newsThe portal itself — self-promo until real sponsors land
Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
25 results//sorted by published//last sync 2026-06-17 16:46Z
Subscribe to news →
CVE-2026-11630 — Use: after free in File Input in Google Chrome prior to 149.0.7827.103 allowed a
Use after free in File Input in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) CVSSv3.1 8.8 (HIGH)
8.8
CVSS v3.1
94
Edit Score
CVE-2026-11629 — Use: after free in Ozone in Google Chrome prior to 149.0.7827.103 allowed a remote
Use after free in Ozone in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) CVSSv3.1 8.8 (HIGH)
8.8
CVSS v3.1
94
Edit Score
Extending LLVM's BOLT-based Binary Analyser to Validate Stack Variable Initialisation
Quarkslab·blog.quarkslab.com
Quarkslab extended LLVM's BOLT-based binary analyser to validate compiler hardening via the -ftrivial-auto-var-init flag on x86-64 binaries. The work implements two complementary static analysis approaches (load-oracle and store-witness) to detect uninitialised stack variable reads at the binary level, with a public scanner release and evaluation against GNU coreutils.
62
Edit Score
CVE-2026-46484 — Headplane: Prior to versions 0.6.3 and 0.7.0-beta.3, Headplane was vulnerable to a path traversal /
Headplane is a feature-complete Web UI for Headscale. Prior to versions 0.6.3 and 0.7.0-beta.3, Headplane was vulnerable to a path traversal / authorization bypass in the Headscale API client used by node and user rename operations. This issue has been patched in versions 0.6.3 and 0.7.0-beta.3. CVSSv3.1 8.1 (HIGH)
8.1
CVSS v3.1
91
Edit Score
CVE-2026-52778 — YesWiki: This implementation is inherently flawed: it is vulnerable to Regular Expression Denial of Service
YesWiki is a wiki system written in PHP. Prior to version 4.6.6, an unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki. The application attempts to sanitize user-defined mathematical formulas using a complex recursive regular expression before passing them to the PHP eval() function. This implementation is inherently flawed: it is vulnerable to Regular Expression Denial of Service (ReDoS / Stack Overflow) which can crash the se CVSSv3.1 9.8 (CRITICAL)
9.8
CVSS v3.1
99
Edit Score
CVE-2026-46490 — Samlify_project Samlify: This allows privilege escalation when attributes are used for authorization (roles/groups).
samlify is a Node.js library for SAML single sign-on. Prior to version 2.13.0, samlify’s template substitution only escapes attribute contexts. Values inserted into element text (e.g., <saml:AttributeValue>) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new <saml:Attribute> elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted. This allows CVSSv3.1 8.8 (HIGH)
8.8
CVSS v3.1
94
Edit Score
CVE-2026-11557 — Executing a manipulation of the argument page can lead to stack-based buffer overflow.
A weakness has been identified in Tenda F451 1.0.0.7/1.0.0.9. The affected element is the function fromNatlimit of the file /goform/Natlimit of the component Web Management Interface. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. CVSSv3.1 8.8 (HIGH)
8.8
CVSS v3.1
94
Edit Score
CVE-2026-11393 — Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2
Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2 might allow an authenticated remote threat actor to execute arbitrary code on AWS AgentCore Runtime under the imported agent's IAM execution role and on the local environment of another user in the same AWS account, via a crafted collaborationInstruction stored on a Bedrock Agent collaborator and later processed by that other user during agent import. To remedia CVSSv3.1 9.0 (CRITICAL)
9.0
CVSS v3.1
95
Edit Score
CVE-2026-11556 — Performing a manipulation of the argument mac results in os command injection.
A security flaw has been discovered in Tenda F451 1.0.0.7/1.0.0.9. Impacted is the function formWriteFacMac of the file /goform/WriteFacMac of the component Web Management Interface. Performing a manipulation of the argument mac results in os command injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. CVSSv3.1 8.8 (HIGH)
8.8
CVSS v3.1
94
Edit Score
CVE-2026-11553 — Tenda: The manipulation of the argument encodename results in stack-based buffer overflow.
