Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-14014 — Upload: Smart Panel allows Accessing Functionality Not Properly Constrained by ACLs.
Unrestricted Upload of File with Dangerous Type vulnerability in NTN Information Processing Services Computer Software Hardware Industry and Trade Ltd. Co. Smart Panel allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Smart Panel: before 20251215. CVSSv3.1 9.8 (CRITICAL) · EPSS 7th percentile
CVE-2026-2007 — Postgresql Postgresql: Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts
Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the viability of attacks that lead to privilege escalation. PostgreSQL 18.1 and 18.0 are affected. CVSSv3.1 8.2 (HIGH)
CVE-2026-2006 — Postgresql Postgresql: Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user
Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. CVSSv3.1 8.8 (HIGH)
CVE-2026-2005 — Postgresql Postgresql: Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code
Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. CVSSv3.1 8.8 (HIGH)
CVE-2026-2004 — Postgresql Postgresql: Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows
Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. CVSSv3.1 8.8 (HIGH)
CVE-2025-13002 — Farktor E-commerce_package: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Cross-Site Scripting (XSS). This issue affects E-Commerce Package: through 27112025. CVSSv3.1 8.2 (HIGH) · EPSS 2th percentile
CVE-2025-10969 — Farktor E-commerce_package: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Blind SQL Injection. This issue affects E-Commerce Package: through 27112025. CVSSv3.1 9.8 (CRITICAL) · EPSS 4th percentile
Bypassing Administrator Protection by Abusing UI Access
Project Zero researcher disclosed 9 bypasses of Windows Administrator Protection, with detailed analysis of 5 root causes centered on UI Access abuse. The vulnerabilities exploit weaknesses in the UAC service's RAiLaunchAdminProcess RPC implementation, secure directory validation, and shared profile/environment handling to achieve arbitrary code execution in High-integrity UI Access processes. All issues have been patched.
OysterLoader Unmasked: The Multi-Stage Evasion Loader
Sekoia published a comprehensive technical analysis of OysterLoader, a multi-stage C++ loader malware distributed via fake software installers (PuTTY, WinSCP, etc.) and used by the Rhysida ransomware group and WIZARD SPIDER. The four-stage infection chain employs API hammering, custom LZMA decompression, dynamic API resolution, steganography-embedded payloads, and obfuscated C2 communication using non-standard Base64 encoding to deliver ransomware and commodity infostealers like Vidar.
CVE-2025-69872 — DiskCache: An attacker with write access to the cache directory can achieve arbitrary code execution
DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default. An attacker with write access to the cache directory can achieve arbitrary code execution when a victim application reads from the cache. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-65480 — Pacom: Authenticated users can inject malicious scripts in the Report Templates which are executed when
An issue was discovered in Pacom Unison Client 5.13.1. Authenticated users can inject malicious scripts in the Report Templates which are executed when certain script conditions are fulfilled, leading to Remote Code Execution. CVSSv3.1 8.8 (HIGH) · EPSS 49th percentile
V8 Heap Archaeology: Finding Exploitation Artifacts in Chrome’s Memory
SpecterOps released v8-forensics, a Rust tool for detecting JavaScript memory corruption exploits in Chrome V8 heap dumps without requiring symbols. The research details the anatomy of V8 exploitation primitives (OOB read/write, addrof, fakeobj, caged R/W) and introduces three high-fidelity forensic detection signatures: CorruptedLength (array_length > elements_length), ElementsMapMismatch (elements_kind disagreement with backing store type), and EmbeddedInElements (fake objects forged within array slots). The approach enables proactive detection of failed exploitation attempts via Windows Error Reporting crash dumps, catching attackers at their first failed attempt rather than waiting for successful compromise.
CVE-2025-12059 — Insertion: Logo j-Platform allows Exploiting Incorrectly Configured Access Control Security Levels.
Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Logo Software Industry and Trade Inc. Logo j-Platform allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Logo j-Platform: from 3.29.6.4 before 3.34.8.9. CVSSv3.1 9.8 (CRITICAL) · EPSS 20th percentile
CVE-2025-8668 — Neutralization: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in E-Kalite Software Hardware Engineering Design and Internet Services Industry and Trade Ltd. Co. Turboard allows Reflected XSS. This issue affects Turboard: from 2025.07 before 2026.02. NOTE: This CVE record updated after the vendor implemented mitigations. CVSSv3.1 9.4 (CRITICAL) · EPSS 6th percentile
CVE-2025-8025 — Authentication: Missing Authentication for Critical Function, Improper Access Control vulnerability in Dinosoft Business Solutions Dinosoft
Missing Authentication for Critical Function, Improper Access Control vulnerability in Dinosoft Business Solutions Dinosoft ERP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Dinosoft ERP: from < 3.0.1 through 11022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 9.8 (CRITICAL) · EPSS 10th percentile
CVE-2025-10174 — Cleartext: PanCafe Pro allows Flooding.
Cleartext Transmission of Sensitive Information vulnerability in Pan Software & Information Technologies Ltd. PanCafe Pro allows Flooding. This issue affects PanCafe Pro: from < 3.3.2 through 23092025. CVSSv3.1 8.3 (HIGH) · EPSS 5th percentile
CVE-2025-9986 — Exposure: of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Vadi Corporate
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Vadi Corporate Information Systems Ltd. Co. DIGIKENT allows Excavation. This issue affects DIGIKENT: through 13092025. CVSSv3.1 8.2 (HIGH) · EPSS 15th percentile
CVE-2025-10913 — Neutralization: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Saastech Cleaning and Internet Services Inc. TemizlikYolda allows Cross-Site Scripting (XSS). This issue affects TemizlikYolda: through 11022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 8.3 (HIGH) · EPSS 20th percentile
The February 2026 Security Update Review
Microsoft released 62 CVEs in February 2026 with six actively exploited vulnerabilities, including critical Windows Shell and Word security feature bypasses (CVE-2026-21510, CVE-2026-21514), Desktop Window Manager and RDS privilege escalations (CVE-2026-21519, CVE-2026-21533), and multiple Azure cloud infrastructure vulnerabilities. Adobe released 44 CVEs across creative suite products with no active exploitation reported. The unusually high number of ITW exploits (6 vs. 1 last month) and prevalence of one-click code execution and SYSTEM-level privilege escalation bugs warrant immediate patching.
CVE-2026-25646 — Libpng Libpng: Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function.
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past th CVSSv3.1 8.1 (HIGH)
v2.9.1
AzureHound v2.9.1 released with a minor bug fix removing an unneeded channel for devices (BED-7366). This is a routine maintenance release with 41 commits since v2.9.0.
CVE-2025-7636 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ergosis Security Systems Computer Industry and Trade Inc. ZEUS PDKS allows SQL Injection. This issue affects ZEUS PDKS: from <1.0.5.10 through 10022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 8.8 (HIGH) · EPSS 14th percentile
CVE-2025-7347 — Authorization: Bypass Through User-Controlled Key vulnerability in Dinibh Puzzle Software Solutions Dinibh Patrol Tracking
Authorization Bypass Through User-Controlled Key vulnerability in Dinibh Puzzle Software Solutions Dinibh Patrol Tracking System allows Exploitation of Trusted Identifiers. This issue affects Dinibh Patrol Tracking System: through 10022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 8.8 (HIGH) · EPSS 19th percentile
CVE-2025-6967 — Execution: CMS allows JSON Hijacking (aka JavaScript Hijacking), Authentication Bypass.
Execution After Redirect (EAR) vulnerability in Sarman Soft Software and Technology Services Industry and Trade Ltd. Co. CMS allows JSON Hijacking (aka JavaScript Hijacking), Authentication Bypass. This issue affects CMS: through 10022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 8.7 (HIGH) · EPSS 10th percentile
CVE-2025-11242 — Server: Server-Side Request Forgery (SSRF) vulnerability in Teknolist Computer Systems Software Publishing Industry and Trade
Server-Side Request Forgery (SSRF) vulnerability in Teknolist Computer Systems Software Publishing Industry and Trade Inc. Okulistik allows Server Side Request Forgery. This issue affects Okulistik: through 21102025. CVSSv3.1 9.8 (CRITICAL) · EPSS 20th percentile