Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2026-0797 — Gimp Gimp: ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability.
GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ICO files. The issue results from the lack of proper validation of the length of user-supplied data prior to c CVSSv3.1 8.8 (HIGH)
CVE-2026-25896 — Naturalintelligence Fast-xml-parser: allows users to validate XML, parse XML to JS object, or build XML
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fi CVSSv3.1 9.3 (CRITICAL)
CVE-2026-2472 — Stored: Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK
Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions from 1.98.0 up to (but not including) 1.131.0 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment via injecting script escape sequences into model evaluation results or dataset JSON data. CVSSv3.1 8.1 (HIGH)
CVE-2026-2818 — A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers
A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only. CVSSv3.1 8.2 (HIGH)
CVE-2026-26725 — Edubusinesssolutions Print_shop_pro_webdesk: An issue in edu Business Solutions Print Shop Pro WebDesk v.18.34 (fixed in 19.76)
An issue in edu Business Solutions Print Shop Pro WebDesk v.18.34 (fixed in 19.76) allows a remote attacker to escalate privileges via the AccessID parameter. CVSSv3.1 9.8 (CRITICAL) · EPSS 46th percentile
CVE-2026-22384 — Deserialization: of Untrusted Data vulnerability in leafcolor Applay - Shortcodes applay-shortcodes allows Object Injection.This
Deserialization of Untrusted Data vulnerability in leafcolor Applay - Shortcodes applay-shortcodes allows Object Injection.This issue affects Applay - Shortcodes: from n/a through <= 3.7. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-22365 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Soleng soleng allows PHP Local File Inclusion.This issue affects Soleng: from n/a through <= 1.0.5. CVSSv3.1 8.1 (HIGH)
CVE-2025-69063 — Authorization: Missing Authorization vulnerability in Saad Iqbal New User Approve new-user-approve allows Exploiting Incorrectly Configured
Missing Authorization vulnerability in Saad Iqbal New User Approve new-user-approve allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects New User Approve: from n/a through <= 3.2.0. CVSSv3.1 8.6 (HIGH)
CVE-2025-68853 — Deserialization: of Untrusted Data vulnerability in Kleor Contact Manager contact-manager allows Object Injection.This issue
Deserialization of Untrusted Data vulnerability in Kleor Contact Manager contact-manager allows Object Injection.This issue affects Contact Manager: from n/a through <= 9.1.1. CVSSv3.1 8.8 (HIGH)
CVE-2025-68545 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Nika nika allows PHP Local File Inclusion.This issue affects Nika: from n/a through <= 1.2.14. CVSSv3.1 8.1 (HIGH)
CVE-2025-67977 — Authorization: Missing Authorization vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security
Missing Authorization vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HAPPY: from n/a through <= 1.0.8. CVSSv3.1 8.2 (HIGH)
Using threat modeling and prompt injection to audit Comet
Trail of Bits disclosed a pre-launch security audit of Perplexity's Comet AI-powered browser, demonstrating four prompt injection techniques that could extract private Gmail data by exploiting the browser's AI assistant. The vulnerabilities exploited the assistant's failure to treat external web content as untrusted input, allowing attackers to inject fake system messages, security mechanisms, and user requests. The findings led to five security recommendations for AI-integrated products, including ML-centered threat modeling, clear trust boundaries, systematic red-teaming, least-privilege capabilities, and input validation.
CVE-2025-10970 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kolay Software Inc. Talentics allows Blind SQL Injection. This issue affects Talentics: through 20022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 9.8 (CRITICAL) · EPSS 15th percentile
CVE-2026-26980 — Ghost Ghost: Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database.
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1. CVSSv3.1 9.4 (CRITICAL) · EPSS 97th percentile
CVE-2026-20841: Arbitrary Code Execution in the Windows Notepad
CVE-2026-20841 is a command injection vulnerability in Windows Notepad's Markdown renderer that allows arbitrary code execution through maliciously crafted links in .md files. The flaw stems from insufficient validation of protocol URIs (file://, ms-appinstaller://) passed to ShellExecuteExW(), enabling remote attackers to execute arbitrary commands in the victim's security context via social engineering. Microsoft patched the vulnerability in February 2026.
