Threat actors are actively abusing Microsoft's ClickOnce technology, specifically targeting the `.application` and `.appref-ms` file types, to achieve stealthy initial access, execute malicious payloads within legitimate Microsoft processes like rundll32.exe and dfsvc.exe, and establish persistence through its built-in update mechanism, effectively bypassing traditional endpoint security controls.

Threat actors are actively leveraging Microsoft's ClickOnce technology, a legitimate application deployment mechanism, to distribute and execute malware by exploiting its user-friendly deployment process that bypasses administrative privilege requirements.

Cap-go versions prior to 12.128.2 are susceptible to an authentication bypass vulnerability (CVE-2026-56073) in OTP verification that allows attackers to manipulate server responses to falsely mark verification successful, leading to unauthorized 2FA enablement and subsequent account takeover.

An unauthenticated attacker can trigger a denial-of-service condition in applications using the Faraday Ruby library by sending deeply nested query parameters (CVE-2026-54297), leading to `SystemStackError` and application crashes due to uncontrolled recursion.

A stored cross-site scripting (XSS) vulnerability, identified as CVE-2026-54527, in the `jupyterlab-git` JupyterLab extension (versions >= 0.30.0b3, < 0.54.0a1), specifically in `PlainTextDiff.ts`, allows an adversary with Git commit access to execute arbitrary JavaScript in a victim's browser and achieve Remote Code Execution (RCE) on the JupyterLab server by crafting a malicious filename in a Git commit that, when viewed as a rename diff, triggers the XSS payload to steal `_xsrf` cookies, open a terminal, and execute arbitrary shell commands to exfiltrate data.

An authenticated user can bypass the admin-configured `excluded_paths` security control in `jupyterlab-git` versions up to 0.53.0 by exploiting a case-sensitivity flaw on case-insensitive filesystems (e.g., macOS APFS, Windows NTFS), allowing unauthorized read access to git history and file content in explicitly excluded directories.

The `Oj.dump` function in the Ruby `oj` gem, when operating in object mode, is vulnerable to a heap buffer overflow (CVE-2026-54896) when serializing `Exception` objects with an excessively large `:indent` value, leading to memory corruption and potential denial of service or remote code execution.

A heap use-after-free vulnerability (CVE-2026-54897) exists in `Oj::Doc` iterators (`each_value`, `each_child`, `each_leaf`) in the `oj` Ruby gem, allowing an attacker to cause application crashes or unpredictable behavior when a Ruby block yielded during iteration reentrantly calls `doc.close` or `d.close`.

The `Oj.dump` function in the `Oj` Ruby gem is vulnerable to a stack-based buffer overflow (CVE-2026-54502) due to improper validation of the `:indent` parameter, allowing an attacker to trigger a process crash or potentially remote code execution by providing an excessively large integer value, affecting all `Oj` gem versions prior to `3.17.2`.

A critical vulnerability (CVE-2026-53488) exists in the containerd CRI plugin where image configuration `LABEL` instructions are propagated to containers without validation, allowing an attacker to inject and execute arbitrary commands with host-root privileges on the underlying host when a maliciously crafted container image is pulled and processed by specific plugins.

A high-severity vulnerability (CVE-2026-53489) in containerd's CRI plugin allows an unprivileged attacker to read arbitrary files on the host system by crafting a malicious checkpoint with a symlink that `containerd` follows during `container.log` restoration, enabling data exfiltration via `kubectl logs`.

A high-severity vulnerability (CVE-2026-53492) in containerd's CRI implementation allows an attacker with pod creation permissions to smuggle arbitrary Container Device Interface (CDI) annotations during container restoration, bypassing Kubernetes resource allocation and enabling unauthorized device and host mount injection into the restored container.

Stanza, an NLP library, is vulnerable to remote code execution (CVE-2026-54499) due to an unsafe fallback mechanism when loading PyTorch model files, allowing an attacker who can place a malicious pretrain or model file to achieve arbitrary code execution on systems processing NLP pipelines, leading to credential theft, backdoors, data exfiltration, and lateral movement.

An unauthenticated information disclosure vulnerability (CVE-2023-54357) in the Joomla com_booking component version 2.4.9 allows attackers to enumerate user accounts, including names, usernames, and email addresses, by exploiting the getUserData function via specific GET requests.

A Server-Side Request Forgery (SSRF) vulnerability exists in Hugo versions 0.162.0 through 0.163.0, where the 'security.http.urls' policy designed to deny requests to loopback, internal, and cloud-metadata IPv4 literals could be bypassed as the policy only matched dotted-decimal notation, allowing alternate IPv4 encodings (integer, hex, octal) to pass, enabling build-time server-side requests to internal services and cloud-metadata endpoints when untrusted or data-derived URLs are passed to 'resources.GetRemote'.

An unauthenticated API endpoint, `GET /api/pages/nested`, in Alchemy CMS versions up to 8.2.5 (including all 8.x versions prior to a fix and all 7.x versions up to 7.4.14), fails to enforce authorization and scoping checks, allowing any anonymous user to retrieve the complete page tree, encompassing restricted and unpublished pages, and, with `?elements=true`, the full content of these sensitive pages, completely bypassing intended access controls and leading to unauthorized information disclosure.

An unauthenticated attacker can exploit CVE-2017-20267, an SQL injection vulnerability in Joomla! Component Calendar Planner 1.0.1, by sending malicious GET requests to the 'events' view via the 'category_id' parameter, allowing for sensitive database information extraction.

An SQL injection vulnerability, CVE-2017-20266, in Joomla SP Movie Database version 1.3 allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the `searchword` parameter in GET requests to the `searchresults` view, enabling extraction of sensitive database information.

An SQL injection vulnerability, CVE-2017-20265, in Joomla! Component Flip Wall 8.0 allows unauthenticated attackers to execute arbitrary SQL queries via malicious GET requests to the `wallid` parameter, enabling the extraction of sensitive database information.

An unauthenticated SQL injection vulnerability (CVE-2017-20264) in Joomla! Component Sponsor Wall version 8.0 allows attackers to execute arbitrary SQL queries by injecting malicious code into the `wallid` parameter of GET requests to `index.php`, leading to the extraction of sensitive database information such as credentials and configuration data.

An unauthenticated SQL injection vulnerability (CVE-2017-20263) in Joomla! Component FocalPoint Pro/Free version 1.2.3 allows attackers to execute arbitrary SQL queries via a crafted 'id' parameter in GET requests, leading to sensitive database information disclosure.

An unauthenticated SQL injection vulnerability, CVE-2017-20262, in Joomla! Component Ajax Quiz version 1.8 allows attackers to execute arbitrary SQL queries by injecting malicious code through the `cid` parameter in GET requests to `index.php` with `option=com_ajaxquiz` and `view=ajaxquiz`, leading to extraction of sensitive database information.

An unauthenticated attacker can exploit CVE-2017-20261, a critical SQL injection vulnerability in Joomla! Component Bargain Product VM3 1.0, by injecting malicious code into the 'product_id' parameter within GET requests to the 'brainy' or 'alice' views, allowing them to execute arbitrary SQL queries and extract sensitive database information.

An unauthenticated SQL injection vulnerability (CVE-2017-20259) in Joomla OSDownloads version 1.7.4 allows attackers to execute arbitrary SQL queries via a crafted GET request to index.php, extracting sensitive database information like credentials and configuration data.

Unauthenticated attackers can exploit an SQL injection vulnerability (CVE-2017-20258) in Joomla! Component RPC Responsive Portfolio 1.6.1 by injecting malicious code through the 'id' parameter in GET requests, allowing the execution of arbitrary SQL queries and extraction of sensitive database information.

An unauthenticated SQL injection vulnerability (CVE-2017-20257) in Joomla! Component Quiz Deluxe 3.7.4 allows attackers to execute arbitrary SQL commands and extract sensitive information via the `ajaxaction.flag_question` task using `stu_quiz_id` or `flag_quest` parameters.

