2026-05-22 23:16Z · HIGH

CVE-2026-35430 — Authorization: bypass through user-controlled key in Azure Privileged Identity Management (PIM) allows an authorized

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35430

Authorization bypass through user-controlled key in Azure Privileged Identity Management (PIM) allows an authorized attacker to elevate privileges over a network. · CVSSv3.1 8.8 (HIGH)

CWE-639 · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
2026-05-22 23:16Z · CRIT

CVE-2026-33843 — Authentication: bypass using an alternate path or channel in Microsoft Azure Active Directory B2C

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33843

Authentication bypass using an alternate path or channel in Microsoft Azure Active Directory B2C allows an unauthorized attacker to elevate privileges over a network. · CVSSv3.1 9.1 (CRITICAL)

CWE-288 · TYP: Vulnerability
CVSS v3.1: 9.1
Score: 96
2026-05-22 23:16Z · CRIT

CVE-2026-23652 — Improper neutralization of special elements used in a command ('command injection') in Microsoft Power

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-23652

Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an unauthorized attacker to execute code over a network. · CVSSv3.1 10.0 (CRITICAL)

CWE-77 · TYP: Vulnerability
CVSS v3.1: 10.0
Score: 100
2026-05-22 22:16Z · HIGH

CVE-2026-41147 — NukeViet: Versions 4.5.07 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability caused by insufficient

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-41147

NukeViet CMS is a multi Content Management System. Versions 4.5.07 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability caused by insufficient server-side input sanitization in the Request class. The application relies primarily on client-side filtering to sanitize HTML tags and attributes in user-submitted content, which can be bypassed by intercepting and modifying HTTP requests directly (e.g., using Burp Suite). An attacker can inject malicious payloads whic · CVSSv3.1 8.7 (HIGH)

CWE-79 · VND: Nukeviet · TYP: Vulnerability
CVSS v3.1: 8.7
Score: 94
2026-05-22 22:16Z · HIGH

CVE-2026-41076 — Versions 5.0.9 and prior in addition to 6.0.0 through 6.0.2 contain an authentication bypass

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-41076

RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.9 and prior in addition to 6.0.0 through 6.0.2 contain an authentication bypass vulnerability in RT installations that use LDAP/AD for user authentication. Under certain LDAP server configurations, an attacker may be able to authenticate as any LDAP-backed RT user without supplying valid credentials. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade · CVSSv3.1 8.1 (HIGH)

CWE-287 · TYP: Vulnerability
CVSS v3.1: 8.1
Score: 91
2026-05-22 22:16Z · HIGH

CVE-2026-41075 — Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-41075

RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability. An authenticated user can craft input that is incorporated into database queries without proper validation, potentially allowing them to read or modify data in the RT database. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around · CVSSv3.1 8.8 (HIGH)

CWE-89 · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
2026-05-22 22:16Z · HIGH

CVE-2026-41071 — Struktur Libheif: In versions 1.21.2 and prior, a crafted HEIF sequence file where the saiz box

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-41071

libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a crafted HEIF sequence file where the saiz box declares more samples than actually exist in the track's chunk table causes a heap-buffer-overflow (out-of-bounds read) in the SampleAuxInfoReader constructor. The SampleAuxInfoReader constructor iterates over saiz->get_num_samples() samples but doesn't validate that this count is consistent with the number of chunks in the chunks vector. W · CVSSv3.1 8.1 (HIGH)

CWE-125 · VND: Heif, Struktur · TYP: Vulnerability
CVSS v3.1: 8.1
Score: 91
2026-05-22 21:16Z · HIGH

CVE-2026-3294 — Tp-link Re305_firmware: An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-3294

An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator password due to insufficient validation. Successful exploitation allows an attacker to obtain full administrative control of the affected device, potentially impacting confidentiality, integrity, and availability. · CVSSv3.1 8.8 (HIGH)

CWE-862, CWE-20 · VND: Tp Link · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
2026-05-22 20:16Z · HIGH

CVE-2026-5843 — Docker Docker_desktop: The MLX backend runs without sandboxing, resulting in arbitrary code execution on the Docker

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5843

The MLX inference backend in Docker Model Runner on macOS uses the MLX-LM library, which unconditionally imports and executes arbitrary Python files from model directories via the model_file configuration field in config.json. When a model's config.json specifies a model_file pointing to a Python file, MLX-LM uses importlib to load and execute it with no trust_remote_code gate or equivalent safety check. The MLX backend runs without sandboxing, resulting in arbitrary code exe · CVSSv3.1 8.2 (HIGH)

CWE-829 · VND: Docker, Mlx · TYP: Vulnerability
CVSS v3.1: 8.2
Score: 91
2026-05-22 20:16Z · HIGH

CVE-2026-5817 — Docker Docker_desktop: This causes transformers.AutoTokenizer.from_pretrained() to import and execute arbitrary Python files included in any model