CVE-2026-26318 — Systeminformation Systeminformation: Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in
systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue. CVSSv3.1 8.8 (HIGH)
CVE-2026-26280 — Systeminformation Systeminformation: In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows
systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In `lib/wifi.js`, the `wifiNetworks()` function sanitizes the `iface` parameter on the initial call (line 437). However, when the initial scan returns empty results, a `setTimeout` retry (lin CVSSv3.1 8.4 (HIGH)
CVE-2026-24834 — Katacontainers Kata_containers: In versions prior to 3.27.0, an issue in Kata with Cloud Hypervisor allows a
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.27.0, an issue in Kata with Cloud Hypervisor allows a user of the container to modify the file system used by the Guest micro VM ultimately achieving arbitrary code execution as root in said VM. The current understanding is this doesn’t impact the security of the Host or of other containers / VMs running on CVSSv3.1 9.3 (CRITICAL)
Mapping Deception Solutions With BloodHound OpenGraph – Configuration Manager
SpecterOps published a comprehensive guide on implementing deception solutions within System Center Configuration Manager (SCCM) infrastructure using BloodHound OpenGraph. The research details three canary deception techniques: canary Network Access Accounts (NAA), fake PXE media, and poisoned SC_UserAccount database entries, designed to detect adversaries exploiting SCCM for lateral movement and credential theft. The methodology integrates ConfigManBearPig (SCCM collector) and deceptionClone (node modification) tools to map and visualize deception solutions within attack graphs.
CVE-2026-25940 — Parall Jspdf: Prior to 4.2.0, user control of properties and methods of the Acroform module allows
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option. The vulnerability has been fixed in jsPDF@4.2.0. As a work CVSSv3.1 8.1 (HIGH)
CVE-2026-25755 — Parall Jspdf: Prior to 4.2.0, user control of the argument of the `addJS` method allows an
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF. The vulnerability has been fixed in jspdf@4.2.0. As a workaround, escape parentheses in use CVSSv3.1 8.1 (HIGH)
CVE-2026-20817 — Windows Error Reporting ALPC Elevation of Privilege (CVE-2026-20817) - Proof-of-Concept exploit demonstrating local priv
Public PoC exploit for CVE-2026-20817, a Windows Error Reporting (WER) service ALPC privilege escalation affecting Windows 10, 11, Server 2019/2022 pre-January 2026. The vulnerability allows authenticated low-privilege users to execute arbitrary code as SYSTEM by sending malformed ALPC messages to the WER service with crafted shared memory payloads, exploiting insufficient validation in the SvcElevatedLaunch method.
CVE-2025-9953 — Authorization: Bypass Through User-Controlled SQL Primary Key vulnerability in DATABASE Software Training Consulting Ltd.
Authorization Bypass Through User-Controlled SQL Primary Key vulnerability in DATABASE Software Training Consulting Ltd. Databank Accreditation Software allows SQL Injection. This issue affects Databank Accreditation Software: through 19022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 9.8 (CRITICAL) · EPSS 4th percentile
CVE-2025-8350 — Execution: After Redirect (EAR), Missing Authentication for Critical Function vulnerability in Inrove Software and
Execution After Redirect (EAR), Missing Authentication for Critical Function vulnerability in Inrove Software and Internet Services BiEticaret CMS allows Authentication Bypass, HTTP Response Splitting. This issue affects BiEticaret CMS: from 2.1.13 through 19022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 9.8 (CRITICAL) · EPSS 15th percentile
CVE-2025-13590 — Wso2 Api_control_plane: A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled
A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload. CVSSv3.1 9.1 (CRITICAL) · EPSS 47th percentile