Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
AirBorne-PoC — poc for CVE-2025-24252 & CVE-2025-24132
AirBorne-PoC is a public exploit framework targeting two critical vulnerabilities in Apple's AirPlay service: CVE-2025-24252 (mDNS crash via malformed packet) and CVE-2025-24132 (heap overflow leading to RCE). The framework provides working reverse shell payloads with optional persistence via .bashrc injection, supporting bash, Python, and PowerShell shells across multiple platforms.
CVE-2026-0719 — This results in incorrect memory allocation on the stack, followed by unsafe memory copying.
A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect memory allocation on the stack, followed by unsafe memory copying. As a result, applications using libsoup may crash unexpectedly, creating a denial-of-service risk. CVSSv3.1 8.6 (HIGH)
CVE-2025-67934 — Qodeinteractive Wellspring: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wellspring wellspring allows PHP Local File Inclusion.This issue affects Wellspring: from n/a through < 2.8. CVSSv3.1 8.1 (HIGH)
CVE-2025-67928 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in themesuite Automotive Listings automotive allows Blind SQL Injection.This issue affects Automotive Listings: from n/a through <= 18.6. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-67924 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Corpkit corpkit allows Upload
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Corpkit corpkit allows Upload a Web Shell to a Web Server.This issue affects Corpkit: from n/a through <= 2.0. CVSSv3.1 9.9 (CRITICAL)
CVE-2025-67921 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VanKarWai Lobo lobo allows Blind SQL Injection.This issue affects Lobo: from n/a through < 2.8.6. CVSSv3.1 8.5 (HIGH)
CVE-2025-67920 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Neo Ocular neoocular allows PHP Local File Inclusion.This issue affects Neo Ocular: from n/a through < 1.2. CVSSv3.1 8.1 (HIGH)
CVE-2025-67915 — Authentication: Bypass Using an Alternate Path or Channel vulnerability in Arraytics Timetics timetics allows
Authentication Bypass Using an Alternate Path or Channel vulnerability in Arraytics Timetics timetics allows Authentication Abuse.This issue affects Timetics: from n/a through <= 1.0.46. CVSSv3.1 8.8 (HIGH)
CVE-2025-67910 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in contentstudio Contentstudio contentstudio allows Upload
Unrestricted Upload of File with Dangerous Type vulnerability in contentstudio Contentstudio contentstudio allows Upload a Web Shell to a Web Server.This issue affects Contentstudio: from n/a through <= 1.3.7. CVSSv3.1 9.1 (CRITICAL)
CVE-2025-23993 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RiceTheme Felan Framework felan-framework allows SQL Injection.This issue affects Felan Framework: from n/a through <= 1.1.3. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-22728 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AmentoTech Workreap (theme's plugin) workreap allows SQL Injection.This issue affects Workreap (theme's plugin): from n/a through <= 3.3.6. CVSSv3.1 8.5 (HIGH)
CVE-2025-22713 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in vanquish WooCommerce Orders & Customers Exporter woocommerce-orders-ei allows SQL Injection.This issue affects WooCommerce Orders & Customers Exporter: from n/a through <= 5.4. CVSSv3.1 8.5 (HIGH)
CVE-2025-22712 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QantumThemes Typify typify allows PHP Local File Inclusion.This issue affects Typify: from n/a through <= 3.0.2. CVSSv3.1 8.1 (HIGH)
CVE-2025-22708 — Thememove Mitech: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Mitech mitech allows PHP Local File Inclusion.This issue affects Mitech: from n/a through <= 2.3.4. CVSSv3.1 8.1 (HIGH)
CVE-2025-22707 — Thememove Moody: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Moody tm-moody allows PHP Local File Inclusion.This issue affects Moody: from n/a through <= 2.7.3. CVSSv3.1 8.1 (HIGH)
CVE-2025-22509 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TMRW-studio Atlas atlas allows PHP Local File Inclusion.This issue affects Atlas: from n/a through <= 2.1.0. CVSSv3.1 8.1 (HIGH)
CVE-2025-14431 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in THEMELOGI Navian navian allows PHP Local File Inclusion.This issue affects Navian: from n/a through <= 1.5.4. CVSSv3.1 8.1 (HIGH)
CVE-2025-14430 — Thememove Brook: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Brook brook allows PHP Local File Inclusion.This issue affects Brook: from n/a through <= 2.9.0. CVSSv3.1 8.1 (HIGH)
CVE-2025-14429 — Thememove Aeroland: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove AeroLand aeroland allows PHP Local File Inclusion.This issue affects AeroLand: from n/a through <= 1.6.6. CVSSv3.1 8.1 (HIGH)
CVE-2025-14359 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in brandexponents Oshine oshin allows PHP Local File Inclusion.This issue affects Oshine: from n/a through <= 7.2.7. CVSSv3.1 8.1 (HIGH)
CVE-2025-12550 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes OchaHouse ochahouse allows PHP Local File Inclusion.This issue affects OchaHouse: from n/a through <= 2.2.8. CVSSv3.1 8.1 (HIGH)
CVE-2025-12549 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech Rozy - Flower Shop rozy allows PHP Local File Inclusion.This issue affects Rozy - Flower Shop: from n/a through <= 1.2.25. CVSSv3.1 8.1 (HIGH)
CVE-2025-69264 — Pnpm Pnpm: Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install
pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approva CVSSv3.1 8.8 (HIGH)
CVE-2026-22189 — Cmu Panda3d: The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains a stack-based
The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains a stack-based buffer overflow vulnerability due to use of an unbounded sprintf() call with attacker-controlled input. When constructing glyph filenames, egg-mkfont formats a user-supplied glyph pattern (-gp) into a fixed-size stack buffer without length validation. Supplying an excessively long glyph pattern string can overflow the stack buffer, resulting in memory corruption and a deterministic c CVSSv3.1 9.8 (CRITICAL) · EPSS 32th percentile
Breaking Down the Attack Surface of the Kenwood DNR1007XR – Part One
Zero Day Initiative published a detailed hardware teardown and attack surface analysis of the Kenwood DNR1007XR in-vehicle infotainment (IVI) unit ahead of Pwn2Own Automotive 2026. The analysis identifies multiple attack vectors including an SD card slot, USB ports, and critically, an exposed UART debug connector providing unauthenticated Linux shell access at 115200bps. The device runs a Dolphin+ TCC8034 ARM SoC with Linux, eMMC storage, and Murata WiFi/Bluetooth radio.