Briefs

A remote, authenticated attacker can exploit an arbitrary file upload vulnerability in Census CSWeb 8.0.1 (CVE-2025-60947) to upload malicious files, potentially leading to remote code execution.

CVE-2025-60946 details a vulnerability in Census CSWeb 8.0.1, where arbitrary file path input is permitted, allowing a remote, authenticated attacker to access unintended file directories.

Connect-CMS versions 1.x up to 1.41.0 and 2.x up to 2.41.0 are vulnerable to improper authorization in the page content retrieval feature, potentially allowing retrieval of non-public information, addressed in versions 1.41.1 and 2.41.1.

A critical remote code execution vulnerability, CVE-2026-33017, exists in Langflow AI pipelines prior to version 1.9.0 that allows an unauthenticated remote attacker to execute code with full server process privileges, impacting availability, integrity, and confidentiality.

CrowdStrike is expanding the Falcon Flex model to its services offering to provide organizations with more flexible access to incident response and proactive security services.

Crunchyroll suffered a data breach after a Telus employee was phished, leading to Okta credential theft and exfiltration of 100GB of customer data.

Detection of DNS queries to known remote monitoring and management (RMM) domains originating from non-browser processes on Windows systems indicates potential abuse of legitimate software for command and control.

Easy Chat Server 3.1 is vulnerable to a denial-of-service attack where a remote attacker can crash the application by sending oversized data in the message parameter via a POST request to the body2.ghp endpoint after establishing a session, leading to service unavailability.

JetAudio jetCast Server 2.0 is vulnerable to a stack-based buffer overflow in the Log Directory configuration, enabling local attackers to overwrite structured exception handling pointers and execute arbitrary code.

A shellcode loader dubbed 'Lucky Pasta' employs JIT decryption, string obfuscation, dynamic library loading, fiber-based execution, and AES instruction patching to evade AV detection, retrieving shellcode via HTTP/HTTPS and executing it on Windows systems.

A missing authentication vulnerability exists in MacCMS 2025.1000.4052, specifically affecting the Timming API Endpoint component in application/api/controller/Timming.php, allowing remote attackers to bypass authentication.

OpenClaw before 2026.3.7 is vulnerable to improper header validation in fetchWithSsrFGuard, allowing attackers to intercept sensitive authorization headers via cross-origin redirects.

CVE-2026-21992 allows an unauthenticated attacker to gain network access via HTTP and execute code remotely on Oracle Identity Manager and Oracle Web Services Manager.

A NULL pointer dereference vulnerability in the daap_reply_playlists function of owntone-server allows attackers to cause a Denial of Service (DoS) by sending a crafted DAAP request.

The ReviewX WordPress plugin is vulnerable to arbitrary method calls, allowing unauthenticated attackers to potentially achieve remote code execution.

A remote SQL injection vulnerability (CVE-2026-4624) exists in SourceCodester Online Library Management System 1.0 by manipulating the 'searchField' parameter in the /home.php file, potentially allowing attackers to execute arbitrary SQL commands.

An anonymous, remote attacker can exploit multiple vulnerabilities in VMware Tanzu Spring Security and VMware Tanzu Spring Framework to bypass security measures.

An anonymous remote attacker can exploit a vulnerability in Znuny to perform a cross-site scripting attack, potentially leading to information disclosure or session hijacking.

A local attacker can exploit multiple vulnerabilities in OpenSSH to execute arbitrary code, potentially leading to privilege escalation and system compromise.

A remote, anonymous attacker can exploit a vulnerability in cURL to manipulate files on a vulnerable system.

An anonymous, remote attacker can exploit a vulnerability in the PostgreSQL JDBC Driver to perform SQL injection attacks.

Multiple vulnerabilities in libpng allow a remote, anonymous attacker to perform denial of service attacks and execute arbitrary code.

A remote attacker can exploit multiple vulnerabilities in Apache CXF to disclose information and perform Server-Side Request Forgery (SSRF) attacks.

A remote, anonymous attacker can exploit a vulnerability in GIMP to execute arbitrary code on a targeted system.

A remote, anonymous attacker can exploit multiple vulnerabilities in FreeRDP to cause a denial of service or potentially execute arbitrary program code.

A remote, anonymous attacker can exploit a vulnerability in Apache Commons FileUpload to perform a denial of service attack.

An authenticated remote attacker can exploit a vulnerability in Apache Commons BeanUtils to bypass security measures, potentially leading to unauthorized access or privilege escalation.

An anonymous, remote attacker can exploit a vulnerability in MIT Kerberos to bypass security measures.

A local attacker can exploit a vulnerability in libxslt in Red Hat Enterprise Linux to execute arbitrary program code or manipulate files.

A missing release of memory vulnerability (CVE-2026-33852) in MolotovCherry Android-ImageMagick7 before version 7.1.2-11 can lead to a denial-of-service condition due to memory exhaustion.