Latest intel // live feed
CVE-2026-44237 — Sangoma FreePBX: OAuth2 client credentials not validated during token issuance (fixed in 17.0.8)
FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid client_id is required. The validateClient() method in ClientRepository.php unconditionally returns true, allowing any party with knowledge of a valid client_id to obtain OAuth2 access tokens without providing the correct client_secret. This vulnerability is fixed in 17.0.8. CVSSv3.1 8.1 (HIGH)
CVE-2026-48527 — HAX CMS: stored cross-site scripting (XSS) in `/system/api/saveNode`, versions up to and including 26.0.0
HAX CMS helps manage a microsite universe with PHP or NodeJS backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting (XSS) vulnerability in the `/system/api/saveNode` endpoint. An authenticated user with permission to edit pages can bypass the HTML sanitizer by injecting an event handler attribute without whitespace before the attribute name. @haxtheweb/haxcms-nodejs 26.0.1 and haxcms-php 26.0.2 patch the issue. CVSSv3.1 8.7 (HIGH)
CVE-2026-45312 — RAGFlow: Jinja2 template injection in the prompt generator (rag/prompts/generator.py), 0.24.0 and earlier
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In 0.24.0 and earlier, a Jinja2 template injection in the prompt generator (rag/prompts/generator.py) allows any authenticated user to execute arbitrary OS commands on the server. Any normal user can register, create a Canvas workflow with a DuckDuckGo + LLM component chain, and trigger the SSTI. CVSSv3.1 9.9 (CRITICAL)
CVE-2026-10071 — Interinfo DreamMaker: unauthenticated arbitrary file upload leading to code execution
DreamMaker, developed by Interinfo, has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. CVSSv3.1 9.8 (CRITICAL)
Looting UniFi Controllers: Detecting and Weaponizing CVE-2026-22557
CVE-2026-22557 is an unauthenticated path traversal in UniFi Network Application's guest captive portal (CVSS 10.0) that allows reading arbitrary files including encrypted backups containing all device credentials. The vulnerability requires a customized guest portal to be enabled and is reachable on both guest and admin ports. Bishop Fox published a safe detection tool and detailed exploitation paths showing how attackers extract backups, decrypt them with hardcoded keys, and compromise all managed network devices.
CVE-2026-9559 — Mautic 7: path traversal in the campaign import feature
A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escape the intended temporary directories. An authenticated user with campaign import privileges (campaign:imports:create) can write arbitrary PHP files to sensitive system directories. An attacker can exploit this to overwrite critical internal configuration or cache components, resul CVSSv3.1 9.9 (CRITICAL)
CVE-2025-41277 — Waterfall Security WF-500 firmware: CWE-78 OS command injection in the Console WebUI
Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-41276 — Waterfall Security WF-500 firmware: CWE-78 OS command injection in the Console WebUI
Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-41275 — Waterfall Security WF-500 firmware: CWE-78 OS command injection in the Console WebUI
Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-41274 — Waterfall Security WF-500 firmware: CWE-78 OS command injection in the Console WebUI
Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-41273 — Waterfall Security WF-500 firmware: CWE-288 authentication bypass in the Console WebUI
Nozomi Networks Labs identified a CWE-288: Authentication Bypass Using an Alternate Path or Channel in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to bypass authentication of the Console web application and perform actions as an authenticated user. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-41272 — Waterfall Security WF-500 firmware: CWE-78 OS command injection in the Console WebUI
Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-41270 — Waterfall Security WF-500 firmware: CWE-78 OS command injection in the Console WebUI
Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-41269 — Waterfall Security WF-500 firmware: CWE-78 OS command injection in the Console WebUI
Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-41268 — Waterfall Security WF-500 firmware: CWE-23 relative path traversal in the Administration WebUI
Nozomi Networks Labs identified a CWE-23: Relative Path Traversal in the Administration WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to delete arbitrary files on the Host machines. CVSSv3.1 9.1 (CRITICAL)
CVE-2026-9558 — Mautic: Server-Side Template Injection (SSTI) in the theme engine
A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings. CVSSv3.1 9.9 (CRITICAL)
CVE-2026-49201 — Acer Wave 7 firmware: hardcoded AES key in upload.cgi allows backup decryption and modification
The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection. CVSSv3.1 9.8 (CRITICAL) · EPSS 9th percentile
CVE-2026-6075 — Media Library Assistant (WordPress plugin): Cross-Site Request Forgery in versions up to and including 3.35
The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35. This is due to missing nonce verification on the bulk action handlers in the settings tab handlers. This makes it possible for unauthenticated attackers to trick an administrator into performing bulk delete, edit, or purge operations on plugin settings and attachment metadata via a forged request. CVSSv3.1 8.1 (HIGH)
CVE-2026-49200 — Acer Wave 7 firmware: acer_cgi.log exposes cleartext web and Telnet credentials without authentication
The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access. CVSSv3.1 9.8 (CRITICAL) · EPSS 19th percentile
CVE-2026-49199 — Acer Predator Connect W6x firmware: command injection via crafted MQTT messages
Crafted MQTT messages can trigger command injection, resulting in root-level code execution on the target device. CVSSv3.1 9.8 (CRITICAL) · EPSS 73rd percentile
CVE-2026-49197 — Acer Predator Connect W6x firmware: improper validation of the HTTP Authorization header
Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header, failing to block requests when Base64 decoding fails. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-49195 — Acer Predator Connect W6x firmware: unauthenticated debug service on TCP port 9000
Unauthenticated Debug Service. The /sbin/mtk_dut binary is exposed on TCP port 9000 without authentication, allowing any LAN-based attacker to execute arbitrary UCC commands. CVSSv3.1 8.8 (HIGH) · EPSS 7th percentile
CVE-2026-3655 — OTP Login With Phone Number, OTP Verification (WordPress plugin): authentication bypass in versions 1.8.50 through 1.8.60
The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the `lwp_ajax_register` AJAX handler not binding the Firebase session to the phone number supplied in the request. The `idehweb_lwp_activate_through_firebase()` function validates that a Firebase OTP session is legitimate, but the `phoneNumber` returned by Firebase is never compared ag CVSSv3.1 9.8 (CRITICAL)
CVE-2026-8732 — WP Maps Pro (WordPress plugin): privilege escalation via administrator account creation, versions up to and including 6.1.0
The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce, which is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as CVSSv3.1 9.8 (CRITICAL)
CVE-2025-11993 — WooCommerce Infinite Scroll and Ajax Pagination (WordPress plugin): PHP Object Injection in versions up to and including 1.8
The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8 via the 'settings' parameter in the 'import_settings' function. This is due to deserialization of untrusted data supplied via the import configuration feature without capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No POP chain is present w CVSSv3.1 8.8 (HIGH)