CVE-2017-20256 describes an SQL injection vulnerability in Joomla Survey Force Deluxe 3.2.4 that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'invite' parameter in GET requests, enabling the extraction of sensitive database information.

An unauthenticated SQL injection vulnerability (CVE-2017-20255) in Joomla! Component JB Visa 1.0 allows attackers to execute arbitrary SQL queries by injecting malicious code via the 'visatype' parameter in GET requests to 'index.php?option=com_bookpro&view=popup', leading to the extraction of sensitive database information including credentials.

An unauthenticated attacker can exploit CVE-2017-20254, an SQL injection vulnerability in the Joomla! Component User Bench 1.0, by sending crafted HTTP GET requests to extract sensitive database information including credentials and configuration data.

An unauthenticated SQL injection vulnerability (CVE-2017-20253) in Joomla! Component My Projects 2.0 allows attackers to execute arbitrary SQL queries via the 'VerAyari' parameter, leading to the extraction of sensitive database information including credentials and system data.

Joomla NextGen Editor 2.1.0 contains an SQL injection vulnerability (CVE-2017-20252) that allows unauthenticated attackers to execute arbitrary SQL commands through the `plname` parameter in crafted GET requests to `index.php?option=com_nge&view=config`, leading to the extraction of sensitive database information.

A local attacker can exploit CVE-2016-20095, an unquoted service path vulnerability in Matrix42 Remote Control Host version 3.20.0031, to achieve arbitrary code execution with SYSTEM privileges by placing a malicious executable named 'Program.exe' in the 'C:\Program Files\' directory, leading to privilege escalation when the vulnerable service starts.

An unquoted service path vulnerability, CVE-2016-20089, in Iperius Remote version 1.7.0 allows a local attacker to execute arbitrary code with SYSTEM privileges by placing a malicious executable in a specific directory when the legitimate service path contains spaces, enabling privilege escalation upon service restart or system reboot.

The Qilin ransomware group has claimed a new victim, Commune d'Eyguires (www.eyguieres.org), a public sector entity in France, employing their Golang-based ransomware and double extortion tactics, leading to data encryption and potential public release of exfiltrated information.

The undici library, when using `Socks5ProxyAgent`, is vulnerable to cross-origin request routing if a single connection pool is reused across different origins, potentially misdirecting requests and credentials, trusting responses from the wrong origin, and silently downgrading HTTPS requests to HTTP (CVE-2026-6734).

An unauthenticated attacker can exploit CVE-2026-55882 in Tilt HUD server versions 0.19.5 through 0.37.3, when exposed on a non-loopback address, by accessing the `/debug/pprof` endpoints to read sensitive process memory, including session and API server tokens, and to degrade application performance through prolonged CPU profiling or tracing.

An attacker can exploit CVE-2026-55883, a Cross-site WebSocket Hijacking vulnerability in Tilt versions 0.24.0 through 0.37.3, by acquiring an unauthenticated CSRF token or bypassing Origin header checks, to establish a WebSocket connection to a network-exposed Tilt HUD and exfiltrate sensitive developer session state, Tiltfile contents, and resource statuses.

Threat actors are performing create, read, update, or delete (CRUD) operations against Azure VM or VM Scale Set extensions (e.g., CustomScript, DSC) from an anomalous source Autonomous System (AS) number, enabling high-privilege code execution and persistence on guest operating systems (SYSTEM on Windows, root on Linux) by abusing compromised Azure identities.

A remote, unauthenticated attacker can exploit a vulnerability in Gitea to bypass existing security measures, potentially leading to unauthorized access, privilege escalation, or data manipulation within the application.

An authenticated remote attacker can exploit multiple vulnerabilities in Google Cloud Platform, specifically within GKE containerd, to achieve arbitrary code execution, bypass security measures, manipulate data, disclose confidential information, or cause a denial-of-service condition.

A remote, authenticated attacker can exploit multiple vulnerabilities in pgAdmin to achieve arbitrary code execution with user or administrator privileges, bypass security measures, perform SQL Injection and Cross-Site Scripting attacks, redirect users to malicious websites, disclose sensitive information, and manipulate data. This comprehensive set of capabilities allows for significant compromise of system integrity, confidentiality, and potentially availability, posing a high risk to affected environments.

The CrowdStrike 2026 Technology Threat Landscape Report highlights the pervasive targeting of the technology sector by China-nexus and eCrime adversaries, employing tactics like password spraying, vulnerability exploitation, supply chain compromises (e.g., Axios npm package, GitHub repositories), and malware distribution (macOS info stealers via OpenClaw lures) to achieve intelligence collection, intellectual property theft, and financial extortion.

A Time-of-Check/Time-of-Use (TOCTOU) vulnerability exists in the `JWSVerifier` and `JWEDecrypter` components of the `web-token/jwt-framework` and `web-token/jwt-library` PHP packages, allowing an attacker to override the integrity-protected `alg` parameter from the unprotected header, leading to authentication bypass and unauthorized access.

CVE-2026-25865 describes an unquoted search path element vulnerability in Yandex Punto Switcher through version 4.5.0.583, allowing local attackers to execute arbitrary code by placing a malicious `RunDll32.exe` earlier in the system's PATH to hijack the application's insecure `WinExec` call, leading to arbitrary code execution with affected user privileges.

A remote, unauthenticated attacker can exploit an unpatched Server-Side Request Forgery (SSRF) vulnerability in Crawl4AI Docker API versions up to 0.8.9, specifically targeting the `/crawl/stream` endpoint, to read internal network services and cloud-metadata endpoints, potentially exposing sensitive information like IAM credentials.

On June 17, 2026, Drupal released critical security advisories (AV26-615) addressing multiple vulnerabilities in Drupal core and several modules including Plotly.js Graphing, Flag attendance field, and Formatter Field, which, if unpatched, could allow remote attackers to compromise affected web servers and sensitive data.

An integer overflow vulnerability (CVE-2026-55203) in HAProxy through version 3.4.0 allows malicious FastCGI backends to desynchronize the FCGI framing parser, leading to request routing errors, response smuggling, or memory safety issues.

An attacker with elevated privileges abuses the Microsoft Entra ID Temporary Access Pass (TAP) feature to bypass multi-factor authentication (MFA), gain unauthorized access to target user accounts, and establish persistence by registering new authentication methods.

Attackers are actively exploiting the OAuth device code flow in Microsoft 365 to bypass multi-factor authentication (MFA) and gain initial access, leveraging phishing kits like Kali365 and tradecraft similar to Storm-2372 to harvest MFA-satisfied tokens from non-compliant or attacker-controlled devices, and subsequently establishing persistence through device registration.

Adversaries leverage the assignment of administrative roles within Google Workspace to an existing or new user/group, establishing persistence and escalating privileges to gain broad control over the tenant, including bypassing single sign-on.

PraisonAI's template loader is vulnerable to a path traversal flaw (GHSA-f44v-7qgw-9gh9) when processing GitHub template URIs, allowing an unauthenticated attacker to write arbitrary files or delete arbitrary directories on the system running PraisonAI, leading to corruption of user configuration, project state, or application data.

Kirby CMS versions prior to 4.9.4 and between 5.0.0-alpha.1 and 5.4.3 are vulnerable to a self-cross-site scripting (self-XSS) flaw, CVE-2026-49276, in the writer field, allowing an attacker to inject malicious JavaScript as the target of a link or email link which, if clicked by an authenticated user before saving, will execute in their browser context, potentially making API requests with their permissions, while Panel plugins using the `<k-writer>` component may be vulnerable to stored XSS if they don't sanitize HTML.

A high-severity cross-site scripting (XSS) vulnerability, tracked as CVE-2026-54002, exists in Kirby CMS versions prior to 4.9.4 and between 5.0.0-alpha.1 and 5.4.3, allowing authenticated Panel users to inject malicious markup into `writer` or `list` fields or via `Sane` API-dependent custom code, leading to stored XSS and potential privilege escalation.

