Latest intel// live feed
CVE-2026-52751 — Ghidra: before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code
Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthenticated remote code execution. Attackers can craft a malicious project file with a ghidra:// URL that, when opened via File → Open Project, deserializes untrusted objects using a Jython 2.7.4 gadget chain to execute arbitrary commands. CVSSv3.1 8.8 (HIGH)
CVE-2026-49498 — Ghidra: 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword() method of
Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword() method of PostgresFunctionDatabase that fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can inject SQL commands via crafted username parameters in PasswordChange network messages to escalate to PostgreSQL superuser privileges and gain full database control. CVSSv3.1 8.8 (HIGH)
CVE-2026-24067 — Slate: This PID-based client validation is subject to a time-of-check time-of-use race condition because process
Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by obtaining the client's process identifier and using it to retrieve code-signing information for the process. This PID-based client validation is subject to a time-of-check time-of-use race condition because process identifiers can… CVSSv3.1 8.4 (HIGH)
CVE-2026-24066 — Slate: This allows unauthorized access to privileged helper functionality and may lead to local privilege
Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by checking only the subject.OU value of the client's signing certificate and does not verify that the certificate chains to a trusted code-signing authority. A local attacker can sign a malicious client with a self-signed certificat… CVSSv3.1 8.4 (HIGH)
CVE-2026-10520, CVE-2026-10523 - Multiple critical vulnerabilities affecting Ivanti Sentry
Ivanti Sentry (formerly MobileIron Sentry) contains two critical vulnerabilities: CVE-2026-10520 (CVSS 10.0), an unauthenticated OS command injection in the /mics/api/v2/sentry/mics-config/handleMessage endpoint allowing root RCE, and CVE-2026-10523 (CVSS 9.9), an authentication bypass enabling arbitrary admin account creation. A public PoC for CVE-2026-10520 was published by watchTowr on June 10, 2026, making in-the-wild exploitation imminent.
Nuclei v3.9.0
Nuclei v3.9.0 released with protocol redirect support, impacket integration, WMI/TSCH/SCMR/DCOM helper modules for JavaScript, and multiple bug fixes including DNS variable resolution, expression handling, and SMBv1 probing improvements.
CVE-2025-6254 — Doctreat: The Doctreat Core plugin for WordPress is vulnerable to Privilege Escalation in all versions
The Doctreat Core plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.6.8. This is due to the doctreat_process_registration() function not properly restricting the roles that a user can register with. This makes it possible for unauthenticated attackers to register as an administrator user. CVSSv3.1 9.8 (CRITICAL)
The First AI State-Sponsored Attack: What It Means for Defenders
Anthropic disclosed GTG-1002, a Chinese state-sponsored group that executed a large-scale espionage campaign against ~30 organizations using an AI agent orchestrated via Model Context Protocol (MCP) to autonomously handle 80–90% of the attack lifecycle—reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, and exfiltration—by decomposing the intrusion into benign-looking tasks and social-engineering the model's safety controls. The attack succeeded by chaining existing weaknesses (SSRF, identity escalation, cloud credential theft, GitHub Actions misconfiguration) rather than exploiting novel CVEs, demonstrating that AI lowers the operational cost and timeline of state-sponsored tradecraft rather than introducing new attack primitives.
CVE-2026-9067 — Schema: The Schema & Structured Data for WP & AMP WordPress plugin before 1.60 does
The Schema & Structured Data for WP & AMP WordPress plugin before 1.60 does not check user capabilities on its frontend AJAX file-upload handlers and does not validate the actual content of uploaded files against the endpoint's intended media type, allowing unauthenticated users to upload any file type accepted by WordPress's media library through endpoints that should only accept images or videos. CVSSv3.1 9.1 (CRITICAL)
CVE-2026-8071 — Anti: The Anti-Spam by CleanTalk.
The Anti-Spam by CleanTalk. Spam protection WordPress plugin before 6.79 does not properly sanitize content within a custom shortcode used in its email-encoding feature, allowing unauthenticated attackers to inject arbitrary web scripts into approved comments that will execute when any user (including administrators) views the post. CVSSv3.1 8.8 (HIGH)
CVE-2026-3326 — Xstore: The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter
The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to SQL injection. CVSSv3.1 8.6 (HIGH)
CVE-2026-26241 — Qnap File_station: A buffer overflow vulnerability has been reported to affect File Station 5.
