Briefs

Open WebUI is vulnerable to an access control bypass due to improper model chaining, allowing a regular user to create a model that chains to a restricted base model and query it using the admin's API key, bypassing access restrictions.

A time-of-check/time-of-use (TOCTOU) race condition in OpenClaw versions 2026.4.21 and earlier allows a symlink swap to redirect filesystem writes outside the intended sandbox mount root, potentially leading to arbitrary file modification.

OpenRemote is vulnerable to privilege escalation, allowing an attacker with write:admin privileges in one Keycloak realm to gain administrator access to the master realm by manipulating Keycloak realm roles due to missing authorization checks in the updateUserRealmRoles function.

CVE-2026-6849 is an OS Command Injection vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus OS My Computer versions <=0.7.5 before 0.8.0, allowing an attacker to execute arbitrary OS commands due to improper neutralization of special elements.

A stored XSS vulnerability in phpMyFAQ version 4.1.1 allows an authenticated user to inject JavaScript code into comments, leading to session cookie theft and potential admin account takeover when other users view the affected FAQ or News page.

A critical vulnerability exists in phpVMS 7.x versions up to 7.0.5, allowing unauthenticated access to a legacy import feature, enabling a remote attacker to trigger internal processes that can modify or delete application data, potentially leading to data loss and service disruption.

PicoTronica e-Clinic Healthcare System ECHS 5.7 is vulnerable to remote hardcoded credential exploitation due to manipulation of the ADMIN_KEY argument in /cdemos/echs/priv/echs.js, potentially leading to unauthorized access.

This rule identifies when a User Account starts the Active Directory Replication Process, potentially indicating a DCSync attack, which allows attackers to steal credential information compromising the entire domain.

The detection rule identifies a potential credential access attempt via the trusted developer utility MSBuild by detecting instances where it loads DLLs associated with Windows credential management, specifically vaultcli.dll or SAMLib.DLL, which is often used for credential dumping.

Detection of renamed COMSVCS.DLL being loaded by rundll32.exe, potentially used to dump LSASS memory for credential access while evading command-line detection.

This rule detects the use of Invoke-Mimikatz or Mimikatz commands within PowerShell scripts to dump credentials, extract password stores, export certificates, or use alternate authentication material, indicating potential in-memory credential access.

This rule detects the execution of kubeletctl, a command-line tool used to interact with the Kubelet API, on Linux hosts, potentially leading to discovery and lateral movement within Kubernetes environments.

Attackers may attempt to masquerade as the Service Host process `svchost.exe` by executing from non-standard paths to evade detection and blend in with normal system activity.

This alert detects potential protocol tunneling activity via the execution of Yuze, a lightweight open-source tunneling tool often used by threat actors for intranet penetration via forward and reverse SOCKS5 proxy tunneling.

Detection of PowerShell commands, specifically `Add-MpPreference` or `Set-MpPreference`, used to create Windows Defender exclusions, enabling attackers to bypass antivirus defenses and execute malicious code undetected.

A denial-of-service vulnerability exists in python-multipart versions prior to 0.0.27 due to unbounded multipart part header parsing, allowing attackers to exhaust CPU resources by sending requests with many repeated headers or a single oversized header value.

Attackers may modify the Windows registry to disable ETW logging for the .NET Framework, hindering endpoint detection and response capabilities.

This brief details detection of lateral movement attempts using remote RPC calls to modify the registry, potentially leading to code execution, detected via RPC Firewall logs.

A vulnerability in RustFS allows a non-admin user to overwrite a shared admin-defined notification target, leading to event interception and audit evasion due to missing admin-action authorization on notification target admin API endpoints.

The S3 Browser utility is being used to enumerate IAM users lacking login profiles and subsequently create them, potentially for reconnaissance, persistence, and privilege escalation within AWS environments.

Detection of Service Control (sc.exe) being spawned from script interpreter processes, such as PowerShell or cmd.exe, to create, modify, or start services, which may indicate privilege escalation or persistence attempts by an attacker.

macOS stores Signal message notifications in an unencrypted SQLite database, potentially exposing 'disappearing' messages even after they are deleted from the Signal application.

SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint (CVE-2026-7807) that allows authenticated users to read arbitrary .json files, potentially leading to credential compromise.

Detection of medium-sized registry hive files being created or modified on Server Message Block (SMB) shares, potentially indicating exfiltration of Security Account Manager (SAM) data for credential extraction.

A machine learning job detects an abnormal volume of remote file transfers, potentially indicating lateral movement by attackers attempting to blend in with normal network egress activity.

Adversaries may use unusual parent processes to execute .NET compilers for compiling malicious code after delivery, evading security mechanisms, and this activity is detected by monitoring compiler executions initiated by scripting engines or system utilities.

The rule detects suspicious access to LDAP attributes in Active Directory by identifying read access to a high number of Active Directory object attributes, which can help adversaries find vulnerabilities, elevate privileges, or collect sensitive information.

This alert identifies suspicious network connections initiated by the command prompt (cmd.exe) when executed with arguments indicative of script execution, remote resource access, or originating from Microsoft Office applications, which is a common tactic for downloading payloads or establishing command and control.

Adversaries abuse the trusted status of explorer.exe to launch malicious scripts or executables, often using DCOM to start processes like PowerShell or cmd.exe, achieving initial access, defense evasion, and execution.

Adversaries may target user email to collect sensitive information or send email on their behalf via API by abusing Outlook's Component Object Model (COM) interface from unusual processes.