An authenticated user can exploit CVE-2026-54005, a high-severity missing authorization vulnerability in Kirby CMS versions <= 4.9.3 and from 5.0.0-alpha.1 to <= 5.4.3, via the `/api/site/find` REST API route to bypass `pages.access` permissions and retrieve sensitive content and metadata from unauthorized pages.

A high-severity vulnerability in dadrus/heimdall (versions <= 0.17.16) enables attackers to spoof client IP addresses by injecting unvalidated or malformed values into `Forwarded` or `X-Forwarded-For` HTTP headers, potentially bypassing access controls or propagating malicious IP data to upstream services when `trusted_proxies` is configured.

Attackers can exploit Heimdall proxy versions <= 0.17.16 operating in proxy mode by injecting malicious values into the `Host` HTTP header, leading to the construction of a manipulated `Forwarded` header that can spoof client IP addresses for upstream services, potentially bypassing IP-based access controls.

A command injection vulnerability (CVE-NONE) exists in PraisonAI's `praisonaiagents` package (versions <= 1.6.48) where unsanitized LLM-controlled parameters are directly interpolated into IMAP SEARCH commands, allowing attackers to craft malicious prompts to inject arbitrary IMAP commands, leading to unauthorized email exfiltration, deletion, or denial-of-service when email tools are configured.

The npm package `praisonai` versions 1.2.3 through 1.7.1 contain a network isolation bypass vulnerability (GHSA-gqmf-56h7-rrpf) in its `SandboxExecutor` component's `network-isolated` mode, allowing non-proxy-aware client commands to establish direct network connections, leading to potential data exfiltration and access to internal services.

A critical command injection vulnerability exists in the `npm:praisonai` package versions >= 1.2.3 and <= 1.7.1, where the `SandboxExecutor`'s `allowedCommands` policy is bypassed by allowing arbitrary shell command chaining after an allowlisted command, leading to remote code execution with the PraisonAI process privileges.

The npm package `praisonai` versions 1.5.1 through 1.7.1 contains a command injection vulnerability (GHSA-5jv7-2mjm-h6qj) in its `utility-tools.shell()` helper, which allows attackers to bypass a 'safe read-only' command allowlist by appending arbitrary shell commands with metacharacters after an allowed command, leading to arbitrary code execution with the PraisonAI process privileges.

A policy bypass vulnerability in PraisonAI (CVE-NONE) allows untrusted recipes to self-approve and execute default-denied critical shell tools, such as `execute_command`, by declaring them in `workflow.yaml` instead of `TEMPLATE.yaml requires.tools`, leading to arbitrary command execution with the privileges of the PraisonAI process.

An incomplete fix in PraisonAI's `praisonai serve a2u` command leaves the A2U Agent-to-User event stream server unauthenticated by default, potentially exposing sensitive agent event streams to any attacker who can reach the server, bypassing intended authentication mechanisms for versions `4.5.115` to `4.6.60`.

A Server-Side Request Forgery (SSRF) vulnerability in PraisonAI's `praisonaiagents` package (versions prior to 1.6.61), specifically within the `searxng_search` and `search_web` tools, allows an attacker to exploit prompt injection by controlling the `searxng_url` parameter, enabling the server to make requests to arbitrary internal endpoints, read responses, perform network enumeration, and potentially expose cloud instance credentials.

A high-severity authentication bypass vulnerability in PraisonAI versions prior to 4.6.61 allows unauthenticated attackers to invoke any registered agent by setting the `PRAISONAI_CALL_AUTH=disabled` environment variable, potentially leading to arbitrary code execution or system compromise.

Nodemailer versions up to 9.0.0 are vulnerable to arbitrary local file read and full-response Server-Side Request Forgery (SSRF) when handling untrusted input for the message-level `raw` option, bypassing intended security flags and allowing sensitive content to be exfiltrated via an attacker-controlled recipient.

A vulnerability in undici's ProxyAgent, when configured with a SOCKS5 proxy, causes the `requestTls` option to be silently dropped. This bypasses user-configured TLS certificate validation settings (e.g., custom CAs), allowing HTTPS connections through the SOCKS5 tunnel to fall back to the Node.js default trust store. This flaw enables Man-in-the-Middle (MITM) attacks, where any publicly-trusted certificate for the target hostname would be accepted, compromising the intended certificate pinning and allowing attackers to read or tamper with HTTPS traffic.

Sophos X-Ops discovered that Hola Browser version 1.251.91.0 was distributed with an undeclared crypto-mining executable, me.exe, due to a supply chain compromise, leading to resource hijacking on affected Windows systems.

Unspecified adversaries are using a Traffic Direction System (TDS) redirect for initial access, followed by encoded PowerShell execution to download payloads like `script.ps1` into the `ApplicationData` directory, and establishing command-and-control (C2) communication via `curl.exe` to suspicious IP addresses such as `144.31.221.82` with defense evasion techniques like post-execution cleanup, designed to operate below traditional detection thresholds.

An unknown threat actor gained continuous administrative access to a senior finance executive's Microsoft Outlook mailbox at a global stock exchange for at least five months, deploying custom infostealers via scheduled tasks and exfiltrating sensitive emails through a Dropbox-based command and control channel after an initial lateral movement event.

Multiple vulnerabilities discovered in Typo3 allow an attacker to achieve remote arbitrary code execution, privilege escalation, data confidentiality compromise, data integrity compromise, security policy bypass, remote indirect code injection (XSS), and SQL injection (SQLi).

Multiple vulnerabilities, including CVE-2025-10263, CVE-2026-42487, CVE-2026-42488, CVE-2026-42489, and CVE-2026-42490, have been discovered in Xen, allowing an attacker to achieve privilege escalation, trigger a remote denial of service, and compromise data confidentiality on vulnerable hypervisor instances.

CERT-FR has disclosed 31 vulnerabilities in various Microsoft Office products, including CVE-2026-44803 and CVE-2026-47635, which could allow remote code execution, privilege escalation, and data confidentiality compromise.

Multiple vulnerabilities, including CVE-2026-45257 (kernel out-of-bounds write) and CVE-2026-49413 (Linux compatibility layer memory mapping), exist in FreeBSD branches 14 and 15, allowing a local unprivileged attacker to achieve privilege escalation.

Multiple high-severity vulnerabilities, including CVE-2025-15467, affect various Siemens SCALANCE LPE, M, W, and X series industrial network devices, potentially allowing a remote attacker to achieve arbitrary code execution, provoke a denial of service, or compromise data confidentiality, with some products confirmed to receive no future patches.

A critical vulnerability, CVE-2026-8045, has been identified in Schneider Electric EcoStruxure IT Data Center Expert versions prior to 9.1.2, allowing an attacker to achieve unauthorized access to sensitive data and compromise its confidentiality.

Multiple high-severity vulnerabilities discovered in various SAP products, including SQL injection (SQLi), remote indirect code injection (XSS), and security policy bypasses, could allow unauthenticated attackers to compromise sensitive enterprise systems by June 2026.

The Lazarus Group is conducting a brandjacking campaign on npm, using dozens of malicious packages like 'buffer-utilities' to deploy a Node.js backdoor that collects host information, establishes C2 communication, and maintains persistent attacker-controlled code execution, primarily targeting developers.

HP released a security advisory addressing a critical vulnerability in Poly VVX, Trio 8300, Trio 8500, and Trio 8800 devices, potentially allowing remote control.

Iran's MOIS has broadened the Handala brand to encompass physical threat operations, recruiting proxies to conduct attacks, espionage, and sabotage against US and Israeli interests, amplifying both cyber and physical threats.

Multiple vulnerabilities exist in X.Org X11 and Xwayland, allowing attackers to disclose information, escalate privileges, conduct denial-of-service attacks, and perform unspecified attacks.