A vulnerability was found in Tenda HG7HG9 and HG10 300001138_en_xpon. This affects the function formPPPEdit of the file /boaform/formPPPEdit. The manipulation of the argument encodename results in stack-based buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used. CVSSv3.1 8.8 (HIGH)
8.8
CVSS v3.1
94
Edit Score
CVE-2026-46481 — OpenMetadata: Prior to version 1.12.4, a non-admin SSO user can trigger a TEST_CONNECTION workflow for
OpenMetadata is a unified metadata platform. Prior to version 1.12.4, a non-admin SSO user can trigger a TEST_CONNECTION workflow for a Database Service and receive, in the HTTP 201 response of POST /api/v1/automations/workflows, both the cleartext database password in request.connection.config.password and the ingestion bot JWT in openMetadataServerConnection.securityConfig.jwtToken. The leaked ingestion-bot token can then be reused as Authorization: Bearer <jwt> to access s CVSSv3.1 8.3 (HIGH)
8.3
CVSS v3.1
92
Edit Score
CVE-2026-46307 — Linux: In the Linux kernel, the following vulnerability has been resolved: wifi: ath5k: do not
In the Linux kernel, the following vulnerability has been resolved: wifi: ath5k: do not access array OOB Vincent reports: > The ath5k driver seems to do an array-index-out-of-bounds access as > shown by the UBSAN kernel message: > UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20 > index 4 is out of range for type 'ieee80211_tx_rate [4]' > ... > Call Trace: > <TASK> > dump_stack_lvl+0x5d/0x80 > ubsan_epilogue+0x5/0x2b > __ubsan_handle_out CVSSv3.1 8.3 (HIGH) · EPSS 7th percentile
8.3
CVSS v3.1
92
Edit Score
CVE-2026-46303 — Linux: For in-range reads of adjacent- filesystem data, the CE buffer is parsed as Rock
In the Linux kernel, the following vulnerability has been resolved: isofs: validate Rock Ridge CE continuation extent against volume size rock_continue() reads rs->cont_extent verbatim from the Rock Ridge CE record and passes it to sb_bread() without checking that the block number is within the mounted ISO 9660 volume. commit e595447e177b ("[PATCH] rock.c: handle corrupted directories") added cont_offset and cont_size rejection for the CE continuation but did not validate CVSSv3.1 8.2 (HIGH) · EPSS 7th percentile
8.2
CVSS v3.1
91
Edit Score
CVE-2026-46289 — Linux: Additionally, there is a memory leak fix for the test itself.
In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series "Fix bugs in extract_iter_to_sg()", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - W CVSSv3.1 9.8 (CRITICAL) · EPSS 5th percentile
9.8
CVSS v3.1
99
Edit Score
CVE-2026-46288 — Linux: In the Linux kernel, the following vulnerability has been resolved: of: unittest: fix use-after-free
In the Linux kernel, the following vulnerability has been resolved: of: unittest: fix use-after-free in of_unittest_changeset() The variable 'parent' is assigned the value of 'nchangeset' earlier in the function, meaning both point to the same struct device_node. The call to of_node_put(nchangeset) can decrement the reference count to zero and free the node if there are no other holders. After that, the code still uses 'parent' to check for the presence of a property and to CVSSv3.1 8.4 (HIGH) · EPSS 5th percentile
8.4
CVSS v3.1
92
Edit Score
CVE-2026-41448 — AdGuard: Home, when started with the --glinet flag, contains an authentication bypass vulnerability that
AdGuard Home, when started with the --glinet flag, contains an authentication bypass vulnerability that allows unauthenticated attackers to gain full admin access by supplying a path traversal sequence in the Admin-Token cookie, exploiting unsanitized string concatenation in the token file path construction within the authglinet middleware. Attackers can craft a request with a traversal payload in the Admin-Token header to redirect file reads to arbitrary paths. CVSSv3.1 9.4 (CRITICAL)
9.4
CVSS v3.1
97
Edit Score
CVE-2026-39910 — STACKIT: IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers
STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining una CVSSv3.1 9.8 (CRITICAL)
