFCloudVNDBishop FoxVNDGoogle CloudTYPResearchTYPToolSTGDiscovery
82
Edit Score
2026-02-26
2026-02-26 08:00Z
HIGH

A Deep Dive into the GetProcessHandleFromHwnd API

Project Zero·googleprojectzero.blogspot.comCVE-2023-41772

Project Zero researcher provides a comprehensive historical analysis of the GetProcessHandleFromHwnd Windows API across Vista through Windows 11 24H2, documenting how it evolved from a hook-based implementation to a kernel function and the security implications of each version. The post details a critical vulnerability (CVE-2023-41772) in Windows 10 and pre-24H2 Windows 11 that allowed bypassing protected process isolation via UIPI checks, and demonstrates a practical attack chain to hijack Protected TCB processes like WerFaultSecure.exe. Microsoft's fixes in 24H2 introduce feature flags to enforce UIPI permanently and restrict the API to UI Access-enabled callers, though workarounds exist for systems with UIPI disabled.

SRFOsTACTA0004TACTA0005VNDMicrosoftTYPResearchTYPWriteupSTGDefense EvasionSTGPrivesc
88
Edit Score
2026-02-26
2026-02-26 01:16Z
HIGH

CVE-2026-27830 — JDBC: c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-27830

c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString` which conceptually represents a `Map<String,Map<String,String>>`. Prior to v0.12.0, that property was maintained as a hex-encoded serialized object. Any attacker able to reset this property, on an existing `ConnectionPoolDat CVSSv3.1 8.0 (HIGH)

CWECWE 94CWECWE 502VNDJdbcTYPVulnerability
8.0
CVSS v3.1
90
Edit Score
2026-02-26
2026-02-26 01:16Z
HIGH

ShimBad the Sailor, Part 3

Hexacorn·hexacorn.com

Hexacorn documents Windows 11 shim database enhancements including newly tracked process names (SdbMergeTestEntry_Added_Exe_Item.exe variants) and plugin directory structures (%windir%\apppatch\AcPluginDlls\) with test DLLs present across multiple architectures. The research identifies potential persistence and code injection vectors through underdocumented shim plugin mechanisms in apphelp.dll, pcasvc.dll, and appraiser.dll.

SRFOsTACTA0005TACTA0003VNDMicrosoftTYPResearchSTGDefense EvasionSTGPersistenceTECT1547.009
72
Edit Score
2026-02-26
2026-02-26 00:00Z
CRIT

Cisco SD-WAN vulnerabilities (CVE-2026-20127, CVE-2022-20775) in active exploitation

Sophos X-Ops·news.sophos.comCVE-2026-20127CVE-2022-20775in the wild0day

Cisco SD-WAN vulnerabilities CVE-2026-20127 and CVE-2022-20775 are under active exploitation targeting federal networks, with CISA issuing an emergency directive. CVE-2026-20127 permits unauthenticated remote attackers to bypass authentication and gain admin access; CVE-2022-20775 enables authenticated local privilege escalation. Sophos has released IPS signatures for detection.

TACTA0004TACTA0001SRFNetwork ApplianceVNDCiscoTYPVulnerabilityTYPThreat IntelSTGPrivescSTGInitial Access
92
Edit Score