Operation FlutterBridge is a malvertising campaign targeting macOS users with the new FlutterShell backdoor, which uses malicious desktop applications for adware distribution and provides backdoor capabilities such as command execution and file system manipulation, with some variants using AI summarization for data exfiltration.

CVE-2026-25276 describes a memory corruption vulnerability in Qualcomm's Strongbox due to a missing bounds check, potentially leading to arbitrary code execution.

CVE-2026-24092 is a memory corruption vulnerability in Qualcomm products arising from improper validation when processing fastboot commands to set the display mode, potentially leading to arbitrary code execution.

CVE-2026-24091 is a memory corruption vulnerability in Qualcomm devices that occurs when processing fastboot commands with improperly formatted input, potentially leading to code execution.

CVE-2026-24090 is a cryptographic issue in Qualcomm chipsets while processing partition table entries, allowing unauthorized modification of the boot flow due to missing authentication for critical functions.

CVE-2026-24089 describes a memory corruption vulnerability in processing fastboot commands with invalid input, potentially leading to arbitrary code execution on affected devices and requiring physical access to trigger.

CVE-2026-24087 is a high-severity memory corruption vulnerability in Qualcomm components that occurs while processing fastboot OEM commands, potentially leading to code execution.

CVE-2026-24085 is a memory corruption vulnerability due to improper initialization of a variable when processing display command line information, potentially leading to a stack-based buffer overflow (CWE-121) and allowing a privileged attacker to achieve code execution.

CVE-2025-59605 is a memory corruption vulnerability in Qualcomm products where processing overly long device identifier strings leads to an out-of-bounds write, potentially allowing for information disclosure, code execution, or denial of service.

CVE-2025-59604 is a memory corruption vulnerability due to invalid writes caused by a null pointer when running a memory copy operation, potentially leading to arbitrary code execution, as reported by Qualcomm.

Dräger Infinity Explorer C700 contains a privilege escalation vulnerability (CVE-2019-25718) that allows attackers to break out of kiosk mode, access the underlying operating system, and potentially cause the device to display incorrect patient monitor information.

A stack-based buffer overflow vulnerability (CVE-2026-10292) exists in the strcpy function of /goform/formTaskEdit in UTT HiPER 1200GW up to version 2.5.3-170306, allowing for remote code execution.

Pixa Bank 2.0 is vulnerable to SQL injection, allowing unauthenticated attackers to extract sensitive data by injecting SQL code into the 'rib' parameter via POST requests to the agence-ajax.php endpoint with UNION-based SQL payloads, potentially leading to the retrieval of user information such as names, email addresses, and phone numbers from the database.

A stack-based buffer overflow vulnerability (CVE-2026-10293) exists in UTT HiPER 1200GW up to version 2.5.3-170306 due to the strcpy function in /goform/formFireWall, allowing remote exploitation via manipulation of the Profile argument.

A SQL injection vulnerability exists in code-projects Hotel and Tourism Reservation System version 1.0 due to improper sanitization of the 'tour' GET parameter in the tour.php file, potentially allowing remote attackers to execute arbitrary SQL queries.

WP AutoSuggest version 0.24 contains an SQL injection vulnerability that allows an unauthenticated attacker to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter via GET requests to autosuggest.php, potentially extracting sensitive database information.

Joomla Component JE Photo Gallery 1.1 contains an SQL injection vulnerability, tracked as CVE-2018-25433, allowing unauthenticated attackers to extract database information by injecting malicious SQL code through the categoryid parameter.

Arm Whois 3.11 contains a buffer overflow vulnerability (CVE-2018-25432) that allows local attackers to execute arbitrary code by overwriting the structured exception handler via a crafted input file.

No-Cms 1.0 is vulnerable to SQL injection (CVE-2018-25431) in the order_by parameter of the manage_privilege export endpoint, allowing authenticated attackers to manipulate database queries and potentially extract sensitive information.

Paroiciel 11.20 contains an SQL injection vulnerability (CVE-2018-25430) that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the eGeqIdEquipe parameter, potentially leading to sensitive data extraction.

Paroiciel 11.20 is vulnerable to SQL injection, allowing authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the zProIdPro parameter, potentially extracting sensitive database information.

Paroiciel 11.20 is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tRecIdListe parameter via GET requests to the trec.php endpoint, enabling attackers to extract sensitive database information.

A supply chain attack compromised over 30 npm packages under Red Hat's '@redhat-cloud-services' namespace, distributing a credential-stealing malware variant named 'Miasma' that targets sensitive developer information.

Banana Slides version 0.4.0 contains a path traversal vulnerability (CVE-2026-49136) in the generate_image() function that allows unauthenticated attackers to read arbitrary image-format files outside the intended uploads directory by exploiting an incomplete path prefix check.

CodexBar versions prior to 0.32.0 are vulnerable to insecure temporary file handling, allowing local attackers to access sensitive credentials or tamper with build artifacts due to predictable file paths in the release notarization workflow.

CodexBar versions prior to 0.32.0 contain a privilege escalation vulnerability (CVE-2026-49134) due to a race condition in the CLI installer's temporary file handling, allowing local attackers to execute arbitrary commands as root.

CVE-2026-10288 is a high severity vulnerability in code-projects Hotel and Tourism Reservation System 1.0, allowing remote attackers to bypass authentication via manipulation of the Password argument in the /admin/login.php file.

This rule detects the exploitation of a web server through the execution of a suspicious process by common web server user accounts within a containerized environment, potentially indicating the uploading of a web shell to maintain system access, and covers persistence, execution, and command and control tactics.

Multiple vulnerabilities in NetApp products, including CVE-2023-0482, CVE-2023-20863, CVE-2024-22257, CVE-2025-23367, CVE-2025-48976, CVE-2025-53816, and CVE-2025-53817, could lead to remote denial of service, data confidentiality breaches, and data integrity breaches.

A vulnerability in Keycloak versions prior to 26.2.14, 26.4.10, and 26.5.5 allows an attacker to cause a breach of data confidentiality and bypass the security policy, as tracked by CVE-2026-2092.

The rule detects attempts to clear the kernel ring buffer on Linux systems using the `dmesg` command with options like `-c`, `-C`, `--clear`, or `--read-clear` to evade detection.

Multiple vulnerabilities in IBM Business Automation Workflow can be exploited by an attacker to bypass security measures, conduct a denial of service attack, disclose information, manipulate files, and conduct a cross-site scripting attack.

Multiple vulnerabilities in IBM App Connect Enterprise could allow an attacker to bypass security measures, manipulate data, disclose sensitive information, cause a denial-of-service condition, or perform other unspecified attacks.

This rule detects Linux process executions that access high-value Kubernetes service-account material, kubeconfig or node PKI paths, or common cloud files, potentially indicating credential theft within in-cluster and hybrid environments.

Detects successful AWS AssumeRoleWithWebIdentity where the caller identity is a Kubernetes service account and the source autonomous system organization is not Amazon.com, Inc., potentially indicating a stolen or misused service-account token being used off-cluster.

A local attacker can exploit a vulnerability in Red Hat Enterprise Linux (crun) to escalate their privileges, potentially gaining root access.

A remote, anonymous attacker can exploit a vulnerability in Notepad++ to execute arbitrary program code, potentially leading to system compromise.

A SQL injection vulnerability (CVE-2026-10226) exists in student_management_system_by_php up to version 310d950e09013d5133c6b9210aff9444382d16d1, allowing remote attackers to execute arbitrary SQL commands by manipulating specific parameters in the delete.php file.

A SQL injection vulnerability exists in raisulislamg4's student_management_system_by_php up to commit 310d950e09013d5133c6b9210aff9444382d16d1, allowing remote attackers to execute arbitrary SQL commands by manipulating the Username argument in login_check.php.

