Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2026-2764 — Mozilla Firefox: JIT miscompilation, use-after-free in the JavaScript Engine: JIT component.
JIT miscompilation, use-after-free in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-2763 — Mozilla Firefox: Use-after-free in the JavaScript Engine component.
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-2762 — Mozilla Firefox: Integer overflow in the JavaScript: Standard Library component.
Integer overflow in the JavaScript: Standard Library component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-2761 — Mozilla Firefox: Sandbox escape in the Graphics: WebRender component.
Sandbox escape in the Graphics: WebRender component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. CVSSv3.1 10.0 (CRITICAL)
CVE-2026-2760 — Mozilla Firefox: Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component.
Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. CVSSv3.1 10.0 (CRITICAL)
CVE-2026-2759 — Mozilla Firefox: Incorrect boundary conditions in the Graphics: ImageLib component.
Incorrect boundary conditions in the Graphics: ImageLib component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-2758 — Mozilla Firefox: Use-after-free in the JavaScript: GC component.
Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-2757 — Mozilla Firefox: Incorrect boundary conditions in the WebRTC: Audio/Video component.
Incorrect boundary conditions in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-2634 — Mozilla Firefox: Malicious scripts could cause desynchronization between the address bar and web content before a
Malicious scripts could cause desynchronization between the address bar and web content before a response is received in Firefox iOS, allowing attacker-controlled pages to be presented under spoofed domains. This vulnerability was fixed in Firefox for iOS 147.4. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-2459 — Hitachienergy Reb500_firmware: A vulnerability exists in REB500 for an authenticated user with Installer role to access
A vulnerability exists in REB500 for an authenticated user with Installer role to access and alter the contents of directories that the role is not authorized to do so. CVSSv3.1 8.1 (HIGH)
Samsung Tizen OS | Version Through 9.0
Bishop Fox disclosed an arbitrary command injection vulnerability in Samsung Tizen OS through version 9.0 affecting the Samsung Debug Bridge (SDB) service. The vulnerability allows OS-level code execution on Tizen-based smart TVs when developer mode is enabled and the attacker operates from the configured developer host IP. The flaw was demonstrated on multiple physical Samsung TV models (Tizen 5.5, 7.0, 8.0) and affects all versions supporting SDB.
v1.7.2
Sliver v1.7.2 released with improvements to shell management (multi-shell support, backgrounding, listing, re-attachment), Windows PE metadata spoofing, macOS shellcode loader enhancements, and security fixes including RPC restriction for external builders and gzip size limits.
v1.7.3
Sliver v1.7.3 released with a single bugfix reverting wasm-donut to v0.0.3 to resolve a regression in Windows shellcode generation. This is a maintenance release addressing a technical issue in the command-and-control framework.
CVE-2026-25965 — Imagemagick Imagemagick: As a result, a policy rule such as /etc/* can be bypassed by a
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enab CVSSv3.1 8.6 (HIGH)
CVE-2026-25794 — Imagemagick Imagemagick: Prior to version 7.1.2-15, when image dimensions are large, the multiplication overflows 32-bit `int`
ImageMagick is free and open-source software used for editing and manipulating digital images. `WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmetic to compute the pixel buffer size. Prior to version 7.1.2-15, when image dimensions are large, the multiplication overflows 32-bit `int`, causing an undersized heap allocation followed by an out-of-bounds write. This can crash the process or potentially lead to an out of bounds heap write. Version 7.1.2-15 contains a patch. CVSSv3.1 8.2 (HIGH)
Nowhere, man: The 2026 Active Adversary Report
Sophos X-Ops' 2026 Active Adversary Report analyzes 661 incident response cases from Nov 2024–Oct 2025, revealing that identity-related attacks (compromised credentials, brute-force, phishing) now account for 67.32% of root causes—a multi-year dominance trend. Attackers are moving faster (3.4-hour median to AD compromise, 3-day dwell time) and increasingly exfiltrating data alongside ransomware; Impacket usage surged 83% YoY, while Cobalt Strike declined. Critical gaps persist: 59% of organizations lack MFA, firewall logging defaults are inadequate (7 days or less), and 13% run end-of-life Windows Server versions.
CVE-2025-71056 — GCOM: Improper session management in GCOM EPON 1GE ONU version C00R371V00B01 allows attackers to execute
Improper session management in GCOM EPON 1GE ONU version C00R371V00B01 allows attackers to execute a session hijacking attack via spoofing the IP address of an authenticated user. CVSSv3.1 8.1 (HIGH) · EPSS 14th percentile
CVE-2025-67733 — Lfprojects Valkey: Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. CVSSv3.1 8.5 (HIGH)
v1.5.1
NetExec v1.5.1 patches a critical arbitrary file write vulnerability in the spider_plus module. The release includes multiple bug fixes across SMB, NFS, LDAP, FTP, RDP, and WMI modules. Users are advised to upgrade immediately via GitHub/pipx.
v2.10.0-rc1
AzureHound v2.10.0-rc1 released with support for federated identity credentials enumeration and minor bug fixes. This is a pre-release candidate with 23 commits since v2.9.2.
CVE-2026-25747 — Apache Camel: Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component.
Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. An attacker who can write to the LevelDB database files used by a Camel application can inject a crafted serialized Java object that, when deserialized during normal aggregation repo CVSSv3.1 8.8 (HIGH)
Malicious OpenClaw Skills Used to Distribute Atomic macOS Stealer
Trend Micro Research identified a campaign distributing Atomic macOS Stealer (AMOS) through malicious OpenClaw AI agent skills, representing an evolution from traditional cracked-software distribution to supply-chain attacks targeting AI workflows. The attack chain embeds malicious instructions in SKILL.md files that trick AI agents into installing a fake CLI tool, which then deploys a Mach-O universal binary stealer that exfiltrates Apple keychains, KeePass vaults, browser data, and documents. Over 39 distinct malicious skills were identified across ClawHub, SkillsMP, and GitHub repositories, with hundreds more related skills previously documented by other researchers.
1 little known secret of sti_ci.dll
Hexacorn documents a Living-off-the-Land Binary (LOLBin) technique leveraging sti_ci.dll's InstallWiaService export function callable via rundll32.exe to execute multiple system binaries (regsvr32.exe, wiaacmgr.exe, etc.). The technique can be abused for code execution and defense evasion by copying rundll32.exe to alternate directories to bypass system32 search order restrictions; execution is logged to wiatrace.log.
CVE-2026-27134 — Linuxfoundation Strimzi_kafka_operator: Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift
Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. In versions 0.49.0 through 0.50.0, when using a custom Cluster or Clients CA with a multistage CA chain consisting of multiple CAs, Strimzi incorrectly configures the trusted certificates for mTLS authentication on the internal as well as user-configured listeners. All CAs from the CA chain will be trusted. And users with certificates signed by any of the CA CVSSv3.1 8.1 (HIGH)
CVE-2026-2044 — Gimp Gimp: PGM File Parsing Uninitialized Memory Remote Code Execution Vulnerability.
GIMP PGM File Parsing Uninitialized Memory Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PGM files. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can CVSSv3.1 8.8 (HIGH)