Briefs
April 2026 (30)
Unlimited Elements for Elementor WordPress Plugin Arbitrary File Read (CVE-2026-4659)
2 rules, 1 TTP, 1 CVE
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to arbitrary file read due to insufficient path traversal sanitization, allowing authenticated attackers to read sensitive files from the WordPress host.

Mobatek MobaXterm Home Edition Uncontrolled Search Path Vulnerability (CVE-2026-6421)
2 rules, 1 TTP, 1 CVE
CVE-2026-6421 is an uncontrolled search path vulnerability in Mobatek MobaXterm Home Edition up to version 26.1, affecting msimg32.dll, that can be exploited locally with high complexity.

HashiCorp Vault Denial-of-Service Vulnerability (CVE-2026-5807)
2 rules, 1 TTP, 1 CVE
HashiCorp Vault is vulnerable to a denial-of-service (DoS) condition, identified as CVE-2026-5807, where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, preventing legitimate operators from completing these workflows.

Vault Token Leak via Authorization Header Forwarding
2 rules, 1 TTP, 1 CVE, 1 IOC
Vault instances configured to pass through the 'Authorization' header may forward Vault tokens to auth plugin backends when the header is used for authentication, potentially leading to token compromise; this vulnerability is tracked as CVE-2026-4525 and patched in versions 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Vault kvv2 Policy Bypass Vulnerability Leading to Denial-of-Service (CVE-2026-3605)
2 rules, 1 TTP, 1 CVE, 1 IOC
An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service; addressed in Vault versions 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Paperclip Cross-Tenant Agent API Key IDOR Vulnerability
3 rules, 5 TTPs
A Paperclip API vulnerability allows a board user from one company to create, list, and revoke agent API keys in another company, leading to full cross-tenant compromise due to insufficient authorization checks on `/agents/:id/keys` routes.

Paperclip codex_local Unauthorized Gmail Access
2 rules, 5 TTPs
A Paperclip-managed `codex_local` runtime can access and use Gmail connectors connected in the ChatGPT/OpenAI apps UI without explicit Paperclip configuration, allowing unauthorized mailbox access and email sending due to a trust-boundary failure and dangerous default runtime settings.

Flowise SSRF Protection Bypass via Unprotected Built-in HTTP Modules
2 rules, 1 TTP
Flowise is vulnerable to SSRF protection bypass via unprotected built-in HTTP modules in the custom function sandbox, allowing authenticated users to access internal network resources by exploiting the lack of SSRF protection on the Node.js `http`, `https`, and `net` modules.

FlowiseAI AirtableAgent Remote Code Execution via Prompt Injection
2 rules, 1 TTP
A remote code execution vulnerability exists in FlowiseAI's AirtableAgent.ts due to insufficient input verification when using Pandas, allowing attackers to inject malicious code into the prompt and execute arbitrary code via Pyodide.

@fastify/middie Middleware Bypass Vulnerability (CVE-2026-33804)
2 rules, 1 TTP, 1 CVE
A middleware bypass vulnerability (CVE-2026-33804) exists in @fastify/middie versions 9.3.1 and earlier when the deprecated Fastify ignoreDuplicateSlashes option is enabled, potentially allowing unauthorized access.

Dragon Boss Solutions Adware Disabling Antivirus Protections
2 rules, 2 TTPs, 2 IOCs
Digitally signed adware from Dragon Boss Solutions LLC deploys payloads with SYSTEM privileges to disable antivirus protections on thousands of endpoints across the education, utilities, government, and healthcare sectors.

Google Chrome CSS Use-After-Free Vulnerability (CVE-2026-6300)
1 rule, 1 TTP, 1 CVE
A use-after-free vulnerability in Google Chrome's CSS engine (CVE-2026-6300) allows a remote attacker to execute arbitrary code within a sandbox via a crafted HTML page.

Google Chrome Dawn Use-After-Free Vulnerability (CVE-2026-6310)
2 rules, 2 TTPs, 1 CVE, 1 IOC
A use-after-free vulnerability (CVE-2026-6310) in Google Chrome's Dawn component allows a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a specially crafted HTML page.

Google Chrome GPU Out-of-Bounds Write Vulnerability (CVE-2026-6314)
2 rules, 1 TTP, 1 CVE
Google Chrome versions prior to 147.0.7727.101 are vulnerable to an out-of-bounds write in the GPU process (CVE-2026-6314), allowing a remote attacker who has compromised the GPU process to potentially perform a sandbox escape via a crafted HTML page.

Google Chrome Sandbox Escape via Uninitialized Use in Accessibility (CVE-2026-6311)
2 rules, 1 TTP, 1 CVE, 1 IOC
A remote attacker who has compromised the renderer process in Google Chrome on Windows prior to version 147.0.7727.101 can potentially perform a sandbox escape via a crafted HTML page due to an uninitialized use in accessibility, tracked as CVE-2026-6311.

