Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-50004 — Deserialization: of Untrusted Data vulnerability in artbees JupiterX Core jupiterx-core allows Object Injection.This issue
Deserialization of Untrusted Data vulnerability in artbees JupiterX Core jupiterx-core allows Object Injection.This issue affects JupiterX Core: from n/a through <= 4.10.1. CVSSv3.1 8.8 (HIGH)
CVE-2025-50003 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Amuli amuli allows PHP Local File Inclusion.This issue affects Amuli: from n/a through <= 2.3.0. CVSSv3.1 8.1 (HIGH)
CVE-2025-50002 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Farost Energia energia allows Upload
Unrestricted Upload of File with Dangerous Type vulnerability in Farost Energia energia allows Upload a Web Shell to a Web Server.This issue affects Energia: from n/a through <= 1.1.2. CVSSv3.1 10.0 (CRITICAL)
CVE-2025-49994 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Athens athens allows PHP Local File Inclusion.This issue affects Athens: from n/a through <= 1.1.6. CVSSv3.1 8.1 (HIGH)
CVE-2025-49055 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages wp-lead-capture allows Blind SQL Injection.This issue affects WP Lead Capturing Pages: from n/a through <= 2.5. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-49050 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages wp-lead-capture allows Blind SQL Injection.This issue affects WP Lead Capturing Pages: from n/a through <= 2.5. CVSSv3.1 8.5 (HIGH)
CVE-2025-49049 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ZoomIt DZS Video Gallery dzs-videogallery allows SQL Injection.This issue affects DZS Video Gallery: from n/a through <= 12.39. CVSSv3.1 8.5 (HIGH)
CVE-2025-47474 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ninetheme Anarkali anarkali allows PHP Local File Inclusion.This issue affects Anarkali: from n/a through <= 1.0.9. CVSSv3.1 8.1 (HIGH)
CVE-2026-24009 — Docling Docling-core: A PyYAML-related Remote Code Execution (RCE) vulnerability, namely CVE-2020-14343, is exposed in docling-core starting
Docling Core (or docling-core) is a library that defines core data types and transformations in the document processing application Docling. A PyYAML-related Remote Code Execution (RCE) vulnerability, namely CVE-2020-14343, is exposed in docling-core starting in version 2.21.0 and prior to version 2.48.4, specifically only if the application uses pyyaml prior to version 5.4 and invokes `docling_core.types.doc.DoclingDocument.load_from_yaml()` passing it untrusted YAML data. T CVSSv3.1 8.1 (HIGH)
CVE-2025-10856 — Upload: Teknoera allows File Content Injection.
Unrestricted Upload of File with Dangerous Type vulnerability in Solvera Software Services Trade Inc. Teknoera allows File Content Injection. This issue affects Teknoera: through 01102025. CVSSv3.1 8.1 (HIGH) · EPSS 5th percentile
CVE-2025-4764 — Aida Hotel_guest_hotspot: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows SQL Injection. This issue affects Hotel Guest Hotspot: through 22012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 8.0 (HIGH) · EPSS 7th percentile
Pwn2Own Automotive 2026 - Day Two Results
Pwn2Own Automotive 2026 Day Two concluded with 29 unique 0-day vulnerabilities disclosed across automotive infotainment systems, EV chargers, and embedded platforms, awarding $439,250 USD. Cumulative event totals reached $955,750 USD across 66 unique 0-days, with command injection, buffer overflows, and authentication bypasses dominating the attack surface. Fuzzware.io maintains the Master of Pwn lead heading into the final competition day.
Attackers With Decompilers Strike Again (SmarterTools SmarterMail WT-2026-0001 Auth Bypass)
watchTowr Labs disclosed WT-2026-0001, a critical authentication bypass in SmarterTools SmarterMail allowing unauthenticated attackers to reset the system administrator password via the /api/v1/auth/force-reset-password endpoint. The vulnerability chains directly to RCE through built-in admin functionality for executing OS commands via volume mount configuration. The vulnerability was patched in version 9511 (January 15, 2026), but is already being actively exploited in the wild within days of patch release, indicating attackers performed patch diffing to reconstruct the vulnerability.
