Briefs

A policy bypass vulnerability in PraisonAI (CVE-NONE) allows untrusted recipes to self-approve and execute default-denied critical shell tools, such as `execute_command`, by declaring them in `workflow.yaml` instead of `TEMPLATE.yaml requires.tools`, leading to arbitrary command execution with the privileges of the PraisonAI process.

An incomplete fix in PraisonAI's `praisonai serve a2u` command leaves the A2U Agent-to-User event stream server unauthenticated by default, potentially exposing sensitive agent event streams to any attacker who can reach the server, bypassing intended authentication mechanisms for versions `4.5.115` to `4.6.60`.

A Server-Side Request Forgery (SSRF) vulnerability in PraisonAI's `praisonaiagents` package (versions prior to 1.6.61), specifically within the `searxng_search` and `search_web` tools, allows an attacker to exploit prompt injection by controlling the `searxng_url` parameter, enabling the server to make requests to arbitrary internal endpoints, read responses, perform network enumeration, and potentially expose cloud instance credentials.

A high-severity authentication bypass vulnerability in PraisonAI versions prior to 4.6.61 allows unauthenticated attackers to invoke any registered agent by setting the `PRAISONAI_CALL_AUTH=disabled` environment variable, potentially leading to arbitrary code execution or system compromise.

Nodemailer versions up to 9.0.0 are vulnerable to arbitrary local file read and full-response Server-Side Request Forgery (SSRF) when handling untrusted input for the message-level `raw` option, bypassing intended security flags and allowing sensitive content to be exfiltrated via an attacker-controlled recipient.

A vulnerability in undici's ProxyAgent, when configured with a SOCKS5 proxy, causes the `requestTls` option to be silently dropped. This bypasses user-configured TLS certificate validation settings (e.g., custom CAs), allowing HTTPS connections through the SOCKS5 tunnel to fall back to the Node.js default trust store. This flaw enables Man-in-the-Middle (MITM) attacks, where any publicly-trusted certificate for the target hostname would be accepted, compromising the intended certificate pinning and allowing attackers to read or tamper with HTTPS traffic.

The npm `praisonai` package's TypeScript `AgentOS` HTTP server defaults to `0.0.0.0` and exposes unauthenticated API endpoints (`/api/agents`, `/api/chat`), allowing attackers to disclose agent configurations and invoke agents without authorization, leading to potential data exfiltration, unauthorized actions, and resource consumption.

A critical vulnerability in PraisonAI's `multiedit` tool, affecting versions prior to 4.6.61, enables threat actors to achieve arbitrary file read and write capabilities by influencing LLM agent tool arguments, leading to sensitive data exfiltration and potential remote code execution.

Praisonai-platform versions up to and including 0.1.4 are vulnerable to a critical authentication bypass stemming from a hardcoded JWT signing secret ('dev-secret-change-me') and a bypassed production guard, allowing unauthenticated attackers to forge JSON Web Tokens (JWTs) and impersonate any user, leading to complete access, privilege escalation to workspace owner, and potential resource destruction.

The `praisonai-platform` package, versions 0.1.4 and below, is critically vulnerable to authentication bypass and privilege escalation due to a hardcoded default JWT signing secret (`dev-secret-change-me`) that is inadvertently enabled in default deployments, allowing an unauthenticated attacker to forge JWTs and impersonate any user.

Sophos X-Ops discovered that Hola Browser version 1.251.91.0 was distributed with an undeclared crypto-mining executable, me.exe, due to a supply chain compromise, leading to resource hijacking on affected Windows systems.

Unspecified adversaries are using a Traffic Direction System (TDS) redirect for initial access, followed by encoded PowerShell execution to download payloads like `script.ps1` into the `ApplicationData` directory, and establishing command-and-control (C2) communication via `curl.exe` to suspicious IP addresses such as `144.31.221.82` with defense evasion techniques like post-execution cleanup, designed to operate below traditional detection thresholds.

An unknown threat actor gained continuous administrative access to a senior finance executive's Microsoft Outlook mailbox at a global stock exchange for at least five months, deploying custom infostealers via scheduled tasks and exfiltrating sensitive emails through a Dropbox-based command and control channel after an initial lateral movement event.

