Latest intel// live feed
CVE-2026-44706 — Chatwoot: From 2.2.0 to before 4.11.2, a SQL injection vulnerability exists in the conversation and
Chatwoot is a customer engagement suite. From 2.2.0 to before 4.11.2, a SQL injection vulnerability exists in the conversation and contact filter APIs. When filtering by a custom attribute of type date or number using the is_greater_than or is_less_than operators, user-supplied values in the values field of the filter payload are interpolated directly into the SQL query without parameterization. Any authenticated user with access to an account can exploit this to execute arbi CVSSv3.1 8.5 (HIGH)
CVE-2026-44669 — FACTION: Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in assessment file preview flows. User-supplied filename values are persisted and later rendered into HTML/attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who views the affected page. Because the payload is stored server-side and rende CVSSv3.1 8.7 (HIGH)
CVE-2026-44668 — FACTION: Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke()
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke() without checking for a valid session. Four action methods in BoilerPlateConfig perform no local session check either, allowing an unauthenticated attacker to read, overwrite, deactivate, and permanently delete any boilerplate template in the system. This vulnerability is fixe CVSSv3.1 9.8 (CRITICAL)
CVE-2026-44667 — FACTION: Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in remediation verification file preview flows. User-supplied filename values are persisted and then rendered into HTML and attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who opens the affected verification/remediation views. Because CVSSv3.1 8.7 (HIGH)
CVE-2026-24187 — NVIDIA: Display Driver for Linux contains a vulnerability where an attacker could cause a
NVIDIA Display Driver for Linux contains a vulnerability where an attacker could cause a use-after-free. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, data tampering, and code execution. CVSSv3.1 8.8 (HIGH)
v9.2.0-rc2
BloodHound v9.2.0-rc2 release candidate published with bug fixes and dependency updates. Changes include DAWGS graph driver bump to 0.5.2, self-referencing relationship handling, UI rate-limiting fixes, and a vulnerability patch (CVE-2026-46625).
CVE-2026-48904 — Joomla Joomla!: An improper access check allows privilege escalation through the com_users group editing webservice endpoint.
An improper access check allows privilege escalation through the com_users group editing webservice endpoint. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-48902 — Joomla Joomla!: The password and username reset features created plain http links for https connections if
The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-48899 — Joomla Joomla!: An improper access check allows privilege escalation through the com_users batch task.
An improper access check allows privilege escalation through the com_users batch task. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-48898 — Joomla Joomla!: An improper access check allows privilege escalation through the com_users batch task.
An improper access check allows privilege escalation through the com_users batch task. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-48691 — Pavel-odintsov Fastnetmon: Community Edition through 1.2.9 contains an integer overflow in the BGP AS_PATH attribute
FastNetMon Community Edition through 1.2.9 contains an integer overflow in the BGP AS_PATH attribute encoder. In src/bgp_protocol.hpp, the IPv4UnicastAnnounce::get_attributes() function computes attribute_length as 'sizeof(bgp_as_path_segment_element_t) + this->as_path_asns.size() * sizeof(uint32_t)' and stores it in a uint8_t field (line 600-605). Since uint8_t can only hold values 0-255, an AS_PATH containing more than 63 ASNs (2 + 64*4 = 258 > 255) causes silent truncation CVSSv3.1 9.8 (CRITICAL)
CVE-2026-48126 — Algernon: Subsequent file resolution then exposes everything in that parent directory — arbitrary file read
Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then expose CVSSv3.1 8.2 (HIGH)
CVE-2026-45721 — Algernon: Any process that can write handler.lua anywhere in a parent directory of the server
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute as the request handler. The loop terminates only after 100 ancestor steps or when filepath.Dir returns ., so on any absolute server-root path the search reaches the filesystem root (/ CVSSv3.1 9.0 (CRITICAL)
CVE-2026-44729 — Twenty: This allows an authenticated attacker to upload an HTML file containing JavaScript, which will
Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/* and /file/:fileFolder/:id serve uploaded files using fileStream.pipe(res) without setting any Content-Type, Content-Disposition, or X-Content-Type-Options response headers. This allows an authenticated attacker to upload an HTML file containing JavaScript, which will be rendered by the victim's browser in the context of the Twenty CRM domain when accessed — enabling sessi CVSSv3.1 8.7 (HIGH)
CVE-2026-40383 — Joomla Joomla!: An improper validation of user-supplied input leads to a local file inclusion vulnerability.