Watering Hole Attack Targets EmEditor Users with Information-Stealing Malware
EmEditor's official download page was compromised in late December 2025 to distribute trojanized installers delivering multistage PowerShell-based malware. The malware disables ETW logging, steals credentials from Windows Credential Manager, performs system fingerprinting, and exfiltrates data to a C&C server; geofencing patterns suggest Russian or CIS-origin threat actors. Active exploitation has already occurred with multiple confirmed infections prior to vendor disclosure.
CVE-2026-22822 — External-secrets External_secrets_operator: External Secrets Operator reads information from a third-party service and automatically injects the values
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, while introduced for senhasegura Devops Secrets Management (DSM) provider, has the ability to fetch secrets cross-namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms. This function was completely removed i CVSSv3.1 8.8 (HIGH)
CVE-2026-22807 — Vllm Vllm: An attacker who can influence the model repo/path (local directory or remote Hugging Face
vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM CVSSv3.1 8.8 (HIGH)
CVE-2026-0834 — Tp-link Archer_ax53_firmware: Logic vulnerability in TP-Link Archer C20 v5, 6.0, Archer AX53 v1.0 and TL-WR841N v13
Logic vulnerability in TP-Link Archer C20 v5, 6.0, Archer AX53 v1.0 and TL-WR841N v13 (TDDP module) allows unauthenticated adjacent attackers to execute administrative commands including factory reset and device reboot without credentials. Attackers on the adjacent network can remotely trigger factory resets and reboots without credentials, causing configuration loss and interruption of device availability.This issue affects Archer C20 v6.0 < V6_251031, Archer C20 v5 <EU_V5_2 CVSSv3.1 8.8 (HIGH)
Task Failed Successfully – Microsoft’s “Immediate” Retirement of MDT
SpecterOps researcher Garrett Foster disclosed critical vulnerabilities in Microsoft Deployment Toolkit (MDT) that enable unauthenticated credential theft and lateral movement. Rather than patch the issues, Microsoft chose to retire MDT entirely as of January 6, 2026, leaving enterprises with unpatched systems. The attack chain combines unauthenticated WDS/PXE discovery, XXE injection in the MDT monitoring service, and authentication coercion to extract privileged service account credentials.
Pwn2Own Automotive 2026 - Day One Results
Pwn2Own Automotive 2026 Day One concluded with 37 unique 0-days disclosed across automotive infotainment systems, EV chargers, and Tesla components. Researchers exploited memory corruption vulnerabilities (stack/heap overflows, out-of-bounds writes), authentication bypasses, hardcoded credentials, and command injection flaws to achieve root-level code execution and charging signal manipulation. Total prize pool awarded: $516,500 USD.
CVE-2025-55130 — Nodejs Node.js: A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission m CVSSv3.1 9.1 (CRITICAL)
CVE-2025-56005 — Dabeaz Ply: An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote
An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the Gi CVSSv3.1 9.8 (CRITICAL)
Updates to the MSSQLHound OpenGraph Collector for BloodHound
SpecterOps released updates to MSSQLHound, a BloodHound OpenGraph collector that now detects NTLM relay attack susceptibility by scanning for Extended Protection for Authentication (EPA) settings on MSSQL servers. The tool also identifies CVE-2025-49758, a privilege escalation flaw allowing ALTER ANY LOGIN permission holders to change passwords for securityadmin principals without knowing the old password, enabling server compromise. New BloodHound Cypher queries enable visualization of attack paths from domain principals to MSSQL compromise.
CVE-2026-23950 — Isaacs Tar: node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and
node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards CVSSv3.1 8.8 (HIGH)
CVE-2026-23876 — Imagemagick Imagemagick: Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow vulnerability in the XBM
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow vulnerability in the XBM image decoder (ReadXBMImage) allows an attacker to write controlled data past the allocated heap buffer when processing a maliciously crafted image file. Any operation that reads or identifies an image can trigger the overflow, making it exploitable via common image upload and processing pipeli CVSSv3.1 8.1 (HIGH)
CVE-2026-23884 — Freerdp Freerdp: A malicious server can trigger a client‑side use after free, causing a crash (DoS)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, offscreen bitmap deletion leaves `gdi->drawing` pointing to freed memory, causing UAF when related update packets arrive. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. CVSSv3.1 9.8 (CRITICAL)