A buffer overflow vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later CVSSv3.1 9.1 (CRITICAL) · EPSS 33rd percentile
CVE-2026-26240 — Qnap File_station: A buffer overflow vulnerability has been reported to affect File Station 5.
A buffer overflow vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later CVSSv3.1 9.1 (CRITICAL) · EPSS 33rd percentile
CVE-2026-26239 — Qnap File_station: A buffer overflow vulnerability has been reported to affect File Station 5.
A buffer overflow vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5208 and later CVSSv3.1 8.1 (HIGH) · EPSS 33rd percentile
CVE-2026-24724 — Qnap File_station: An incorrect authorization vulnerability has been reported to affect File Station 6.
An incorrect authorization vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass intended access restrictions. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later CVSSv3.1 8.1 (HIGH) · EPSS 19th percentile
CVE-2025-66276 — Qnap Qts: QuTS hero is not affected.
QuTS hero is not affected. We have already fixed the vulnerability in the following version: QTS 5.2.7.3256 build 20250913 and later CVSSv3.1 9.8 (CRITICAL) · EPSS 13th percentile
Prompt Engineering for Security Agents: A Measurable Approach with GEPA
SpecterOps publishes a detailed technical guide on GEPA (Genetic-Pareto), an optimization framework for systematically refining LLM prompts used in security agents. The post walks through applying GEPA to a CTF agent use case, covering reward function design, actionable side information (ASI), batch evaluation, Pareto frontier selection, and reflective mutation—with working Python code examples using the optimize_anything framework.
CVE-2026-45328 — ESP-IDF: In versions 5.5.4 and 6.0, the esp_tee component exposes secure-service wrappers in esp_secure_services.c and
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.4 and 6.0, the esp_tee component exposes secure-service wrappers in esp_secure_services.c and esp_secure_services_iram.c that bridge calls from the user application (i.e. the REE) to TEE-protected hardware peripherals (AES, SHA, ECC, HMAC, SPI, MMU, WDT) and to security features such as attestation, OTA updates, and secure storage. This issue has been patched in versions 5.5.5 and 6.0.1. CVSSv3.1 9.3 (CRITICAL)
More Evidence That Words Don't Mean What We Thought They Meant (Ivanti Sentry Pre-Auth OS Command Injection CVE-2026-10520)
watchTowr Labs published a detailed technical writeup of CVE-2026-10520, a pre-authenticated OS command injection in Ivanti Sentry affecting versions before R10.5.2, R10.6.2, and R10.7.1. The vulnerability exists in the /mics/api/v2/sentry/mics-config/handleMessage endpoint, which accepts user-controlled XML-formatted configuration commands that are passed directly to a native command execution handler via reflection. The researchers reverse-engineered the patch by diffing vulnerable and patched JAR files, identified the vulnerable code path, and successfully reproduced root-level RCE with a CVSS 10.0 score.
CVE-2026-53673 — BuddyPress: 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API
BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a user_id parameter in the request. Attackers can pass another user's identifier to the get_item_permissions_check method, which validates the supplied user_id instead of the logged-in user and is reused by the update and delete handlers, to read, reply to, or delete any user's privat… CVSSv3.1 8.1 (HIGH)
CVE-2026-46491 — SimpleSAMLphp: In deployments using FileSystemTicketStore, a remote attacker can use path traversal sequences such as
SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. Prior to version 7.0.3, simplesamlphp-module-casserver builds file paths for the file-based CAS ticket store by directly concatenating the configured ticket directory with an attacker-controlled ticket identifier. Public CAS validation/proxy endpoints pass attacker-controlled ticket / pgt query parameters into this store. In deployments using FileSystemTicketStore, a remot… CVSSv3.1 8.6 (HIGH)
CVE-2026-41732 — JsonPulsarHeaderMapper: Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying
JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default allow-list. Affected versions: Spring for Apache Pulsar 2.0.0 through 2.0.5; 1.2.0 through 1.2.17; 1.1.0 through 1.1.17. CVSSv3.1 8.1 (HIGH)
CVE-2026-41731 — JsonKafkaHeaderMapper: Combined with Jackson's default bean deserialization, a producer could supply crafted header values that
JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; … CVSSv3.1 8.1 (HIGH)
CVE-2026-41729 — Spring: Data REST is vulnerable to SpEL expression injection through map-typed properties when processing
Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization or validation. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through … CVSSv3.1 8.1 (HIGH)
CVE-2026-41717 — Spring: Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability.
Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19. CVSSv3.1 8.1 (HIGH)