9.8
CVSS v3.1
99
Edit Score
CVE-2026-25856 — OpenBullet2: through version 0.3.2 contains an authenticated remote code execution vulnerability that allows authenticated
OpenBullet2 through version 0.3.2 contains an authenticated remote code execution vulnerability that allows authenticated users to execute arbitrary C# code on the server host by creating or modifying job configurations. Attackers can leverage the plain C# execution mode, which lacks reference filtering or API restrictions, to access the file system, spawn processes, and invoke arbitrary .NET APIs as the process user. CVSSv3.1 8.8 (HIGH)
8.8
CVSS v3.1
94
Edit Score
CVE-2026-25855 — OpenBullet2: through version 0.3.2 contains a remote code execution vulnerability that allows authenticated users
OpenBullet2 through version 0.3.2 contains a remote code execution vulnerability that allows authenticated users to execute arbitrary commands by uploading script files (.bat.ps1.sh) through the FileProxySource proxy loading feature. Attackers can upload malicious script files as proxy sources, causing the server to execute the scripts and return output as proxy lines, resulting in arbitrary command execution on the host as the process user. CVSSv3.1 8.8 (HIGH)
8.8
CVSS v3.1
94
Edit Score
CVE-2026-25559 — OpenBullet2: through version 0.3.2 contains a path traversal vulnerability in the wordlist endpoint that
OpenBullet2 through version 0.3.2 contains a path traversal vulnerability in the wordlist endpoint that allows authenticated attackers to perform arbitrary file read, write, and delete operations by supplying unsanitized absolute paths to the upload handler and wordlist functions. Attackers can chain the file write and delete primitives to achieve remote code execution by manipulating critical system files such as /etc/passwd, with full system impact since the application run CVSSv3.1 8.8 (HIGH)
8.8
CVSS v3.1
94
Edit Score
CVE-2026-25555 — OpenBullet2: through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication
OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header value. Attackers can exploit the middleware's comparison of the supplied header against an empty AdminApiKey default string to access the admin console and all API endpoints without valid credentials. CVSSv3.1 9.8 (CRITICAL)
9.8
CVSS v3.1
99
Edit Score
Critical Check Point VPN Zero-Day Exploited in the Wild (CVE-2026-50751)
Check Point disclosed CVE-2026-50751, a critical authentication bypass (CVSS 9.3) in Remote Access VPN, Mobile Access, and Spark Firewall products affecting IKEv1 deployments without machine certificate requirements. The vulnerability is actively exploited in the wild since May 7, 2026, with confirmed ties to Qilin ransomware affiliates across several dozen organizations. A related MITM vulnerability (CVE-2026-50752, CVSS 7.4) was also identified but remains unexploited.
92
Edit Score
v2.12.2-rc1
AzureHound releases·github.com
AzureHound v2.12.2-rc1 release candidate published with minor maintenance updates: semver compliance fix for rolling build version string, GitHub Actions workflow updates, removal of unnecessary credentials from build process, and migration to Node.js 24 for DigiCert signing.
15
Edit Score
CVE-2026-46656 — Bludit: This "Ghost Session" allows revoked users to maintain full unauthorized access to the system.
Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically deleted from the database. This "Ghost Session" allows revoked users to maintain full unauthorized access to the system. Version 3.22.0 fixes the issue. CVSSv3.1 8.8 (HIGH)
8.8
CVSS v3.1
94
Edit Score
CVE-2026-46480 — Flowiseai Flowise: Prior to version 3.1.2, evaluator create and update mass-assignment allows cross-workspace evaluator takeover.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluator create and update mass-assignment allows cross-workspace evaluator takeover. This issue has been patched in version 3.1.2. CVSSv3.1 8.8 (HIGH)
8.8
CVSS v3.1
94
Edit Score