Latest intel / live feed
CVE-2026-44465 — Zed: This allows an attacker to achieve Remote Code Execution (RCE) when a victim opens
Zed is a code editor. Prior to 0.227.1, Zed IDE executes arbitrary commands when opening a folder with a malicious .git/config file that abuses the core.fsmonitor Git configuration option. This allows an attacker to achieve Remote Code Execution (RCE) when a victim opens a folder in untrusted mode. This vulnerability is fixed in 0.227.1. CVSSv3.1 8.6 (HIGH)
CVE-2026-44463 — Zed: Prior to 0.229.0, Zed's terminal tool permission system can be bypassed by prepending environment
Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed by prepending environment variable assignments to allowlisted commands, hijacking program behavior (e.g., PAGER) to execute arbitrary code. This vulnerability is fixed in 0.229.0. CVSSv3.1 8.6 (HIGH)
CVE-2026-44461 — Zed: This can lead to arbitrary command execution on the remote host under the victim
Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or validation. If an attacker can control an environment variable key (for example via project terminal settings), shell expansions in the key (such as $(...)) are evaluated by the remote shell when a terminal is opened. This can lead to arbitrary command execution on the remote hos CVSSv3.1 8.6 (HIGH)
CVE-2026-38707 — A command injection vulnerability exists in the IPSec VPN feature of InHand Networks IR302
A command injection vulnerability exists in the IPSec VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-38704 — A command injection vulnerability exists in the WireGuard VPN feature of InHand Networks IR302
A command injection vulnerability exists in the WireGuard VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-38703 — A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302
A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-38702 — A command injection vulnerability exists in the Admin Access feature of InHand Networks IR302
A command injection vulnerability exists in the Admin Access feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-24444 — SDMC: NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 contain a hardcoded password
SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 contain a hardcoded password vulnerability in the web management interface recovery endpoints (mgmt.php, npcmd.php) that allows unauthenticated attackers to gain root access by submitting the hardcoded credential to the recovery endpoint via HTTP. Attackers can leverage this hardcoded password to enable filtered SSH and Telnet services on the device, resulting in unauthenticated root-level remote acc CVSSv3.1 9.8 (CRITICAL)
CVE-2026-47762 — TinyMCE: Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1. CVSSv3.1 8.7 (HIGH)
CVE-2026-47761 — TinyMCE: Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* attributes, which are executed when content is rendered. Impacts users of TinyMCE with the media plugin enabled. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1. CVSSv3.1 8.7 (HIGH)
CVE-2026-47760 — TinyMCE: From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG
TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. This vulnerability is fixed in 7.1.0. CVSSv3.1 8.7 (HIGH)
CVE-2026-47759 — TinyMCE: Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1. CVSSv3.1 8.7 (HIGH)
CVE-2026-44358 — Espressif: Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflow for Espressif
Espressif Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflow for Espressif GitHub projects. Prior to 1.0.1, the action's entrypoint.sh invoked DangerJS from the caller's workspace after copying the fork's checkout into it, creating an untrusted search path for both binary resolution and Node.js module resolution. A fork pull request processed by a pull_request_target workflow could therefore cause fork-supplied code to execute inside the action container CVSSv3.1 8.2 (HIGH)
CVE-2026-35676 — phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update
phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password changes by sending PUT requests to the /api/index.php/user/password/update endpoint, causing account disruption and invalidating legitimate user credentials. CVSSv3.1 8.2 (HIGH)
CVE-2026-35675 — phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via email, and achieve complete account takeover including administrative access. CVSSv3.1 8.2 (HIGH)
CVE-2026-35671 — phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API
phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to SuperAdmin by modifying the userId parameter in the overwrite-password API request. CVSSv3.1 8.8 (HIGH)
Don’t Jump the Turnstile: Lessons from the Field
SpecterOps red-teamer Zach Stein documents a phishing engagement where email sandboxes defeated traditional evasion techniques (user-agent spoofing, mouse-movement detection). The solution: weaponizing Cloudflare Turnstile CAPTCHA as a sandbox filter—the CAPTCHA widget validates human interaction before revealing the payload redirect, allowing the phishing page to pass sandbox inspection while remaining invisible to automated crawlers.
Nuclei Templates v10.4.4 - Release Notes
Nuclei Templates v10.4.4 release adds 179 new templates covering 43 CVEs, including critical RCE vulnerabilities in DbGate, TYPO3, Apache Tomcat, Apache Camel, Cisco SD-WAN, Drupal, WordPress plugins, and others. The release includes bug fixes for YAML parsing failures, template ID conflicts, false positives/negatives, and metadata normalization across the template library.
CVE-2026-49238 — Canonical: The host-side SFTP server component (sshfs_server), which executes with root privileges on the host
An issue was discovered in Canonical Multipass before version 1.16.3. The host-side SFTP server component (sshfs_server), which executes with root privileges on the host, contains a path containment bypass vulnerability within its validate_path function in src/sshfs_mount/sftp_server.cpp. The function performs a plain string prefix comparison on requested paths without path separator validation or dot-dot (..) normalization. A local attacker with root privileges inside a gues CVSSv3.1 8.4 (HIGH)
CVE-2026-37266 — Responsive: An issue in Responsive File Manager Responsive FileManager Version 9.14.0 allows a remote attacker
An issue in Responsive File Manager Responsive FileManager Version 9.14.0 allows a remote attacker to execute arbitrary code via the force_download.php component CVSSv3.1 8.0 (HIGH)
Authenticated RCE via Argument Injection in Gogs (NOT FIXED)
Rapid7 disclosed a critical authenticated argument injection vulnerability (CVSS 9.4) in Gogs that allows any authenticated user to achieve RCE via malicious branch names injected into git rebase operations during pull request merging. The vulnerability affects all versions supporting rebase-before-merge functionality and remains unpatched; exploitation is fully automatable with a Metasploit module provided. On default-configured instances with open registration, unauthenticated attackers can register, create a repository, and exploit the flaw without admin privileges or user interaction.
CVE-2026-9813 — Flowintel: up to version 3.3.0 contains a server-side request forgery (SSRF) vulnerability in the
FlowIntel up to version 3.3.0 contains a server-side request forgery (SSRF) vulnerability in the external reference URL probe functionality in app/case/task.py. An attacker who can submit an external reference URL can cause the application server to issue an HTTP HEAD request to an attacker-specified destination. Due to insufficient validation of the URL scheme and resolved destination address, affected versions may allow requests to loopback, link-local, private, reserved, o CVSSv3.1 9.9 (CRITICAL) · EPSS 14th percentile
CVE-2026-46238 — Linux: In the Linux kernel, the following vulnerability has been resolved: batman-adv: stop caching unowned
In the Linux kernel, the following vulnerability has been resolved: batman-adv: stop caching unowned originator pointers in BAT IV. BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs. Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When CVSSv3.1 8.8 (HIGH)
CVE-2026-46232 — Linux: In the Linux kernel, the following vulnerability has been resolved: HID: playstation: Clamp num_touch_reports
In the Linux kernel, the following vulnerability has been resolved: HID: playstation: Clamp num_touch_reports. A device would never lie about the number of touch reports would it? If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iterations. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the nu CVSSv3.1 8.1 (HIGH)
CVE-2026-46212 — Linux: In the Linux kernel, the following vulnerability has been resolved: batman-adv: bla: prevent use-after-free
In the Linux kernel, the following vulnerability has been resolved: batman-adv: bla: prevent use-after-free when deleting claims. When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put(). But the batadv_claim_put() must not be done before the last access to the claim object in this functio CVSSv3.1 8.8 (HIGH)