Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2026-0881 — Mozilla Firefox: Sandbox escape in the Messaging System component.
Sandbox escape in the Messaging System component. This vulnerability was fixed in Firefox 147 and Thunderbird 147. CVSSv3.1 10.0 (CRITICAL)
CVE-2026-0880 — Mozilla Firefox: Sandbox escape due to integer overflow in the Graphics component.
Sandbox escape due to integer overflow in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7. CVSSv3.1 8.8 (HIGH)
CVE-2026-0879 — Mozilla Firefox: Sandbox escape due to incorrect boundary conditions in the Graphics component.
Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-0878 — Mozilla Firefox: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component.
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7. CVSSv3.1 8.0 (HIGH)
CVE-2026-0877 — Mozilla Firefox: Mitigation bypass in the DOM: Security component.
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7. CVSSv3.1 8.1 (HIGH)
Lack of isolation in agentic browsers resurfaces old vulnerabilities
Trail of Bits disclosed a systematic security analysis of agentic browsers (AI-integrated browsers), demonstrating how inadequate isolation between AI agents, user data, and web origins enables prompt injection, data exfiltration, and session hijacking attacks. The researchers identified four trust zone violation classes (INJECTION, CTX_IN, REV_CTX_IN, CTX_OUT) and demonstrated real-world exploits including false information injection, credential theft via magic links, cross-site data leaks, and persistent history pollution across multiple unnamed vendors who declined coordinated disclosure.
CVE-2026-22805 — Metabase Metabase: Prior to 55.13, 56.3, and 57.1, self-hosted Metabase instances that allow users to create
Metabase is an open-source data analytics platform. Prior to 55.13, 56.3, and 57.1, self-hosted Metabase instances that allow users to create subscriptions could be potentially impacted if their Metabase is colocated with other unsecured resources. This vulnerability is fixed in 55.13, 56.3, and 57.1. CVSSv3.1 8.6 (HIGH)
CVE-2025-29329 — Sagemcom F\@st_3686_firmware: Buffer Overflow in the ippprint (Internet Printing Protocol) service in Sagemcom F@st 3686 MAGYAR_4.121.0
Buffer Overflow in the ippprint (Internet Printing Protocol) service in Sagemcom F@st 3686 MAGYAR_4.121.0 allows remote attacker to execute arbitrary code by sending a crafted HTTP request. CVSSv3.1 9.8 (CRITICAL) · EPSS 64th percentile
CVE-2026-22771 — Envoyproxy Gateway: Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be
Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communicate with the control plane and gain access to all secrets that are used by Envoy proxy, e.g. TLS private keys and credentials used for downstream and upstream communication. This vulne CVSSv3.1 8.8 (HIGH)
CVE-2025-63314 — Ddsn Cm3_acora_cms: A static password reset token in the password reset function of DDSN Interactive Acora
A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to arbitrarily reset the user password and execute a full account takeover via a replay attack. CVSSv3.1 10.0 (CRITICAL) · EPSS 21th percentile
CVE-2025-65552 — D3dsecurity Zx-g12_firmware: D3D Wi-Fi Home Security System ZX-G12 v2.1.1 is vulnerable to RF replay attacks on
D3D Wi-Fi Home Security System ZX-G12 v2.1.1 is vulnerable to RF replay attacks on the 433 MHz sensor communication channel. The system does not implement rolling codes, message authentication, or anti-replay protection, allowing an attacker within RF range to record valid alarm/control frames and replay them to trigger false alarms. CVSSv3.1 9.8 (CRITICAL) · EPSS 32th percentile
CVE-2025-14279 — Lfprojects Mlflow: versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due
MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5 CVSSv3.1 8.1 (HIGH)
Analyzing a Multi-Stage AsyncRAT Campaign via Managed Detection and Response
Trend Micro documented a multi-stage AsyncRAT campaign leveraging Cloudflare's free-tier TryCloudflare tunneling service and legitimate Python distributions to evade detection. The attack chain begins with phishing emails containing double-extension .pdf.url files hosted on Dropbox, progresses through WebDAV-mounted payload delivery, and culminates in code injection into explorer.exe via Python-executed shellcode. The campaign demonstrates sophisticated abuse of trusted infrastructure (Cloudflare, Python.org, Windows built-ins) to establish persistent remote access.
CVE-2025-68493 — Apache Struts: Missing XML Validation vulnerability in Apache Struts, Apache Struts.
Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue. CVSSv3.1 8.1 (HIGH)
CVE-2026-22029 — Shopify Remix-run\/react: In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and
React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if CVSSv3.1 8.0 (HIGH) · EPSS 3th percentile
CVE-2026-21884 — Shopify React-router: and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration>
React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarativ CVSSv3.1 8.2 (HIGH)
CVE-2025-61686 — Shopify React-router\/node: In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior
React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack wou CVSSv3.1 9.1 (CRITICAL) · EPSS 96th percentile
Breaking Down the Attack Surface of the Kenwood DNR1007XR – Part Two
Zero Day Initiative publishes part two of an attack surface analysis of the Kenwood DNR1007XR in-vehicle infotainment (IVI) head unit, detailing potential vulnerability vectors across USB, SD card, Bluetooth, WiFi, Android Auto/CarPlay, and Kenwood companion apps. The research identifies complex file format parsing (audio/video), undocumented Bluetooth services, open network ports (SSH, custom services on 7000/8086/8888), and image handling in the Kenwood Portal app as primary research targets.
CVE-2025-9222 — Gitlab Gitlab: has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown. CVSSv3.1 8.7 (HIGH)
CVE-2025-13761 — Gitlab Gitlab: has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage. CVSSv3.1 8.0 (HIGH)
CVE-2025-70974 — Fastjson: Depending on the behavior of those methods, there may be JNDI injection with an
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. CVSSv3.1 10.0 (CRITICAL) · EPSS 43th percentile
CVE-2025-14736 — Frontend: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.29. This is due to insufficient validation of user-supplied role values in the 'validate_value', 'pre_update_value', and 'get_fields_display' functions. This makes it possible for unauthenticated attackers to register as administrators and gain complete control of the site, granted they can access a user registration form containing a Role fie CVSSv3.1 9.8 (CRITICAL)
Do Smart People Ever Say They’re Smart? (SmarterTools SmarterMail Pre-Auth RCE CVE-2025-52691)
SmarterTools SmarterMail contains a pre-authentication arbitrary file write vulnerability (CVE-2025-52691, CVSS 10.0) in the /api/upload endpoint. An unauthenticated attacker can exploit path traversal in the deserialized guid parameter to write arbitrary files (including webshells) to web-accessible directories, achieving unauthenticated RCE. The vulnerability was silently patched in build 9413 (October 2025) but not disclosed until late December 2025, creating a 2.5-month window of exposure.
CVE-2026-21876 — Owasp Owasp_modsecurity_core_rule_set: The OWASP core rule set (CRS) is a set of generic attack detection rules
The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, CVSSv3.1 9.3 (CRITICAL)
AirBorne-PoC — poc for CVE-2025-24252 & CVE-2025-24132
AirBorne-PoC is a public exploit framework targeting two critical vulnerabilities in Apple's AirPlay service: CVE-2025-24252 (mDNS crash via malformed packet) and CVE-2025-24132 (heap overflow leading to RCE). The framework provides working reverse shell payloads with optional persistence via .bashrc injection, supporting bash, Python, and PowerShell shells across multiple platforms.