NousResearch hermes-agent up to version 0.12.0 is vulnerable to code injection in the _compress_context function of the run_agent.py file, allowing remote exploitation.

A remote code injection vulnerability (CVE-2026-10220) exists in NousResearch hermes-agent versions up to 2026.4.30, affecting the _serve_plugin_skill/skill_view function in tools/skills_tool.py, potentially allowing attackers to inject arbitrary code.

nextlevelbuilder GoClaw up to 3.11.3 is vulnerable to remote OS command injection via manipulation of the write_file Tool component's FsBridge.WriteFile function (CVE-2026-10219), with a public exploit available.

A stack-based buffer overflow vulnerability exists in Tenda W12 version 3.0.0.7(4763) in the `set_local_time_0` function, which allows a remote attacker to execute arbitrary code by manipulating the Time argument.

CVE-2026-10178 is a remote SQL injection vulnerability in code-projects Online Music Site 1.0, affecting the /Administrator/PHP/AdminEditAlbum.php file due to manipulation of the ID argument.

CVE-2025-23167 describes a request smuggling vulnerability in Node.js 20's HTTP parser due to improper header termination, allowing attackers to bypass proxy access controls.

CVE-2026-42015 is a memory corruption vulnerability due to an off-by-one error in PKCS#12 bag handling in GnuTLS.

CVE-2026-10167 is an improper authentication vulnerability in OUSL-GROUP-BrinaryBrains School Student Management System allowing a remote attacker to manipulate the 'role' argument to bypass authentication.

A stack-based buffer overflow vulnerability (CVE-2026-10123) exists in TRENDnet TEW-432BRP version 3.10B20 within the formSetDomainFilter function, allowing a remote attacker to execute arbitrary code by manipulating specific arguments in a request to /goform/formSetDomainFilter.

A stack-based buffer overflow vulnerability exists in Shibby Tomato up to version 1.28 in the rip_zebra_read_ipv4 function within the /usr/sbin/ripd component (Zserv Handler), allowing a remote attacker to execute arbitrary code.

Yot CMS 3.3.1 is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid and cid parameters in GET requests, potentially leading to database information disclosure.

Gate Pass Management System 2.1 is vulnerable to SQL injection via the login-exec.php endpoint, allowing unauthenticated attackers to bypass authentication and gain unauthorized access to the application by injecting SQL code in the login and password parameters.

MOGG web simulator Script is vulnerable to SQL injection (CVE-2018-25422), allowing unauthenticated attackers to execute arbitrary SQL commands via the id parameter in play.php, potentially leading to sensitive data extraction.

AiOPMSD Final 1.0.0 is vulnerable to SQL injection via the 'id' parameter in the watch.php script, allowing unauthenticated attackers to send crafted GET requests with SQL payloads to extract sensitive database information.

AiOPMSD Final 1.0.0 is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the country parameter via GET requests to country.php, enabling extraction of sensitive database information including usernames, database names, and version details.

AiOPMSD Final 1.0.0 is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL queries via the 'q' parameter in search.php, potentially leading to sensitive data extraction.

MGB OpenSource Guestbook 0.7.0.2 contains an SQL injection vulnerability (CVE-2018-25411) that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter in GET requests to email.php, potentially leading to sensitive database information disclosure.

SIM-PKH version 2.4.1 is vulnerable to SQL injection (CVE-2018-25410), allowing an authenticated attacker to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter via a crafted GET request, potentially leading to database information disclosure.

Open ISES Project 3.30A is vulnerable to path traversal (CVE-2018-25408), allowing unauthenticated attackers to download arbitrary files by manipulating the filename parameter in the ajax/download.php endpoint, potentially exposing configuration and system files.

eNdonesia Portal version 8.7 is vulnerable to SQL injection (CVE-2018-25405), allowing unauthenticated attackers to execute arbitrary SQL queries through the artid, cid, did, contid, and aboutid parameters in mod.php, potentially leading to the extraction of sensitive database information.

The CIFSwitch vulnerability in the Linux kernel allows an unprivileged user to forge CIFS authentication key descriptions, abuse the kernel's key request mechanism, and gain root privileges by loading a malicious NSS module.

The GEO my WP plugin for WordPress is vulnerable to SQL Injection (CVE-2026-9757) via the 'swlatlng' and 'nelatlng' parameters, allowing unauthenticated attackers to extract sensitive information from the database by injecting SQL queries into a BETWEEN clause.

The Spectra Gutenberg Blocks WordPress plugin is vulnerable to remote code execution, allowing authenticated attackers with Contributor access or higher to execute arbitrary code by crafting a malicious two-block payload within post content.

CVE-2026-7459 is an authenticated account takeover vulnerability in the Simple History WordPress plugin where a subscriber-level user can read password reset emails and escalate privileges to an administrator account.

A flaw in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 allows a remote attacker to perform SQL injection by manipulating the email argument on the Login Page, potentially leading to unauthorized data access.

A public exploit is available for an OS Command Injection vulnerability in Dolibarr ERP/CRM versions prior to 17.0.1 (CVE-2023-30253), which allows authenticated users to inject PHP code via the Website/CMS module to obtain a reverse shell as the www-data user.

CVE-2026-10110 is a SQL injection vulnerability in code-projects Student Details Management System 1.0, allowing a remote attacker to execute arbitrary SQL commands by manipulating the 'roll' argument in the /index.php file, potentially leading to data breaches and unauthorized access.

An authorization bypass vulnerability exists in praisonai-platform where any member can remove any other member, including the workspace owner, due to missing role checks and owner protection logic, allowing an attacker to lock the legitimate owner out of their own workspace, leading to a permanent denial-of-service and potential workspace takeover (CVE-2026-47409).

Praison AI's praisonai-platform is vulnerable to an insecure direct object reference (IDOR) in the label endpoints (CVE-2026-47414), allowing cross-workspace label modification and information disclosure due to improper validation of label and issue IDs.

PraisonAI versions 4.6.37 and earlier are vulnerable to arbitrary file write due to missing path validation in the `write_file` function when `workspace=None`, allowing an attacker to write attacker-controlled content to arbitrary file paths on the victim's system via a malicious webpage.

An unauthenticated user can modify existing Formie submissions by posting a known or guessed submission ID to `formie/submissions/save-submission`, affecting versions prior to 2.2.21 and versions 3.0.0 to 3.1.26.

A remote code execution vulnerability exists in Ouroboros-AI versions prior to 0.39.0, enabling attackers to inject malicious scripts via CLI path variables within a cloned repository's .env file, leading to arbitrary code execution when Ouroboros commands are executed.

Koel is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of podcast episode enclosure URLs, allowing a remote attacker to inject a malicious URL into the enclosure field of a podcast RSS feed, leading to internal network reconnaissance and potential credential theft; this issue is tracked as CVE-2026-47260.

Multiple vulnerabilities, including SQL injection and SMTP header injection, have been discovered in AgenticMail API and Core packages, addressed in versions greater than 0.9.31 and 0.9.9 respectively, posing a risk of unauthorized access and control.

A SQL injection vulnerability exists in ezpublish-legacy, specifically in the dfscleanup.php script and the `_getFileList` function of the `eZDFSFileHandlerMySQLiBackend` class, allowing an attacker with local shell access to potentially expose sensitive data such as user credentials.

xiaomusic v0.5.7 contains an unauthenticated path traversal vulnerability (CVE-2026-10108) in the GET /music/{file_path:path} endpoint, allowing unauthenticated attackers to read arbitrary files outside the intended music directory by exploiting an incomplete path prefix check.

MoviePilot v2 is vulnerable to server-side request forgery (SSRF) in the image proxy endpoint, allowing authenticated attackers to request arbitrary URLs, enumerate internal services, and exfiltrate data from internal network resources by bypassing internal network protections.