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5817

The vllm-metal inference backend in Docker Model Runner on macOS unconditionally sets trust_remote_code=True when loading model tokenizers, and runs without sandboxing. This causes transformers.AutoTokenizer.from_pretrained() to import and execute arbitrary Python files included in any model pulled from an OCI registry, resulting in arbitrary code execution on the Docker host as the Docker Desktop user when inference is triggered. Any container on the Docker network can trig · CVSSv3.1 8.2 (HIGH)

CWE-829 · VND: Docker · TYP: Vulnerability
CVSS v3.1: 8.2
Score: 91
2026-05-22 19:17Z · HIGH

CVE-2026-6406 — Docker Docker_desktop: The Docker CLI --use-api-socket flag bypasses Enhanced Container Isolation (ECI) restrictions in Docker Desktop.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6406

The Docker CLI --use-api-socket flag bypasses Enhanced Container Isolation (ECI) restrictions in Docker Desktop. When ECI is enabled, Docker socket mounts from containers are denied unless explicitly allowed via the admin-settings configuration. However, the --use-api-socket flag adds the Docker socket mount via the HostConfig.Mounts field rather than the HostConfig.Binds field. The ECI enforcement in the Docker Desktop API proxy only inspected Binds, allowing the mount to pa · CVSSv3.1 8.8 (HIGH)

CWE-863 · VND: Docker · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
2026-05-22 19:10Z · HIGH

Metasploit Wrap Up 22/05/2026

Metasploit Framework 6.4.134 release adds five new modules covering authentication bypasses and RCE vulnerabilities: Cisco SD-WAN vHub auth bypass (CVE-2026-20182), HUSTOJ zip-slip RCE (CVE-2026-24479), Barracuda ESG Excel eval injection (CVE-2023-7102), cPanel/WHM CRLF injection auth bypass to root (CVE-2026-41940), and Tenable Security Center credential extraction. Also includes six enhancements and four bug fixes.

SRF: Application, Network Appliance, Web · SW: Metasploit, Hustoj · VND: Barracuda, Cisco, Cpanel
Score: 72
2026-05-22 18:16Z · HIGH

CVE-2026-46727 — Ruby-lang Ruby: A race condition leading to a use-after-free in the pthread-based getaddrinfo timeout handler (rb_getaddrinfo

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-46727

An issue was discovered in Ruby 4 before 4.0.5. A race condition leading to a use-after-free in the pthread-based getaddrinfo timeout handler (rb_getaddrinfo in ext/socket/raddrinfo.c) allows a remote attacker who can delay DNS responses near the user-specified timeout to crash a Ruby process that calls Addrinfo.getaddrinfo(..., timeout:) or Socket.tcp(..., resolv_timeout:). Memory-corruption-based exploitation is theoretically possible. The attack could, for example, be carr · CVSSv3.1 8.1 (HIGH)

CWE-362 · VND: Ruby Lang · TYP: Vulnerability
CVSS v3.1: 8.1
Score: 91
2026-05-22 17:16Z · CRIT

CVE-2026-32253 — Lizardbyte Sunshine: This can allow an untrusted certificate to pass authentication and access protected HTTPS endpoints.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32253

Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_CERT_NOT_YET_VALID, and X509_V_ERR_CERT_HAS_EXPIRED as success. This can allow an untrusted certificate to pass authentication and access protected HTTPS endpoints · CVSSv3.1 9.8 (CRITICAL)

CWE-287, CWE-295 · VND: Lizardbyte, Sunshine · TYP: Vulnerability
CVSS v3.1: 9.8
Score: 99
2026-05-22 16:16Z · CRIT

CVE-2026-39821 — ToASCII: This behavior can lead to privilege escalation in programs using the idna package.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39821

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the · CVSSv3.1 9.6 (CRITICAL)

CWE-1289 · VND: Toascii · TYP: Vulnerability
CVSS v3.1: 9.6
Score: 98
2026-05-22 15:16Z · HIGH

CVE-2026-9256 — F5 Nginx_open_source: This may cause a heap buffer overflow in the NGINX worker process leading to

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-9256

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vuln · CVSSv3.1 8.1 (HIGH) · EPSS 55th percentile

CWE-122 · VND: F5, Nginx · TYP: Vulnerability
CVSS v3.1: 8.1
Score: 91
2026-05-22 14:16Z · CRIT

CVE-2026-8670 — Avantra Avantra: Insufficient session expiration vulnerability in syslink software AG Avantra on Linux, Windows allows Reusing

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-8670

Insufficient session expiration vulnerability in syslink software AG Avantra on Linux, Windows allows Reusing Session IDs (aka Session Replay). This issue affects Avantra: before 25.3.1. · CVSSv3.1 9.6 (CRITICAL)

