Briefs

Auth0-PHP SDK versions 8.0.0 to before 8.19.0 encrypt cookies with insufficient entropy, potentially allowing attackers to brute-force the encryption key and forge session cookies.

A broken access control vulnerability in Open WebUI versions prior to 0.8.11 (CVE-2026-34222) allows authenticated users to potentially access or modify tool values they should not be authorized to, leading to privilege escalation and unauthorized configuration changes.

Tina CMS versions before 2.2.2 are vulnerable to a path traversal attack that allows unauthorized file system access due to insufficient validation of symlinks and junction targets in media routes.

DedeCMS 5.7.118 is vulnerable to remote code execution via crafted setup tag values during a module upload, as exploited by an unauthenticated attacker (CVE-2026-30643).

pandas-ai v3.0.0 is vulnerable to SQL injection via the pandasai.agent.base._execute_sql_query component, potentially allowing unauthorized database access and modification.

CVE-2026-20160 is a critical vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) that allows an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system with root privileges by sending a crafted request to an exposed API.

Lakeside SysTrack Agent 11 before 11.2.1.28 is vulnerable to a race condition that allows for local privilege escalation to SYSTEM, as tracked by CVE-2026-35099.

CVE-2026-34162 in FastGPT allows unauthenticated attackers to exfiltrate API keys and gain complete access to internal services managed by Docker Compose by sending arbitrary HTTP requests, leading to potential compromise of the internal network.

The creation of Zoom meetings without passcodes allows unauthorized access and disruption, known as Zoombombing, potentially leading to the exposure of sensitive information or reputational damage.

This rule detects a potential JAVA/JNDI exploitation attempt by identifying outbound network connections by JAVA to LDAP, RMI, or DNS standard ports followed by suspicious JAVA child processes such as shell interpreters and scripting languages, which may indicate a Java Naming and Directory Interface (JNDI) injection vulnerability exploitation attempt.

CVE-2026-35092 is an integer overflow vulnerability in Corosync's join message sanity validation, allowing a remote, unauthenticated attacker to send crafted UDP packets, resulting in a denial of service condition.

A local attacker can exploit CVE-2026-35093 in libinput by placing a specially crafted Lua bytecode file in configuration directories, allowing arbitrary code execution with the privileges of the application using libinput.

This rule detects potential kubectl network configuration modification activity by monitoring for process events where the kubectl command is executed with arguments that suggest an attempt to modify network configurations in Kubernetes, potentially leading to unauthorized access or data exfiltration.

Detection of web server access log deletion across Windows, Linux, and macOS systems indicates potential defense evasion and destruction of forensic evidence by threat actors.

Dell AppSync version 4.6.0 contains an incorrect permission assignment vulnerability that allows a low-privileged attacker with local access to elevate privileges on the system.

Dell AppSync version 4.6.0 is vulnerable to a UNIX Symbolic Link (Symlink) Following vulnerability (CVE-2026-22767) that allows a low-privileged local attacker to tamper with information.

Multiple vulnerabilities in CrewAI, an open-source multi-agent orchestration framework, can be exploited by attackers through prompt injection to execute arbitrary code and perform other malicious activities, potentially leading to system compromise.

F5 has reclassified CVE-2025-53521, a vulnerability in BIG-IP APM, as a critical unauthenticated remote code execution vulnerability and reports it is being actively exploited in the wild.

Adversaries are using the Right-to-Left Override (RTLO) character (U+202E) in command-line arguments to obfuscate malicious file names and trick users into executing them, achieving defense evasion.

BPFDoor, an evasive Linux backdoor, is detected via the unusual access of process ID and lock files in the /var/run/ directory, indicating potential malicious activity.

A remote, anonymous attacker can exploit a vulnerability in gdk-pixbuf to cause a denial of service and potentially execute arbitrary code.

A remote, authenticated attacker with administrator rights can exploit multiple vulnerabilities in SonicWall Email Security Appliance to perform cross-site scripting, manipulate data, or cause a denial-of-service.

A local attacker can exploit a vulnerability in cPanel/WHM to escalate their privileges.

Multiple vulnerabilities in 7-Zip allow an attacker to execute arbitrary program code with the privileges of the service, potentially leading to system compromise.

Multiple vulnerabilities in PowerDNS could be exploited by an attacker to disclose information, bypass security measures, cause a denial of service, and potentially execute code.

A remote, anonymous attacker can exploit a vulnerability in various HTTP/2 implementations to perform a denial-of-service attack.

A remote, anonymous attacker can exploit multiple vulnerabilities in libpng to execute arbitrary program code or cause a denial of service.

A remote, anonymous attacker can exploit a vulnerability in 7-Zip to manipulate files, leading to potential data integrity issues.

A remote, anonymous attacker can exploit multiple vulnerabilities in IBM App Connect Enterprise to cause a denial-of-service condition or bypass security measures, enabling cross-site scripting attacks.

A local attacker can exploit a vulnerability in libxslt on Red Hat Enterprise Linux to cause a denial of service or execute arbitrary program code.