Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
Intego X9: Why your macOS antivirus should not trust PIDs
Quarkslab published a detailed reverse-engineering analysis of Intego X9 antivirus on macOS, demonstrating a PID-reuse race condition that bypasses XPC authentication checks. The vulnerability exploits the NTGCodeSigningVerifier class's reliance on process identifiers rather than audit tokens, allowing unprivileged code to impersonate trusted Intego processes and escalate privileges. The research includes static analysis via Ghidra, dynamic debugging with Frida, and proof-of-concept exploitation techniques.
CVE-2026-27148 — Storybook Storybook: Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev
Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is ru CVSSv3.1 9.6 (CRITICAL)
CVE-2026-26965 — Freerdp Freerdp: A malicious RDP server can exploit this to perform a heap out-of-bounds write with
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle()` writes into `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits in the destination height or that `(nXDst+nSrcWidth)` fits in the destination stride. When `TempFormat != DstFormat`, `pDstData` becomes `planar->pTempData` (sized for the desktop), while `nYDst` is only CVSSv3.1 8.8 (HIGH)
CVE-2026-26955 — Freerdp Freerdp: Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing a CVSSv3.1 8.8 (HIGH)
Buy A Help Desk, Bundle A Remote Access Solution? (SolarWinds Web Help Desk Pre-Auth RCE Chain(s))
watchTowr Labs disclosed three new pre-authentication vulnerabilities in SolarWinds Web Help Desk (CVE-2025-40552, CVE-2025-40553, CVE-2025-40554) that chain together to achieve unauthenticated RCE on fully patched instances. The vulnerabilities exploit deserialization flaws in the legacy Java WebObjects framework and bypass existing security patches through encoding tricks and parser differential analysis. This represents the fourth major deserialization RCE chain in the product since 2024, with prior patches (CVE-2024-28986, CVE-2024-28988, CVE-2025-26399) all bypassed through similar mechanisms.
CVE-2026-27727 — Mchange Mchange_commons_java: mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of
mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously crafted `jaxax.naming.Reference` or serialized object, they can provoke the download and execution of malicious code. Implementations of this functi CVSSv3.1 9.8 (CRITICAL)
CVE-2026-20127 — Cisco Catalyst_sd-wan_manager: A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart
A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An CVSSv3.1 10.0 (CRITICAL) · EPSS 99th percentile
Nemesis 2.2
SpecterOps released Nemesis 2.2, a major update to their file enrichment and triage platform with significant new capabilities for processing large forensic containers (disk images), LLM-powered agents for automated triage and analysis, and comprehensive DPAPI decryption support for Chromium-based browsers. The release emphasizes both offensive and defensive use cases, with 10-30x performance improvements in text file processing and new functionality for extracting credentials, analyzing .NET assemblies, and handling modern browser encryption schemes including Chrome's v3 app-bound encryption.
CVE-2026-2624 — Epati Antikor_next_generation_firewall: Missing Authentication for Critical Function vulnerability in ePati Cyber Security Technologies Inc.
Missing Authentication for Critical Function vulnerability in ePati Cyber Security Technologies Inc. Antikor Next Generation Firewall (NGFW) allows Authentication Bypass. This issue affects Antikor Next Generation Firewall (NGFW): from v.2.0.1298 before v.2.0.1301. CVSSv3.1 9.8 (CRITICAL) · EPSS 86th percentile
mquire: Linux memory forensics without external dependencies
Trail of Bits open-sourced mquire, a Linux memory forensics tool that eliminates the need for external debug symbols by extracting type information from BTF (BPF Type Format) and symbol addresses from Kallsyms directly within memory dumps. The tool provides SQL-based querying of kernel structures including processes, open files, memory mappings, and network connections, supporting kernel 4.18+ with BTF and 6.4+ with Kallsyms.
CVE-2026-27608 — Parseplatform Parse_dashboard: In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) does not
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and can supply write permissions in the request body to perform wri CVSSv3.1 8.1 (HIGH) · EPSS 12th percentile
CVE-2026-27606 — Rollupjs Rollup: Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x
Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences (`../`) to overwrite files anywhere on the host files CVSSv3.1 9.8 (CRITICAL)
CVE-2025-63409 — Gcomtw Gcom_epon_1ge_firmware: Privilege escalation and improper access control in GCOM EPON 1GE C00R371V00B01 allows remote authenticated
Privilege escalation and improper access control in GCOM EPON 1GE C00R371V00B01 allows remote authenticated users to modify administrator only settings and extract administrator credentials. CVSSv3.1 8.8 (HIGH) · EPSS 21th percentile
CVE-2026-2807 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with
Memory safety bugs present in Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 148 and Thunderbird 148. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-2806 — Mozilla Firefox: Uninitialized memory in the Graphics: Text component.
Uninitialized memory in the Graphics: Text component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. CVSSv3.1 9.1 (CRITICAL)
CVE-2026-2805 — Mozilla Firefox: Invalid pointer in the DOM: Core & HTML component.
Invalid pointer in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-2800 — Mozilla Firefox: Spoofing issue in the WebAuthn component in Firefox for Android.
Spoofing issue in the WebAuthn component in Firefox for Android. This vulnerability was fixed in Firefox 148 and Thunderbird 148. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-2799 — Mozilla Firefox: Use-after-free in the DOM: Core & HTML component.
Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-2798 — Mozilla Firefox: Use-after-free in the DOM: Core & HTML component.
Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. CVSSv3.1 8.8 (HIGH)
CVE-2026-2797 — Mozilla Firefox: Use-after-free in the JavaScript: GC component.
Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-2796 — Mozilla Firefox: JIT miscompilation in the JavaScript: WebAssembly component.
JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-2795 — Mozilla Firefox: Use-after-free in the JavaScript: GC component.
Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-2793 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with
Memory safety bugs present in Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-2792 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with
Memory safety bugs present in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-2791 — Mozilla Firefox: Mitigation bypass in the Networking: Cache component.
Mitigation bypass in the Networking: Cache component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. CVSSv3.1 9.8 (CRITICAL)