CWE-613 · VND: Avantra · TYP: Vulnerability
CVSS v3.1: 9.6
Score: 98
2026-05-22 13:00Z · HIGH

Detecting CVE-2026-0265 at Scale: PAN-OS CAS Authentication Bypass

Bishop Fox Labs · bishopfox.com · CVE-2026-0265 · in the wild

CVE-2026-0265 is a pre-authentication JWT signature-verification bypass in PAN-OS and Panorama when Cloud Authentication Service (CAS) is attached to an authentication profile. Bishop Fox published a detection script that identifies vulnerable instances via a single anonymous HTTP request to the GlobalProtect prelogin endpoint, extracting both the CAS configuration state and the authoritative PAN-OS version from embedded JWT claims. Patches are available (10.2.18+, 11.1.15+, 11.2.12+, 12.1.7+); workaround is to detach CAS and use SAML, RADIUS, LDAP, or local authentication instead.

TAC: TA0001, TA0006 · SRF: Network Appliance, Web · SW: Pan Os, Panorama · VND: Paloaltonetworks · TYP: Research
Score: 82
2026-05-22 11:00Z · HIGH

We hardened zizmor's GitHub Actions static analyzer

Trail of Bits · blog.trailofbits.com · CVE-2026-33634

Trail of Bits collaborated with zizmor maintainers to harden the GitHub Actions static analyzer against YAML anchor misconfigurations and edge cases. The work involved analyzing 41,253 real-world workflows from 6,612 high-value open-source repositories, fixing 20 bugs (15 merged PRs) including anchor parsing crashes, deserialization issues, and expression evaluator misalignments. This effort directly addresses the attack surface exploited in the March 2026 Trivy supply-chain compromise.

TAC: TA0001 · SRF: Supply Chain · SW: Github Actions, Zizmor · TYP: Research · STG: Recon · TEC: T1199
Score: 78
2026-05-22 09:12Z · HIGH

Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload

Kaspersky Securelist · securelist.com · CVE-2018-0802

Kaspersky reports sustained Cloud Atlas APT activity targeting Russian and Belarusian government and diplomatic entities in H2 2025 and early 2026. The group deployed new tools (PowerCloud, PowerShower, VBCloud backdoors) alongside established techniques including LNK-based phishing, reverse SSH/SOCKS tunneling, Tor exfiltration, and multi-user RDP via termsrv.dll patching. Comprehensive IOCs provided including file hashes, C2 domains, and file paths.

SRF: Os, Network · TAC: TA0004, TA0005, TA0001, TA0002, TA0006, TA0007
Score: 78
2026-05-22 07:00Z · CRIT

CVE-2026-27886: Unauthenticated Boolean-Oracle Exfiltration of Administrator Secrets in Strapi

Bishop Fox Labs · bishopfox.com · CVE-2026-27886 · in the wild

CVE-2026-27886 is a critical unauthenticated sanitization bypass in Strapi 4.0.0–5.36.1 that allows attackers to extract administrator secrets via a boolean-oracle attack on the Content API. By crafting malformed `where` clauses that bypass the query sanitizer, an attacker can leak password-reset tokens character-by-character through pagination metadata, then pivot to full Super Admin account takeover using Strapi's legitimate password-recovery endpoints. The vulnerability affects over 20,000 internet-facing instances and was patched in version 5.37.0 on February 26, 2026.

SRF: Application, Web · TAC: TA0001, TA0006 · SW: Strapi · VND: Strapi · TYP: Research, Vulnerability
Score: 92
2026-05-22 05:16Z · HIGH

CVE-2026-9018 — Easy: The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-9018

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the `easyel_handle_register()` function. This is due to the `wp_ajax_nopriv_eel_register` AJAX handler iterating the attacker-controlled `custom_meta` POST array and writing every supplied key-value pair to the newly created user's meta via `update_user_meta()` without any key whitelist or blocklist, allowing t · CVSSv3.1 8.8 (HIGH)

CWE-269 · VND: Easy · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
2026-05-22 04:16Z · CRIT

CVE-2026-39834 — Golang Crypto: When writing data larger than 4GB in a single Write call on an SSH

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39834

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation. · CVSSv3.1 9.1 (CRITICAL)

CWE-190 · TYP: Vulnerability
CVSS v3.1: 9.1
Score: 96
2026-05-22 04:16Z · CRIT

CVE-2026-39833 — Golang Crypto: The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39833

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested. · CVSSv3.1 9.1 (CRITICAL)

CWE-862 · TYP: Vulnerability
CVSS v3.1: 9.1
Score: 96
2026-05-22 04:16Z · CRIT

CVE-2026-39832 — Golang Crypto: When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39832

When adding a key to a remote agent, constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them. · CVSSv3.1 9.1 (CRITICAL)

CWE-502 · TYP: Vulnerability
CVSS v3.1: 9.1
Score: 96