Agno 2.6.5 is vulnerable to SQL injection in the ClickHouse vector database backend (CVE-2026-10105), enabling attackers to inject arbitrary SQL expressions via malicious metadata in the delete_by_metadata() method, potentially leading to data deletion or information extraction.

Gotenberg's `IsPublicIP` function incorrectly classifies IPv6 6to4, NAT64, and deprecated site-local addresses as public IPs, enabling an unauthenticated attacker to reach internal destinations such as cloud metadata services.

Gotenberg is vulnerable to path traversal (CVE-2026-44829) due to improper sanitization of filenames in zip archives, allowing attackers to write files outside the intended extraction directory by using Windows-style path separators (backslashes) in uploaded filenames, affecting versions up to 8.32.0.

GitHub internal repositories were compromised after an attacker injected malicious code into the Nx Console Visual Studio Code extension (v18.95.0), leading to the exfiltration of approximately 3,800 internal repositories.

GitHub CLI versions 2.92.0 and earlier incorrectly include authorization headers in API requests to TUF repository mirrors and external hosts when using the `gh attestation`, `gh release verify`, and `gh release verify-asset` commands, potentially exposing sensitive tokens.

TRENDnet TEW-432BRP version 3.10B20 is vulnerable to a stack-based buffer overflow via manipulation of the ip/mask/gateway arguments in the formSetRoute function of the /goform/formSetRoute file, enabling remote attackers to potentially execute arbitrary code.

Multiple vulnerabilities in Elastic Kibana allow for privilege escalation, remote denial of service, data breach, server-side request forgery (SSRF), and cross-site scripting (XSS).

DreamMaker by Interinfo is vulnerable to arbitrary file read via relative path traversal, allowing unauthenticated attackers to download arbitrary system files.

DreamMaker by Interinfo is vulnerable to arbitrary file upload, allowing privileged remote attackers to upload and execute web shell backdoors, enabling arbitrary code execution on the server.

CVE-2026-46579 describes a vulnerability in the Red Hat OpenShift Router. When a Route is configured with `insecureEdgeTerminationPolicy` set to Allow, the HTTP frontend fails to remove `X-SSL-Client-*` headers from incoming requests, allowing unauthenticated attackers to bypass mutual TLS authentication and impersonate client certificate identities.

Detects Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker authenticates using a non-standard user agent, inconsistent with common browser, mobile, or Windows platforms, potentially indicating adversary-in-the-middle or OAuth phishing attacks.

Detects Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker requests the Device Registration Service from a suspicious ASN, indicating potential OAuth phishing or adversary-in-the-middle device registration.

An authenticated remote attacker can exploit a vulnerability in Hirschmann HiSecOS to escalate privileges, potentially gaining unauthorized access and control over the affected system.

Multiple vulnerabilities exist in Check Point Security Gateway that could be exploited by an attacker to perform a denial of service attack, disclose information, and perform a SQL injection attack.

A public exploit (EDB-52592) has been published for ZTE H298A and H108N routers, which allows unauthenticated access to sensitive credentials.

A public exploit is available for an authentication bypass vulnerability affecting ZTE ZXHN H188A V6, increasing the risk to unpatched devices.

MixPHP Framework 2.2.17 is vulnerable to remote code execution due to unsafe deserialization, with a public exploit available, increasing the risk for unpatched systems.

A local privilege escalation vulnerability in the Linux Kernel has a published exploit on Exploit-DB, potentially allowing unprivileged users to gain elevated privileges on vulnerable systems.

CVE-2026-42250 is an off-by-one vulnerability leading to an out-of-bounds write in bzip2, for which Microsoft has released information.

CVE-2026-46163 is a vulnerability in the b43legacy WiFi driver related to a missing bounds check on the firmware key index in the RX path, potentially leading to memory corruption.

The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection (CVE-2025-11993) due to deserialization of untrusted data in the 'import_settings' function, potentially leading to arbitrary code execution if a suitable POP chain is present.

CubeCart versions before 6.7.0 are vulnerable to reflected cross-site scripting (XSS), allowing an unauthenticated attacker to inject malicious JavaScript payloads via the search functionality, which will be executed in the context of the victim's browser.

ESET's APT Activity Report for Q4 2025 and Q1 2026 highlights diverse campaigns by China, Iran, North Korea, and Russia-aligned threat actors, including espionage, supply chain compromise, and destructive attacks.

Dulwich versions before 1.2.5 are vulnerable to an arbitrary file write leading to remote code execution on Windows systems when cloning or checking out a malicious Git repository due to improper path validation, as tracked by CVE-2026-42305.

Dulwich is vulnerable to command injection (CVE-2026-42563). By injecting malicious file paths through a crafted git tree, an attacker can achieve arbitrary command execution when a victim merges an untrusted branch because the `ProcessMergeDriver` substitutes the file path into the merge driver command via the `%P` placeholder and executes it with `subprocess.run(..., shell=True)`.

The likely Russian-aligned GreyVibe group is targeting Ukrainian organizations with AI-generated lures delivered via spear-phishing and malicious websites, deploying custom malware such as PhantomRelay, LegionRelay, and FallSpy to exfiltrate sensitive data.

CVE-2026-46837 is a SQL injection vulnerability in Oracle Flow Manufacturing within Oracle E-Business Suite versions 12.2.9 through 12.2.15, allowing a low-privileged attacker with network access to potentially take over the application.

CVE-2026-46827 allows a low-privileged attacker with network access via HTTP to compromise Oracle Payroll versions 12.2.3 through 12.2.15, leading to a potential system takeover.

CVE-2026-46826 is a vulnerability in Oracle Payroll within Oracle E-Business Suite, where a low-privileged attacker can achieve a system takeover via network access over HTTPS.

CVE-2026-46818 is a vulnerability in Oracle Payments within Oracle E-Business Suite (versions 12.2.3-12.2.15) that allows an unauthenticated attacker with network access via HTTPS to compromise the system, leading to unauthorized data access and modification.

CVE-2026-35277 is a vulnerability in Oracle REST Data Services (Core) versions 24.2.0 to 26.1.0 that allows a low-privileged attacker with network access via HTTPS to compromise the system, leading to unauthorized data access, creation, deletion, or modification.

A SQL injection vulnerability exists in Pimcore Platform when handling DataObject composite indices during class definition import/save, allowing an authenticated administrative user to inject attacker-controlled composite index metadata, leading to unintended SQL execution in the backend, specifically via the `index_columns` element.

The analytic detects ACL deletion on the domain root object in Active Directory by monitoring Windows Event Log Security event ID 5136, identifying significant AD changes with potentially high impact.

Detection of changes to the xp_cmdshell configuration in SQL Server, a feature often abused by attackers for privilege escalation and lateral movement by enabling execution of operating system commands.

Modification of critical SQL Server configuration options, such as 'Ad Hoc Distributed Queries', 'external scripts enabled', 'Ole Automation Procedures', 'clr enabled', and 'clr strict security', can enable attackers to perform Active Directory reconnaissance and execute arbitrary code, potentially leading to code execution or reconnaissance activities.

Detection of the Microsoft Software Licensing User Interface Tool (`slui.exe`) being executed with elevated privileges using the `-verb runas` parameter, indicating a potential privilege escalation attempt.

This analytic detects the issuance of a suspicious certificate with a Subject Alternative Name (SAN) using Active Directory Certificate Services (AD CS) and its immediate use for authentication, indicating potential exploitation of improperly configured certificate templates for privilege escalation.

This analytic detects when a process running with low or medium integrity spawns an elevated process with high or system integrity in suspicious locations, potentially indicating successful privilege escalation by a threat actor.

This Splunk analytic detects the addition of a Service Principal Name (SPN) to a domain account by monitoring Windows Event Code 5136 and changes to the servicePrincipalName attribute, potentially indicating Kerberoasting attempts leading to unauthorized access.