Google Chrome Turbofan Type Confusion Vulnerability (CVE-2026-6301)
2 rules, 1 TTP, 1 CVE
A type confusion vulnerability in Google Chrome's Turbofan component (CVE-2026-6301) allows a remote attacker to execute arbitrary code within a sandbox via a crafted HTML page, impacting system integrity and availability.

Google Chrome V8 Type Confusion Vulnerability (CVE-2026-6363)
2 rules, 2 TTPs, 1 CVE
A type confusion vulnerability (CVE-2026-6363) in Google Chrome's V8 JavaScript engine before version 147.0.7727.101 allows a remote attacker to potentially perform out-of-bounds memory access via a crafted HTML page.

Malicious Chrome Extensions Stealing Data and Opening Backdoors
2 rules, 6 TTPs
A coordinated campaign uses 108 malicious Chrome extensions to steal user data, inject ads, and establish backdoors on over 20,000 systems via a shared command-and-control infrastructure.

Mirax RAT Targeting Android Users in Europe
2 rules, 4 TTPs
Mirax RAT, a new Android RAT distributed as malware-as-a-service (MaaS), is targeting European users by turning infected devices into residential proxy nodes and enabling credential theft via overlay and notification injection.

Plisio Accept Cryptocurrencies Plugin Missing Authorization Vulnerability (CVE-2026-6372)
2 rules, 1 TTP, 1 CVE, 1 IOC
A missing authorization vulnerability in the Plisio Accept Cryptocurrencies with Plisio WordPress plugin (versions up to 2.0.5) allows attackers to bypass payment verification due to incorrectly configured access control security levels.

Pyroscope Secret Key Exposure via Tencent COS Configuration (CVE-2025-41118)
2 rules, 2 TTPs, 1 CVE
CVE-2025-41118 allows an attacker with direct access to the Pyroscope API, when Pyroscope is configured with Tencent COS, to extract the secret_key configuration value, potentially leading to unauthorized access to the cloud storage backend.

Weblate Improper Privilege Management via API Endpoint (CVE-2026-34393)
2 rules, 2 TTPs, 1 CVE
Weblate versions prior to 5.17 are vulnerable to improper privilege management because an API endpoint fails to properly limit the scope of edits, potentially leading to unauthorized modifications.

Multiple Vulnerabilities in Kyverno Allow Privilege Escalation and Data Manipulation
3 rules, 6 TTPs
An authenticated remote attacker can exploit multiple vulnerabilities in Kyverno to disclose information, bypass security measures, manipulate data, and gain elevated privileges.

Multiple Vulnerabilities in Cisco Unity Connection
2 rules, 1 TTP
Multiple vulnerabilities in Cisco Unity Connection can be exploited by an attacker to conduct cross-site scripting attacks, redirect users to malicious websites, manipulate data, and disclose confidential information.

Multiple Vulnerabilities in libssh Allow File Manipulation and DoS
2 rules, 1 TTP
Multiple vulnerabilities in libssh allow an attacker to manipulate files or cause a denial-of-service condition, potentially leading to data corruption or service disruption.

Grafana Vulnerability Allows File Manipulation and Information Disclosure
2 rules, 4 TTPs
A remote, authenticated attacker can exploit a vulnerability in Grafana to manipulate files and disclose sensitive information, potentially leading to persistence, unauthorized access, and significant impact.

PowMix Botnet Targeting Czech Workforce
3 rules, 5 TTPs, 1 IOC
The PowMix botnet campaign targets Czech organizations, particularly HR, legal, and recruitment agencies, using compliance-themed lures delivered via phishing emails; the attack employs a Windows shortcut file that executes a PowerShell loader to bypass AMSI and deploy the botnet payload in memory.

Microsoft April 2026 Patch Tuesday Addresses 163 Vulnerabilities
2 rules, 4 TTPs, 6 CVEs
Microsoft's April 2026 Patch Tuesday addresses 163 vulnerabilities, including 8 critical ones, ranging from tampering to remote code execution and privilege escalation, affecting various Microsoft products; applying the patches immediately is recommended.

rsync Use-After-Free Vulnerability in Extended Attribute Handling (CVE-2026-41035)
2 rules, 1 TTP, 1 CVE
rsync versions 3.0.1 through 3.4.1 are vulnerable to a use-after-free in the receive_xattr function during a qsort call, triggered by an untrusted length value when the -X/--xattrs option is used, potentially leading to code execution.

AcyMailing Plugin Privilege Escalation Vulnerability (CVE-2026-3614)
2 rules, 1 TTP, 1 CVE
The AcyMailing plugin for WordPress is vulnerable to privilege escalation (CVE-2026-3614), allowing authenticated attackers with subscriber-level access to gain administrative privileges.