An improper validation of user-supplied input leads to a local file inclusion vulnerability. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-35223 — Joomla Joomla!: An improper access check allows unauthorized access to com_config webservice endpoints.
An improper access check allows unauthorized access to com_config webservice endpoints. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-35222 — Joomla Joomla!: Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.
Improperly validated order clauses lead to a SQL injection vulnerability in com_tags. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-35221 — Joomla Joomla!: Improperly built filter clauses lead to a SQL injection vulnerability in the search query
Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder. CVSSv3.1 9.8 (CRITICAL)
killshot — Polymorphic AV/AMSI bypass toolkit - Donut shellcode runner for offensive .NET/PE tools
killshot is a polymorphic AV/AMSI bypass toolkit that converts Windows PE and .NET binaries into XOR-encoded shellcode, executed via a 10KB C runner with indirect syscalls, ETW patching, module stomping, and sleep-re-encryption. The toolkit bundles 20+ offensive tools (Rubeus, Mimikatz, SharpUp, GodPotato, etc.) and generates polymorphic stagers with PowerShell AMSI/SBL bypass, tested clean against Windows 11 24H2 with Defender real-time protection enabled.
CVE-2026-48692 — FastNetMon: An attacker with local network access can ban arbitrary IP addresses (causing denial of
FastNetMon Community Edition through 1.2.9 exposes a gRPC API server on port 50052 with no authentication mechanism. The server is initialized with grpc::InsecureServerCredentials() (src/fastnetmon.cpp line 477) and a source code comment explicitly acknowledges 'Listen on the given address without any authentication mechanism.' None of the RPC methods in src/api.cpp (ExecuteBan, ExecuteUnBan, GetBanlist, GetTotalTrafficCounters, etc.) perform any credential verification. The CVSSv3.1 8.1 (HIGH)
CVE-2026-48687 — Pavel-odintsov Fastnetmon: Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper
FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in src/juniper_plugin/fastnetmon_juniper.php (lines 117-118) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). The $msg variable contains unsanitized data derived from command-line arguments argv[1] through argv[ CVSSv3.1 9.8 (CRITICAL)
CVE-2026-48686 — FastNetMon: Community Edition through 1.2.9 contains a stack-based buffer overflow in the BGP NLRI
FastNetMon Community Edition through 1.2.9 contains a stack-based buffer overflow in the BGP NLRI (Network Layer Reachability Information) decoder. The function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads prefix_bit_length directly from the BGP packet (line 99) without validating it is <= 32 for IPv4 prefixes. This value is passed to how_much_bytes_we_need_for_storing_certain_subnet_mask() which computes ceil(prefix_bit_length / 8), returning up to 32 CVSSv3.1 9.8 (CRITICAL)
CVE-2026-43935 — Prior to 2.3.4, a Host Header Injection vulnerability in the password reset page allows
e107 is a content management system (CMS). Prior to 2.3.4, a Host Header Injection vulnerability in the password reset page allows attackers to manipulate the Host header to generate password reset links pointing to attacker-controlled domains. This can lead to phishing attacks, account takeover, or other security risks. The severity is high, as the vulnerability affects a critical function related to user authentication. This vulnerability is fixed in 2.3.4. CVSSv3.1 8.1 (HIGH)
CVE-2026-4480 — This could lead to remote code execution on the affected system.
A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J" substitution character without escaping shell meta characters. A remote attacker could exploit this vulnerability by sending a specially crafted print job description that contains unescaped shell characters. This could lead to remote code execution on the affected system. CVSSv3.1 8.5 (HIGH)
CVE-2026-46368 — luci-app-https-dns-proxy through 2025.12.29-5 — an optional LuCI web UI add-on for the https-dns-proxy package
luci-app-https-dns-proxy through 2025.12.29-5 — an optional LuCI web UI add-on for the https-dns-proxy package, distributed through the OpenWrt community packages feed and not installed by default — contains a command injection vulnerability in the setInitAction function. An authenticated user holding the luci.https-dns-proxy ACL permission can inject shell metacharacters through the 'name' parameter of a ubus RPC call to luci.https-dns-proxy setInitAction, resulting in arbit CVSSv3.1 8.8 (HIGH)