This analytic detects changes to the sIDHistory attribute of user or computer objects within the same domain using Windows Security Event Codes 4738 and 4742, which can be abused by adversaries to gain unauthorized access, maintain persistence, or escalate privileges by inheriting permissions from another account.

This analytic detects when an ACL is applied to an organizational unit (OU) to deny listing the objects residing in it; this activity, combined with modifying the owner of the OU, can hide Active Directory objects, even from domain administrators.

Modification of Access Control Lists (ACLs) on the Active Directory domain root object can grant attackers persistent and escalated privileges.

This analytic detects the addition of permissions required for a DCSync attack, specifically DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, and DS-Replication-Get-Changes-In-Filtered-Set, leveraging Windows Security Event Log 5136 to identify when these permissions are granted, which indicates potential preparation for replicating AD objects and exfiltrating sensitive data.

This detection identifies an Active Directory access-control list (ACL) modification event, which applies the minimum required extended rights to perform the DCShadow attack by modifying permissions on the domainDNS object.

Detection of Active Directory user object ACL modifications that grant dangerous permissions, such as full control or the ability to modify permissions, potentially indicating privilege escalation or malicious activity.

The compliance-trestle application is vulnerable to arbitrary file write via path traversal; the `-o/--output` argument in `trestle author jinja` allows writing files outside the intended workspace due to improper validation of path traversal characters, leading to potential CI/CD compromise or local code execution by overwriting sensitive files such as `.github/workflows/*.yml` or `.git/hooks/*`.

This analytic detects instances where prohibited network traffic is allowed, highlighting potential misconfigurations or policy violations that could lead to unauthorized access or data exfiltration, ultimately allowing attackers to bypass network defenses.

The following analytic identifies modifications to the SourceAnchor (ImmutableId) attribute for an Azure Active Directory user, which is a step in setting up an Azure AD identity federation backdoor that allows an attacker to impersonate any user and bypass MFA.

This analytic detects a correlation between privileged account creation on Cisco IOS devices and subsequent inbound SSH connections to non-standard ports or sshd_operns, indicating persistence establishment following initial compromise.

Attackers create privileged accounts on Cisco IOS devices and then execute commands remotely via HTTP to gain privileged access.

This analytic identifies potential post-exploitation behaviors on a Windows system by monitoring multiple risk events and their associated MITRE ATT&CK tactics, indicating potential malicious actions following an initial compromise.

The analytic identifies potential threats related to the theft or forgery of authentication certificates by detecting when five or more analytics from the Windows Certificate Services story trigger within a specified timeframe, indicating an ongoing attack aimed at compromising authentication mechanisms that could grant unauthorized access to sensitive systems and data.

A Splunk correlation search identifies potential Linux persistence and privilege escalation activities based on risk scores and event counts from various Linux-related data sources, highlighting behaviors that could allow an attacker to maintain access or gain elevated privileges on a Linux system.

This correlation analytic identifies potential privilege escalation activities within an organization's Active Directory (AD) environment by correlating multiple analytics from the Active Directory Privilege Escalation analytic story within a specified time frame, helping identify coordinated attempts to gain elevated privileges which could lead to unauthorized access to sensitive systems and data.

This correlation identifies potential lateral movement activities within an Active Directory environment by correlating multiple analytics from the Active Directory Lateral Movement analytic story within a specified time frame, potentially leading to privilege escalation, access to sensitive information, and persistence within the environment.

This analytic identifies high-risk activities within repositories by correlating repository data with risk scores in DevSecOps environments, focusing on scores above 100 and sources with more than three occurrences to highlight potential vulnerabilities leading to data breaches or infrastructure compromise.

This analytic identifies potential AWS S3 exfiltration behavior by correlating multiple risk events related to Collection and Exfiltration techniques, leveraging AWS sources and focusing on instances where multiple unique analytics and distinct MITRE ATT&CK IDs are triggered for a specific risk object.

This correlation identifies when a user exceeds a risk threshold based on multiple suspicious Okta activities by aggregating risk events from 'Suspicious Okta Activity,' 'Okta Account Takeover,' and 'Okta MFA Exhaustion' analytic stories, highlighting potentially compromised user accounts exhibiting multiple TTPs that could lead to unauthorized access, privilege escalation, or persistence.

This analytic detects the creation of suspicious mailbox rules in Office 365, a common technique used in Business Email Compromise (BEC) to hide emails by identifying rules with short or nonsensical names, marking emails as read, or moving them to specific folders.

OpenBao versions up to 2.5.3 allow cross-namespace lease revocation by exploiting legacy sys/revoke endpoints, potentially leading to unauthorized credential access and denial of service.

This rule detects potential privilege escalation attempts on Linux systems by monitoring the use of `unshare` with user namespace-related arguments followed by a UID change to root, indicating a transition to root and a potential local privilege escalation.

phpMyFAQ before version 4.1.3 is vulnerable to an authentication bypass in the password reset endpoint, allowing unauthenticated attackers to reset any user account password without token verification or email confirmation, potentially leading to complete account takeover, including administrative access.

phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification, leading to privilege escalation.

Multiple vulnerabilities in Langflow allow a remote, anonymous attacker to execute arbitrary code or cause a denial of service.

A local attacker can exploit multiple vulnerabilities in the Linux Kernel to escalate privileges, cause a denial-of-service condition, disclose sensitive information, or perform an unspecified attack.

The 2026 FIFA World Cup faces significant cyber threats from ransomware groups, state-aligned entities like Iran-nexus Handala Hack Team and Russia-nexus NoName057(16), and financially motivated cybercriminals, anticipating disruptive intrusions, large-scale criminal fraud, and politically driven DDoS and hack-and-leak operations targeting fans, hospitality services, and tournament infrastructure.

A heap overflow vulnerability exists within the DICOM file format, potentially allowing an attacker to target an Orthanc server during image uploads, leading to an out-of-bounds write.

A path traversal vulnerability exists in KubeVirt's virt-exportserver component, where an attacker with namespace-level access can exploit this flaw by creating a symbolic link within an exported filesystem PVC to read arbitrary files from the exporter pod, leading to information disclosure.

The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to arbitrary file upload, allowing authenticated attackers with author-level access to achieve remote code execution by uploading executable files with double extensions.

The Appointment Booking Calendar WordPress plugin is vulnerable to time-based blind SQL Injection (CVE-2026-7797) via the 'append_where_sql' parameter, allowing unauthenticated attackers to extract sensitive information from the database by injecting SQL queries through the /appointments/bulk REST endpoint with a specific request format.

The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF), leading to arbitrary file deletion via SQL injection and PHP object injection due to missing nonce verification and unsafe deserialization, allowing attackers to delete arbitrary files on the server.

A command injection vulnerability (CVE-2026-44604) exists in the `rpmuncompress` utility of RPM; when extracting specially crafted ZIP, 7z, or GEM archives, an attacker can inject shell commands via a malicious top-level folder name, leading to arbitrary code execution as the user running the extraction.

CVE-2026-45571 is a vulnerability in go-git that allows crafted repositories to modify main and submodule .git directories, potentially leading to arbitrary code execution or information disclosure.

FUXA v1.3.0-2773 is vulnerable to unauthenticated project data disclosure (CVE-2026-47717) via the /api/project endpoint, exposing sensitive configuration data like scripts and device settings, even with security enabled.

A vulnerability in Kata Containers allows a guest root user to escalate privileges to host root by exploiting the virtiofs shared file system to create arbitrary symlinks on the host.

Cyber extortion is increasingly relying on data theft rather than ransomware encryption, with threat actors like Bling Libra and TGR-CRI-1135 leveraging techniques like vishing and software supply chain compromise, fueled by regulatory compliance pressures and the impending weaponization of frontier AI models.

Automad versions 2.0.0-alpha.1 through 2.0.0-beta.27 are vulnerable to CVE-2026-45332, a Broken Access Control vulnerability that allows an unauthenticated attacker to retrieve bcrypt password hashes of administrator accounts using a single POST request to the `/_api/user-collection/create-first-user` endpoint, potentially leading to credential compromise and information disclosure.