Multiple vulnerabilities, including CVE-2026-10883, CVE-2026-10892, and others, have been discovered in Microsoft Edge versions prior to 149.0.4022.53, enabling an attacker to bypass security policies and potentially cause other unspecified security issues within the browser environment.

Multiple vulnerabilities, CVE-2026-45491 and CVE-2026-45591, have been discovered in Microsoft .Net and ASP.NET Core versions, allowing a remote attacker to cause a denial of service and compromise data integrity across Windows, Linux, and macOS platforms.

Multiple vulnerabilities discovered in Typo3 allow an attacker to achieve remote arbitrary code execution, privilege escalation, data confidentiality compromise, data integrity compromise, security policy bypass, remote indirect code injection (XSS), and SQL injection (SQLi).

Multiple vulnerabilities, including CVE-2025-10263, CVE-2026-42487, CVE-2026-42488, CVE-2026-42489, and CVE-2026-42490, have been discovered in Xen, allowing an attacker to achieve privilege escalation, trigger a remote denial of service, and compromise data confidentiality on vulnerable hypervisor instances.

CERT-FR has disclosed 31 vulnerabilities in various Microsoft Office products, including CVE-2026-44803 and CVE-2026-47635, which could allow remote code execution, privilege escalation, and data confidentiality compromise.

Multiple vulnerabilities, including CVE-2026-45257 (kernel out-of-bounds write) and CVE-2026-49413 (Linux compatibility layer memory mapping), exist in FreeBSD branches 14 and 15, allowing a local unprivileged attacker to achieve privilege escalation.

Multiple critical vulnerabilities (CVE-2025-67862, CVE-2026-25089, CVE-2026-49938) have been discovered across Fortinet products including FortiOS, FortiPortal, FortiProxy, and FortiSandbox, enabling unauthenticated attackers to achieve remote arbitrary code execution and compromise data confidentiality.

Multiple high-severity vulnerabilities, including CVE-2025-15467, affect various Siemens SCALANCE LPE, M, W, and X series industrial network devices, potentially allowing a remote attacker to achieve arbitrary code execution, provoke a denial of service, or compromise data confidentiality, with some products confirmed to receive no future patches.

A critical remote code execution vulnerability, tracked as CVE-2026-44963, has been discovered in Veeam Backup & Replication versions prior to 12.3.2.4854, which could allow an unauthenticated attacker to execute arbitrary code on affected systems, leading to full compromise of the backup infrastructure and potential data exfiltration or destruction.

A critical vulnerability, CVE-2026-8045, has been identified in Schneider Electric EcoStruxure IT Data Center Expert versions prior to 9.1.2, allowing an attacker to achieve unauthorized access to sensitive data and compromise its confidentiality.

Multiple high-severity vulnerabilities discovered in various SAP products, including SQL injection (SQLi), remote indirect code injection (XSS), and security policy bypasses, could allow unauthenticated attackers to compromise sensitive enterprise systems by June 2026.

The Lazarus Group is conducting a brandjacking campaign on npm, using dozens of malicious packages like 'buffer-utilities' to deploy a Node.js backdoor that collects host information, establishes C2 communication, and maintains persistent attacker-controlled code execution, primarily targeting developers.

The Atomic Arch campaign compromises orphaned Arch User Repository (AUR) packages, modifying their PKGBUILDs to install malicious npm/Bun dependencies like 'atomic-lockfile,' which deploy a Linux payload with credential harvesting, eBPF-based stealth, anti-debugging, and data exfiltration capabilities, impacting approximately 1,500 packages.

Multiple vulnerabilities in CloudCharge cloudcharge.se allow attackers to impersonate charging stations, hijack sessions, cause denial of service, and manipulate backend data, impacting energy and transportation sectors.

This brief summarizes newly published IOCs consisting of domains and URLs associated with the Kimsuky APT group as of June 2nd, 2026, sourced from a Maltrail feed.

OpenMed before 1.5.2 is vulnerable to remote code execution (CVE-2026-47117) due to broad substring matching in the PII privacy-filter model loading path, allowing an unauthenticated attacker to execute arbitrary code by supplying a malicious Hugging Face model repository containing custom Transformers code.

HP released a security advisory addressing a critical vulnerability in Poly VVX, Trio 8300, Trio 8500, and Trio 8800 devices, potentially allowing remote control.