A cryptojacking campaign targets systems with high-performance GPUs using SEO poisoning and manipulated AI chatbot recommendations, distributing malware disguised as legitimate software utilities to establish persistence and evade detection before deploying GPU mining programs.

Symfony's Mime Address component is susceptible to email header and SMTP command injection due to accepting CRLF characters within email addresses, leading to potential header manipulation or unauthorized SMTP commands in symfony/mime and symfony/symfony versions prior to 5.4.52, versions 6.0.0 to before 6.4.40, versions 7.0.0 to before 7.4.12 and versions 8.0.0 to before 8.0.12.

CrowdSec AppSec component fails to read the HTTP request body for chunked/HTTP-2 requests, leading to a bypass of WAF rules targeting `REQUEST_BODY`, `BODY_ARGS`, `ARGS_POST`, `JSON`, or `XML`, enabling unauthenticated remote attackers to evade body-inspection pipelines.

A vulnerability in Deno's Node.js tls compatibility layer (versions 2.0.0 to 2.7.7) allows a network attacker to intercept and tamper with plaintext application data transmitted over a supposedly TLS-protected connection when `autoSelectFamily` is enabled and the initial connection attempt fails, leading to potential information disclosure and data manipulation.

Kirby CMS is vulnerable to stored cross-site scripting (XSS) due to insufficient sanitization of links within KirbyTags and image blocks, allowing authenticated users with content editing privileges to inject malicious JavaScript that executes when other users interact with the crafted links on the site frontend; patched in versions 4.9.1 and 5.4.1.

Nx Console contained an embedded malicious code vulnerability (CVE-2026-48027) which allowed a malicious version of the extension to be published and harvest credentials from disk and memory.

Pimcore's WebDAV asset endpoint exposes a `MOVE` operation without authentication, allowing unauthenticated remote attackers to delete assets if they know two existing asset paths in the same directory; Authenticated low-privileged users may also be able to perform unauthorized asset move or overwrite operations because the move path does not enforce `rename`, `delete`, `create`, or `publish` permissions, leading to data loss, content integrity loss, and service disruption.

Pimcore v11 and earlier is vulnerable to unsafe PHP deserialization in multiple locations due to missing `allowed_classes` restrictions when calling `unserialize()` on data from database columns and filesystem files; an attacker with control over serialized data sources (e.g., via SQL injection or file write vulnerabilities) can inject PHP gadget chains, leading to remote code execution.

Symfony's X509Authenticator is vulnerable to identity spoofing due to an unanchored regex in the extraction of the user identifier from the Subject DN of client certificates, allowing attackers to authenticate as other users by crafting a certificate with a malicious CN value.

Taipy 4.1.1 contains a path traversal vulnerability (CVE-2026-48544) in the ElementLibrary.get_resource() method that allows unauthenticated attackers to escape the intended module directory by exploiting an incomplete path containment check, enabling unauthorized file access outside the intended library directory.

Multiple vulnerabilities in Veeam Backup & Replication prior to version 13.0.2.29 allow an attacker to cause privilege escalation and compromise data integrity.

Multiple vulnerabilities in Symfony, including SSRF, XSS, and security policy bypass, can be exploited by an attacker to compromise the application.

Multiple vulnerabilities in Check Point Security Gateways and Spark Firewalls allow for remote denial of service, data confidentiality breaches, and data integrity compromise.

Multiple vulnerabilities in Joomla! versions before 5.4.6 and 6.x before 6.1.1 can allow attackers to perform privilege escalation, compromise data confidentiality, perform cross-site scripting (XSS), and conduct cross-site request forgery (CSRF) attacks.

IBM Aspera High-Speed Transfer Endpoint and Server 3.7.4 through 4.4.7 Fix Pack 1 are vulnerable to a buffer overflow in the asperahttpd component, potentially allowing an authenticated user to execute arbitrary code.

IBM Operations Analytics - Log Analysis and IBM SmartCloud Analytics - Log Analysis use default passwords from the manufacturing process, potentially allowing attackers to bypass authentication.

IBM InfoSphere Optim Test Data Fabrication versions 1.0.0 through 1.0.2.7 are susceptible to a path traversal vulnerability (CVE-2026-3366), allowing a remote attacker to send a specially crafted URL request containing 'dot dot' sequences (/../) to view arbitrary files on the system.

IBM QRadar 7.5.0 through 7.5.0 UP15 Interim Fix 002 is vulnerable to CVE-2024-56462, enabling a privileged user to upload a malicious backup archive that, upon restoration, leads to unauthorized access to the underlying operating system.

A public exploit is available for EspoCRM 9.3.3, exploiting a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-33534) allowing authenticated attackers to potentially access internal resources.

Casdoor version 3.54.1 is vulnerable to a path traversal attack, allowing arbitrary file writes on the system, with a public exploit available.

A SQL Injection vulnerability exists in OpenCATS 0.9.7.4, with a published exploit that allows for database version and user extraction on unpatched systems.

A local privilege escalation vulnerability exists in Realtek rtl819x Jungle SDK due to missing capability checks on ioctl commands, allowing unprivileged users to gain root privileges on affected Linux systems.

A command injection vulnerability exists in MeiG Smart FORGE_SLT711, as demonstrated by a public exploit, posing a high risk to unpatched systems.

This brief detects the use of the Kali365 user agent, a phishing-as-a-service platform, within Entra ID or Microsoft 365 logs, indicating potential account compromise through stolen tokens.

CVE-2026-3012 describes a vulnerability in Samba's certificate auto-enrollment Group Policy handling, where retrieval of CA certificates over unencrypted HTTP connections without proper verification could allow attackers to supply malicious certificates, leading to interception or spoofing of trusted communications.

A remote, anonymous attacker can exploit a vulnerability in 7-Zip to execute arbitrary program code on Windows, Linux, and macOS systems.

CVE-2025-30028 is a vulnerability in Synology Active Backup for Business that allows unauthorized remote attackers to read arbitrary files due to improper neutralization of special elements used in an SQL Command ('SQL Injection').

Synology C2 Identity Edge Server package in DSM before 1.76.0-0307 is vulnerable to an Exposed Dangerous Method or Function (CWE-749), allowing remote attackers to obtain user credentials from the edge server.

Synology DiskStation Manager (DSM) before 7.2.2-72806-5 and 7.3.1-86003-1 is vulnerable to improper checks for unusual or exceptional conditions in SSO, allowing remote attackers to bypass authentication with prior knowledge of the distinguished name (DN).

Synology BeeDrive for desktop before 1.3.2-13814 is vulnerable to an uncontrolled search path element, allowing local users to execute arbitrary code through a maliciously placed OpenSSL DLL component.

A local attacker can exploit a vulnerability in Insyde UEFI Firmware to execute arbitrary program code, potentially leading to privilege escalation and system compromise.

The WPCode WordPress plugin before or equal to 2.3.5 is vulnerable to remote code execution due to missing capability restrictions on the 'wpcode' custom post type, allowing authenticated attackers with author-level access to execute arbitrary PHP code via XML-RPC.

The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution (CVE-2026-6169) due to the use of the BladeOne templating engine's runString() method, which allows authenticated attackers with Editor-level access or higher to execute arbitrary PHP code by injecting it into a plugin template.

CVE-2025-41669 allows a remote, low-privileged engineer user to install additional, potentially malicious, applications on the PLCnext Control device without data verification, leading to arbitrary code execution with root privileges and impacting system integrity and availability.

Multiple vulnerabilities in CODESYS could allow an attacker to escalate privileges, manipulate data, or cause a denial of service.

CVE-2026-39832 describes a vulnerability where agent constraints are dropped when forwarding keys in golang.org/x/crypto/ssh/agent, potentially leading to unauthorized access.